IoT Village - "Mixing industrial protocols with web applications flaws in order to exploit devices in the internet"

Zitieren

DEF CON

Bervis, Bertin

Formale Metadaten

Titel

IoT Village - "Mixing industrial protocols with web applications flaws in order to exploit devices in the internet"

Alternativer Titel

Mixing industrial protocols with web application security

Serientitel

DEF CON 27

Anzahl der Teile

335

Autor

Bervis, Bertin

Lizenz

CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.

Identifikatoren

10.5446/48866 (DOI)

Herausgeber

DEF CON

Erscheinungsjahr

2019

Sprache

Englisch

Inhaltliche Metadaten

Fachgebiet

Informatik

Genre

Konferenz/Talk

Abstract

In this talk i'm going to explain in detail a new technique to achieve javascript code persistence in web applications from devices using the Bacnet protocol (building automation) in the underlying device protocol/web app arquitecture. A remote attacker is able to inject javascript code in the Bacnet device abusing the read/write properties from the Bacnet protocol itself, the code is going to be stored in the Bacnet database helping the attacker to achieve persistence in the victim browser, we are talking about devices that operates in building enviroments or industrial facilities , the posibility to jump from that point to another point in the industrial network using this particular vector is really high.