Monday, 20 October 2008
It was awesome! My first conference and the first time I’ve ever spoken about security stuff. I was really nervous but after the first one I calmed down a bit. We presented a total of three times: two 30-minute slots and a final 50 minutes. It was a lot easier because there were three of us and we all shared the talk equally, and it was pretty amazing that it worked because we only met in person when we got there.
The best part of the conference was meeting people with similar interests and talking about security stuff. I really enjoyed talking to Eduardo (Sirdarckcat), David Lindsay (Thornmaker), David Ross, Alex (Kuza55), Eric (Watch out for those banana men dude) and many more people.
Personally I think the best talk of the conference was about buffer overflow defenses in Windows (Mitigations Unplugged). I’m currently learning about these techniques and Matt did a great job of explaining every mitigation that Windows has. I can’t wait until I’m good enough to exploit these techniques.
My part of the talk went well but I’ve just got to learn to slow down a bit and provide more explanation. Also, turning the mic off when leaving the room would be a good idea.
I went through my XSS vectors and I wanted to demo the creation of the final complex CSS expression vector, but my Hackvertor tool wouldn’t fit on the damn screen and I didn’t want to change the resolution mid-presentation. I might release a new video to the Bluehat site if I can get permission and if I actually record it. I then demoed my UTF-7 style sheet, which is interesting; the @charset at-rule is not used much and I’m not sure if everyone knew it could be used to encode expressions.
Finally I went through some CSS overlay (Click jacking) attacks and mitigation techniques. A browser level solution is needed here as all we’ve got currently is frame busters/breakers. If it was up to me I’d lock iframe/frame/object/applet styles and make them always visible but I can hear you designers shouting in the background.
Eduardo then described the best part of our talk IMO, the CSS attribute reader he came up with. It’s just plain awesome. When he described the technique to me via IM I thought it was cool but I couldn’t think of a viable attack situation; however, when meeting up he made it much clearer and we came up with a few good ideas on how it can be used in an attack.
David Lindsay then went through some more CSS hacking techniques, LAN scanning and history crawling. We then went on to demo our games and POCs, which was fun.
On the last day I was invited to be on the WAF panel debate because someone dropped out. It was a great opportunity to express the real problem behind the countless web sites with XSS and SQL injection holes. Nate and Mike really had some good views on the subject and I totally agreed with their opinion. We came to the conclusion that although a WAF can never be a perfect solution it does add some benefit; however, fix your code first and throw out the crappy books with examples like echo $_REQUEST['something'] in.
Before I forget, my damn CSS paint application didn’t work. Damn, I should have simplified it for the presentation. Anyway here’s the fun demo:-
Other demos from our presentation are available here:-
Last but not least the slides:-