The Bank Job II - OWASP 2011
Transcript of The Bank Job II - OWASP 2011
Cookie attributes: [; domain=<domain_name>] [; path=<some_path>] [; secure] [; ]

Passwords are not enough
Additional Challenges:
- Second factor authentication
- Dongles
- Client side certificates
- Challenge on transactions
- Connectivity: the attacker might not have direct access to the attacked machine
- Security questions: "What is your mom's maiden name?"
- Time-based challenge
- Victim not authenticated
- HTTP Only

The Complex Exploit
The Attack:
- The victim's browser is doing all the work
- User -> target.domain: request and response go through the user's browser
- The browser executes the script as if it came from the bank

Browser Scripting Capabilities:
- Scripts can perform user interactions with the site
- Scripts can seamlessly interact with the web site
- Can perform any action that is related to the site
- Can launch signed and safe ActiveX controls

Restrictions:
- Scripts can only interact with the domain they came from
- Scripts can see, send and receive responses only from their domain
- Scripts can access other browser frames only from the same domain
- Scripts can issue requests to other domains (but not view the corresponding responses)
(Diagram: a.com frames, JS from b.com, malicious?)

Overcoming Same Origin Policy
Different Techniques:
- Site's vulnerabilities: client-side vulnerabilities on a specific site
- Browser vulnerabilities: results in breaking the Same Origin Policy on any site
- MitM: breaks the Same Origin Policy for sites the user browses to
- Active MitM: breaks the Same Origin Policy for any site
- DNS vulnerabilities: breaks the Same Origin Policy for any site

1. Open URL: Malicious App -> Android Browser (http://target.domain) -> Script executed
- Cross-Rational security strategy and architecture
- Lead, design and deploy overall security processes within the development groups of Rational
- Former head of the AppScan Security Research
- Active leader in public communities such as OWASP IL
- IBM Master Inventor
- Part of the security industry for ~15 years
- ... also proud to be a high school teacher

Malicious app -> victim's browser: once installed, the malicious app fully compromises Android's browser.
What's left? ... Just wait for our user to access his bank account.
Do we really need to wait? Compromising email addresses == Game

Thank You
http://blog.watchfire.com
adish @ il.ibm.com
@adisharabani