Friday, December 9, 2016

Pt5of7 BLACK OPS 2007 DESIGN REVIEWING THE WEB, with Dan Kaminsky.

February 21, 2012 by admin  
Filed under Videos

Recorded at www.ToorCon.org Oct 20, 2007. Content posted by www.MediaArchives.com BLACK OPS 2007 DESIGN REVIEWING THE WEB, with Dan Kaminsky. Design bugs are really difficult to fix – nobody ever takes a dependency on a buffer overflow, after all. Few things have had their design stretched as far as the web; as such, I’ve been starting to take a look at some interesting aspects of the “Web 2.0″ craze. Here’s a few things I’ve been looking at: Slirpie: VPN’ing into Protected Networks With Nothing But A Lured Web Browser. Part of the design of the web is that browsers are able to collect and render resources across security boundaries. This has a number of issues, but they’ve historically been mitigated with what’s known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. But scripts are not acquired from names; they come from addresses. As RSnake of ha.ckers.org and Dan Boneh of Stanford University have pointed out, so-called “DNS Rebinding” attacks can break the link between the names that are trusted, and the addresses that are connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh’s work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page. I will also discuss how the existence of attacks such as Slirpie creates special requirements for anyone intending to design or deploy

Video Rating: 0 / 5

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!

Get Adobe Flash playerPlugin by wpburn.com wordpress themes