Reflected File Download - A New Web Attack Vector
By Oren Hafif
"Attackers would LOVE having the ability to upload executable files to domains like Google.com, Facebook.com, and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded! Yes, download without upload! RFD is a new web-based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which, once accessed, download files and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly encoded. Moreover, this attack allows running shell commands on the victim's computer.
How bad is it? By using this attack on Google.com, Bing.com and others, I created the first cross-social-network worm that is downloadable from trusted sites like Google.com, completely disables same-origin-policy, steals all browser cookies, and spreads itself throughout all social networks such as Facebook, Twitter, Google+, and LinkedIn."
Video "Reflected File Download - A New Web Attack Vector" from the Black Hat channel