Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks

The Bank Job II - OWASP 2011

Hacking mobile devices

Adi Sharabani

on 18 May 2012

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of The Bank Job II - OWASP 2011

Agenda Know Your Target Same Origin Policy The Heist: Execute the Attack Attack to be written from scratch We will write our own attack The Common Exploit attacker.com User target.domain User's browser Executes the script as if it came from the bank Overcoming Same Origin Policy The script sends the Session ID without the user's consent or knowledge Attacker uses the stolen Session ID impersonating the user Let's Hack Challenges: Retrieving the Session cookie Set-Cookie: <name>=<value> [; expires=<date>]
[; domain=<domain_name>] [; path=<some_path>] [; secure] [; ] Additional Challenges: Second factor authentication Dongles Client side certificates Challange on transactions Connectivity Attacker might not have direct
access to attacked machine Security questions:
“What is your mom’s maiden name?”

Time-based challenge Victim not Authenticated HTTP Only Passwords are not enough User target.domain Request Response User's browser Executes the script as if it came from the bank Overcoming Same Origin Policy The Complex Expoit The Attack Victim's browser is doing all the work Browser Scripting Capabilities Scripts can perform user interactions with the site
Scripts can seamlessly interact with the web site
Can perform any action that is related to the site
Can launch signed and safe ActiveX control Restrictions Scripts can only interact with the domain they came from
Scripts can see send and receive responses only from their domain
Scripts can access other browser’s frames only from same domain
Scripts can issue requests to other domains (but not view the corresponding responses) b.com a.com a.com a.com JS Malicious ? Overcoming Same Origin Policy Site's Vulnerabilities Browser Vulnerabilities MitM Active MitM Client-Side vulnerabilities on a specific site Results with breaking Same Origin Policy on any site Breaks Same Origin Policy for sites user browse to Different Techniques DNS Vulnerabilities Breaks Same Origin Policy for any site Breaks Same Origin Policy for any site 1. Open URL: Malicious App Android Browser http://target.domain Android Browser Script executed
target.domain Android

CVE-2011-2357 Found earlier this year by Roee Hay & Yair Amit blog.watchfire.com Persistant attack on mobile device 2. Sleep 3. Open URL: http://target.domain javascript: alert(1) Demo The Bank Job II Adi Sharabani Rational's Security Strategy and Architecture adish @ il.ibm.com OWASP IL 15/09/2011 About the Presenter Adi Sharabani
Cross-Rational security strategy and architecture
Lead, design and deploy overall security processes within the development groups of Rational
Former head of the AppScan Security Research
Active leader in public communities such as OWASP IL
IBM Master Inventor
Part of the security industry for ~15 years

... also proud to be a high school teacher Thank You adish Malicious app
constantly poisoning
victim's browser Once installed, the malicious app fully compromises Android's browser http://blog.watchfire.com @ il.ibm.com @adisharabani @adisharabani What's left? ... Just wait for our user
to access his bank account Do we really need to wait? Compromizing
email addresses == Game
Full transcript