Welcome to DEF CON Safe Mode. From crazy Vegas parties last year to me sitting alone in my room right now and sipping wine; wow, it's been a crazy year. But it's literally like Vegas in my house right now, because cocktails are acceptable at any hour and I have no idea what time of the day it is. Things have changed drastically in this time when everything is getting cancelled; I'm so delighted that at least we still have DEF CON. Welcome to the new normal, and thanks for joining it. Before we start, we would like to add a disclaimer that all content over here is specifically for demonstration purposes, everything is informative, and we have performed all of it on demo environments. Now, before moving ahead, we would like to introduce ourselves, so just a little bit about us. My name is Devan Khan and I work as a security consultant within CCQ. I have multiple areas of interest, the most recent one being IoT and radio hacking. I have also contributed to the development of NICE, that is, a non-intrusive confidence engine for multi-factor authentication mechanisms, and I am also working on an instant messaging and secret storage protocol. It is the first talk that I have ever given, and therefore just a heads up to you guys: the talk would be pretty beginner friendly and we'd go over a lot of basic topics as well. Now passing on to my co-presenter. Thank you, everyone. Hello, everyone. My name is Shruti Lohani. I'm a computer scientist working in IoT research and development at Nexus in France. I have three plus years of experience in IoT development for smart home, autonomous vehicles and Radvogeo location precisely.
I have previously contributed to some international projects like Eterishi, and I'm also part of the team for my contribution to the development of an end-to-end IoT platform, which is a new research institute in Europe. I'm also an independent researcher and very passionate about IoT development, secure smart systems, teaching and women empowerment. Well, now moving on to the agenda for our talk today. We will begin with the idea of the connected world and how it all started; it's like a brief, boring history, including the introduction for our talk. Well, it will be followed by the section discussing its security parameters. You will see how unaware we are, surrounded with billions of devices with sensors. And then we will move to the section of attacks and exfiltration scenarios, where we will be understanding a few basic concepts prior to our main demonstration. We will also cover some tools during this demonstration and later discuss the crucial points, stating how we can protect a smart world from those discussed attacks as an organization, developer or project designer. Lastly, we will go over the demonstration. I will demonstrate a small tool that we have developed which can be very useful in protecting IoT consumers, or making them aware of any attacks they might be unwillingly facing on the connected world. The connected world. Okay. So are you telling me that anyone on the internet can talk to my fridge?
Well, today, in an era of the COVID-19 pandemic, we all are working from home, aiming to stay connected worldwide during the time of social isolation, even including this talk, completely online, where we are missing the real interaction. We just grow and no access in the presenters like us, really nervous. But thanks to the Internet of Things, from wearable devices and portable technologies to health related accessories, IoT is everywhere and has shifted from a futuristic concept to the central focus area of every industry, changing from manufacturing and retail to healthcare and real estate. But the question is how exactly it all started. The Internet of Things emerged as the largest digital megatrend, bridging the physical and virtual worlds with the fourth industrial revolution, or to say Industry 4.0. From the first revolution, triggered by the construction of railways, we are now aiming for increasing the networking of people, machines and objects over the internet. We understand that the Internet of Things is basically a network of things, which are simply things like devices, wearables or everyday items with electronics, with the only target of achieving an activity to enable connection and exchange of data between the things to make life simple. Showcasing its talent, IoT has facilitated things from eating and body copying to turning off the lights when we go to sleep at night. I swear to God that thing has made me so lazy. This is the reason my dependability has been exponentially increasing, just like the go-and-grab. From 1 million down to the expected 50.1 billion in 2020, there is a massive explosion in the usage of IoT devices: from smart homes, smart healthcare, smart city and what not, we want everything to be smarter now, and this means I literally have no idea how to even say this on the right. But moving on to how safe my world is, I'll pass on to you, Devan. All right. So what if I just tell you that the S in IoT actually stands for security?
Yes, that is true. So, talking about how safe my world is: with billions of devices connecting the whole world, we care a lot about functioning, right? We want things to be done in just one click. We want things faster with less or almost no effort. The better the functioning, the sooner we click to buy on Amazon, Alibaba or wherever you guys shop. But we need to understand that there is a need for security on so many levels. So we should first look at and compare the threat models in terms of a classic web application and then in terms of IoT devices. Over here we see a simple web app server connected to a SQL database. Then we have a third-party web service and cloud storage. They all have their own corporate trust boundary and internet trust boundary, and then we talk about the human user. The human user is actually directly interacting with the web application, and then they all are being separated by separate privilege levels and their own trust boundaries. So, as you can see, definitely in no way am I saying that web applications are extremely simple. Trust me, I would never say that. They can definitely, and more certainly are, more complex than the basic diagram which I'm showing here. However, we get more clarity when I try to compare it to a simple IoT application. All right, so in this next diagram, as you can see over here in this IoT threat model, this is a very simple IoT architecture. I have not even gone into more complex ones; we aren't even talking about embedded devices in airplanes and the complex architectures. We're literally talking about a very simple architecture here, specifically focusing only on smart and connected homes.
I would say these are more consumer IoT and less enterprise IoT. So in this case what we are looking at is a connected user. A connected user is basically a user who is interacting with their smart device. Then in this case we have segregated the network into separate sections. So as you can see we have the proximity network. We basically consider a proximity network to have physical sensors, devices and the IoT gateway itself, so that would generally be inside your house. Then devices are connected to the proximity network by, let's say, a smart ring which the user might wear, or any smart device which the user might have in their home. Apart from that, the user also interacts with the mobile app. So a user basically has two avenues over here: one is, in some cases, to directly interact with the embedded sensor of their smart watch or device, and the other one is the mobile app or any web interface. Apart from the proximity network, we also talk about the cloud network. However, for IoT devices, prior to going to the cloud we also have to consider edge servers, as that is what separates them from most of the classic web apps. IoT's preferred microservices architecture, compared to most standard apps: edge servers decrease the overall latency and increase the device efficiency. However, it might add some more attack surface in the overall architecture. Let's just talk about a couple of attack scenarios over here now. So you can see that in the proximity network the devices communicate over BLE, CoAP, LoRaWAN; as these are close range protocols and the devices are in proximity, in the proximity network our main threat actors are generally the pre-installed malicious IoT devices, as they might try to replay or intercept the existing traffic. They might also exfiltrate that traffic out through the IoT gateway. Okay, now moving on to the mobile interface. We might have more
attack surfaces generally, like, let's say, a malicious device, sorry, a malicious application on the user's device, which might try to directly interact with the device file system and processes in order to extract sensitive user-specific data from the IoT device application. Okay. So let me just come back to this. So the main aim in showing this threat model here is that generally, when we consider IoT threat models, we tend to focus on external threat actors, like an attacker compromising third-party cloud services, or a malicious app on the device, or a malicious IoT device in the home ecosystem. So basically, when talking about IoT, these are the attack surfaces we most care about. But what about the attack surfaces that we least care about? What about those benign users who exist on your home network, who also have updated operating systems, who have updated browser versions? They're just casually running JavaScript. All right. So in terms of IoT devices, specifically for connected home devices, a common pattern has been noticed that the device manufacturers tend to give the least priority to device security on the local area network, as the devices are not directly accessible to the external network. Therefore it is generally assumed to be secure without physical access, as in most cases the designers just consider physical access to be the only possible gateway to the private network. That is why these devices have a variety of open ports and unauthenticated HTTP interfaces running on them, which can be directly controlled by anyone who is present on the home network. The best example of this was Google Home's unauthenticated HTTP API, which was literally patched in 2019, and it gave anyone on the local network the ability to perform multiple actions, like rebooting the device or making any sort of modifications which a normal user could have. When talking about this particular attack surface, it is considered that if an attacker has physical access to the device, then the
network based attack is among the lowest concerns, and physical attacker access might open up some other serious concerns. So this one is given less priority. However, what if this was not the only attack tree for the exploitation of these HTTP interfaces? All an attacker needs is a single public gateway to break into the private network. For a long time home private networks have been pretty secure, as not everyone is running servers on their local network. Let's just be honest about that for a minute: apart from developers and other people, not everybody is running or hosting an application on their localhost networks. However, with the advent of IoT technology, IoT has literally given an exponential rise to a variety of web interfaces running on the user's private network. In most cases the user is totally unaware of all the accessible IPs and even open ports on their devices. The question is, what if an attacker was able to proxy into the private network through a public gateway? Now moving ahead to our next section, attacks and exfiltration scenarios.
We would first like you all to do a very simple exercise. I'd like you all to fire up your terminal and make a simple request, that is, perform the following nslookup. Now, if it returns a local IP, then there is a very high chance that you might be vulnerable to something called DNS rebinding attacks. Now let's look at what exactly the attack looks like, but for that we need a quick refresher on how exactly DNS works. Well, we all know that DNS is like a directory of the internet. It translates domain names like google.com to IP addresses so browsers can load internet resources. These IP addresses are given to each device on the internet and they are necessary to find the appropriate internet device. It's like a street address is used for a particular home, to find that particular home in that particular location. So to understand how this translation is done, let us imagine a situation where a user is trying to access a website called shop_example.com, because, you know, she's bored in this quarantine and wants to shop at least. So as a user types shop_example.com into a web browser, the query will traverse the internet asking what the IP address of shop_example.com is, and it will be received by a DNS recursive resolver. Well, the next step is that if the recursive resolver has no answer, then the request will be passed on to the DNS root name server asking the same question: what is the IP address of shop_example.com? The root server will then respond with the address of a TLD. TLD is the top level domain server, like .com or .net, which stores the information for its domain. In this case, it will be .com. Once the address of the TLD is received, the resolver then makes a request to the .com TLD. The TLD server will behave like the root server, "I know this guy who might know this guy," and will respond with the IP address of the domain's name server. The recursive resolver then asks the domain name server, where is shop_example.com, and then finally the name server will return the IP address of shop_example.com to the resolver. And lastly the user's browser will have the requested IP address. Now the browser knows the address of the website, it is able to make the request for shop_example.com, must be present after for instance, where the web server, on receiving the request, will actually respond with the requested webpage. You know, like the 60% off; who doesn't like that? But we saw the complete flow to understand how DNS works. Instead of going through all this way, and to improve the performance and reliability of data requests, this information is temporarily stored in locations like the browser, operating system or recursive resolver. This is all known as caching, and the set amount of time for storing is known as time to live, in short TTL. As I said before, so let's take another situation into consideration. Okay, so just from the previous slide, I'd just like to focus on one thing: time to live. Please make a note; it'll be useful later. So let's take another situation into consideration. Let's say that the user is trying to access some webpage and there are some annoying ads on the webpage. Among those there is one malicious ad waiting for the user's attention. Since this ad has to be loaded from another domain, our browser has to fetch it. But loading random JavaScript from some random domain will give the attacker access to load anything in our browser, and authority to make requests to maybe ourbank.com, or access pages from, let's say, maybe our smartphone devices. But, you know what, there is something called same origin policy, which is actually a policy implemented by the browsers, and which lets the browser restrict this kind of behavior, as they restrict and limit any sort of HTTP request which originates from one domain to access resources that are hosted on or served on another domain. So, to be specific, let's see an example.
Okay, so let's take a quick look at an example of how the same origin policy is able to protect resources from being accessed by malicious JavaScript running on websites across origins. So in this example, we have a secrets file, that is secrets.txt, which is located at testinstance running on port 8053 and is accessible over HTTP. And we will see how the same origin policy can protect this resource from being accessed by malicious JavaScript running on a malicious origin. In this case, we are considering example.com to be that malicious origin. So when we try to perform an XHR request, in the first example it is of a totally different origin because, hey, the host, that is example.com, as well as the port, is totally different from the test instance. Okay, so here you can see that the browser's same origin policy was able to block the malicious website from accessing the resource, as they do not have the same origin, given they have a totally different host as well as port. Okay, now we'll be looking at a different example. So in this particular example these two resources have the same host, that is testinstance.com, but they happen to have totally different port numbers. The secrets was actually on 8053, whereas this resource is on 8056, and we can observe that in this case, when we try to perform an XMLHttpRequest, or basically a cross-site JavaScript fetch, we will be able to see that, as these still happen to have different port numbers, although they have the same host, the resource is still not able to access the secrets.txt, because the browser still considers this to be a totally different origin because of them having totally different ports. Now we will look at a standard example. This page is testinstance.com and it has the same 8053 port as our secrets.
So this happened to match all the criteria that are required for the same origin. Right, then in that case we'll just try to see how exactly the same origin policy would allow this one to access the secret. So in this case, as you can see, this was able to pass the same origin policy due to exactly the same host, the same protocol, as well as the same port number, because of which it was able to access the resource which was hosted, the secret, which was actually located at secrets.txt. So that basically sums up the example of the same origin policy. Oh, the question that arises here is, if SOP is actually preventing this kind of attack, then what is the threat? Well, DNS rebinding. DNS rebinding is a class of exploit in which the attacker initiates repeated DNS queries to a domain under their control. And see the scenario where the user is comfortably surfing over the internet to access a web page containing some advertisements. Among those ads there is one malicious ad, as we once stated before. As the web page is loaded, the browser will request the malicious DNS server, querying the IP address of maliciousads.com. On receiving this request, the attacker-controlled DNS server responds with the real IP, let's say 1.2.3.4, and it also sets the TTL value on their response to be zero minutes or a few seconds, so that the user's machine won't cache it for long. Now,
let's wait for some time. Now the malicious JavaScript makes another request to maliciousads.com, and since the TTL is exceeded, the IP of maliciousads.com isn't found in the browser cache. Therefore the browser will again request the IP from the DNS server. But wait, this time, on the user's subsequent DNS request, instead of the real IP of maliciousads.com, the name server of, you know, maliciousads.com will respond with the IP 10.0.0.1, which happens to be an IP within the user's local space and belongs to an IoT device on the user's network. The user's browser will receive this malicious DNS response and will use this provided IP to make their HTTP requests which were intended for maliciousads.com, because technically there is no change for the browser: based on SOP, the browser just sees the same name and goes, "oh, we have the same name, so we are friends from now," and allows all queries from the same origin irrespective of the IPs. But the HTTP requests are now sent to the small unprotected web server running on the user's network, the same network where all your smart devices are connected, thus making your smart home unsafe, and the browser is behaving as a proxy between your private and public world. DNS rebinding attacks actually bypass network firewall security controls such as ports and make your devices on your local network vulnerable and available to an attack from anywhere outside your protected internet. Yeah, let's do it technically. Now it's time to attack. Okay, so in this example the first thing that we'll be talking about is a router interface that allows anyone on the network to access the router controls once they have authenticated. However, even before the authentication, this allows users in the home network to access the home page to see a list of all the connected devices. So let's see how a user on this private network can become vulnerable to the DNS rebinding attack by just navigating to a website that looks totally benign, in
this case cute videos, because, you know what, who does not like cute animals? So as you can see in the developer options, in the network requests, you can see even before the page was loaded, the malicious JavaScript on the page initiated a port scan of the local network in order to identify the router interface. The router is an easily identifiable target in most of the cases because of the standard IP of their default gateways, and therefore it is easy to scan compared to other devices. So here it has already identified 10.0.4.2, and now automatically the JavaScript on the page has already started sending multiple requests from the page to the external URL, and now this page is basically just waiting for the DNS records to be updated. So this video is already 11 minutes long and that's already enough time for an attacker to perform the DNS rebinding attack. So by the time you're even watching the first 20 seconds of the video, the attacker has already been able to rebind and has sent internal requests to 10.0.0.2. And now we'll move to the attacker's panel.
So over here you can see a websocket connection has been made, based on which the attacker would be able to actually access things on the internal network. So now you can see the remote address has been updated from the attacker's IP address to the internal IP address, and based on that, any request that is being performed to the origin by the JavaScript is actually helping the attacker to communicate with the internal services that are running on your router. So now we'll just try some generic passwords. Oh, in this case we just tried admin/admin and that definitely worked, because a lot of routers, whether we want to accept it or not, are still working on default passwords. So this gives any attacker multiple functionalities, like setting the functionality of the router, modifying passwords, and this also allows them to enable UPnP, which might make them vulnerable to multiple other vulnerabilities. Apart from this, it also allows the attacker to remotely reset or reboot the device.
Also, it gives an attacker full functionality to modify your DNS servers, and thus serve you all the malicious websites that they want to. Also, they can just proxy your entire network and that would help them to take over other devices, as well as multiple other devices on your network. So that would be, in short, pretty bad. And over here, as you can see, all those requests, in this case the password update page that was being fetched by the attacker, all these requests were actually being made to the external attacker's origin; however, the remote address was routed to 10.0.0.2, which was the router's IP. So by the time you're busy watching the cute dog, your entire router and the network has been taken over. All right, so for the second demonstration, we will be looking at a baby monitor. So based on the router's exploitation, the attacker already got to know more information about what other devices exist on the local network. In this case, the attacker was able to identify that there's a baby monitor running on 10.0.0.182. So for our demonstration purpose there is a baby monitor and there is the baby crib, just to show you it's live. There you go. So this baby monitor software had a couple of functionalities, like it can connect to multiple other cameras on the same network, and this feed is accessible to anyone on the local network. So you can select all of the cameras; as you can see there are three cameras here. Apart from that, it has functionalities to send commands to different cameras, like getting images, and it also has the option of a privacy toggle. Then you can see camera 3 is disabled. So it also gives an option to specifically put in an IP and find the camera in case it is disabled. Moving on to the attack, we will be using the tool Singularity.
We'll put in the IP, the port, and then we'll be going for Hook and Control, because we actually want to watch the video, right? And the time interval is set to seven seconds and we start the attack. Let's look at the developer console. So this way we can see that every seven seconds a request is being sent and it is waiting for a DNS update. And there you go, as the DNS update was made, in this case, let's move on to the attacker's window. Here you can see that the attacker, there you go, so the attacker is actually able to get a live feed, right? Also, the attacker can now try to perform queries in order to identify what other IPs might be there on the network. So this would be really helpful for an attacker. So the attacker can also try to exploit things like maybe a command injection, which is definitely the case over here. So we'll just try to perform a curl request from the camera's interface to an external webhook that the attacker controls, in order to see if we'll be able to extract more information by performing cat as well, in order to extract sensitive files, and also to perform curl to the external endpoint of the attacker, which would be very helpful in order to set up a connection so that the attacker can then use the camera more like a bot. So over here you can see that the ping request was successful. Then the information was also extracted. Then here you can see that there was an incoming request to the attacker's webhook from the baby monitor itself; as you can see over here, the request is coming from root. So this basically shows that, okay, the curl command which the attacker executed was successful. So now the attacker can actually exfiltrate a lot of information by exploiting the command execution vulnerability. So that's how, if you like, the attacker can exploit it in this particular case. So for the third demonstration, we'll be looking at a smart home panel. So this is not at all a hypothetical scenario.
This is something which we have seen very commonly. So this device is actually a smart home panel which is kept unauthenticated because it is supposed to be accessible only on a local area network, and it is supposed to be placed inside a tablet, and then it can behave more like a control panel that can access all these functionalities, as you can see over here: the lights, thermostats and everything from a single control panel. So that is why these kinds of devices are pretty common on a local area network and they are generally kept unauthenticated. Talking about a rebinding attack on this particular device, we will again be using the tool called Singularity, and in this case we'll be doing Hook and Control. So over here we can see, once the DNS has been updated to 10.0.0.211, that is the IP of the smart panel in this case, then all the requests from the attacker's domain were actually made to the resolved IP of the smart home panel on the port 8081, and that would basically allow an attacker to establish the websocket connection. So as you can see over here, the DNS rebinding attack is successful. So now you can look at the attacker's panel. So the attacker over here is able to take direct control of the smart home panel remotely, and now the attacker can literally set it to night mode, day mode, and over here the attacker also has the ability to enable or disable your lamps. So now, for this application, we explicitly specified "disable host check" and made it vulnerable just for the demonstration purpose. But if we could just make that minor tweak in the configuration and enable host header validation, so you can see we have enabled it, and now we will be reconfiguring the application.
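What a host header validation of the kind just enabled on the panel looks like in code, as an added Node.js example written for this page (not the smart-panel product's or the talk's code): a local service that only answers when the Host header names the service itself. The address 10.0.0.211 and port 8081 are the ones from the demo; the allowed names in ALLOWED_HOSTS are assumptions.

```javascript
// Added example, not code from the talk or the smart-panel product: a local HTTP
// service that validates the Host header before serving anything.
// Assumptions: the service lives at 10.0.0.211:8081 (the demo's address) and the
// names in ALLOWED_HOSTS are the ones the developer chose to answer to.

const LISTEN_ADDRESS = "10.0.0.211";
const LISTEN_PORT = 8081;
// Every name or IP literal under which this service may legitimately be reached.
const ALLOWED_HOSTS = new Set([LISTEN_ADDRESS, "localhost", "127.0.0.1", "smartpanel.local"]);

// Returns true only when the Host header names this service itself.
// During a rebinding attack the browser still sends "Host: maliciousads.com"
// (the name the script was loaded from) although the TCP connection now lands
// on 10.0.0.211, so this header is exactly the mismatch the demo shows.
function isValidHostHeader(hostHeader, allowedHosts = ALLOWED_HOSTS, port = LISTEN_PORT) {
  if (typeof hostHeader !== "string" || hostHeader.length === 0) return false;
  let parsed;
  try {
    // The WHATWG URL class lowercases names, validates the port and throws on
    // anything that is not a syntactically valid authority.
    parsed = new URL(`http://${hostHeader}/`);
  } catch {
    return false;
  }
  // The header must be a bare authority: no user-info, path, query or fragment.
  if (parsed.username !== "" || parsed.password !== "") return false;
  if (parsed.pathname !== "/" || parsed.search !== "" || parsed.hash !== "") return false;
  // URL leaves port "" when it equals the scheme default (80 for http).
  const headerPort = parsed.port === "" ? 80 : Number(parsed.port);
  if (headerPort !== port) return false;
  return allowedHosts.has(parsed.hostname);
}

// Request handler. Returns the status it sent so the decision can be checked
// without opening a socket.
function handleRequest(req, res) {
  const status = isValidHostHeader(req.headers.host) ? 200 : 400;
  res.writeHead(status, { "Content-Type": "text/plain" });
  res.end(status === 200 ? "smart panel: ok\n" : "Invalid Host header\n");
  return status;
}

// Starts the service on the LAN address. Not called automatically, so the
// module can be loaded and isValidHostHeader() exercised without binding a port.
async function startServer(address = LISTEN_ADDRESS, port = LISTEN_PORT) {
  const http = await import("node:http");
  return http.createServer(handleRequest).listen(port, address);
}
```

Call startServer() to run it on a host that actually owns 10.0.0.211; a rebound request from the attacker's page then receives the 400 "Invalid Host header" response instead of the panel's websocket.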
So now in this case, let's try to again perform the same attack after enabling host header validation. So we are going to perform the exact same attack on the application. Let's see what exactly happens this time. So over here the attack is probably again going to say that it was successful; so you can see it shows that it was successful. Moving on to the attacker's window, let's see how exactly the host header would prevent it. So when it is tried to access, the attacker is presented a screen showing "invalid host header," because there was a clear mismatch between the host headers. So this was actually prevented by the application's built-in host header validation. Okay, so we have already seen how someone can actually exploit this, but now the main question is: okay, this attack is already known, right? So why does it still exist? So let's just talk about what are the main reasons because of which it is still there. So one of the main reasons is IoT devices are available at cheap prices with less or almost no security, because there has been an explosion of very cheap smart devices, and the vendors focus more on adding functionality compared to security measures. They do not undergo thorough pen testing or any security compliance check at all. We see a smart device providing such a smart feature at low cost.
We add it to our cart and purchase it right away. We as customers do not understand that the cheap cost also comes at a price, that is paid by the lack of research, development and security measures. Moreover, the DNS rebinding bugs have a history of being dismissed by developers and product designers, and many times it is left as an unaddressed issue because many of them are not aware of this threat. Apart from this, any specific mitigation or removal might go against the traditional procedure of DNS functioning, or sometimes it might break a lot of legacy applications. Okay, so the next question that we ask is what individuals and organizations can do. So some of the common ways an individual or organization can prevent such kind of things would be: the ISP should actually consider configuring their DNS servers in a way that would block DNS responses which contain local IP addresses. Additionally, the device passwords should be changed and the firmware should be updated. So this is something very specific for individuals: they should not keep their device passwords as default, because, as we already showed in the demo, how a router was exploited was mostly because of default passwords being used. Also, one of the good things that an organization should do would be to make developers more aware of such threat vectors as well. They should perform extensive penetration testing of devices before rolling them out. Also, investing in threat modeling to identify such issues in the initial stages would be a great effort. Additionally, internal network segmentation: so basically, for anyone who is actually trying to have IoT devices on their network, they should have multiple routes in the internal network, categorized for IoT devices. Now we move on to the roles of developers and pen testers.
So talking about developer and pen tester roles. Pen testers: it would be great to actually know about this attack and to perform this kind of attack in almost all their red teaming instances, because this is a type of attack which would actually help them to bypass the firewall restrictions, bypass SOP, and still be able to get into a private network and then pivot to other devices after that. For developers, we would suggest host header validation is one of the most efficient ways of handling an attack like this. Also, the developers should make sure that they provide proper authentication for all the local services. Additionally, instead of creating standard default passwords, all passwords should be uniquely generated; that would actually prevent a lot of vulnerabilities related to the DNS rebinding attacks. So we saw how host header validation could prevent such attacks, and the roles of organizations, individuals and developers in the prevention of the DNS rebinding attack scenarios. So, a word about us: we have created a browser extension called Security, which intends to detect such attacks and keep a user safe while browsing such malicious effects. So let's see what we have with this tool. Security is a simple extension tool that monitors malicious behavior of domains which intend to scan the consumer's local network for internal IPs and port scans. Our extension provides a list of ports and IP addresses scanned by any host, and also notifies the consumer if it detects any rebinding attack or if any website scans your private network. But the question is, does it prevent rebinding attacks?
Yes. Once the attack is detected, the extension will automatically block further requests from the requesting URL, thus preventing the attacker from using the consumer's browser as a proxy for further intervention. Moreover, in this extension we have integrated Shodan, which helps us in identifying information like the IP and hosting for the possible malicious domains, and perform a port scan on the attacker's domain. We have also provided an option of manually blocking all HTTP requests based on user-provided URL patterns. We can simply use the block list feature of this tool, which will prevent such sites from scanning your local network or performing a DNS rebinding attack. However, while working from home and testing this code, we observed that there are some instances where we do not want to flag the domain as potentially malicious, specifically in cases where I'm working on a VPN, and therefore the extension keeps flagging all internal IP requests as a potential attack. So for that we have also created an allow list to bypass monitoring. Let's start talking about how this extension works precisely. So how is the extension identifying internal address scans? The DNS/IP transactions are done through Chrome's webRequest API. The request object on the target IP is fetched and checked for private IP scanning. The extension notifies whenever a scan of private IPs occurs and displays the details fetched from the data object. How is it identifying rebinding attacks?
Similarly, utilizing the request IP, our detect rebinding function takes that IP and the originating domain to process for detecting whether rebinding occurs or not. For which it first validates against a set of prefixes compliant with RFC 1918 and compares against the target hostname. It validates if the hostname resolves to a private IP and if the hostname itself is not a private IP. When found true for all of these conditions, it then flags the rebinding attack and notifies the user with details displayed in the table on click. Let's see how it is blocking the HTTP requests. So in our extension's block functionality, we first check the valid input from the user for the domain name, and then provide this valid pattern or URL to Chrome's webRequest block request function in order to prevent fetching this particular hostname. Host permissions and content script matching are based on a set of URLs defined by match patterns, which permit a variety of schemes like http, https, file or ftp, and also the wildcard characters. But how are we using the Shodan API for host info?
We are using the standard Shodan API to fetch details about the malicious host. The API is used to resolve the hostname to the corresponding IP address, which then is used to perform a Shodan host lookup for fetching open ports and any other information that Shodan has about the malicious host. Okay, so let's see how the allow list is implemented. Similar to the block list, we used match patterns for generating the allow list based on the user input, and then that is compared against the set of standard private IPs to not flag them as potentially malicious, therefore preventing notifications, and the same for blocking. Now coming to the major feature of our extension, that is how SecureIoT is preventing the DNS rebinding attack, in addition to monitoring and all the information features. So once the rebinding is detected from the detect rebinding function, the block rebind function blocks the further requests made by the attacker's request URL on the internal IP address list, thus automatically preventing the attack and exfiltration. Now we can move to the demonstration and see how the tool works. We are still working on this tool and on our feature list, like sending monitoring updates to the user's mobile device and other smart assistant devices on the home network. We also plan to further improve and add support for other browsers like Firefox, and of course some beautification, because we understand that user experience should be given importance. So now moving on, let us see the implementation. So here is the extension. We'll now just try to scan. As you can see, it will display scan results, and you can now see the list of details of the scanner, like IP, port and timestamp. Like we can use the search for specific names like a certain port number or a specific IP. Apart from the scan, we have other features, like this one where we can see the information about the host: what ports are open, location, etc. Okay, let us now see the rebinding detection feature. For that,
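The three checks described above for scan detection, rebinding detection and the allow and block lists, written out as an added example that is not the SecureIoT extension's code: an RFC 1918 prefix test, the decision "a public hostname resolved to a private address" that the speakers describe for the detect rebinding function, and a converter from Chrome-style match patterns to regular expressions for the lists. The functions run in plain Node so the logic can be exercised offline; in a real extension the `url` and `ip` fields would come from the chrome.webRequest details object. The sample events, the 203.0.113.x addresses (documentation range) and the corp.example name are constructed, not captured traffic.

```javascript
// Added example, not code from the SecureIoT extension. Plain functions for
// the checks the talk describes; `url` and `ip` stand in for the fields of a
// chrome.webRequest details object. All sample data below is constructed.

const PRIVATE_RANGES = [
  { base: '10.0.0.0', bits: 8 },     // RFC 1918
  { base: '172.16.0.0', bits: 12 },  // RFC 1918
  { base: '192.168.0.0', bits: 16 }, // RFC 1918
  { base: '127.0.0.0', bits: 8 },    // loopback, treated as internal as well
];

// Dotted-quad string -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when `ip` falls inside one of the internal prefixes above.
function isPrivateIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return PRIVATE_RANGES.some(({ base, bits }) => {
    const mask = (0xFFFFFFFF << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// "*://*.example.com/*" -> RegExp, following Chrome's match pattern rules:
// scheme "*" means http or https, a "*." host prefix also matches subdomains,
// and "*" inside the path matches any run of characters.
function matchPatternToRegex(pattern) {
  if (pattern === '<all_urls>') return /^(?:https?|ftp|file):\/\//;
  const m = /^(\*|https?|ftp|file):\/\/(\*|\*\.[^/*]+|[^/*]+)?(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const scheme = m[1] === '*' ? 'https?' : m[1];
  let host = m[2] || '';
  if (host === '*') host = '[^/]+';
  else if (host.startsWith('*.')) host = `(?:[^/]+\\.)?${escapeRegex(host.slice(2))}`;
  else host = escapeRegex(host);
  const path = escapeRegex(m[3]).replace(/\\\*/g, '.*');
  return new RegExp(`^${scheme}://${host}${path}$`);
}

function matchesAny(url, patterns) {
  return patterns.some((p) => matchPatternToRegex(p).test(url));
}

// The rebinding decision: the request reached a private address, but the
// name the page used is a public hostname rather than a private IP literal.
function detectRebinding(event, allowList = []) {
  const host = new URL(event.url).hostname.toLowerCase();
  if (matchesAny(event.url, allowList)) return { flagged: false, reason: 'allow-listed' };
  if (!isPrivateIPv4(event.ip)) return { flagged: false, reason: 'public target' };
  if (host === 'localhost' || host.startsWith('[') || isPrivateIPv4(host)) {
    return { flagged: false, reason: 'private address used directly' };
  }
  return { flagged: true, host, ip: event.ip, reason: 'public name resolved to private address' };
}

// Run a batch of events through the block list, then rebinding detection.
function scanEvents(events, allowList = [], blockList = []) {
  const blocked = [];
  const flagged = [];
  for (const ev of events) {
    if (matchesAny(ev.url, blockList)) { blocked.push(ev.url); continue; }
    const verdict = detectRebinding(ev, allowList);
    if (verdict.flagged) flagged.push(verdict);
  }
  return { blocked, flagged };
}

// Constructed sample events (not captured traffic).
const SAMPLE_EVENTS = [
  { url: 'http://rebind.it/', ip: '203.0.113.10' },          // first resolution: public
  { url: 'http://rebind.it/', ip: '192.168.1.1' },           // rebound to the router
  { url: 'http://192.168.1.1/', ip: '192.168.1.1' },         // user opened the router directly
  { url: 'https://intranet.corp.example/', ip: '10.0.0.5' }, // VPN host, allow-listed
  { url: 'https://www.blogger.com/', ip: '203.0.113.20' },   // block-listed, as in the demo
];
const SAMPLE_ALLOW = ['*://*.corp.example/*'];
const SAMPLE_BLOCK = ['*://*.blogger.com/*'];
```

scanEvents(SAMPLE_EVENTS, SAMPLE_ALLOW, SAMPLE_BLOCK) reports one blocked URL (blogger.com) and one rebinding verdict (rebind.it resolving to 192.168.1.1); the direct router visit and the allow-listed VPN host are left alone, which is the behaviour the speakers describe for their block and allow lists. The allow list is matched on the full URL before the IP checks, so an allow-listed pattern also suppresses the notification, as the talk states.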
we will now execute a rebinding attack and see if our tool is able to function as proposed. So we will do a simple fetch and get. We need to wait for a little while, and once we are done, we can see that it is displayed in our tool. Okay, so we can see the rebinding attack is successful. Also, our tool has notified us, and it's time to check the details. So here we can see the details: IP, domain, timestamp. Moving on to other features, let us see how our block and allow lists work. So we will go to the block or allow section and add the pattern you want to block from loading. We can test it with, say, rebind.it, and save. Now we will go to the rebind.it page we were using and reload it to see what works. So rebind.it is blocked. We can take another example, let's say blogger.com. We will add this one as well and try to block it, and hit save to see if it is blocked or not. We'll go back and reload the page for Blogger, and it is blocked. We can also test this case for iframes, which is much related to the example of the malicious ad that we have seen before. So you can see that it is blocked by the extension, and this will prevent any such sites from loading any malicious scripts. Now moving on to the allow list feature, where we can specifically tell the extension that it should not flag requests from this domain, and we are doing it for rebind.it. So we will type rebind.it here and save to allow it. Okay, so let's reload the rebind.it page and scan again, and we can see that it does not notify, as it lets the rebind scan through; for that, we can see that we have no details. So now we can scan from some other site to see if the function is normal. So let's check here: it will scan and notify us with a display of details. Let's see if it works exactly. So this is it, and we can see the details here. Okay, now we will be seeing how the extension is preventing attacks. So as you can see, this is a router.
It is hosted here. Now we'll be trying to perform a hook and control in rebind.it and see how it is preventing it. So let's inspect and start the attack. We can see here all the requests while doing the rebind attack. Okay, so we can see there was a successful socket connection, and our extension is able to detect the DNS rebinding. But the next thing the extension does is to block this. Oh, now it blocked the URL. So let's check. For that, let us go to the attacker's panel and we can see what exactly happened. So here the attacker will try to load the panel, and we can check if he is actually able to load it or not. So it's trying to fetch the page, and we can see in the inspector that the extension is blocking all of the requests to the page. So all the requests are getting rejected by the extension. Therefore we can see that even though the attacker is trying to fetch the information, he won't be able to, and it will just keep on loading. So that basically concludes our talk. We'll soon be launching the code for SecureIoT on our GitHub after some modifications and bug fixes. And that's it. So thanks a lot for making it to the end, and stay safe.