Blended Threats & JavaScript (OWASP AppSecUSA Presentation Review)

At AppSecUSA, I attended an illuminating talk by Phil Purviance, who is an Application Security Consultant at AppSec Consulting, Inc. The talk was called Blended Threats & JavaScript: A Plan for Permanent Network Compromise.

First of all, a blended threat is a single threat pursued through multiple vectors. This was one of those eye-opening “holy crap, never thought of that” sort of talks.

In this industry, we have long since had our “holy crap, never thought of that” moments with the mechanics of XSS, CSRF, etc., but the particular ways Phil proposed for going about it were especially enlightening.

I must confess that I had grown quite accustomed to the “classic model” of the anatomy of an XSS attack (i.e. attacking a blog). But Phil really showed us some new and eye-opening XSS techniques that break the classic model, such as combining XSS with the OnMouseOver() and OnMouseOut() events: make the mouseover area really huge and inject the payload into the OnMouseOver() handler, so that all the victim has to do is move the mouse anywhere over the page to activate the attack.
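The defensive counterpart to the event-handler trick above is to never let untrusted markup carry an on* attribute in the first place. The following is an added example (it is not code from the post or from Phil's talk): an allowlist filter, written in JavaScript, that strips every inline event handler and every script-bearing URL from untrusted HTML before it is inserted into a page. The tag and attribute allowlists, the helper names and the sample markup are all constructed for this illustration.

```javascript
// Added example, not from the post or the talk: allowlist-based HTML filtering
// that removes inline event handlers (onmouseover, onmouseout, onerror, ...)
// and javascript: / vbscript: URLs from untrusted markup.
// The tokenising is regex-based so the example is self-contained; a real
// application should use a DOM-based sanitizer (e.g. DOMPurify) that also
// normalises entities such as &#58; before checking URL schemes.

// Assumed allowlists for this illustration.
const ALLOWED_TAGS = new Set(["a", "b", "i", "p", "div", "span", "img", "br"]);
const ALLOWED_ATTRS = new Set(["href", "src", "alt", "title", "class", "style"]);

// True when an allowed attribute still carries a value that would run script.
function isDangerousValue(name, value) {
  // Strip whitespace and NULs that browsers ignore inside a scheme.
  const v = value.trim().toLowerCase().replace(/[\s\0]/g, "");
  if (name === "href" || name === "src") {
    return v.startsWith("javascript:") || v.startsWith("vbscript:") || v.startsWith("data:text/html");
  }
  if (name === "style") {
    return /expression\(|url\(\s*["']?\s*javascript:/i.test(value);
  }
  return false;
}

// Rebuild an attribute string keeping only allowlisted, non-event attributes.
function cleanAttributes(rawAttrs) {
  const kept = [];
  const attrRe = /([a-zA-Z_:][\w:.-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? "";
    if (name.startsWith("on")) continue;          // drop every event handler
    if (!ALLOWED_ATTRS.has(name)) continue;       // drop anything not allowlisted
    if (isDangerousValue(name, value)) continue;  // drop script-bearing URLs
    kept.push(`${name}="${value.replace(/"/g, "&quot;")}"`);
  }
  return kept.length ? " " + kept.join(" ") : "";
}

// Walk every tag in the markup; unknown tags are removed (their text stays),
// known tags are re-emitted with cleaned attributes.
function sanitizeHtml(html) {
  return html.replace(/<\s*(\/?)\s*([a-zA-Z][\w-]*)([^>]*)>/g, (whole, slash, tag, attrs) => {
    const t = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(t)) return "";
    if (slash) return `</${t}>`;
    const selfClose = /\/\s*$/.test(attrs) ? " /" : "";
    return `<${t}${cleanAttributes(attrs.replace(/\/\s*$/, ""))}${selfClose}>`;
  });
}

// Count surviving inline handlers; useful as a post-condition check in tests.
function countEventHandlers(html) {
  return (html.match(/\son[a-z]+\s*=/gi) || []).length;
}

// Constructed sample: a full-page mouseover trap plus a javascript: link.
const SAMPLE = '<div onmouseover="alert(1)" style="position:fixed;width:100%;height:100%">'
  + 'hi <a href="javascript:alert(2)" onmouseout="leak()">link</a><script>evil()</script></div>';

console.log(sanitizeHtml(SAMPLE));
// → <div style="position:fixed;width:100%;height:100%">hi <a>link</a>evil()</div>
```

Note what survives: the oversized div and its CSS are harmless once the handler is gone, so the filter keeps them; the script element is dropped but its text content remains as inert text. Pair a filter like this with a Content-Security-Policy that forbids inline script, so that a handler which slips through the filter still cannot execute.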

The other half of his talk discussed how too many engineers mistakenly grow complacent about network devices like routers and modems. IT departments, like home users, tend to set up their devices once and then, as long as the devices appear to be working, don’t always remain vigilant about their security over time. A recent example of hackers exploiting this complacency was when 4.5 million modems were hacked in Brazil.

The prevailing mindset is: if the router and/or modem seems to be working, then everything is fine. For example, one might CSRF attack 192.168.1.1. A good way to craft such an attack is to couch it in a free download that makes you wait (29 seconds to download, 28, 27, etc.) while a tag such as <img src="http://192.168.1.1..."> fires the request. Then the attacker changes the router password. He/she can even upload new firmware (during that 30 seconds of waiting for the download) that then does whatever the attacker wants, which of course would generally be snooping traffic for passwords and the like and forwarding the information to the hacker’s site.

A lot of these security talks are a scary splash of cold water, but for me this one was especially so and was thus a very valuable talk to have attended. Thanks Phil!

About M. J. Power