Nytro, posted November 27, 2011 (edited)

BlackHat USA 2010: Bursztein - Bad Memories

Table of contents:

1 Introduction
2 Breaking into a WPA network with a Webpage
2.1 Dealing with Browser Behavior
2.2 Finding the router
2.3 Fingerprinting the router
2.4 Login to the router
2.5 Stealing WIFI information
2.6 Geolocalization
3 Defeating HTTPS via cache injection
3.1 How cache injection works
3.2 Why cache injections are dangerous
3.3 Exploiting Browser UI Inconsistency
4 Attacking Facebook with Frame leak attack
5 Phone TapJacking
5.1 TapJacking Safari on iPhone
5.2 Other mobile browsers
6 Related Work
7 Conclusion

Abstract:

Bad Memories summarizes our latest research results on offensive web technologies. The SecurityLab is a part of the Computer Science Department at Stanford University. Research projects in the group focus on various aspects of network and computer security.

While secure communication protocols have received a lot of attention and have been widely deployed over the last few years, the way their sensitive data is stored remains a weak link in practice. The purpose of this paper is to raise awareness of this fact and demonstrate that attackers can make such secure communication protocols irrelevant by targeting the data storage mechanism.

In this paper, we demonstrate the weakness of current storage mechanisms by showing the following attacks: first, we show how an attacker can remotely locate and break into a Wifi network by crafting a malicious web page that targets its access point. Secondly, we demonstrate how an attacker can inject a malicious library that is capable of compromising subsequent SSL sessions by leveraging the fact that websites trust external JavaScript libraries, such as Google Analytics. We then describe how to easily fool the user into accepting this malicious JavaScript library by exploiting browser UI corner cases.

Next, we introduce frame leak attacks that are capable of extracting private information from the website (and not from the user) by leveraging the recent scrolling technique of Stone. Our frame leak attacks defeat click-jacking defenses that have previously been considered secure. In addition, we illustrate how a frame leak attack works by demonstrating how to use it to extract Facebook profile information, bypassing Facebook's framebusting defenses in the process. Finally, we develop a new attack called tap-jacking that uses features of mobile browsers to implement a strong clickjacking attack on phones. We show that tap-jacking on a phone is more powerful than traditional clickjacking attacks on desktop browsers, which implies that smartphones should not be considered a secure form of data storage.

Download: https://media.blackhat.com/bh-us-10/whitepapers/Bursztein_Gourdin_Rydstedt/BlackHat-USA-2010-Bursztein-Bad-Memories-wp.pdf