Headless Browser Hide and Seek

Presented at AppSec USA 2014, Sept. 19, 2014, 3 p.m. (45 minutes)

Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance bottlenecks, and even automate attacks. This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these techniques to perform their own daily security practice. With these base established, we will delve into an extended analysis of techniques that malicious browsers use to impersonate real end-users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you. Introduction to Headless Browsers - What it is and how it works - Legitimate uses and how you can benefit - Malicious Use of PhantomJS - Impersonate a legitimate browser - Fuzzing a web application - Find performance bottlenecks Exploiting the Exploiter - How attackers attempt to hide - How to expose them on your site - Additional evasion and techniques and countermeasures Demonstrations - Example of attacking with phantomJS with subsequent detection - Arbitrary code execution on up-to-date remote PhantomJS - Various ways of abusing remote PhantomJS Counter-attacking and Attribution - How to turn a headless browser against the attacker - Vulnerabilities in PhantomJS - Best practices for using headless browsers safely

Presenters:

  • Bei Zhang - Senior Software Engineer - Shape Security
    Bei Zhang is a Senior Software Engineer at Shape Security, focused on analysis and countermeasures of automatic web attacks. Previously, he worked at the Chrome team at Google with a focus on the Chrome Apps API. His interests include web security, source code analysis, and algorithms.
  • Sergey Shekyan - Principal Engineer - Shape Security
    Sergey Shekyan is a Principal Engineer at Shape Security, where he is focused on the development of the new generation web security product. Prior to Shape Security, he spent 4 years at Qualys developing their on demand web application vulnerability scanning service. Sergey presented research at security conferences around the world, covering various information security topics. Sergey has spoken at BlackHat USA, HITB Amsterdam, PHDays, H2HC, and other security conferences.

Links:

Similar Presentations: