A Loop of Nested Exceptions

Monday, November 17, 2014

It was a pretty incredible coincidence. Only a few days apart, I had to tackle two problems that had to do with nested exception handlers. Specifically, an infinite loop of nested exceptions that led to a stack overflow. And that's a pretty fatal combination. A stack overflow is an extremely nasty error to debug; a nested exception means the exception handler encountered an exception, which can't be pretty; and to add insult to injury, a stack corruption was also involved behind the scenes. Read on to learn some more about the trickiness of diagnosing nested exceptions and what can...

“Attacking Web Applications” at O’Reilly Fluent

Wednesday, March 12, 2014

I've just finished my presentation "Attacking Web Applications" at O'Reilly Fluent, a web developers' conference in San Francisco. I've really enjoyed the conference atmosphere and had some great conversations. If you were at my talk, thanks a lot for coming! (I'd also really appreciate it if you rate the session and provide any feedback in the comments.) Here are the slides: "Attacking Web Applications" from Sasha Goldshtein. The basic premise of this talk is that web developers need to be aware of the way attackers think and operate. It isn't enough to be familiar with common attacks on the theoretical...

Talks from Software Architect 2013: Attacking Web Applications and First Steps in iOS Development

Thursday, October 10, 2013

I'm starting my way back from Software Architect 2013, and already miss the conference's great vibe and attentive delegates. It's been a pleasure meeting and interacting with all of you, and I look forward to returning for next year's conference! On a more practical note, I've promised to share with you the presentations from the event. I had two this year -- Attacking Web Applications and First Steps in iOS Development. In the first talk, I tried to cover the most typical attacks used against web applications today, including CSRF, XSS, improper session management with cookies, SQL and OS command...

Attacking Web Applications

Monday, May 6, 2013

My first breakout session at the SELA Developer Practice covered the most common attacks against web applications and how to defend against these attacks. When planning this talk, I knew 60 minutes is hardly enough to cover all common vulnerabilities -- especially if I wanted to show any demos -- so I decided to focus on the three most prevalent vulnerability types, according to the OWASP Top 10: Injection (command injection and SQL injection); Broken authentication or session management; Cross-site scripting (and CSRF as a bonus). I've demonstrated these common vulnerabilities in a series of demos using...

Return-Oriented Programming

Thursday, December 22, 2011

A few days ago I delivered a session on return-oriented programming, in the context of stack-based buffer overflow exploitation, at the Distributed Systems, Networking and Security seminar (HUJI). Generally speaking, return-oriented programming (at least in limited form, such as return to libc, return to syscall) is not new at all. It is a very effective means of bypassing stack-based buffer overflow mitigations such as NX (non-executable stack) and W^X. The awesome thing about ROP is that code execution vulnerabilities don’t have to involve actual code being placed in memory – a carefully constructed sequence of stack words can...

Tracking Engagement Time Using 302-Moved Temporarily Redirects

Sunday, November 6, 2011

Suppose you are sending mass emails (legitimately, no doubt) and want to know which % of recipients actually viewed the email. The standard trick here is to embed a 1x1 image into your email’s HTML source, with the <img src= pointing to a location on your Web server with part of the URL unique to the user (e.g., <img src="http://example.com/track/12345" /> where your mailing system knows that 12345 is associated with john@example.org). When the user opens your email, most email clients will send your server a request for that image*, and voila—you know that the recipient opened it. It’s...

Baby Steps in Windows Device Driver Development: Part 6, Hiding Processes

Tuesday, August 16, 2011

Last time around, we’ve seen how to do something slightly useful in our driver. This time, we’ll simulate a technique used over ten years ago by Windows kernel rootkits to hide a process from tools such as Task Manager. First, some background: the Windows scheduler doesn’t need process information to run code. The scheduler needs access only to threads—threads ready for execution are stored in a set of ready queues. When a thread enters a wait state, the system tracks its information using _KWAIT_BLOCK structures, which again don’t require access to processes. Still, the system keeps track...

Dropbox, Instapaper, and the Cloud: Entrusting Your Data

Tuesday, July 12, 2011

I don't typically rant about security or "The Cloud", but as an avid Dropbox and Instapaper user I've had some comments building up inside for the past few weeks. Dropbox is a simple private file sharing service which gives you access to your files from a variety of devices (I use it on my Windows laptop, Windows desktop, MacBook Air, iPhone, and iPad). Instapaper is a tool for saving web pages for later viewing – when I don't have time to read a long blog post or interesting article, I click a bookmark in my browser and the...

What Did My Manifest Do: A Referral Was Returned from the Server

Thursday, September 2, 2010

The UAC section of an application’s manifest contains two simple settings under the <requestedExecutionLevel> element of the <requestedPrivileges> node: level – asInvoker, requireAdministrator, or highestAvailable; this setting controls whether the application will require elevation before it runs. uiAccess – true or false; this setting determines whether the application will be exempt from the UIPI rules introduced as part of the Windows Integrity Mechanism. If you really need the uiAccess element (and you should be really convinced that you understand why you need it before proceeding), then your application must be signed, and...

Exploitable Crash Analyzer

Sunday, September 6, 2009

The Microsoft Security Science Team released a debugger extension that performs automated crash dump analysis and assesses the security risk associated with the crash. It’s extremely simple to use—fire up WinDbg, open the crash dump (or debug the application until it crashes), load the debugger extension and execute the !exploitable command to receive an immediate risk assessment. I immediately wanted to try this thing out, so here’s what I did. I wrote a simple console application that reads user input with gets into a 4-character buffer: int main(int argc, char* argv) ...