Browser Rider
kakarot3
Added: January 07, 2010

Presentation Transcript

Browser Rider : 1
By Benjamin Mossé
Ruxcon 2008

Outline : 2
- About me
- Context
- What is Browser Rider?
- How does it work?
- Demos
- Features
- Writing payloads
- The future of the tool
- Questions

About me : 3
- Security consultant at SIFT
- Contributes to the Engineering For Fun project
- Trains Parkour
- mosse.benjamin@gmail.com
- http://www.engineeringforfun.com/
- PS: Nikola is sorry he couldn’t make it today …

Context: why is browser security in fashion? : 4
- Malware is no longer spread through SMTP but through HTTP
- New technologies = new attack vectors to research
- Research led to sexy discoveries, which led to more research on the topic

Context: Browser exploitation? : 5
- Memory corruption
- Access control bypass (e.g. evading the Same Origin Policy)
- Use of legitimate technology features to perform malicious actions (e.g. CSRF)
- Abuse of web services

What is Browser Rider? : 6
- A hacking tool + framework to develop and deploy browser attacks
- Offers XSS tunnel functionality as well as automated attacks
- Programmed in PHP and JavaScript
- Demo!

Other similar tools out there : 7
- Backframe, XSSTunnel, BeEF …
- The difference between them is the attacks they offer and the programming language they were created in
- Unmaintained
- Not updated
- No documentation
- Not as flexible
- Lack of features other than creating a tunnel

Why create Browser Rider? : 8
- Fun
- The challenge of creating something better than what already exists
- Use it as a tunnel during penetration testing

How does it work? : 9
- MINI DEMO: the reloading script tag to keep the tunnel up

Overview : 10
[Diagram: Browser Rider PHP internals. Labels: Zombie(s), Plugins, Payloads, Obfuscators + Compressors, http request, http response, steps (1) to (5)]

Demos : 11
Now that you have an idea of what it looks like and how it works, let’s see what we can do with it.

Features: obfuscation : 12
- Payloads are automatically obfuscated
- MINI DEMO: packing with Dean Edwards’ packer

Features: collected data : 13
- Anything can be saved in a database, which means we can analyse and process the data (e.g. stolen DOM, stolen passwords, stolen URLs etc.)
- Example: BR-App-Finder

Features: plugins : 14
- Code logic that is run before the payloads (essentially to manage them)
- Mini Demo

Features: Smarty template engine : 15
- A template engine is software that is designed to process web templates and content information to produce output web documents
- MVC model
- Allows the creation of polymorphic code
- JavaScript output can be modified (packed, compressed …) before being output to the zombie

Overview : 16
[Diagram: Labels: Zombie(s), Plugins, Payloads, Obfuscators + Compressors, http request, http response, steps (1) to (5), Smarty template engine]

Smarty template engine : 17

Features: PLOUF LIB everything you need to hack : 18
- Contains all the public plugins, payloads and obfuscators
- A list of JavaScript frameworks you can use in your payloads (AttackAPI, jQuery, Mootools …)
- Many small, specialized, reusable pieces of JavaScript code (Base64.js, md5.js, iframe.js …)

Writing payloads : 19
- Documentation
- Code snippet and template provided
- Source code documented
- Author motivated to help
- See for yourself: http://www.engineeringforfun.com/wiki/

Writing payloads (cont.) : 20
[Diagram: Labels: user supplied exploit info, Frameworks, Code JS, Code PHP, CREATE PAYLOAD, LAUNCH ATTACK, Internet users, Databases, PAYLOAD TEMPLATE, DOCUMENTATION, PLOUF LIB]

Writing payloads (cont.) : 21
- 3 files:
  - .php = controller
  - .js = actual payload
  - .tpl = template for the administration panel
- Parent class “PayloadModule” that offers many functions and attributes
- Interface “PayloadInterface” for polymorphism (PHP related)

    class your_payload extends PayloadModule implements PayloadInterface { … }

Payload structure : 22
- Structure defined in PayloadInterface

Writing payloads (cont.) : 23
- PayloadModule provides:
  - HTTP request management ($this->http)
  - Session management ($this->session)
  - Payload management ($this->useLibrary(), $this->attachZombieToPayload() …)
  - Template management ($this->setRenderData() …)
- Other PHP classes in the PLOUF LIB: Database BrowserRiderUrl Data Generator

Flexibility : 24
[Diagram: Labels: Zombie(s), Plugins, Payloads, Obfuscators + Compressors, http request, http response, steps (1) to (5). Caption: Points where you can add your own code]

Current status of the tool : 25
- Mature enough to use
- Strong architecture and core
- A lot of potential
- Not many payloads and plugins available yet

The future of the tool : 26
- Access Control for Cross-Site Requests = cross-site HTTP requests with AJAX

The future of the tool : 27
- The administration panel needs to be optimized for IE
- Improve existing code
- Bug fixing
- Code more payloads, plugins, features and mini tools
- Get people to contribute

For who? : 28
- For:
  - Web pentesters
  - Some random kids
  - Hackers
- Not for:
  - Botnet authors
  - Hackers who need to stay stealthy

What you should remember from this presentation : 29
- Browser Rider takes an existing concept and innovates upon it
- The tool is now relatively mature and can be used
- Cross-site scripting is an important issue
- Many powerful attacks can be ported to the browser using programming features provided by JavaScript, Java and Flash

Questions? : 30

Engineering For Fun : 31
- A group of people passionate about IT who want to work together and share some of the stuff they do with the rest of the world
- http://www.engineeringforfun.com/
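
A defender's view of the "reloading script tag" tunnel from slide 9, as an added example that is not part of the presentation or of Browser Rider: a script tag that is reloaded to keep a tunnel up should show in proxy logs as one client re-fetching the same script path over and over. The sketch assumes those fetches are roughly evenly spaced and may carry a changing query string; the log format, host names and thresholds are constructed for illustration.

```javascript
// Constructed proxy-log sample: "<epoch seconds> <client> <method> <url>".
const SAMPLE_LOG = `
1000 10.0.0.7 GET http://shop.example/static/app.js
1002 10.0.0.5 GET http://hook.example/poll.js?r=1
1003 10.0.0.7 GET http://shop.example/static/app.js
1005 10.0.0.5 GET http://hook.example/poll.js?r=2
1008 10.0.0.5 GET http://hook.example/poll.js?r=3
1012 10.0.0.5 GET http://hook.example/poll.js?r=4
1015 10.0.0.5 GET http://hook.example/poll.js?r=5
1018 10.0.0.5 GET http://hook.example/poll.js?r=6
1100 10.0.0.7 GET http://shop.example/static/app.js
1105 10.0.0.7 GET http://shop.example/static/app.js
1900 10.0.0.7 GET http://shop.example/static/app.js
garbage line that must be skipped
`.trim().split("\n");

function parseLine(line) {
  const m = /^(\d+)\s+(\S+)\s+GET\s+(\S+)$/.exec(line.trim());
  if (!m) return null;
  try {
    const u = new URL(m[3]);
    // Drop the query string so cache-busting parameters do not split one resource.
    return { t: Number(m[1]), client: m[2], resource: u.host + u.pathname };
  } catch { return null; }
}

function findPollers(lines, { minHits = 5, maxJitter = 0.25 } = {}) {
  const groups = new Map();
  for (const rec of lines.map(parseLine).filter(Boolean)) {
    const key = rec.client + " " + rec.resource;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rec.t);
  }
  const flagged = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((s, g) => s + g, 0) / gaps.length;
    const sd = Math.sqrt(gaps.reduce((s, g) => s + (g - mean) ** 2, 0) / gaps.length);
    // Coefficient of variation: a low value means the fetches are evenly spaced.
    if (mean > 0 && sd / mean <= maxJitter) {
      const [client, resource] = key.split(" ");
      flagged.push({ client, resource, hits: times.length, meanInterval: mean });
    }
  }
  return flagged;
}
console.log(findPollers(SAMPLE_LOG));
```

The second client fetches its script five times as well, but at irregular intervals, so only the evenly spaced fetcher is reported; tune `minHits` and `maxJitter` against real traffic before alerting on the result.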