Apologies that this post is fairly nonsensical. I've put my raw NZ TechEd 2011 notes up here for my reference. I'd like to think that I'll refine them over time, but that probably won't be the case.
TechEd Online
1st Phase is discovery
Cross Site Scripting (XSS)
JavaScript rendered back to another client. E.g. embedding the <script> tag in a comment box.
Weaponized XSS attack - allows for interaction with the client's browser by the third party.
Reflected XSS
XSS Forgery
Using Twitter feeds for XSS attacks.
Paros - local proxy
Burp proxy
Very important to check that the credit card authorized amount was the expected amount.
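The amount check noted above, as an added example that is not from the original notes: the server recomputes the order total from its own price list and compares it with what the payment gateway reports as authorized. The catalogue, the `status`/`currency`/`amount` field names and both function names are hypothetical, not any real gateway's API.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side price list; the browser never supplies prices.
CATALOGUE = {"sku-100": Decimal("49.95"), "sku-200": Decimal("12.50")}


def expected_total(cart):
    """Recompute the order total from the server's own prices."""
    total = Decimal("0.00")
    for item in cart:
        qty = int(item["qty"])
        if qty <= 0:
            raise ValueError("quantity must be positive")
        total += CATALOGUE[item["sku"]] * qty
    return total


def check_authorization(cart, currency, auth):
    """Compare a gateway authorization (hypothetical dict) with the order.

    Returns (ok, reason). Only ship or capture when ok is True.
    """
    expected = expected_total(cart)
    if auth.get("status") != "authorized":
        return False, "not authorized"
    if auth.get("currency") != currency:
        return False, "currency mismatch"
    try:
        authorized = Decimal(str(auth.get("amount")))
    except InvalidOperation:
        return False, "unparseable amount"
    if authorized != expected:
        return False, f"amount mismatch: authorized {authorized}, expected {expected}"
    return True, "ok"


if __name__ == "__main__":
    cart = [{"sku": "sku-100", "qty": 1}, {"sku": "sku-200", "qty": 1}]  # constructed
    samples = [
        {"status": "authorized", "currency": "NZD", "amount": "62.45"},
        {"status": "authorized", "currency": "NZD", "amount": "0.01"},
        {"status": "authorized", "currency": "USD", "amount": "62.45"},
    ]
    for auth in samples:
        print(auth["amount"], auth["currency"], check_authorization(cart, "NZD", auth))
```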
SQL injection attack
SQLMAP - Python script
exec xp_cmdshell'dir c:\'--
www.owasp.org 20 September 2011
www.kiwicon.org 5 & 6 November 2011
www.ruxcon.org.au 19 & 20 November 2011