Traps of Gold

Video thumbnail (Frame 0) Video thumbnail (Frame 1497) Video thumbnail (Frame 2474) Video thumbnail (Frame 3879) Video thumbnail (Frame 6297) Video thumbnail (Frame 7132) Video thumbnail (Frame 8269) Video thumbnail (Frame 9553) Video thumbnail (Frame 12269) Video thumbnail (Frame 15860) Video thumbnail (Frame 17893) Video thumbnail (Frame 18724) Video thumbnail (Frame 25813) Video thumbnail (Frame 26852) Video thumbnail (Frame 27688) Video thumbnail (Frame 28926) Video thumbnail (Frame 32371) Video thumbnail (Frame 33394) Video thumbnail (Frame 34348) Video thumbnail (Frame 37379) Video thumbnail (Frame 38257) Video thumbnail (Frame 39363) Video thumbnail (Frame 41290) Video thumbnail (Frame 43264) Video thumbnail (Frame 45296) Video thumbnail (Frame 46058) Video thumbnail (Frame 47419) Video thumbnail (Frame 48479) Video thumbnail (Frame 50147) Video thumbnail (Frame 51008) Video thumbnail (Frame 52786) Video thumbnail (Frame 55786) Video thumbnail (Frame 58242) Video thumbnail (Frame 59224)
Video in TIB AV-Portal: Traps of Gold

Formal Metadata

Traps of Gold
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
The only thing worse than no security is a false sense of security. And though we know, "you can't win by defense alone", our modern approaches tend to act as though offense and defense are two entirely separate things. Treating security as an issue of quality has gotten us far, however, nearly everyday, some of the largest companies are still being compromised. It's become apparent that with enough time a skillful attacker will always get in. We have created new armaments to fight back. This style of fighting, known as maneuverability, aims to make your opponents expend their own resources while putting yourself in a position of strategic advantage. Using techniques that leverage deception, ambiguity, and tempo we believe we can do better to protect web applications. If time is an attacker's most important resource, let's steal it away from them. But talk is cheap. Not only will we demonstrate real world examples of this system, we encourage you to prove us wrong. An unofficial web application capture the flag competition, based on deceptive defense techniques, will be made available for testing throughout the conference. Andrew Wilson is a Security Consultant at Trustwave. He is a member of Trustwave's SpiderLabs - the advanced security team focused on penetration testing, incident response, and application security. He has over 9 years experience building and securing software for a variety of companies. Andrew specializes in application security assessment, penetration testing, threat modeling and secure development life cycle. Andrew is active in the developer and security community as a speaker, a trainer, and as a leader of the Phoenix OWASP group. Twitter: @Kuzushi Michael Brooks writes exploit code because it is challenging and a privileged art form. He writes secure software and helps others do the same because secure software is a luxury that should be shared. He is the top answerer of security and cryptography questions on (Rook).

Related Material

Video is accompanying material for the following resource
Data management Proof theory Group action Integrated development environment Multiplication sign Flag Family Thresholding (image processing) Attribute grammar
Wiener filter Vulnerability (computing) Multiplication sign Maxima and minima Directory service Mereology Flow separation Computer programming Number Software bug Root Software Right angle Metric system Information security Vulnerability (computing)
Proxy server Server (computing) Code Heat transfer Content (media) Cartesian coordinate system Total S.A. Statistics Product (business) Intrusion detection system Function (mathematics) Intrusion detection system Information security Data type
Point (geometry) Proxy server Computer file Code Firewall (computing) Multiplication sign Transport Layer Security Total S.A. Coprocessor Rule of inference String (computer science) File system Vulnerability (computing) Physical system Algorithm Kolmogorov complexity Code Sound effect Plastikkarte Cartesian coordinate system Regulärer Ausdruck <Textverarbeitung> Statistics Web application Wave Curvature Fluid statics Intrusion detection system Function (mathematics) Order (biology) output Right angle Remote procedure call Information security Local ring Computer worm
Complex (psychology) Kolmogorov complexity Information security Information security Physical system
Filter <Stochastik> Scripting language Suite (music) Graphical user interface Web application Internetworking Firewall (computing) Operating system Web browser Exploit (computer security) Plug-in (computing) Twitter
Internetworking Ferry Corsten Software developer Operating system Sound effect Water vapor Bit Musical ensemble Cartesian coordinate system Vulnerability (computing)
Web page Point (geometry) Injektivität Dependent and independent variables Code Software developer Poisson-Klammer Web browser Symbol table Attribute grammar Type theory Web application Heegaard splitting Internetworking Website Cuboid Right angle Exception handling Window
Point (geometry) Filter <Stochastik> Slide rule Code Patch (Unix) Frustration Web browser Rule of inference Software bug 2 (number) Neuroinformatik Product (business) Strategy game Internetworking Semiconductor memory Negative number Information security Proxy server God Physical system Software developer Cartesian coordinate system Inclusion map Data management Video game Right angle Cycle (graph theory)
Code Patch (Unix) Multiplication sign Video game Right angle Game theory Cycle (graph theory) Window Product (business) Physical system Vulnerability (computing)
Data management Internetworking Term (mathematics) Patch (Unix) Gastropod shell Modem Vulnerability (computing)
Laptop Context awareness Patch (Unix) Firewall (computing) Connectivity (graph theory) Multiplication sign Port scanner Regular graph Theory Software bug Product (business) Neuroinformatik Twitter Strategy game Semiconductor memory Endliche Modelltheorie Information security Logic gate Punched card Physical system Capability Maturity Model Vulnerability (computing) Area Inheritance (object-oriented programming) Software developer Maxima and minima Denial-of-service attack Cartesian coordinate system Exploit (computer security) Measurement Hand fan 10 (number) Antivirus software Web application Data management Process (computing) Software Order (biology) Statement (computer science) Right angle Quicksort
