HostSplit: Exploitable Antipatterns in Unicode Normalization

Video Link: https://www.youtube.com/watch?v=XiVzw1j3mLQ
Duration: 40:18

Jonathan Birch | Senior Security Software Engineer, Microsoft
Location: Breakers GHI
Date: Thursday, August 8 | 3:50pm-4:40pm
Format: 50-Minute Briefings
Tracks: Web AppSec, Applied Security

This talk demonstrates new exploit techniques that leverage Unicode normalization behavior to bypass URL security filters and, in some cases, allow one domain to impersonate another. Where previous attacks against internationalized domain names relied on visual spoofing, these attacks fool software with URL strings that are parsed as belonging to one hostname but resolved as belonging to a different hostname.

The vulnerabilities that enable these attacks are widespread, because they result from practical compromises in implementing IDNA standards. The author of this talk identified several new CVEs, which will be discussed, including vulnerabilities in Edge/IE, .NET, Python, Java, Office 365, and Gmail. A more general exploit pattern against OAuth is also explained.

Although some platform-level problems have already been corrected, many of the fixes for these vulnerabilities will need to be made at an application level. It is likely that there are still many software packages with Unicode normalization vulnerabilities of this type.

This talk discusses methods to test for these vulnerabilities as well as coding and design best practices for preventing them.
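One way to test a hostname for the parse-versus-resolve mismatch described above, as an added example that is not code from the talk or this page: it flags non-ASCII characters whose NFKC normalization introduces URL syntax characters and returns a single normalized host for all later checks. The function names and sample hostnames are constructed for illustration.

```python
import unicodedata

# Characters with structural meaning in a URL authority. "." is included because
# a filter that splits labels on ASCII dots sees different labels than the
# normalized name.
URL_SYNTAX = frozenset("/?#@:\\.")

def split_findings(host: str) -> list:
    """List (code point, NFKC form) for each non-ASCII character in `host`
    whose compatibility normalization introduces URL syntax characters."""
    findings = []
    for ch in host:
        if ord(ch) < 0x80:
            continue  # ASCII is unchanged by NFKC
        norm = unicodedata.normalize("NFKC", ch)
        if URL_SYNTAX.intersection(norm):
            findings.append((f"U+{ord(ch):04X}", norm))
    return findings

def validate_host(host: str) -> str:
    """Return the normalized, lowercased host that every later check and the
    resolver should both use; refuse hosts whose structure would change."""
    findings = split_findings(host)
    if findings:
        raise ValueError(f"host changes structure under NFKC: {findings}")
    return unicodedata.normalize("NFKC", host).lower()

# Constructed sample hostnames (hypothetical, not taken from the talk).
SAMPLES = [
    "Example.COM",
    "b\u00fccher.example",
    "exa\u2100mple.test",       # U+2100 normalizes to "a/c"
    "login\uff0eexample.test",  # U+FF0E normalizes to "."
]

if __name__ == "__main__":
    for s in SAMPLES:
        try:
            print(f"{s!r}: accepted as {validate_host(s)!r}")
        except ValueError as err:
            print(f"{s!r}: rejected ({err})")
```

Run the check before any allowlist or redirect-URI comparison, and compare only the returned string, so the filter and the resolver never see different forms of the same input.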

Black Hat - USA - 2019 Hacking conference