Presented at ToorCon San Diego 15 (2013), Oct. 19, 2013, noon (50 minutes).
In this hands-on talk, we will introduce new targeted techniques and research that enable an attacker to reliably retrieve encrypted secrets (session identifiers, CSRF tokens, OAuth tokens, email addresses, ViewState hidden fields, etc.) from an HTTPS channel. We will demonstrate that this new compression oracle is real and practical by executing a PoC against a major enterprise product in under 30 seconds - from any modern browser or even an email client. We will describe the algorithms behind the attack, how the usage of basic statistical analysis can be applied to extract data from dynamic pages, as well as practical mitigations. Finally, to provide the community with the ability to build on our research, determine levels of exposure, and deploy appropriate protection, we will release the BREACH tool.
Presenters:
- Angelo Prado as @PradoAngelo
Angelo Prado is a Lead Product Security Engineer at Salesforce.com. He has worked as a software and security engineer for Microsoft and Motorola. Angelo has been involved with the security community for over 8 years, and he has spoken at Black Hat USA, Georgetown University (Washington, D.C.), Comillas University (Madrid) and GSICKMinds (Coruña, Spain). His passions & research include web application security, Windows security, browsers, malware analysis and Spanish Jamón.
- Yoel Gluck as @GluckYoel
Yoel Gluck is a security researcher with 12 years of experience in the industry. He is currently a Lead Product Security Engineer at Salesforce.com. Yoel graduated from Bar-Ilan University (Israel) with a B.Sc in Computer Science and Math. Using his experience as a software engineer, he attempts to break applications by analyzing developer design patterns. His research areas include web application, network, virtualization, encryption, and email security. When he's not busy analyzing security risks, he enjoys spending time with his two-year-old daughter.