Colorado Ballroom F [Breakers]
Thursday, September 18
 

9:30am MDT

Mobile Security Attacks: A Glimpse from the Trenches
Hackers today apply covert and persistent techniques to attack mobile devices. Attend this presentation to learn about the latest threats on mobile devices from the team who uncovered iOS malicious profiles and HTTP Request Hijacking. We will describe and demonstrate emerging mobile security threats: from physical, through network and up to application level. Hold on to your seats as we expose examples, statistics and insights about real-world attacks on mobile devices around the world.

Speakers

Yair Amit

CTO & Founder, Skycure
Yair Amit is co-founder and CTO at Skycure, leading the company’s research and vision and overseeing its R&D center. Yair has been active in the security industry for more than a decade with his research regularly covered by media outlets and presented in security conferences around...

Adi Sharabani

CEO, co-founder, Skycure
Mr. Adi Sharabani is a worldwide security expert and the CEO of Skycure, a start-up focused on providing solutions for securing mobile devices. In the past, Adi was a manager at Watchfire, another startup company which was a pioneer in the field of application security and was acquired...


Thursday September 18, 2014 9:30am - 10:15am MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

10:30am MDT

Use After Free Exploitation
Use After Free vulnerabilities are the cause of a large number of web browser and client-side compromises. Software bugs residing on the heap can be difficult to detect through standard debugging and QA. This presentation will first define the Use After Free vulnerability class, and then dive deep into detecting the bug in a debugger and weaponizing it into a working exploit against Internet Explorer. We will also cover the concept of memory leaks which can allow for a complete Address Space Layout Randomization (ASLR) bypass.

Speakers

Stephen Sims

Consultant
Stephen Sims is an industry expert with over 15 years of experience in information technology and security. Stephen currently works out of San Francisco as a consultant performing reverse engineering, exploit development, threat modeling, and penetration testing. Stephen has an...


Thursday September 18, 2014 10:30am - 11:15am MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

1:00pm MDT

Static Analysis for Dynamic Assessments
Today’s dynamic and static web vulnerability scanners are capable of analyzing complex web applications for security weaknesses. They automate testing of many common vulnerabilities. However, there is a gap between Static and Dynamic scanners. They find different vulnerabilities. So why aren’t dynamic testers running static tools? Typically, they don’t have source code.

In this session, Greg will explore ways dynamic testers can utilize static tools without source code. Greg will discuss a process for collecting and scanning client-side files. Furthermore, Greg will demonstrate a custom developed tool that automates this process from the Burp Suite.

The objective of running static analysis during a dynamic assessment is to reduce potential false-negatives by increasing the breadth of the assessment.

Speakers

Greg Patton

Senior Security Consultant, HP Fortify
Greg Patton is a Sr. Security Consultant with HP Fortify on Demand based in Houston, TX. With nearly ten years of security experience, Greg specializes in application security with a focus on dynamic web and iOS mobile assessments. Greg started his career in software development, and he discovered a natural talent and interest in breaki...



Thursday September 18, 2014 1:00pm - 1:45pm MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

2:00pm MDT

Runtime Manipulation of Android and iOS Applications
With over 1.6 million applications in the Apple AppStore and Google Play store, and around 7 billion mobile subscribers in the world, mobile application security has been shoved into the forefront of many organizations. Mobile application security encompasses many facets of security. Device security, application security, and network security all play an important role in the overall security posture of a mobile application. Part of being a pen tester of mobile applications is understanding how each of the security controls works and how they interact. One powerful way to test the security and controls of our applications is to utilize runtime analysis and manipulation. Many tools exist to manipulate how an application works, on both iOS and Android.

This hands-on skills course will help students learn how to improve their mobile security toolbox. The skills course will utilize tools such as cycript, snoop-it, jdb, etc. for runtime manipulation and memory analysis. After the course, students will be able to get better results from their mobile application security testing.

Speakers

Dan Amodio

Principal Consultant, Aspect Security
As a Principal Consultant, Dan manages and defines Aspect Security's line of Assessment Services-- helping organizations quantify their security risks from design to implementation. He works with staff and clients to develop the team members and deliverables. Dan holds a security...

