Robert “RSnake” Hansen - CEO SecTheory Ltd
Bespoke Boutique Internet Security
Web Application/Browser Security
Network/OS Security
Advisory capacity to VCs/start-ups
http://www.sectheory.com/
Founded the web application security lab
http://ha.ckers.org/ - the lab
http://sla.ckers.org/ - the forum
http://www.mywebsite.com
https://www.mywebsite.com
http://mobile.mywebsite.com
http://admin.mywebsite.com
http://mywebsite.akadns.net
http://mywebsite-api.partner.com
http://marcom-mywebsite.provider.com
http://www.google.com/search?q=mywebsite
dns1.provider.com
Virtual hosts? Eg: http://www.yoursite.com
Regulations? Maybe…
Recovery from a hack? Possibly…
Fear? Nurses Union Autism
Automated scanning is repeatable and measurable (at least in theory)
Less prone to human error in testing
Automates time-intensive/boring tasks
Can aid people who otherwise may not be qualified and/or skilled enough to do testing
Scalable and therefore cheap!
Some assembly required
Reports aren’t useful:
Still requires a skilled person to operate
Often non-actionable
Noisy with informational-only findings
Executives can’t read them
No site-specific tuning of vuln severity
They aren’t “creative”
Don’t second-guess yourself – your first instinct is very often the correct one.
Occam’s Razor too!
You can compress 100x the information into an image versus into a sound.
"Copyright 2003"
Alexa http://www.alexa.com/data/details/traffic_details/?q=
Archive.org http://www.archive.org/web/web.php
Whois http://www.networksolutions.com/whois/index.jsp
Last modified date
Old server + module version #'s
2-3 years (2)
3-5 years (3)
5-10 years (4)
10+ (5)
For high traffic targets: after 2-3 years (-1), 3-10 (-2)
XSS tests (1)
"Company" I <3 U
SQL injection (1)
a AND b AND c ...
Does it exist? Yes (1)
Email validation and/or CAPTCHA? No? (1-2)
Password complexity? No? (1)
Can you choose "admin"? Yes? (1)
/admin/
/blog/wp-admin/
/administrator/
/adm/
admin.url.com
Etc...
Just because you can doesn’t mean you should…
PHP-Nuke
Wordpress
Drupal
Etc... (3/instance)
+1 for every major revision out of date
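The slides above sketch a point-based exposure rubric (site age with a high-traffic adjustment, XSS, SQL injection, self-registration weaknesses, CMS instances and how far out of date they are). The following is an added example, not code from the talk, that turns that rubric into a repeatable risk score a defender can run over their own inventory. How the slide numbers combine is my reading of them and is an assumption: the high-traffic adjustment is taken as -1 for sites aged 2-3 years and -2 for 3-10 years, and "(1-2)" for registration is taken as one point each for missing email validation and missing CAPTCHA.

```python
"""Exposure scoring built from the slide rubric (added example; the
interpretation of the slide numbers is an assumption, see comments)."""
from dataclasses import dataclass, field


@dataclass
class Findings:
    """Observations about one site; defaults describe the 'good' case."""
    age_years: float
    high_traffic: bool = False
    xss: bool = False                       # reflected/stored XSS found
    sqli: bool = False                      # SQL injection found
    registration: bool = False              # self-service account creation exists
    email_validation: bool = True
    captcha: bool = True
    password_complexity: bool = True
    admin_username_allowed: bool = False    # can a user register as "admin"?
    # (cms_name, major_revisions_behind), one entry per deployed instance
    cms_instances: list = field(default_factory=list)


def age_score(years: float, high_traffic: bool) -> int:
    """Slide: 2-3 years (2), 3-5 (3), 5-10 (4), 10+ (5).
    High-traffic sites are assumed to get -1 at 2-3 years and -2 at 3-10 years."""
    if years < 2:
        base = 0
    elif years < 3:
        base = 2
    elif years < 5:
        base = 3
    elif years < 10:
        base = 4
    else:
        base = 5
    adjustment = 0
    if high_traffic:
        if 2 <= years < 3:
            adjustment = -1
        elif 3 <= years < 10:
            adjustment = -2
    return base + adjustment


def registration_score(f: Findings) -> int:
    """Slide: exists (1); no email validation / no CAPTCHA (1-2, assumed 1 each);
    no password complexity (1); 'admin' choosable (1). Zero if no registration."""
    if not f.registration:
        return 0
    score = 1
    score += 0 if f.email_validation else 1
    score += 0 if f.captcha else 1
    score += 0 if f.password_complexity else 1
    score += 1 if f.admin_username_allowed else 0
    return score


def cms_score(instances: list) -> int:
    """Slide: 3 per CMS instance, +1 for every major revision out of date."""
    return sum(3 + max(0, behind) for _name, behind in instances)


def total_score(f: Findings) -> dict:
    """Per-category breakdown plus the sum, so the report stays actionable."""
    parts = {
        "age": age_score(f.age_years, f.high_traffic),
        "xss": 1 if f.xss else 0,
        "sqli": 1 if f.sqli else 0,
        "registration": registration_score(f),
        "cms": cms_score(f.cms_instances),
    }
    parts["total"] = sum(parts.values())
    return parts


if __name__ == "__main__":
    # Constructed sample: a four-year-old high-traffic site with one WordPress
    # install two major versions behind and a weak registration flow.
    sample = Findings(age_years=4, high_traffic=True, xss=True, registration=True,
                      email_validation=False, password_complexity=False,
                      admin_username_allowed=True, cms_instances=[("WordPress", 2)])
    print(total_score(sample))
```

The breakdown is kept per category on purpose: the slides' main complaint about scanner output is that it is non-actionable, and a single opaque number would repeat that mistake.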
301/302 redirection (content not viewed)
Live HTTP Headers vs Burp
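The point of the slide is that a browser never renders the body of a 301/302 response, so whatever a server puts there (debug output, a pre-auth view of the page, an injectable reflection) goes unreviewed unless the tester stops the redirect from being followed, which is what a proxy like Burp or a header-inspecting extension gives you. As an added example, not code from the talk, the script below spins up a constructed local server that answers with a 302 carrying a body, then fetches it with urllib configured not to follow redirects so the body is captured for review. The server, its paths and the body text are all constructed for the demonstration.

```python
"""Capture the body of a 301/302 response instead of following it
(added example; server, paths and body are constructed)."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class RedirectingHandler(BaseHTTPRequestHandler):
    """Constructed test server: every GET is a 302 to /login that still ships a body."""

    def do_GET(self):
        # Constructed body that a browser would never display.
        body = b"<html><body>debug view: account=alice role=user</body></html>"
        self.send_response(302)
        self.send_header("Location", "/login")
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None tells urllib not to issue the follow-up request;
    the 3xx then surfaces as an HTTPError whose body we can still read."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_without_following(url: str):
    """Return (status, Location header, body bytes) for the first response."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        resp = opener.open(url, timeout=5)
        return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        # 3xx lands here because no handler consumed it; body is still readable.
        return err.code, err.headers.get("Location"), err.read()


def start_server() -> HTTPServer:
    """Bind to an ephemeral loopback port and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo():
    """Run the constructed server, fetch one URL, return what a browser hides."""
    srv = start_server()
    try:
        port = srv.server_address[1]
        return fetch_without_following(f"http://127.0.0.1:{port}/account")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, location, body = demo()
    print(status, location)
    print(body.decode())
```

The same idea applies to any client: if your tooling auto-follows redirects, the intermediate bodies never reach your review, so either disable following or inspect them in the proxy history.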
First there was CSRF Then there was the nonce This begat clickjacking
Yes, intranet hacking is still possible. Yes, it’s still there. “I don’t see the point, everything’s still broken.” – Jeremiah Grossman (and yes, I agree). Yet, I still want to talk about it.
Spaghetti networks
Is two always better than one?
RFC1918 is not your friend in VPN world because of IP collisions
Twins aren’t cute - they’re dangerous.
Also obnoxious because it breaks home networks sometimes.
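The collision the slide warns about is two RFC1918 ranges, one on the user's home or office LAN and one pushed by the VPN, that overlap ("twins"), so traffic meant for one side silently lands on the other and home devices become unreachable or reachable from the wrong place. As an added example, not code from the talk, the function below takes the prefixes a VPN client pushes and the prefixes configured locally and reports every overlapping pair, flagging whether the collision is inside RFC1918 space. The route lists are constructed for the demonstration; in practice they would come from the VPN configuration and the host routing table.

```python
"""Detect overlapping RFC1918 prefixes between local and VPN routes
(added example; the route lists are constructed)."""
import ipaddress

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True when the whole prefix sits inside one of the private ranges."""
    return any(net.subnet_of(block) for block in RFC1918)


def find_collisions(local_routes, vpn_routes):
    """Return (local, vpn, private) triples for every overlapping pair.

    Overlap of any size is reported: even a partial overlap means some
    hosts will be routed to the wrong network depending on prefix length
    and metric, which is exactly the 'twins' problem."""
    collisions = []
    for local in local_routes:
        local_net = ipaddress.ip_network(local, strict=False)
        for vpn in vpn_routes:
            vpn_net = ipaddress.ip_network(vpn, strict=False)
            if local_net.overlaps(vpn_net):
                private = is_rfc1918(local_net) and is_rfc1918(vpn_net)
                collisions.append((str(local_net), str(vpn_net), private))
    return collisions


if __name__ == "__main__":
    # Constructed example: a typical home LAN versus a VPN that pushes the
    # same 192.168.1.0/24 plus a corporate 10/8 summary route.
    home = ["192.168.1.0/24"]
    pushed = ["10.0.0.0/8", "192.168.1.0/24"]
    for local, vpn, private in find_collisions(home, pushed):
        print(f"collision: local {local} vs vpn {vpn} (rfc1918={private})")
```

Running this at VPN connect time, or as a check in the VPN profile review, catches the twin-subnet case before users report that their printer vanished.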
Intranets
Internal Chat Clients
Mail
SMB backups
Malicious JS of every router type + BeEf + IE’s caching + RFC1918 + MITM
Long term IP collision router hacking
Robert Hansen [email protected]
XSS Book: XSS Exploits and Defense
TBD: “Detecting Malice”
http://www.sectheory.com http://ha.ckers.org/ http://sla.ckers.org/