Paul Sebastian Ziegler

221
“I Honorably Assure You: It is Secure” Hacking in the Far East Paul S. Ziegler / HITB2012KL Wednesday, October 10, 12

Transcript of Paul Sebastian Ziegler

Page 1: Paul Sebastian Ziegler

“I Honorably Assure You: It is Secure”

Hacking in the Far East

Paul S. Ziegler / HITB2012KL

Wednesday, October 10, 12

Page 2: Paul Sebastian Ziegler

Introduction

Wednesday, October 10, 12

Page 3: Paul Sebastian Ziegler

IntroductionIn 60 seconds or less

Wednesday, October 10, 12

Page 4: Paul Sebastian Ziegler

Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 5: Paul Sebastian Ziegler

PentesterWednesday, October 10, 12

Page 6: Paul Sebastian Ziegler

TecFeeds

Paul Sebastian Ziegler

Cross-Site Scripting (XSS) ist die Schwachstelle in Webanwendungen schlechthin. Wie kaum eine andere Technik kombiniert diese Technik einfache Methoden und Ansätze zu letztendlich verheerenden Angrif-fen. Jedoch ist das Wissen um diese Schwachstelle und die damit ver-bundenen Angriffe derzeitig lediglich Sicherheitsexperten vorbehal-ten. Es existieren zwar umfangreiche Berichte und Dokumentationen, aber diese können zumeist nur von Insidern verstanden werden. Der normale Programmierer oder Nutzer, der sich mit Cross-Site Scripting auseinandersetzen muss, bleibt in der Regel außen vor.Dieses TecFeed ist bemüht, das zu ändern. In einfachen Schritten führt Sie der Autor in das komplexe Thema ein. Sie werden lernen, was Cross-Site Scripting ist und wie man mit seiner Hilfe Webanwen-dungen angreifen kann. Nach der Lektüre dieses TecFeeds werden Sie in der Lage sein, Schwachstellen zu erkennen und zu beheben.

INHALT

Einleitung | 2

Aufbau eines XSS-Angriffs

gegen eine ungesicherte

Webanwendung | 2

Effekte, die ein Angreifer

durch XSS hervorrufen kann | 8

Schutzmechanismen,

die zu kurz greifen | 19

Der Aufbau starker Schutz-

mechanismen – Escapen und

listenbasiertes Filtern | 36

Das Gefahrenpotenzial von XSS

heute und in naher Zukunft | 47

Zusammenfassung | 52

Anhang A – Liste verschiedener

Angriffsvektoren | 53

Anhang B – safehtml | 54

Über den Autor | 72

Danksagung | 72

Cross-Site Scripting

www.tecfeeds.de

Wednesday, October 10, 12

Page 7: Paul Sebastian Ziegler

Tokyo

Wednesday, October 10, 12

Page 8: Paul Sebastian Ziegler

AsiaWednesday, October 10, 12

Page 9: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 10: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 11: Paul Sebastian Ziegler

Anything else?Ask!

Feeling stalkerish?http://observed.de

Wednesday, October 10, 12

Page 12: Paul Sebastian Ziegler

Before we begin

Wednesday, October 10, 12

Page 13: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 14: Paul Sebastian Ziegler

Less of this

HateWednesday, October 10, 12

Page 15: Paul Sebastian Ziegler

Well then...

Wednesday, October 10, 12

Page 16: Paul Sebastian Ziegler

Three Wise Monkeys

Wednesday, October 10, 12

Page 17: Paul Sebastian Ziegler

See No Evil

Wednesday, October 10, 12

Page 18: Paul Sebastian Ziegler

See No Evil

Hear No Evil

Wednesday, October 10, 12

Page 19: Paul Sebastian Ziegler

See No Evil

Hear No Evil

Speak No Evil

Wednesday, October 10, 12

Page 20: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 21: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 22: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 23: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 24: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 25: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 26: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 27: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 28: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 29: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 30: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 31: Paul Sebastian Ziegler

“Hacker”

Wednesday, October 10, 12

Page 32: Paul Sebastian Ziegler

“I humbly apologize, but I must ask you to kindly

leave this establishment.”