Data mining
Area Newton, Isaac Content (media) Division (mathematics) Exploit (computer security) Infinity Attribute grammar Strategy game Intrusion detection system Personal digital assistant Intrusion detection system System programming Right angle Vulnerability (computing) Physical system
Arm Information Real number Exploit (computer security) Line (geometry) Social engineering (security) Wave packet Revision control Arithmetic mean Strategy game Intrusion detection system Personal digital assistant Term (mathematics) System programming Endliche Modelltheorie Right angle Endliche Modelltheorie Game theory Information security Vulnerability (computing)
Loop (music) Channel capacity Strategy game Personal digital assistant Decision theory Connectivity (graph theory) Right angle Cohesion (computer science)
Meta element Game controller Server (computing) Computer file Multiplication sign 1 (number) Web browser Mereology Extension (kinesiology) Information security Plug-in (computing) Task (computing) Default (computer science) Default (computer science) Mapping Server (computing) Software developer Weight Computer file Projective plane Menu (computing) Cartesian coordinate system Application service provider Arithmetic mean Process (computing) Software Personal digital assistant Order (biology) Canadian Mathematical Society Right angle Routing Extension (kinesiology)
Planning Right angle
Point (geometry) Slide rule Sequel Computer file Connectivity (graph theory) Decision theory Multiplication sign Port scanner Traverse (surveying) Neuroinformatik 2 (number) Frequency Crash (computing) Flag Software testing Information security Position operator Physical system Vulnerability (computing) Injektivität Noise (electronics) Algorithm Dependent and independent variables Instance (computer science) Directory service Website Right angle Quicksort Window
Web page Point (geometry) Building Mobile app Observational study Sequel Computer file Code Multiplication sign Port scanner Web browser Regular graph Field (computer science) Attribute grammar Strategy game Software testing Lie group Form (programming) Physical system Injektivität Default (computer science) Information Software developer Content (media) Mathematical analysis Database Cartesian coordinate system Subject indexing Integrated development environment Personal digital assistant Volumenvisualisierung Right angle Routing Spectrum (functional analysis)
Computer chess Context awareness Arm Host Identity Protocol Process (computing) Observational study Different (Kate Ryan album) Decision theory Expert system Cuboid Right angle Game theory
Simulation Context awareness Mobile app Surface Decision theory Weight Projective plane Menu (computing) Cartesian coordinate system Intrusion detection system Right angle Endliche Modelltheorie Routing Position operator Physical system
Injektivität Point (geometry) Hoax Sequel Code Planning Bit Denial-of-service attack Cartesian coordinate system Performance appraisal Energy level Software testing Game theory Remote procedure call Error message
Meta element Context awareness Personal digital assistant Port scanner Menu (computing) Right angle
Web page Execution unit Dynamical system Intel Information Real number Content (media) Port scanner Web browser Instance (computer science) Web 2.0 Mechanism design Goodness of fit Integrated development environment Kinematics Order (biology) Right angle Resultant Window Physical system
Mobile Web Turbo-Code Complex (psychology) Server (computing) Validity (statistics) Surface Source code Port scanner Web browser Mereology Exploit (computer security) Product (business) Number Web 2.0 Medical imaging Average Personal digital assistant Internetworking Right angle Sinc function Vulnerability (computing)
Ramification Execution unit Email Server (computing) Group action Information Validity (statistics) Virtual machine Letterpress printing Menu (computing) Web browser Attribute grammar Web 2.0 Arithmetic mean Process (computing) Software Personal digital assistant Netzwerkverwaltung Cuboid Right angle Physical system Vulnerability (computing)
Term (mathematics) Oval Menu (computing) Right angle Game theory Information security Position operator Vulnerability (computing)
Meta element Menu (computing)
okay so high thank you for coming to my talk are our talk this talks entitled traps of gold my name is andrew wilson i
work for Trustwave spiderlabs i compete
and capture the flags with these guys I'm trained in martial arts for quite
some time with these guys and this is
the family that supports me to make sure that I can be here and give talks like that with you guys so this talk is kind
of in popular parlance what some people would call offensive countermeasures right so offensive countermeasures as defined by the Paul comm group includes things like annoyance attribution and then attack right so based on where you live inside of this threshold it's probably do your best benefit to talk to somebody who is a legal advisor about whether or not some of the things that we're going to show you guys today are viable inside of the environment that you work in some of it is going to be straight forward that you probably don't need to get permission for and then other things you definitely want to see kind of legal counsel this is just some proof of concept stuff to go from there
my name is Michael Brooks and I attack software these are all the CV numbers I'm accumulated over the years that TV right there CBO 49 I just obtained my highest severity metric so the department of homeland security issues severity metrics for the most serious vulnerabilities this one right here
received a very metric of 25.2 which is in the top five hundred of all time I got it a part of the Mozilla bug bounty program and I got the highest bounty of three thousand dollars and the sweet t-shirt but that's not why I'm talking
about that's that's not why I'm here today the reason why I'm here today is because we have a problem our approach to security is flawed and one of the problems that I that I found is in a product called PHP ID s Oh
