Security
My first breakout session at the SELA Developer Practice covered the most common attacks against web applications and how to defend against these attacks. When planning this talk, I knew 60 minutes were hardly enough to cover all common vulnerabilities -- especially if I wanted to show any demos -- so I decided to focus on the three most prevalent vulnerability types, according to the OWASP Top 10: Injection (command injection and SQL injection); Broken authentication or session management; Cross-site...
A few days ago I delivered a session on return-oriented programming, in the context of stack-based buffer overflow exploitation, at the Distributed Systems, Networking and Security seminar (HUJI). Generally speaking, return-oriented programming (at least in limited form, such as return to libc, return to syscall) is not new at all. It is a very effective means of bypassing stack-based buffer overflow mitigations such as NX (non-executable stack) and W+X. The awesome thing about ROP is that code execution...
Suppose you are sending mass emails (legitimately, no doubt) and want to know what percentage of recipients actually viewed the email. The standard trick here is to embed a 1x1 image into your email’s HTML source, with the <img src="..."> attribute pointing to a location on your Web server with part of the URL unique to the user (e.g., <img src="http://example.com/track/12345" /> where your mailing system knows that 12345 is associated with john@example.org). When the user opens your email, most email...
Last time around, we saw how to do something slightly useful in our driver. This time, we’ll simulate a technique used over ten years ago by Windows kernel rootkits to hide a process from tools such as Task Manager. First, some background: the Windows scheduler doesn’t need process information to run code. The scheduler needs access only to threads—threads ready for execution are stored in a set of ready queues. When a thread enters a wait state, the system tracks its information using _KWAIT_BLOCK...
I don't typically rant about security or "The Cloud", but as an avid Dropbox and Instapaper user I've had some comments building up inside for the past few weeks. Dropbox is a simple private file sharing service which gives you access to your files from a variety of devices (I use it on my Windows laptop, Windows desktop, MacBook Air, iPhone, and iPad). Instapaper is a tool for saving web pages for later viewing – when I don't have time to read a long blog post or interesting...
The UAC section of an application’s manifest contains two simple settings under the <requestedExecutionLevel> element of the <requestedPrivileges> node: level – asInvoker, requireAdministrator, or highestAvailable. This setting controls whether the application will require elevation before it runs. uiAccess – true or false. This setting determines whether the application will be exempt from the UIPI rules introduced as part of the Windows Integrity Mechanism. If you really need the uiAccess...
The Microsoft Security Science Team released a debugger extension that performs automated crash dump analysis and assesses the security risk associated with the crash. It’s extremely simple to use—fire up WinDbg, open the crash dump (or debug the application until it crashes), load the debugger extension and execute the !exploitable command to receive an immediate risk assessment. I immediately wanted to try this thing out, so here’s what I did. I wrote a simple console application that reads user...