DESIGN TEMPLATES TO IMPROVE THE QUALITY AND PRODUCTIVITY
CODE BLUE 2016
Presented by Isao Takaesu
About the speaker:
Web: http://www.mbsd.jp/blog/
Black Hat Asia 2016 Arsenal
AISECjp
MBSD
CODE BLUE 2016
3Black Hat Asia ArsenalSAIVSAI1
Agenda
MBSDCODE BLUE 201624 (IPA)
2IPA244
WebMBSD
Web Server
Web Apps
SQLi?XSS?
WebAI12
SAIVS: Spider Artificial Intelligence Vulnerability Scanner
SAIVSMBSD Web CODE BLUE 2016
Web15
Top
Login
Register
Confirm
Contact Us
My Page
Complete
Send message
WebWeb16
Name, Email
Sign in, Email, Password
MBSDSPAM0.672 HAM0.03SPAM10HAM 30http://wana.jpSPAM40HAM 10SPAM30HAM 40SPAM70HAM 50SPAM80HAM 5SPAMHAMCODE BLUE 2016
SPAM/HAMSPAM/HAMSPAMSPAM34
Sign in, Password
HTMLHFORM36
Page-type keyword groups:
- Email, User ID, Password, Sign in
- Email, Password, Confirm, Sign up
- Word, Text, String, Sort, Search
- Credit, Account, Expire, Purchase
- Password, Old Password, Change
keywords : Sign in, Email, Password
50WebWebHTMLSign inEmailPassword37
errorsdoesnt matchinvalid42
"2 errors prohibited this user from being saved. There were problems with these fields:"
Positive keywords: good, valid, success, normal, fine, clean, nice, can, match, confirmation, ok, finish, thank
Negative keywords: bad, invalid, failure, error, problem, unmatch, doesnt match, cant, too, wrong, ng, blank
keywords : errors, problem, doesnt match, invalid
errorsproblemdoesnt match
Isao [email protected]
Name, Email, Password
MLP (Multilayer Perceptron) and Q-learning
DataLabel012
CODE BLUE 2016MBSD
XXX784X0YYY300Y0ZZZ10
MLP
MLPMLPMLPMLPMLPMLP53
MLP014679425970401967CODE BLUE 2016MBSD
MLPMLP9MLP54
a1 a2 a3 a4
s s ( a | s ) ( s | s, a ) r = R( s, a, s )
Q( s, a )
QQsassassaQQQQQ56
MBSDCODE BLUE 2016
MLP + Q-learning
p1=abc, xyz / p1=123, 12a / p1=abc@xxx
MLPQMLPWebMLPQMLPMLP57
Candidate input values (INPUT TYPE text, password):
- abc, abcdef, aBc, aBcdEf, ABCDEF
- 123, 12345, 4111111111111111
- abc123, 123abc, aBc123, 1a2b3c
- abc!, abc!#$, abcdef!, abcdef!#$
- 123!, 123!#$, 12345!, !#$12345
- abc123!, 123abc!, abc!123, !#$%&a1
- [email protected], [email protected]
MLPhiddencheckboxselectGUItextpasswordMLP59
MLPINDEXMLPINDEX60
MBSDCODE BLUE 2016300
30067
Target: OWASP Broken Web Apps
- BodgeIt
- peruggia
- WackoPicko
- Yazd
SAIVS: 300 Web Apps
Per-field candidate values:
- ID: abc, abcdef, aBc, aBcdEf, ABCDEF
- Password: abc123!, 123abc!, abc!123, !#$%&a1
- FirstName: abc, abcdef, aBc, aBcdEf, ABCDEF
- LastName: abc, abcdef, aBc, aBcdEf, ABCDEF
- Email: [email protected], [email protected]
- Username: abc, abcdef, aBc, aBcdEf, ABCDEF
- Signature: abc, abcdef, aBc, aBcdEf, ABCDEF
FirstNameabcdef171
UsernameName72
Word2Vec
Input : e-mail
word    cos distance
email   0.956302
mail    0.927386
reply   0.920610

formula                   answer
Iraq - Violence           Jordan
Human - Animal            Ethics
Japan - Tokyo + France    Paris
MBSDCODE BLUE 2016)interpretation further. However, if anyone wishes to discuss this, Im certainly willing (either offline - e-mail - or Stephen In article [email protected] (Mathemagician) writes: Just what do gay people do that straightcarries archives of old alt.atheism.moderated articles and assorted other files. For more information, send mail to [email protected] saying help send atheism/index and it will mail back a reply. mathew Ansend mail to [email protected] saying help send atheism/index and it will mail back a reply. mathew An Introduction to Atheism by Mathew. This article attempts to provide a general introductione-mailmailreply
Word2VecWord2Vecsendarticlee-mailmailreply76
The 20 Newsgroups data set: Graphics, MS-Windows, Hardware, Cryptography, Electronics, Space, Motorcycles, Baseball, Hockey
SAIVS: word2vec trained on The 20 Newsgroups data set
- Windows
- Crypt
- Hardware
- Space
Top 10 similar words (word2vec cosine similarity):

Target e-mail        Target name          Target website
