Web Form Hacking and Hijacking - PowerPoint PPT Presentation

1 / 11
About This Presentation
Title:

Web Form Hacking and Hijacking

Description:

Web Form Hacking and Hijacking A presentation by Nathan Kammerzell Overview Why are people doing this? Phishing scams Email injection Protecting Forms Email CAPTCHA ... – PowerPoint PPT presentation

Number of Views:230
Avg rating:3.0/5.0
Slides: 12
Provided by: kamm1
Category:

less

Transcript and Presenter's Notes

Title: Web Form Hacking and Hijacking


1
Web Form Hacking and Hijacking
  • A presentation by
  • Nathan Kammerzell

2
Overview
  • Why are people doing this?
  • Phishing scams
  • Email injection
  • Protecting Forms
  • Email
  • CAPTCHA
  • General

3
Why?
  • Because they can
  • Personal information
  • Business information
  • Spam
  • Spam Cartel
  • MONEY!

4
Phishing Scams
  • Social Engineering tactic
  • Goal Acquire passwords and other sensitive info.
  • Similarly named website, identical content
  • www.paypal.com or www.paypai.com?
  • www.ebay.com_at_members.tripod.com

5
Email Injection
  • Inject information into emails
  • Goal Using innocent sites for evil purposes
    (spam)
  • How they find you Spiders get email address or
    web form URL from the internet.

6
Injection (continued)
  • A little tweaking and the bot is ready to roll
  • The Headers
  • Bcc (list of spam victims)
  • Subject line, body content, etc. easily
    inserted.
  • Intended recipient gets garbage. Email logs
    reveal more information
  • Example of receipt -gt

7
  • Content-Type multipart/mixed
    boundary"1588588624"
    MIME-Version 1.0 Subject 40d7e77 To
    _at_.com From somejerk_at_aol.com
    This is a multi-part message in MIME format.
    --1588588624 Content-Type
    text/plain charset"us-ascii" MIME-Version
    1.0 Content-Transfer-Encoding 7bit yyo
    --1588588624--
    subjectejrkjfkn_at_nowhere.com --/snip--

8
Protecting Forms Email Injection
  • Email Script Parsing
  • Pre-filled information in your header can be
    changed by injection.
  • Important characters to filter , \n, \r

(I dont get it)
9
Protecting Forms CAPTCHA
  • CAPTCHA (Completely Automated Public Turing test
    to tell Computers and Humans Apart
  • Gimpy, EZGimpy, - CMU
  • Dictionary, 1 7 words, distorted
  • BaffleText - PARC
  • Nonsense, color -gt B/W -gt repeat
  • The Downside
  • Bad for the visually impaired
  • audio CAPTCHAs in development

10
Protecting Forms - General
  • robots.txt
  • User-agent
  • Disallow /ltpage.htmlgt
  • Client-side Redirection
  • meta tag
  • Thresholds and Timeouts
  • many, many more defenses!

11
Sources
  • http//palisade.paladion.net misc., internet
    security articles
  • http//anders.com article Form Post Hijacking
  • http//www.webappsec.org/whitepapers.shtml -
    misc. articles on internet security
Write a Comment
User Comments (0)
About PowerShow.com