sorry ok PSB ideas is making an
incorrect assumption and the assumption PHP ID s is what's nice about this intrusion detention intrusion detection system is that it is embedded into your application so you can apply it in places that you wouldn't normally such as a godaddy shared hosting account it's making an incorrect assumption in its security system and that is that attacks can never be repetitive this is the
vulnerable piece of code now so we rely on web application firewalls I mean if you think of a secure website one of the first things you say is like well you have a laugh right but the problem is is that waves can be bypassed and a common problem with wifes is the pretty processor and what you're looking at right now is a method that's being called an all input and what it's looking at is it's looking at a regular expression and this is saying hey I want to match a wild card which is the dot I want to match two of those at least two of those and then I want to match at least a 32 more so total of thirty three repeating and if it finds a string that's repeating 33 times it replaces it with the letter X so the significance of this is that I can I can hide any payload from the PHP ID s rule sets by repeating it 33 times the effect is that I completely bypass PHP ideas entirely absolutely every rule set is bypassed but then I went to step further not only was I able to bypass it I can intentionally trigger a rule set in order to populate it's flat file logging system with PHP code the significance of this is that once I have PHP code on the local file system then I can use I can turn any local file include vulnerability in the application in a remote code execution so that I said a lot but the point is is that not only did i make did i bypass the web application firewall entirely i also made it less secure so this is a great
quote from bruce schneier complexity is the worst enemy of security if you're able to add complexity to a system and actually make it more secure well that's quite a hack that that is not an easy that is not easy yeah and
here let me demo let me demo it for you
can you please
ok now that wasn't the only thing i'm
looking at uh today we're seeing a new trend and that is we're starting to see XSS filters and web browsers internet
explorer was the first to introduce this but other browsers are following suit in firefox there's the new script plugin which has an anti XSS filter and also within a chrome is also beta testing their own XSS filter it's safe to say
that soon all web browsers all major web browsers will have XSS filters so the era of very simple XSS exploitation is starting to go away but instead really these security systems these general-purpose security systems it's not just web application firewalls or xss filters and browsers but also a SLR
these general-purpose security systems create this kind of water balloon effect
the more they try and cramp down on the
application the vulnerabilities that are that are present start bulging out in new and interesting ways and although
internet explorer is loading takes a while music in here for you guys but anyway it turns out that exit uh so a bit of background on the CD I go into great detail about bypassing PHP ID s in one of my papers I highly recommend reading it I go over a lot of my my attack methodology but after i submitted the paper to PHP ideas the developers were ecstatic they're really happy about it and i'm actually now a member of
their of the development team i submitted a similar paper to microsoft
internet explorer and so I submitted a similar paper to Microsoft right and basically it's this I showed that okay so i found a problem with the way that internet explorer was handling UTF seven characters so it turns out how this exercise filter is working is that it's looking at outgoing requests and it's looking specifically for brackets greater than less than symbols and quote marks if you can create a payload that doesn't contain any of these any of these attributes then it's possible to execute code I found to execute JavaScript rather so I found a way it turns out you can use UTS at UT f7 encoding now you tf7 has a history where it's only for smtp all right it's not designed for HTTP at all in fact no browser except for internet explorer supports you tf7 for web pages but that's beside the point I was able to the real problem here is that their exercise filter is not accounting for this but okay hold on I said that no UTF 7 is not for HTTP right well why so that means no website is going to be running it except there's a way you can change the content type of a web app of of a of a page using a CR LF injection or HTTP response splitting and bam and it allows you to get an alert box the
my god
the computer just crashed sorry technical difficulties yeah memory all right I apologize I was going to show you a great masterpiece and that is that i was going to bypass both PHP ID s is built-in rule set for XSS and internet explorer's rule set for XSS in the exact same attack that it is possible to bypass both filters on the browser and the server and be able to be able to execute code ultimately so it doesn't matter it doesn't matter that we're adding all of these new filters if really the fundamental problem remains and that they can they can be bypassed that can be fooled so we need another approach screw slides I could do it from memory okay so why talk about all this right what's the point of explaining you know really a bypass to PHP ID as a bypass to Internet Explorer is that these are supposed to be like defensive products that we're going to be relying on for the security of applications and kind of as Michael was pointing out this is like this system is stuff that we're going to be relying on more and more as we get into the future right so you kind of saw slide there for just two seconds before we crashed about frustration right is anybody here earnestly in the room think like the secure development approach is working right we see the news every day and some major company some data breach not just a small one but a really large one comes into play and it hits people in pretty negative impacts always right so everybody's kind of getting getting hit with that and we feel that the ultimate reason for that is kind of our approach to dealing with security has been a quality issue right it's a bug when you look at books that are in popular use today stuff like the secure development life cycle for Microsoft and then secure code and some of the rug and movement stuff we treat security issues literally as if they were a quality concern and that's how we approach it right so we took strategies to mitigate security issues like it was a bug like it was a quality concern and that starts with patch management right so patch management takes an approach that says you find a bug it's in production we've got to fix it so you
write new code that fixes the abuse
Aereo so that way you can actually go ahead and make it safe right but that tends to come with some baggage right
the first problem is that if you have a bug inside of a production system right it's available for people to exploit it
and if it's a known exploit you run this
patch window life cycle right where Microsoft puts out a patch on patch tuesday it's reverse engineered on wednesday and then you have a time between that patch that release where anybody who hasn't updated on the availability of the release is still incredibly vulnerable right so there's definitely some issues with that approach and then you run into a secondary issue where the patch itself may not necessarily be something that actually fixes the issue it might be a temporary fix or it might be there's also another problem like really the problems with ie XSS filter are trivial defects it would take an afternoon but they were did even recognized as a vulnerability they're not then they won't even fix it it's it's it's a constant problem like back in 2004 there was an interesting vulnerability that was released in IE is called the IE drag-and-drop vulnerability all right it allowed in the vulnerability in the in the attack the victim picks up a carrot and drags it just as if it was a game the only problem is is that that's not a
carrot it's actually a an executable on a remote share and you're dragging into your startup folder you could get remote
shell on Internet explorer for two years and microsoft said that's not a
vulnerability like you've got to be kidding me ultimately they did patch it and even so four years after this attack
was it wasn't until four years later that the term clickjacking was even
coined but it's recognizing that there's a problem is Syria is an important step
so patch management obviously was not
ideal and everybody kind of knows that right anybody who's done secure regular regular development doesn't want bugs in production right because bugs in production is no bueno the problem with that is that we move forward we move
forward to here let's just play it from here
so patch management to do to do oh and
the computer crashed again so I guess we're gonna do this whole thing from memory that's fine no big deal yes it is max apparently it has not been watching enough TV that's my theory okay so screw my laptop so sdlc right as dlc came out as a measure to say hey bugs in production that's definitely not the way that you want to go about doing this right because inside of that system was that distribute again inside of that system you want to deal with it proactively right so you build it into your development lifecycle it becomes something that you have to deal with it becomes an earlier system you start defining it you come up with quality gates you do threat models you work inside of the system and make sure that it works for what you're doing as your dev psychol and then at the end of the day it's sort of a process of refinement right you try to reduce known vulnerabilities inside of the application I'm a huge fan of Microsoft's sdlc right despite the fact that it misses stuff I think that it's the way that people ought to be taking a look at writing software right it's super mature ten years something of experience lots of money lots of manpower and perhaps even more importantly right it has executive buy-in to say you can't release insecure software right so it's it's a great approach fantastic approach right but you still have Patch Tuesday right you still have bugs that do get out into the system and so we gotta kind of question what what advantage does this have not in how tenable is this as an end product for us right so the the final thing we throw out there right as our solution to security is more bad software right i call it defects in defense right if we put more software like web application firewalls or we put protections like antivirus or regular firewalls in front of these things they're going to stop you know bad guys from doing bad things but kind of as we just shown earlier within the context of our actual attack component you can bypass those things and so when we rely on stuff like that that that definitely creates a situation for us that's pretty disadvantageous right it's not it's not ideal that's how we end up with the TSA you get groped for free in the airport which is nice right immediately but does it make you any safer is kind of the question and what about the backscatter security scanners right like we spend tens of millions of dollars on a security system that can be defeated with pancakes like really really are we really doing this and you know this is at least the second time that breakfast has been used in an attack the first the first of course being the captain crunch whistle so clearly more research needs to be done in the area of breakfast based exploitation I'm just putting that out there all right so the question then really this talk is not about all the stuff that's broken right I want to point out that these are difficulties that we face it's the reality of writing software and it's stuff that we we need to continue to do I think that's just security hygiene right it's the sort of stuff you do you brush your teeth because you don't want bad breath and ideally it makes you a better person even refinement right is good too but none of these approaches actually stop you from getting punched in the face in order they really prepare you for that right like having clean teeth isn't isn't a defensive countermeasure in my opinion and so we really think that the the solution or the answer here is we need to start looking at strategies in which we can fight back against people right we want it we want to kick their ass right when I was working at a company while ago I used to tell developers they've got to build their applications so they can take a punch I'm going to change my statement I think you need to build applications that punch people back right i think that needs to be the way we move down this road so how do we do that right how do we build in systems for that and that's we leverage technology that already exists PHP ID s being one of those we use honey pot and honeynet technologies and then we write exploits that are capable of taking advantage of the fact that software that's going to be attempting to hit you also is vulnerable to all the same things that we talked about before right they have bugs they have weakness they have problems there's this phenomenal Twitter feed from Richard bait lick who said something great is that it's not just because we have these glass built homes it's because there's people throwing bricks at them right and that's that's what we need to deal with is the brick throwers hacking against our systems and
attacking these things this is this is a human problem that manifests itself
with technology check this out hey this
is good it works nice on mine do do do
all right well that was a nice idea
unless you can fix the mirroring for me too we'll just move on so they have the risk to write this is a human problem and because it's a human problem I think that's exactly where we attack people right we chase them in the places where they're human bad guys who are doing bad
things against you they have things like ego and bias and they think they're
going to get in and when they find results they're going to try to exploit these results because they're basing it
off of prior experience and prior knowledge they have weaknesses in the sense that the tools that they're using are imperfect as well and we'll just go
from here and so we need to start focusing on strategies that take advantage of that right I don't move it down dude alright sweet so we're about
here that's where your attack them when
we look at how we're going to do that we're going to leverage stuff that other people have done and that includes IDs
systems honey pots exploits and we're going to put those together in a fashion that we can trap people inside of our systems to create things like better attribution shut down their tools of the ignore particular content areas or in certain cases just completely shut them down entirely so the thing about lying like we're worried about China hacking
into us right well we're worried about them getting a leg up in business but that's weak China is being weak if they'd have to rely on you to have to break into you two get a leg up what happens if they high what happens if when they hack into you you give them information that you want them to find that you use that against them that they still a secret that you want them to have something to think about right if they can social engineer us why can't we social engineer them
right so people will take say you know potentially security hygiene is a way that you are fighting back to right they might say that and I would kind of classify that as more of like a war of attrition right when you look at how people fight kombat how they can you know conflict compete in combat there's really two strategies there's a tradition based model and then a maneuverability model which is kind of a modern day gorilla warfare combined with with some other things right in a war through attrition the idea is that i'm going to gather as many resources as i possibly can and kind of who has the most arms wins right if they have four nuclear warheads I've got to get 10 right and then when they got 10 I've got to come up with a better nuclear warhead so then I'm kind of the winner right that approach is expensive because it costs to build it up it's expensive because it costs to maintain these things and then it's expensive in the sense that if you actually go toe-to-toe with these people it's pretty deadly when you actually start talking about in real real tangible terms of human life right but that's not actually how the bad guys are attacking us they're taking approach weather weather conscious or unconscious of maneuverability right it's like our bet are good guys are our defensive line wants to create a football team right so we get the very best football players we can find we give them the best food we work out of them with them and the best equipment we do the best training and so they're the biggest and the baddest right and they're going to shut down the offensive line and when they show up to play the game they're there to win right but in this case the offensive lines like poison their food they're sleeping with the girlfriends on the side right when they go to play the game they've already broken in the house stole all their money that's how the bad guys are attacking they've set the stage up so that all the things you think you're doing that are to your advantage end up being to your weakness right they're not going to play your game because your game is designed so you can win right so they play their game and they make you play their game as a means to shut you down right and so if we look at
strategies I think the people that we want to look to is is people who are actually fighting in capacity to do that and in this case we've kind of based a model off of the United States Marine Corps so maneuverability just kind of at a historical reference comes from a gentleman primarily no known as John Boyd I don't know if you're familiar with the ODA loop but he's kind of a guy who is behind that and he's definitely behind maneuverability right maneuverability at score his doctrine says we aim to shatter the cohesion of our opponents so they can't make decisions at a timely manner while we gain strategic advantage and basically obliterate them right we're going to use their stuff against them we're going to stack the deck in our own favor this
strategy is based off of three major components right the first being ambiguity the second being deception and the third ultimately being tempo right ambiguity is this idea that if there's
more than one way to accomplish a task we should try to find a route that makes it very unexciting and there's four different ways that I might possibly get there from a pure resourcing perspective if you're trying to provide Intel about how somebody does something you need four times the resources in order to monitor each one of the possible ones because presumably you don't know where they're going right that's the value of ambiguity but that's not how we build
apps we build our applications like their billboards right we're proud of the fact that we wrote it in Java or we're proud of the CMS that we built it on or we're proud of all the developers who were involved that's why we leave dev comments all over the place right and we make it as if hey you know not only am I going to this destination but here's how I'm going to get there here's who I'm taking along with me and here's all the gear that I'm gonna be packing with it right and so some of the ways we see that our server banners where we tell people what we're running oftentimes you don't need those right it's not of any value to stuff and when you start measuring that against things like the showdown project or when people are doing Google dorks when they find and exploit in a CMS or something that you might be using like those are pretty compelling reasons that you might not want to actually sit around and tell people that stuff right file extensions your browser doesn't care about file extensions if you send them HTML back for the most part your browser's fine so unless you have a use case where you have like different mappings for how the file extension comes back that's mostly a server-side processing issue and in most cases you can completely that and not say hey I've got PHP or hey i'm running asp net or hey i'm running ruby right those are things that are necessary and then finally default files right oh I was working on a CMS a couple of weeks ago and they had some default control examples for developers and it says hey you know this is how you write software using our stuff it's installed by default and it's it's of advantage right but the problem is that these control examples were bound to the top node of the CMS so they could look at every single part of the application with unauthenticated access so from a default control example that was left enabled you could completely bypass the majority of security in the entire CMS off of a default file right so these are most often unnecessary and in fact these are some of the things that when you start looking at things like June's clan or CMS Explorer or any of the tools that are based around fingerprinting they're going to be using these tools as a means to identify how you've built your application what plugins you've got enabled and how they might actually go about attacking them so if knowing is
half the battle you should shut up right that's what this is about is not you just don't be so obvious about everything you're doing and that's
that's kind of the first step right so the next step is deception and this is where we kind of get into the fun stuff deceptions about lying right we're going to convince people that we're doing stuff that we're not in fact planning on doing at all right instead of saying hey I'm going to this destination everybody plans and gets themselves situated to do that don't go to that destination right send them up to do it it's a trap or maybe you set up ways that if you go to that destination you're going to get ambushed as you get there and there's a couple of ways that we might go about
doing that reduce the things that they can know we lie about everything else and we could do that by increasing the noise we can blatantly lie about stuff and if I had a computer to show you I've been able to trigger every single vulnerability that's identified through major security tools like Nick to for instance I can trigger 54,000 or 5400 vulnerabilities inside of it if you scan my site I could tell you every single thing is valid right so how do you figure out which one of those is valid if you're trying to scan my system and try to identify components in it in PHP ID s i added a system of triggers so when when particular rule set is is hit let's say it's a blind sequel injection test and they're trying to get us to sleep
for 30 seconds well when I see an incoming request a PHP ID s Flags it and then I look at it I'm like well how long do they want me to sleep for I pull it out the regular expression and sleep for that period of time this fools every scanner another thing look what happens if they're trying to use directory traversal and they're trying to grab like / EG cps SWD well we'll just print out that file that's fine it's a fake it's not the actual file the same thing goes for windows files like trying to get when win that I and I and the point is is that it's it's easy to fool these tools are trusting the they're not planning on someone lying to them and so they're they're easy to manipulate so I actually have a slide and the one that doesn't crash where this isn't like to pick on Nick to you right this Nick do is just an example of a tool that we use to do this but we've been able to actually trigger false positives on just about every major scanner commercial or uncommital on on the industry today we can lie to them we can subvert their ability to make cognizant decisions because ultimately when it boils down to is they have this the pseudo responsibility of being safe right they don't want to shut you down which means they're not going to exploit stuff that they find and if they don't exploit stuff they're just collecting evidence and saying hey it kind of sort of looks like this so you might as well lie about the evidence and make sure that happens a secondary issue with this kind of a corollary is how these things work
