Reflected File Download - A New Web Attack Vector

Presented at Black Hat Europe 2014, Oct. 17, 2014, 5 p.m. (60 minutes)

Attackers would LOVE having the ability to upload executable files to domains like Google.com, Facebook.com, and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded! Yes, download without upload! RFD is a new web-based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which, once accessed, download files and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly encoded. Moreover, this attack allows running shell commands on the victim's computer.

How bad is it? By using this attack on Google.com, Bing.com and others, I created the first cross-social-network worm that is downloadable from trusted sites like Google.com, completely disables the same-origin policy, steals all browser cookies, and spreads itself throughout all social networks such as Facebook, Twitter, Google+, and LinkedIn.
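The "download without upload" behaviour described above depends on the browser taking the file name and extension from the URL, and on reflected input reaching the response body unchanged. As an added illustration (not material from the talk or its author), the following Python helper shows the server-side hardening commonly recommended against RFD for reflected JSON/JSONP endpoints; the header names are real, while the endpoint, the `callback` parameter name and the sample inputs are constructed assumptions.

```python
import re
from typing import Optional

# Only plain identifiers are accepted as a callback name, so reflected input
# cannot carry arbitrary characters into the response body.
CALLBACK_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def validate_callback(callback: Optional[str]) -> Optional[str]:
    """Return the callback name if it is a safe identifier, otherwise None."""
    if callback is None:
        return None
    return callback if CALLBACK_RE.fullmatch(callback) else None


def harden_reflected_response(headers: dict, filename: str = "data.json") -> dict:
    """Return a copy of the response headers hardened against RFD.

    - Content-Disposition with a fixed, server-chosen filename: if the browser
      ever saves the response, it uses this name, not one derived from the URL.
    - X-Content-Type-Options: nosniff disables content sniffing of the body.
    - Content-Type pinned to JSON so the body is not interpreted as something else.
    """
    hardened = dict(headers)
    hardened["Content-Type"] = "application/json; charset=utf-8"
    hardened["Content-Disposition"] = f'attachment; filename="{filename}"'
    hardened["X-Content-Type-Options"] = "nosniff"
    return hardened


def build_jsonp_body(payload_json: str, callback: Optional[str]) -> str:
    """Wrap the JSON payload in the callback only when the name validated.

    A rejected callback falls back to plain JSON instead of reflecting input.
    """
    safe = validate_callback(callback)
    return f"{safe}({payload_json});" if safe else payload_json


if __name__ == "__main__":
    # Constructed sample: a hypothetical /api/search endpoint reflecting a callback.
    hdrs = harden_reflected_response({"Cache-Control": "no-store"})
    print(hdrs)
    print(build_jsonp_body('{"q":"test"}', "handleResult"))
    print(build_jsonp_body('{"q":"test"}', "not a valid name!"))
```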


Presenters:

  • Oren Hafif - Trustwave
    Oren is a Security Researcher at Trustwave. He is a member of Trustwave's SpiderLabs, the advanced security team focused on security research, penetration testing, and application security. At Trustwave, Oren works in the SpiderLabs Research Division where he focuses on vulnerability research and innovative solutions for Trustwave's WebDefend Web Application Firewall product. Oren has performed over 400 security audits and penetration tests, dozens of security training sessions, and reported critical security vulnerabilities in products of large software vendors such as Google, Facebook, Microsoft, PayPal, Adobe, Oracle, IBM, SAP, and BEA. Oren has been acknowledged by many of these companies in their research halls of fame as a top contributor. Before joining Trustwave, Oren was the Application Security Leader at Hacktics, the largest Advanced Security Center of Ernst & Young. Oren is also a Certified Information Systems Security Professional (CISSP).