Wednesday, October 10, 12

Page 33: Paul Sebastian Ziegler

\(^_^)/Wednesday, October 10, 12

Page 34: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 35: Paul Sebastian Ziegler

Exploitation Vector:Invest your time into

intelligence gathering or exploitation - not covert

operation.

Wednesday, October 10, 12

Page 36: Paul Sebastian Ziegler

TheInvisibilityCloak

Wednesday, October 10, 12

Page 37: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 38: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 39: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 40: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 41: Paul Sebastian Ziegler

Invisible Cloak You Say?

• Obliterates badge requirements (even better when talking on a cellphone in English)

• Reduces random police ID checks from once a month to never

• Lets you get away with virtually any social violation

Wednesday, October 10, 12

Page 42: Paul Sebastian Ziegler

Works differently in South Korea

Wednesday, October 10, 12

Page 43: Paul Sebastian Ziegler

Honor Cloak• Gets you service in restaurants as a

foreigner

• Triples native’s willingness to communicate in English / Japanese / Signs

• Strangers will walk you to the location you search for and randomly carry your stuff instead of running away or screaming

• Taxi acquisition time reduced to less than 60 seconds

Wednesday, October 10, 12

Page 44: Paul Sebastian Ziegler

Honor Cloak

• Taxi drivers actually drop you off at your door instead of kicking you out at the nearest intersection

• In short: If you’re a foreign male, putting on a suit in Korea teleports you into a different country

Wednesday, October 10, 12

Page 45: Paul Sebastian Ziegler

Swarm Effect

Wednesday, October 10, 12

Page 46: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 47: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 48: Paul Sebastian Ziegler

Class Effect

Wednesday, October 10, 12

Page 49: Paul Sebastian Ziegler

The three classes of foreigners

Wednesday, October 10, 12

Page 50: Paul Sebastian Ziegler

The three classes of foreigners

Military

Wednesday, October 10, 12

Page 51: Paul Sebastian Ziegler

The three classes of foreigners

Military

English Teachers

Wednesday, October 10, 12

Page 52: Paul Sebastian Ziegler

The three classes of foreigners

Military

English Teachers

Business

Wednesday, October 10, 12

Page 53: Paul Sebastian Ziegler

The three classes of foreigners

Military

English Teachers

Business

Wednesday, October 10, 12

Page 54: Paul Sebastian Ziegler

Also Works in Hong Kong

“Hey, look - it’s another banker!”

Wednesday, October 10, 12

Page 55: Paul Sebastian Ziegler

Exploitation Vector

Wednesday, October 10, 12

Page 56: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 57: Paul Sebastian Ziegler

If all else fails, use the “dumb foreigner” card.

Wednesday, October 10, 12

Page 58: Paul Sebastian Ziegler

Home Insecurity

Wednesday, October 10, 12

Page 59: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 60: Paul Sebastian Ziegler

“Apartment”

Wednesday, October 10, 12

Page 61: Paul Sebastian Ziegler

“Mansion”

Wednesday, October 10, 12

Page 62: Paul Sebastian Ziegler

“Apartment”

• Cheap (rent & construction)

• Wood and Paper

• Not guaranteed to withstand a strong earthquake

• The concept of security just doesn’t apply

Wednesday, October 10, 12

Page 63: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 64: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 65: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 66: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 67: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 68: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 69: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 70: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 71: Paul Sebastian Ziegler

“To prevent crime, you are prohibited by national law to create a copy of your key.”

-- AMMS Estate Rental Agreement (2008)

Wednesday, October 10, 12

Page 72: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 73: Paul Sebastian Ziegler

“Mansion”

• You’ll need to sell a kidney to afford one

• Sturdy construction

• Earthquake resistant

• Central lock

• (Often) Including security services

Wednesday, October 10, 12

Page 74: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 75: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 76: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 77: Paul Sebastian Ziegler

Safe!

Wednesday, October 10, 12

Page 78: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 79: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 80: Paul Sebastian Ziegler

Damn it!

Wednesday, October 10, 12

Page 81: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 82: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 83: Paul Sebastian Ziegler

Reducing Lock Efficiency to basically

zero-

In 4 easy steps

Wednesday, October 10, 12

Page 84: Paul Sebastian Ziegler

Entropy:

20^8Wednesday, October 10, 12

Page 85: Paul Sebastian Ziegler

1. Legally prohibit mail locks with more than 3

digit combinations

Wednesday, October 10, 12

Page 86: Paul Sebastian Ziegler

Entropy:

20^3Wednesday, October 10, 12

Page 87: Paul Sebastian Ziegler

2. Legally force all locks to open in a clockwise-

clockwise-counterclockwise

pattern

Wednesday, October 10, 12

Page 88: Paul Sebastian Ziegler

Entropy:

1000Wednesday, October 10, 12

Page 89: Paul Sebastian Ziegler

3. Legally force the first two digits of the

combination to be the same

Wednesday, October 10, 12

Page 90: Paul Sebastian Ziegler

Entropy:

100Wednesday, October 10, 12

Page 91: Paul Sebastian Ziegler

4. Don’t integrate a separate opening

crank, but simply open once the correct

combination is entered

Wednesday, October 10, 12

Page 92: Paul Sebastian Ziegler

Time per attempt:

1.5 seconds

Wednesday, October 10, 12

Page 93: Paul Sebastian Ziegler

50% unlock chance75 Seconds

100% unlock chance150 Seconds

Wednesday, October 10, 12

Page 94: Paul Sebastian Ziegler

Jumping to Korea...

Wednesday, October 10, 12

Page 95: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 96: Paul Sebastian Ziegler

Entropy:

10^8Wednesday, October 10, 12

Page 97: Paul Sebastian Ziegler

Well, albeit not a law, most locks only take up

to 4 digits...

Wednesday, October 10, 12

Page 98: Paul Sebastian Ziegler

Entropy:

10^4Wednesday, October 10, 12

Page 99: Paul Sebastian Ziegler

And the majority of them are not wired to

any monitoring...

Wednesday, October 10, 12

Page 100: Paul Sebastian Ziegler

Or block you out after numerous attempts...

Wednesday, October 10, 12

Page 101: Paul Sebastian Ziegler

Time per attempt:

0.85 seconds

Wednesday, October 10, 12

Page 102: Paul Sebastian Ziegler

50% unlock chance66 Minutes 38 Seconds

100% unlock chance133 Minutes 16 Seconds

Wednesday, October 10, 12

Page 103: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 104: Paul Sebastian Ziegler

+ =

Wednesday, October 10, 12

Page 105: Paul Sebastian Ziegler

Counter Exploitation:Work from the

assumption that if someone wants to get into your place - they

will.Wednesday, October 10, 12

Page 106: Paul Sebastian Ziegler

Corporate Insecurity

Wednesday, October 10, 12

Page 107: Paul Sebastian Ziegler

“Lifetime Employment”• Get a mediocre wage

• Guaranteed mediocre raises

• You can not be fired or laid off

• If you survive to retirement, the company pays you around 75% of your last wage until you die

• If you die, it pays your spouse until their death

Wednesday, October 10, 12

Page 108: Paul Sebastian Ziegler

“Bonus”

• Officially rewards good work

• Unofficially often dependent on overtime

• Can contribute up to 50% to annual wage

• Easy tool to keep employees in line

Wednesday, October 10, 12

Page 109: Paul Sebastian Ziegler

Don’t fuck up

Wednesday, October 10, 12

Page 110: Paul Sebastian Ziegler

Don’t fuck up

Requires Action

Wednesday, October 10, 12

Page 111: Paul Sebastian Ziegler

Make a judgement call that could potentially

save the company a lot and seems very clear.