David Lindner

Managing Consultant and Global Practice Manager, Aspect Security
David Lindner is a Managing Consultant and Global Practice Manager, Mobile Application Security Services at Aspect Security. David brings 15 years of IT experience including application development, network architecture design and support, IT security and consulting, and application...


Thursday September 18, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

3:00pm MDT

Top 10 Web Hacking Techniques of 2013
Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its eighth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work.

In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2013 as picked by an expert panel of judges.

This year’s winners are:
1 - Mario Heiderich – Mutation XSS
2 - Angelo Prado, Neal Harris, Yoel Gluck – BREACH
3 - Pixel Perfect Timing Attacks with HTML5
4 - Lucky 13 Attack
5 - Weaknesses in RC4
6 - Timur Yunusov and Alexey Osipov – XML Out of Band Data Retrieval
7 - Million Browser Botnet
8 - Large Scale Detection of DOM based XSS
9 - Tor Hidden-Service Passive De-Cloaking
10 - HTML5 Hard Disk Filler™ API

Speakers

Matt Johansen

Senior Manager, WhiteHat Security
Matt Johansen is a Sr. Manager for the Threat Research Center at WhiteHat Security where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies’ and their customers’ data. Before this he was an Application Security Engineer where he oversaw and assessed more than 35,000 web...

Jonathan Kuskos

Senior Application Security Engineer, WhiteHat Security
@JohnathanKuskos is a Manager for WhiteHat Security where he is charged with the expansion of their Belfast, Northern Ireland Threat Research Center. After personally hacking hundreds of web applications over several years he moved into a managerial role so that he could contribute...



Thursday September 18, 2014 3:00pm - 3:45pm MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center
 
Friday, September 19
 

9:30am MDT

Warning Ahead: Security Storms are Brewing in Your JavaScript
JavaScript controls our lives – we use it to zoom in and out of a map, to automatically schedule doctor appointments and to play online games. But have we ever properly considered the security state of this scripting language?
Before dismissing the (in)security posture of JavaScript on the grounds of a client-side problem, consider the impact of JavaScript vulnerability exploitation to the enterprise: from stealing server-side data to infecting users with malware. Hackers are beginning to recognize this new playground and are quickly adding JavaScript exploitation tools to their Web attack arsenal.
In this talk we explore the vulnerabilities behind JavaScript, including:
• A new class of vulnerabilities unique only to JavaScript
• Vulnerabilities in 3rd-party platforms which are exploited through JavaScript code
• HTML5 is considered the NG-JavaScript. In turn, HTML5 introduces a new set of vulnerabilities

Speakers

Helen Bravo

Product Management Director, Checkmarx
Helen Bravo is the Product Manager at Checkmarx. Helen has more than fifteen years of experience in software development, IT security and source-code analysis. Prior to working at Checkmarx, Helen worked at Comverse, one of the biggest Israeli hi-tech firms, as a software engineer...



Friday September 19, 2014 9:30am - 10:15am MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

10:30am MDT

Hacking .NET(C#) Applications: The Black Arts (ASM attacks)
Attacking in live memory has been the area of highly skilled attackers with focused and costly tools. This presentation will cover new tools and techniques to allow attackers with basic entry-level skill to attack .NET applications live in memory, allowing for attacks on critical parts of applications such as remolding games or banking software.
The new tools will give a live view on memory in a 3D-GUI that allows for point and click attacks.
The tools are free and the attacks are devastating and easy to carry out.

Speakers

Jon McCoy

Application Security Consultant, DigitalBodyGuard.com
Jon McCoy is trained in Classical Software Engineering and Live System Forensics. He has released a number of tools and techniques for attacking/breaking/bending .NET Framework Applications. He provides trainings in offensive and defensive software, consults on strategic policies...



Friday September 19, 2014 10:30am - 11:15am MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

1:00pm MDT

When you can't afford 0days: Client-side exploitation for the masses
A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.

Hold on! Not all is lost! There is still hope for pwning targets without 0days.

We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.

The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.

We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.

You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.

Speakers

Michele Orrù

Senior Security Consultant, Trustwave SpiderLabs
Michele Orru a.k.a. antisnatchor is an IT and ITalian security guy. Lead core developer of the BeEF project, he mainly focuses his research on application security and related exploitation techniques. He is a frequent speaker at hacking conferences, including CONFidence, DeepSec...



Friday September 19, 2014 1:00pm - 1:45pm MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

2:00pm MDT

Hacking the Oracle Application Framework: A case study in deep-dive pen testing
The Oracle Application Framework (OAF) is the base of dozens of Oracle’s web-based business applications (the eBusiness Suite) and is used by many other organizations to develop their own in-house applications. Last year, the speaker published a major vulnerability (CVE-2013-xxxx) in the framework that allowed inspection of run-time data. Unpublished at the time, the vulnerability also allowed unauthenticated attackers to impersonate any user with an active session, including administrators.

Why had such a critical vulnerability in a major application framework gone undiscovered for so long? The OAF has a huge install base in large companies, so it had undoubtedly been tested and scanned many times before. Attack complexity wasn’t a factor; once documented, the exploit was profoundly simple to use. In fact, while the functionality was poorly documented, the vulnerability was actually DESIGNED as part of OAF.

So, again, why did it take so long to discover? The answer can be found by looking at how most application testing is performed. Traditional black-box testing is only capable of discovering vulnerabilities that sit on the surface of the user interface. A relatively simple application, such as a blog or online store, will have limited functionality beyond the obvious user interface. This is radically different in enterprise-scale applications that must support complex integration with other applications and platforms.

Additionally, while superficial penetration testing of the user interface is sufficient to protect an application against casual attackers, a dedicated attacker will certainly dig deeper. This is easier with off-the-shelf software (like OAF) that can be downloaded, evaluated, or pirated by attackers.

To fully test a complex application, advanced techniques are required. Static reverse engineering, mock environment creation, and dynamic monitoring are all essential components in any comprehensive application test. Using the Oracle Application Framework as a case study, deep-dive techniques will be explained and demonstrated in this presentation. A live environment will be provided for attendees who want to hack along with the presentation and during the rest of the day.

Speakers

David Byrne

Principal Consultant, SpiderLabs
David Byrne has worked in information security for 14 years. Currently, he is a Managing Consultant in SpiderLabs, Trustwave’s advanced security team focused on application security, penetration testing, and incident response. David’s primary responsibility is setting SpiderLabs’ global standards for delivery of application security services. Before Trustwave, David was the Security...


Friday September 19, 2014 2:00pm - 2:45pm MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center

3:00pm MDT

Headless Browser Hide and Seek
Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance bottlenecks, and even automate attacks.

This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these techniques to perform their own daily security practice.

With this base established, we will delve into an extended analysis of techniques that malicious browsers use to impersonate real end-users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly, we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you.

Introduction to Headless Browsers
- What it is and how it works
- Legitimate uses and how you can benefit
- Malicious Use of PhantomJS
- Impersonate a legitimate browser
- Fuzzing a web application
- Find performance bottlenecks

Exploiting the Exploiter
- How attackers attempt to hide
- How to expose them on your site
- Additional evasion techniques and countermeasures

Demonstrations
- Example of attacking with PhantomJS with subsequent detection
- Arbitrary code execution on up-to-date remote PhantomJS
- Various ways of abusing remote PhantomJS

Counter-attacking and Attribution
- How to turn a headless browser against the attacker
- Vulnerabilities in PhantomJS
- Best practices for using headless browsers safely

Speakers

Sergey Shekyan

Principal Engineer, Shape Security
Sergey Shekyan is a Principal Engineer at Shape Security, where he is focused on the development of the new generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on demand web application vulnerability scanning service. Sergey presented...

Bei Zhang

Senior Software Engineer, Shape Security
Bei Zhang is a Senior Software Engineer at Shape Security, focused on analysis and countermeasures of automatic web attacks. Previously, he worked at the Chrome team at Google with a focus on the Chrome Apps API. His interests include web security, source code analysis, and algor...


Friday September 19, 2014 3:00pm - 3:45pm MDT
Colorado Ballroom F [Breakers] Denver Marriott City Center
 