Presented at DeepSec 2013 „Secrets, Failures, and Visions“
It's not as easy as it used to be.
Although applications without security flaws are still considered a fairy tale, the implementation of application security mechanisms is improving.
Authentication enforcement procedures, privilege enforcement layers, input validation mechanisms, web application firewalls and a wide variety of security controls have become an integral part of many applications.
This is where session puzzling and session race conditions (TSRC) come in.
These under-emphasized attack patterns are designed to allow both new and traditional attack vectors to bypass security mechanisms and attack the application from a trusted resource: the session attributes and database values - *locations that are rarely validated*.
Their detection process, however, was tedious, long, and in many cases, even arbitrary… until now.
The release of the Diviner project enhances the detection process, helping pen-testers to identify these exposures, bypass traditional security mechanisms, and justify the implementation of designated session variable overloading prevention mechanisms.
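To make the "trusted but unvalidated session attribute" point concrete, here is an added toy model (constructed for this page, not code from the talk or the Diviner project): a password-recovery step and a login handler that overload one session key, beside a version with purpose-specific keys and an explicit authentication marker. The user table, key names and function names are assumptions.

```python
"""Session variable overloading: a toy model of the flaw and of its fix.
Sessions are plain per-user dicts, as in most web frameworks."""

Session = dict
USERS = {"alice": "correct horse battery staple"}  # constructed sample data


# --- Vulnerable: one key ("user") serves two unrelated purposes ---------
def vuln_recover_step1(session: Session, username: str) -> bool:
    """Recovery step 1 stores the *claimed* username so later steps can
    fetch the secret question. No credential has been verified yet."""
    if username not in USERS:
        return False
    session["user"] = username          # same key the login handler uses
    return True


def vuln_login(session: Session, username: str, password: str) -> bool:
    if USERS.get(username) == password:
        session["user"] = username
        return True
    return False


def vuln_profile(session: Session) -> str:
    """Authorization trusts whichever flow happened to populate 'user'."""
    if "user" in session:
        return f"profile of {session['user']}"
    return "401 login required"


# --- Hardened: per-flow keys plus an explicit authentication marker -----
def safe_recover_step1(session: Session, username: str) -> bool:
    if username not in USERS:
        return False
    session["recovery_user"] = username  # namespaced to the recovery flow
    session["recovery_step"] = 1
    return True


def safe_login(session: Session, username: str, password: str) -> bool:
    if USERS.get(username) == password:
        session.clear()                   # drop half-finished flow state
        session["auth_user"] = username
        session["authenticated"] = True   # set only after verification
        return True
    return False


def safe_profile(session: Session) -> str:
    """Checks the marker, not the mere presence of a username."""
    if session.get("authenticated") is True and "auth_user" in session:
        return f"profile of {session['auth_user']}"
    return "401 login required"
```

The same separation applies to values persisted to the database mid-flow: key them by flow and step rather than reusing the fields the authenticated path reads.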
Presenters:
- Shay Chen, Hacktics ASC, Ernst & Young
Shay Chen is the CTO of Hacktics, an advanced security center of Ernst & Young.
As a victim of the law of familiarity, a decade of exposure to common vulnerabilities was enough to shift his focus to abnormal hacking methodologies and new attack vectors.
He is also a prominent blogger and researcher, and is responsible for many security publications, including new application-level attacks, testing methodologies and open source projects.
As the co-author of the platforms "Diviner" and "WAVSEP" he was involved in the publication of several large-scale research studies in the field of automated security scanners.
Shay is an experienced speaker, has been instructing a variety of information security courses for the past 8 years, and has made multiple appearances at international conferences, including Blackhat, Hacktivity, AppSecUSA and others.