Wednesday, November 3, 2010

Browser Exploitation for Fun & Profit

This past Tuesday I run a SANS special webcast titled "Browser Exploitation for Fun and Profit" complementing the "Security 542: Web App Penetration Testing and Ethical Hacking" training I will run in SANS London 2010 at the end of November, early December:

"Cross-Site Scripting (XSS) is still one of the most prevalent vulnerability on web applications, and its exploitation is a very relevant threat to be considered by any organization. As the owner of the web application, you don't want your visitors and customers to get exploited through your website, and as the owner of any company, you don't want your users, browsing the web innocently, to become victims of large scale or targeted attacks. Browser exploitation frameworks, such as BeEF, provide attackers and pen-testers advanced capabilities to perform in-depth devastating attacks into an organization, using the ubiquitous web browser as the entry point."

The main goal was to introduce the state of the art of client vulnerabilities on the web browser and its associated plug-ins, and focus on the prevalence and impact of (the sometimes undervalued) XSS vulnerabilities. In order to change the general perception and help others to identify the real impact of XSS, pen-testers can make use of the attack platform suggested on the presentation: Samurai WTF v0.9, plus BeEF v0.4.0.3, and Metasploit v3.5.x. The integration of BeEF and Metasploit provides the capabilities required for advanced attacks. The presentation guides pen-testers through the process of updating, configuring, and launching these tools, greatly simplified by using Samurai WTF as your favourite web-app pen-testing platform :)

From the most commonly used web browser plug-ins (Adobe Reader, Flash Player, Java, Quick Time, Windows Media Player, RealPlayer…), I had to select one as my target, and Java was the (chosen) one as all webcast attendees had it installed; it is a pre-requisite for the Ellumitate Live! webcasting platform used by SANS. Despite the technical difficulties during the webcast (it seems an XSS attack affected the slides and the application sharing capabilities of the webcast ;-p ), I could run a demo of a Java-based vulnerability (CVE-2010-0094) to show how smoothly the integration of these two tools work. Time constraints didn't allow me to run the second, and more advanced demo, exploiting a different Java-based vulnerability (CVE-2010-0886), but you have all the details on the presentation. This presentation is an extended version of the original one with extra detailed steps and references.
Unfortunately, we almost didn't have time for questions and answers, so feel free to send me an e-mail.

This is the first of a series of XSS and browser exploitation presentations I will be running in the next few months. The next one will take place during the SANS London 2010 conference: Thursday, 2 December, from 19:30 - 20:45. This second part, titled "Browser Exploitation for Fun and Profit Reloaded", will take the already covered setup for granted, and will describe and demo live more XSS attacks, tools, and techniques, including (if it is mature enough) the new Ruby-based BeEF, v0.4.1.x. Hope to see you there!