Nytro

Blended Threats And Javascript: A Plan For Permanent Network Compromise


Description: This is a version of the talk I gave at Black Hat USA 2012, updated specifically for the AppSec USA audience. The original BlackHat slides are available at "scribd.com/doc/101185061/Blended-Threats-and-JavaScript", and the source code used in the demonstrations is available at "github.com/superevr/ddwrt-install-tool".

During Black Hat 2006, it was shown how common Web browser attacks could be leveraged to bypass perimeter firewalls and "Hack Intranet Websites from the Outside." In the years since, the fundamental problems were never addressed and the Intranet remains wide open, probably because the attack techniques described had important limitations. These limitations prevented mass scale and persistent compromise of network connected devices, which include but are not limited to home broadband routers. Now in 2012, with the help of new research and next-generation technologies like HTML5, browser-based Intranet attacks have overcome many of the old limitations and improved to a new degree of scary.

This presentation will cover state-of-the-art browser-to-network threats launched with JavaScript, using zero to minimal user interaction and completing every step of the exploit attack cycle. Starting with enumeration and discovery, escalating the attack further upstream and into embedded network devices, and ultimately mass-scale permanent compromise.

*****

Speaker: Phil Purviance, Application Security Consultant, AppSec Consulting, Inc.

Phil Purviance is an Application Security Consultant for AppSec Consulting where he researches application security vulnerabilities and performs penetration testing. Phil's body of work includes the discovery and proof-of-concept exploitations of critical security vulnerabilities, design flaws, and system weaknesses in hundreds of custom web sites and web application frameworks. Phil also consults with clients and recommends helpful countermeasures that are useful to mitigate serious security vulnerabilities. Phil's recent exploit talks include the security of HTML5, and the revealing of cross-site scripting vulnerabilities in Skype for iOS. When asked, "Why do you look for bugs in popular websites," he answers, "Because it's fun!"

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source: Blended Threats and JavaScript: A Plan for Permanent Network Compromise - Phil Perviance on Vimeo

Source: Blended Threats And Javascript: A Plan For Permanent Network Compromise
