Random Number Generator in PHP

Video Link: https://www.youtube.com/watch?v=R5jp_KrFiwU



Duration: 59:25


We present a number of novel, practical techniques for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application by predicting the PHP core randomness generators.

Our suite of new techniques and tools goes far beyond previously known attacks (e.g. Kamkar and Esser) and can be used to mount attacks against all PRNGs of the PHP core system, even when it is hardened with the Suhosin extension. Using them, we demonstrate how to create practical attacks for a number of very popular PHP applications (including MediaWiki, Gallery, osCommerce and Joomla) that result in the complete takeover of arbitrary user accounts.

While our techniques are designed for the PHP language, the principles behind them are independent of PHP and readily apply to any system that utilizes weak randomness generators or low entropy sources.

We will also release tools that assist in the exploitation of randomness vulnerabilities and exploits for some vulnerable applications.
Presented By:
Nils
Rafael Dominguez Vega

Black Hat - USA - 2012 Hacking conference