oftentimes they make developer mistakes if you put together like a scanner or tool and return of 404 oftentimes developers use these things as like a null check right I hit a web page if I get a 404 it means there's no content so why bother scanning it right well the problem is that your browser actually doesn't care about what the status code comes back it'll render that content anyways and so one of the ways you could actually evade content being discovered is if you take and return 404s for all your to hundreds it makes most scanners disappear by default and they can't identify stuff inside of its actually really trippy if you're using a popular scanning tool that's everybody uses in the industry or regular work and you try to spider off the index it actually makes the entire webpage disappear because as it's finding stuff it says 40 40 40 40 40 4 and so you can't rely on it for his alts they don't get included when you try to do other more advanced analysis against it because as far as the tool is concerned the content doesn't exist at all right so that's not necessarily going to fool people that's just a design strategy to say hey these tools are running automation against us which in and of itself is pretty bad because if you think of the impervious study that just came out and you are getting scan once every two minutes maybe shutting down the scanners ability to do that would probably be to your advantage so people right this is a people problem
and kind of as Mike was pointing out some of the lies are a lot better than other things when you get into forensics and you're trying to understand what happens inside of an application the only way that you're going to be able to really understand it is to start exploiting it and get information back out and if you can create a scenario where like he was talking about you're getting back the files that you're looking for you're getting back the blind sequel injection that you're expecting everything is working along the testing route that you've already prepared yourself to do why would you believe that's not valid why would you give it up and say hey maybe something's wrong personally I think I'd probably spend a really long time trying to figure out what's what I'm doing wrong as opposed to thinking hey maybe they're lying to me right but then it can take it a step further like why can't i seed my application with trip wiring why can't i create form fields inside of my app that do absolutely nothing other than if you tamper this I know you're tampering with stuff right then you put that inside of a secondary database that's isolated just like you would a honey pot and you can actually let them exploit it you can let them run the full broad spectrum completely isolated away from your production environment but while you're doing this you're building attribution you're building a case against them you know at this point it's probably not a scanner anymore and it's probably somebody exploiting your system and you actually have a case that if you want to build this attribution for prosecution later you've created better information better Intel about what they're doing against you right and that
leads into tempo tempo is about initiative a lot of people think of pace or tempo they think speed and maneuverability does have some concepts based in speed if I can overwhelm you by creating and putting forth a greater effort before you can start actively making real decisions about it I'm pretty likely to win if you've anybody compete in any games like chess go anything's like that box saying you never win if you play their game right you can't win if you play their game you have to take initiative and you have to keep it the entire way
through which means you can't be relying on reaction you have to be relying on awareness and then proper decision making there was a study that came out a couple of years ago where they had junior tennis players and then advanced tennis players and they were measuring Rick reaction speeds to see who is faster you know kind of make some notices between them and they found that that the difference was actually fairly nominal in the context of overall reaction but where the the juniors were failing and where the the expert players were exceeding is that the junior player would wait until the ball was hit before they start making decisions about where to go whereas the senior people were doing things like watching where the shoulder was moving or how their hips were turning and how their arm was coming up and they were getting Intel quicker into that process so they can make better decisions and they weren't relying on reaction they weren't relying on trying to catch up they were changing the pace to their own advantage and using that as a way to decision against people and do it so that's something that we need to do that and if we build
a system like we're talking about where it has IDs systems inside of it that are creating a bunch of false positives it effectively embedded honey Nets you can create a perceived attack surface that's completely different than the actual surface of attack inside of your system right so as people are going down this route you've already gotten visibility into the fact that they're doing bad things against you if you feed this into a sim or ideally a project that lets you create better decisions against it you can then use these things to create a scenario where you can decide how you want to respond right you can kick them out of your system you can shut them down or you can potentially attack them as we get to it right so yeah that's
where I think the App Center project right the OS apps that's the project actually has a lot of value of the stuff that Michael coats is working on is that application has to be embedded in the context of awareness as to what's going on inside of it which is why we chose PHP ID s as our base model for this because it lives inside of the application one thing you can do when you're living inside an application is
you can see how it's reacting so one thing is for to shut down blind sequel injection test we can we can sleep but what about error based detection okay so we could give them fake error messages but what if they trigger a real air like what happens if they trigger a my sequel error in our application or even worse like an eval error like they're trying to evaluate PHP code well when we get to that level we can shut down we know we know that they've broken something critical in the application and we can kill the application right a kill bit and if that kill that exists then do not run and that the point is is that yeah okay this would turn this is now a denial of service attack right but it's a hell of a lot better than the remote code execution you can go back and fix that so you're not we're not playing the game we know that you've gotten too far and we can shut down so
how do we put this all together right that's the real question and we love it when a plan comes together of course so
we talked about like misdirection with the 404 as we've talked about shutting down tools scanners completely invalidating the results and in some cases as we were hitting scanners we can just crash the scanner remotely by accident right at least one or two major scanners that we've hit this with we've actually been able to stop the scanner from working completely inside of that so we can increase awareness as to what was going on but the real question is can we attack people with the scanner through the scanner and I think yes we
can all right what you're looking at is
a very unpatched windows XP vm running academics right now well anyway so I want to be careful here and I don't definitely want this not on the news to read Oh day and a kinetics it's actually this attack is not based on a kinetics this is attack based on the fact that a kinetics is many other web scanners on the market when they're trying to parse information you want to do that well the only real way to do that is to use an embedded browser or to use the browser that's on the system because you need to execute JavaScript you need to execute the HTML in order to get a real clear picture for like Fritz's for instance little things like if they have Ajax requests on the page and content comes back dynamically if all you're doing is an HTTP GET and then parsing the results back out because there's no dynamic execution environment you'll never see any of that content right so commercial-grade scanners or particularly advanced scanners good scanners quite frankly they're going to be using this as a mechanism to gather intel about what's going on so let's pop this so you should attack them exactly in that spot oh that kind of pop
all right okay so actually what I was
doing was scanning metasploit and and
now there's a shelf you notice it popped it in web vulnerability scanner 7 so it pops just fine now really what so what's
happening here like we heard about the Zeus botnet being leaked and or the source code for that so these black cats have these great tools to attack the web browser well what about using these tools to defend ourselves what about having Zeus installed on your production server with a disallowed saying hey disallow don't go to slash Zeus because if you do you're going to get owned well web a web for mobility scanners could ignore that it's going to see it disallow and it's going to go there purposefully and in that case it would be owned interesting side note I've tried a number of vulnerabilities like I tried the NI animated cursor vulnerability in to pop the scanner and that was the first thing I tried it didn't work so one thing to note is that a lot of these scanners it's not executing the graphical part of it so maybe some of the image based attacks like we're seeing the new some of the new SVG based attacks or opengl attacks and on web browsers like these are these are graphics based and if if you're running a browser headless within a scanner it's not going to be executing this complexity and that's not really a part of attack so maybe it has a smaller attack surface than your average web browser but it's still huge like in this attack right here we're using an an activex exploit and come on activex has been a festering wound and internet explorer since date since the beginning so um and it is a valid avenue of attack for against some of these web browsers that rely upon IE yeah so there you go
we took over somebody's
as they were attempting to scan us you
can you switch me back so you definitely don't want to put this in a place that's
going to be like blatantly obvious publicly accessible because that creates obviously legal problems and kind of as we talked about the system before I think I'm for we talked about the system
before there's some legal ramifications to this and I don't necessarily want to under undercut that right there's some case evidence that says this might actually be a valid approach under particular circumstances in particular us versus hecking camp which the network administrator took over the box of a person who is in their mail server saying that this was an emergency I had to respond against this this was the best course of a venezia information to get attribution to identify that this was the gentleman who had broken into the Machine and that evidence was equipped allocable in court in the court court accepted and he went to jail because the he signed a EULA that said I'm not going to do that and within the course of action the network administrator's tasked with protecting his systems in the best way that he possibly can and the best way he could possibly do it in this case was to take it over that doesn't mean you get free rights to sit around and leave you know vulnerable browser stuff inside of it you can hit anybody because accidental attacks probably would be bad too but if you put something like this into a web server that's hosted on you know like your mail server or on a print server or something that people really ought not to be in that's not public that maybe is an internal process now you have a better case where you might be able to come against that but again consult your lawyer right so kind of as a recap you
need to stop acting like security is a
broken egg that you can put band-aids over and and think of it you can't think of it this way this is not a tenable position right you need to start
thinking like I'm gonna kick your ass right like you need to think like this guy because I'm not a rooster but I'm actually a little afraid of him to this isn't somebody you want to mess with this is somebody who looks like if you start playing games with me I'm going to take you down and that's how we should be treating security as we're looking towards it and stop thinking about purely in terms of vulnerabilities and think how can how can we shut you down how can we take that back and how can we regain our our pride right and that means we should fight back
right that's what we need to do so that's does it for us any questions