28c3: Rootkits in your Web application
Loading...
Uploaded by 28c3 on Dec 28, 2011
Download high quality version: http://bit.ly/rY3osO
Description: http://events.ccc.de/congress/2011/Fahrplan/events/4811.en.html
Artur Janc: Rootkits in your Web application
Achieving a permanent stealthy compromise of user accounts with XSS and JS injection attacks.
XSS bugs are the most widely known and commonly occurring Web vulnerability, but their impact has often been limited to cookie theft and/or simple actions, such as setting malicious email filters, stealing some data, or self-propagation via an XSS worm. In this work, I discuss practical approaches for exploiting XSS and other client-side script injection attacks, and introduce novel techniques for maintaining and escalating access within the victim's browser. In particular, I introduce the concept of resident XSS where attacker-supplied code is running in the context of an affected user's main application window and describe its consequences. I also draw analogies between such persistent Web threats and the traditional rootkit model, including similarities in the areas of embedding malicious code, maintaining access, stealthy communication with a C&C server, and the difficulty of detecting and removing attacker-supplied code.
- 14 likes, 1 dislikes
-
- 1:00:25
28c3: Macro dragnets: Why trawl the river when you can do the whole oceanby 28c3938 views
- 1:07:34
28c3: Taking control over the Tor networkby 28c33,893 views
- 26:03
28c3: Reverse Engineering USB Devicesby 28c37,800 views
- 1:04:37
28c3: Can trains be hacked? (german)by 28c315,544 views
- 59:23
28c3: The Science of Insecurityby 28c314,398 views
- 56:57
28c3: Effective Denial of Service attacks against web application platformsby 28c321,887 views
- 53:13
28c3: Building a Distributed Satellite Ground Station Network - A Call To Armsby 28c316,168 views
- 57:59
28c3: Hacking MFPsby 28c32,746 views
- 0:36
Girl with a funny talent. [original video]by theinternetisaweird30,813,475 views
- 1:01:00
28c3: The Atari 2600 Video Computer System: The Ultimate Talkby 28c34,918 views
- 33:50
28c3: TRESOR: Festplatten sicher verschlüsselnby 28c35,126 views
- 1:58:35
28c3: Jahresrückblick 2011by 28c38,755 views
- 54:35
28c3: The coming war on general computationby 28c3154,539 views
- 51:07
28c3: SCADA and PLC Vulnerabilities in Correctional Facilitiesby 28c34,931 views
- 1:02:36
28c3: Bitcoin - An Analysisby 28c33,954 views
- 49:27
28c3: Does Hacktivism Matter?by 28c31,635 views
- 57:19
28c3: 802.11 Packets in Packetsby 28c33,921 views
- 1:33:14
28c3: Security Nightmares (german)by 28c39,465 views
- 1:00:17
28c3: Smart Hacking for Privacyby 28c313,042 views
- 49:26
28c3: r0ket++by 28c33,816 views
demo?
SamDecrock 1 month ago
Nach meiner Meinung klappt das nicht. Da will ich erst einen POC sehen!
Nilos1234 2 months ago