email      0.956302  names      0.962508  homepage   0.794415
mail       0.927386  username   0.939661  blog       0.752945
E-mail     0.900249  nickname   0.933694  site       0.708534
address    0.893337  naming     0.898254  webpage    0.701838
reply      0.865438  surname    0.863966  portal     0.701374
contact    0.846801  initials   0.861093  forum      0.692067
message    0.792930  firstname  0.849641  com        0.641086
chat       0.754903  lastname   0.847604  archive    0.537914
newsgroup  0.747636  title      0.782467  org        0.531096
Target e-mail: [email protected] / Target name: aBcdEf / Target website: http://hoge.com
Target: OWASP Broken Web Apps (Cyclone)
Top
Login
Register
Confirm
User Search
CompleteRegister
WebLoginUser Search84
Reflected Cross-Site Scripting (RXSS)
Case 3 - RXSS
http://xxx/case3/?input=testData (reflected into INPUT VALUE)
XSSinputINPUTVALUE94
RXSS: MBSD
Case 3 - RXSS
alert('XSS');">
http://xxx/case3/?input="/>alert(XSS');HTMLCODE BLUE 2016
inputINPUTVALUEINPUTJavaScriptXSSJavaScript95
RXSSMBSD
Case 4 - RXSS
alert('XSS');">
SCRIPThttp://xxx/case4/?input="/>alert(XSS');CODE BLUE 2016
inputSCRIPTJavaScriptXSS96
RXSSMBSD
Case 4 - RXSS
http://xxx/case4/?input=onmouseout=alert(XSS')CODE BLUE 2016
inputSCRIPTJavaScriptSCRIPTJavaScriptXSSHTMLJavaScript97
RXSS3MBSD HTML JavaScript CODE BLUE 2016
XSS98
LSTM (Long Short-Term Memory) for HTML / JavaScript
Sample text generated by a character-level RNN (from Andrej Karpathy's blog):
static int indicate_policy(void)
{
  int error;
  if (fd == MARN_EPT) {
    if (ss->segment < mem_total)
      unblock_set_blocked();
    else
      ret = 1;
    goto bail;
  }
  segaddr = in_SB(in.addr);
  selector = seg / 16;
static void settings(struct *tty)
{
  if (tty == tty)
    disable_single_st_p(dev);
  pci_disable_spool(port);
  return 0;
}
static void command(struct seq_file *m)
{
  int column = 32
: noquote / JavaScript xxx / HTML xxx
MBSD
JS
MLPsCriPtURL encode
Event handlerQ
"< >
CODE BLUE 2016
MLP120
MBSD" '>alert();alert();
CODE BLUE 2016
5121
MBSD'noquoteHTML event handler">xxx">xxxxxxJavaScript ";alert();//[CR][LF]alert();";alert();//
CODE BLUE 2016
SAIVS123
100130
WAVSEP, Reflected XSS GET Input Vector:
- Case06: IMG SRC ; < , > ; < , > ; "onmouseover=alert(3122);"
- Case10: SCRIPT onClick ; " , < , > ; " , < , > ; ';alert(3122);//
- Case27: JavaScript ; [CR][LF]alert(3122);//
SAIVS on WAVSEP (100):
- Case06
- Case08
- Case10
- Case27
MBSDSAIVS 1 2CODE BLUE 2016
SAIVSRXSSSAIVS2136
MBSD
Web Server
Web AppsSAIVS
CODE BLUE 20161
137
HTML/JS(LSTMMBSD
LSTMHTMLJavaScriptHTML140
HTML / JavaScriptMBSD
alert(3122);
LSTM141
RXSSMBSD
alert(3122);
142
RXSS 2MBSD
RXSS
RXSS1RXSSRXSS143
D0i7Q"VW53N'nT7t0alert(3122);kc5i3ueFj8
http://xxx/reflect/full1?in=lasther=''%3E%3C/form%3ED0i7Q%22VW53N'nT7t0%3Cscript%3Ealert(3122);kc5i3%3C/script%3EueFj81Case1CODE BLUE 2016
RXSSSAIVS1151
RXSS Target: webseclab
Case   URL path                 Context
1      /reflect/full1           BODY
2      /reflect/textarea1       TEXTAREA
3      /reflect/onmouseover     INPUT
4      /reflect/js4_dq          SCRIPT
Reflected XSS in textarea (textarea1): Textarea injection test
Input: saivs12345
http://xxx/reflect/textarea1?in=saivs12345 (reflected into TEXTAREA, Case 2)
MBSDReflected XSS in textarea (textarea1)Textarea injection test
7Q7pN"MBPcc'PA6tzalert(3122);WKr8JfowCP
http://xxx/reflect/textarea1?in=%3C/textarea%3E7Q7pN%22MBPcc'PA6tz%3Cscript%3Ealert(3122);WKr8J%3C/script%3EfowCP1Case2CODE BLUE 2016
SAIVSTEXTAREATEXTAREA1RXSS155
Reflected XSS - attribute injection in tags (dq.2): Update Your Preferences
Homepage: alert()" name="in" size="40">
http://xxx/xss/reflect/onmouseover?in=>alert() (reflected into INPUT, Case 3)
INPUTVALUESCRIPTRXSS158
MBSD
Reflected XSS - attribute injection in tags (dq.2)Update Your Preferences
Homepage: