miércoles, 8 de abril de 2009

Browser Rider: what you never expected your browser could do to you

Bueno la verdad es que no tengo demasiado tiempo para contruir un buen artículo (15 minutos XD) ya que al igual que The X-C3LL también parto de vacaciones a mi pueblo, así que en nuestra ausencia me temo que le tocara a seth mantener el blog :P

-------------------------------------------------------------------------------------------------

Y otra de OWASP se podría decir. Ayer por la noche después de haber estado jugando un poco con igoogle, estaba mirando las conferencias que ya habían terminado haber si podía agarrar algún paper/video de algún sitio. En eso que vi que la Australia conference ya había finalizado hace tiempo. Y buscando llegué a las presentaciones , vi una que me llamó especialmente la atención.

Browser Rider: what you never expected your browser could do to you

Browser exploitation is in fashion but it doesn't seem that there's a popular tool to build and run attacks. Browser Rider will try to fill the gap by providing a framework to build, deploy and manage payloads that exploit the browser. This project aims on the long term to provide a powerful, simple and flexible interface to any client side attack for hackers.

Proposal

Browser security has become one of the most discussed subjects. This is mainly due to two things: First, nowadays malwares are not spread over emails any longer but through web application often using JavaScript obfuscation to avoid anti-virus detection. Second as the web is growing new technologies are constantly appearing to enhance the user experience but also offering many new attack vectors. In both cases it is important to understand that the browser offers an easy mechanism for bypassing firewalls and other perimeter security to gain unauthorised access or commit other security breach.

From a security consultant point of view it can be hard to justify the risk of vulnerabilities that affect the browser such as cross-site scripting, cross-site request forgery and unauthorized redirection vulnerabilities as they do not impact directly the server or the database.

Browser rider is a security tool to exploit browser vulnerabilities. It offers several existing payloads but also provides a complete programming framework to develop exploits. It also acts as a management system to deploy your attacks and control the infected browsers.

The first part of this presentation will introduce the audience to the tool and demonstrate many attacks that can be ported to the browser using the Browser Rider. The second part will technically explain how the tool works (i.e. obfuscation, signature detection avoidance, polymorphism, program architecture, framework), how to write your own exploits with it and deploy them.

On the long term Browser Rider aims at becoming a complete solution to execute, develop and test browser based attacks for security consultants.



Google un poco y encontré la página oficial de esté proyecto, junto a una presentación ppt.

Browser Rider - A hacking framework for browser explotation

Browser Rider OWASP 2009 Melbourne Chapter

Básicamente es un framework basado en payloads una interfaz simple y manejable para cualquier tipo de cliente que se pueda explotar.

Les recomiendo que prueben la demo online y que consulten la documentación de la wiki.

Engineering For Fun Wiki

Saludos a todos y felices pascuas!



5 0verl0ad Labs: Browser Rider: what you never expected your browser could do to you Bueno la verdad es que no tengo demasiado tiempo para contruir un buen artículo (15 minutos XD) ya que al igual que The X-C3LL también parto...

No hay comentarios:

< >