Incur a small loss

Wednesday, October 10, 12

Page 112: Paul Sebastian Ziegler

Make a judgement call that could potentially

save the company a lot and seems very clear.

Incur a small loss

You fucked up.Wednesday, October 10, 12

Page 113: Paul Sebastian Ziegler

Pedantically stick to protocol even though it

is wrong for the current case and cost the company millions.

Wednesday, October 10, 12

Page 114: Paul Sebastian Ziegler

Pedantically stick to protocol even though it

is wrong for the current case and cost the company millions.

Promotion secured.Wednesday, October 10, 12

Page 115: Paul Sebastian Ziegler

Also, don’t work too fast and stay until 1am to secure that bonus.

Wednesday, October 10, 12

Page 116: Paul Sebastian Ziegler

Also, don’t work too fast and stay until 1am to secure that bonus.

(Alternatively become a contractor.)

Wednesday, October 10, 12

Page 117: Paul Sebastian Ziegler

Example A

Wednesday, October 10, 12

Page 118: Paul Sebastian Ziegler

1) Run nmap on customer network

Wednesday, October 10, 12

Page 119: Paul Sebastian Ziegler

1) Run nmap on customer network

2) Find Windows NT4 box

Wednesday, October 10, 12

Page 120: Paul Sebastian Ziegler

1) Run nmap on customer network

2) Find Windows NT4 box

3) Find IRC server running on NT4 box

Wednesday, October 10, 12

Page 121: Paul Sebastian Ziegler

1) Run nmap on customer network

2) Find Windows NT4 box

3) Find IRC server running on NT4 box

4) Find it runs on port 31337

Wednesday, October 10, 12

Page 122: Paul Sebastian Ziegler

1) Run nmap on customer network

2) Find Windows NT4 box

3) Find IRC server running on NT4 box

4) Find it runs on port 31337

How do you react?

Wednesday, October 10, 12

Page 123: Paul Sebastian Ziegler

“We’ll check into it.”

Wednesday, October 10, 12

Page 124: Paul Sebastian Ziegler

2 Weeks Pass

Wednesday, October 10, 12

Page 125: Paul Sebastian Ziegler

“We have decided against shutting down or altering the affected

machine...”

Wednesday, October 10, 12

Page 126: Paul Sebastian Ziegler

“Because the guy who set it up no longer

works here...”

Wednesday, October 10, 12

Page 127: Paul Sebastian Ziegler

“And we have no idea what it does...”

Wednesday, October 10, 12

Page 128: Paul Sebastian Ziegler

“But it might be important, so we’ll just

leave it running.”

Wednesday, October 10, 12

Page 129: Paul Sebastian Ziegler

Checklist

I didn’t touch it

It is not obviously horribly broken from a middle management PoV

If we get hacked, someone else “did it”

I still get my raise and keep my job

Wednesday, October 10, 12

Page 130: Paul Sebastian Ziegler

Example B

Wednesday, October 10, 12

Page 131: Paul Sebastian Ziegler

Setting

Wednesday, October 10, 12

Page 132: Paul Sebastian Ziegler

Client operates an SaaS API that integrates into

their dashboard.

Wednesday, October 10, 12

Page 133: Paul Sebastian Ziegler

Japanese company integrates their product

with it.

Wednesday, October 10, 12

Page 134: Paul Sebastian Ziegler

If the API isn’t called for 24 hours, an error

message is displayed.

Wednesday, October 10, 12

Page 135: Paul Sebastian Ziegler

Of 25 possible causes, number 22 names

“there may be issues with your encryption

certificate”.

Wednesday, October 10, 12

Page 136: Paul Sebastian Ziegler

What do you do?

Wednesday, October 10, 12

Page 137: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 138: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 139: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 140: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 141: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 142: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 143: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 144: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 145: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 146: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 147: Paul Sebastian Ziegler

Company Client

Wednesday, October 10, 12

Page 148: Paul Sebastian Ziegler

Company Client

?

Wednesday, October 10, 12

Page 149: Paul Sebastian Ziegler

Solution?

Wednesday, October 10, 12

Page 150: Paul Sebastian Ziegler

2 months in, I suggested the client removed the SSL warning, then call the company and say

they fixed the problem.

Wednesday, October 10, 12

Page 151: Paul Sebastian Ziegler

Product was launched within 24 hours.

Wednesday, October 10, 12

Page 152: Paul Sebastian Ziegler

ChecklistIt says it may be the certificate

I didn’t put my neck out and escalated it

No one put their neck out

The entire operation delayed launch by 2 months and cost hundreds of thousands of dollars

Client took responsibility

I still get my raise and keep my job

Wednesday, October 10, 12

Page 153: Paul Sebastian Ziegler

Exploitation Vectors

Wednesday, October 10, 12

Page 154: Paul Sebastian Ziegler

1) Stuff won’t be fixed.

Wednesday, October 10, 12

Page 155: Paul Sebastian Ziegler

2) Create a responsibility setting and no one disturbs

you.

Wednesday, October 10, 12

Page 156: Paul Sebastian Ziegler

“I am here on behalf of *unreachable high ranking manager*.

Will YOU be responsible when he finds out you disturbed my work?”

Wednesday, October 10, 12

Page 157: Paul Sebastian Ziegler

Wires? Where we’re going we don’t need

wires!

Wednesday, October 10, 12

Page 158: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 159: Paul Sebastian Ziegler

Cellphone hotspots

Wednesday, October 10, 12

Page 160: Paul Sebastian Ziegler

Access filtered by a mix of Mac Address and User-Agent sent to

Gateway

Wednesday, October 10, 12

Page 161: Paul Sebastian Ziegler

Absolutely Secure

Wednesday, October 10, 12

Page 162: Paul Sebastian Ziegler

However Korea takes the Cake here

Wednesday, October 10, 12

Page 163: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 164: Paul Sebastian Ziegler

Exploitation Vector:Yeah, gee, I wonder

what anyone could ever do with anonymous

open internet access.

Wednesday, October 10, 12

Page 165: Paul Sebastian Ziegler

Speaking of Korea

Wednesday, October 10, 12

Page 166: Paul Sebastian Ziegler

Taking all guesses - what’s the browser

market share for IE in Korea.

Wednesday, October 10, 12

Page 167: Paul Sebastian Ziegler

97%Wednesday, October 10, 12

Page 168: Paul Sebastian Ziegler

Ninety-Seven-Percent

Wednesday, October 10, 12

Page 169: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 170: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 171: Paul Sebastian Ziegler

Adaption of SSL

Wednesday, October 10, 12

Page 172: Paul Sebastian Ziegler

SEED• Published in 1998 by the Korean

Information Security Agency

• 128-bit Block Cypher

• Alternative to SSL

• Required for online banking, online shopping, government transactions, etc

• Works as an ActiveX plugin compatible with some IE and Windows versions

Wednesday, October 10, 12

Page 173: Paul Sebastian Ziegler

Effects• Extremely slow adaption to new Windows

versions

• Alternative browsers and OSs are virtually useless

• Also integrated with most cellphones (the iPhone was the first non-Korean cellphone sold)

• Very poor understanding of SSL

Wednesday, October 10, 12

Page 174: Paul Sebastian Ziegler

Many SEED variations allow for user

identification, leading to a low perceived need

for security.

Wednesday, October 10, 12

Page 175: Paul Sebastian Ziegler

Many SEED variations allow for user

identification, leading to a low perceived need

for security.

More on this later...

Wednesday, October 10, 12

Page 176: Paul Sebastian Ziegler

Exploitation Vector

FUDWednesday, October 10, 12

Page 177: Paul Sebastian Ziegler

Oppan SEED Style

Wednesday, October 10, 12

Page 178: Paul Sebastian Ziegler

Too-Near Field Communication

Wednesday, October 10, 12

Page 179: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 180: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 181: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 182: Paul Sebastian Ziegler

Why?

• Used virtually everywhere

• Always carried on body

• Automatically recharged or charged to phone bill (loose and/or high limits)

• Accepted by lots of online stores

• Stores your purchase history and reveals it without authentication

Wednesday, October 10, 12

Page 183: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 184: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 185: Paul Sebastian Ziegler

Location Tracking

Purchase Tracking

Wednesday, October 10, 12

Page 186: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 187: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 188: Paul Sebastian Ziegler

Location Tracking

Purchase Tracking

Buying stuff on other people’s tab

Wednesday, October 10, 12

Page 189: Paul Sebastian Ziegler

Location Tracking

Purchase Tracking

Buying stuff on other people’s tab

Wednesday, October 10, 12

Page 190: Paul Sebastian Ziegler

But Paul, Felica Cards only work across

millimeters.You couldn’t possibly

get that close to a person with a reader

without them noticing!Wednesday, October 10, 12

Page 191: Paul Sebastian Ziegler

You, sir or ma’am, have obviously never seen the Tokyo morning

rush-hour.

Wednesday, October 10, 12

Page 192: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 193: Paul Sebastian Ziegler

Location Tracking

Purchase Tracking

Buying stuff on other people’s tab

Wednesday, October 10, 12

Page 194: Paul Sebastian Ziegler

Top 3 Hit List

Wednesday, October 10, 12

Page 195: Paul Sebastian Ziegler

#3 Airport Security

Wednesday, October 10, 12

Page 196: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 197: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 198: Paul Sebastian Ziegler

#2 Ultra Secure JavaScript

Wednesday, October 10, 12

Page 199: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 200: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 201: Paul Sebastian Ziegler

Wednesday, October 10, 12

Page 202: Paul Sebastian Ziegler

#1 Korean-Japanese Web Development

(The Grand Finale)

Wednesday, October 10, 12

Page 203: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 204: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 205: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 206: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 207: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 208: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 209: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 210: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 211: Paul Sebastian Ziegler

SettingJapaneseCompany

KoreanCompany

Wednesday, October 10, 12

Page 212: Paul Sebastian Ziegler

Critical Flaws

• Users not being logged in if name contains special characters

• Too quick session timeout annoying potential users

• Dislike colors

• Annoying SSL error

• Credit Card numbers stored in plain text

Wednesday, October 10, 12

Page 213: Paul Sebastian Ziegler

Non-Critical Flaws

• SQL Injection on Login Form

• 207 counts of XSS

• Admin console “secured” by JavaScript

Wednesday, October 10, 12

Page 214: Paul Sebastian Ziegler

Non-Critical Flaws

• SQL Injection on Login Form

• 207 counts of XSS

• Admin console “secured” by JavaScript

“We can launch with those. No one would check that.”

Wednesday, October 10, 12

Page 215: Paul Sebastian Ziegler

SSLWednesday, October 10, 12

Page 216: Paul Sebastian Ziegler

SSLWednesday, October 10, 12

Page 217: Paul Sebastian Ziegler

Are we screwed?

Wednesday, October 10, 12

Page 218: Paul Sebastian Ziegler

Yes.\<°_°>/

Wednesday, October 10, 12

Page 219: Paul Sebastian Ziegler

Questions?

Wednesday, October 10, 12

Page 220: Paul Sebastian Ziegler

Attribution• Slide 7 - apple 94

• Slide 8 - paukrus

• Slide 13 - Unknown. If you’re the artist, drop me a line and I’ll buy you a beer.

• Slide 14 - PSY

• Slide 16 - Anderson Mancini

• Slide 37 - Warner Brothers

• Slide 48 - diloz

• Slide 49 - Martijn Booister

• Slide 55 - Disney

• Slide 96 - Milre

• Slide 174 - PSY

• Slide 188 - d0b33

Wednesday, October 10, 12

Page 221: Paul Sebastian Ziegler

Thank you for listening!

Wednesday, October 10, 12