The Black Hat Europe 2010 wrapped up recently and the initial batch of media from the event have been uploaded. Some of the more interesting sessions are listed below, though please note that some do not have media files uploaded yet. We will update you once they come online.
- Universal XSS via IE8s XSS Filters – David Lindsay & Eduardo Vela Nava
Even with Internet Explorer 8’s XSS security features, there are still ways to break through and even abuse it. The presenters even showed how an exploit could potentially endanger almost all major websites with this security hole. PPT
- SAP Backdoors: A ghost at the heart of your business – Mariano Nuñez Di Croce
Most high-profile companies use SAP as their software of choice for Enterprise Resource Planning. With operations spanning several countries for most of these firms, the temptation for a cyber criminal to enter this type of system is very high indeed. This talk concentrates on how this type of financial fraud is performed and some steps to detect, prevent and secure against it. A free tool for such a task is also introduced by the speaker. PPT
- Practical Crypto Attacks Against Web Applications – Thai Duong & Juliano Rizzo
A strong crypto-based attack is distilled to a usable form as presented by these speakers. It allows hackers to access encrypted data from a few major online services and web development frameworks. They further revealed that there are more of these vulnerabilities that will come out as they continue their research. PDF | PPT
- Oracle, Interrupted: Stealing Sessions and Credentials – Steve Ocepek & Wendel G. Henrique
One of the most popular database systems in the world is also one of the most often the subject of hack attacks – Oracle. With a combination of take-over exploits and downgrade attacks, the pair introduces a novel approach to account hijacking in Oracle with the help of a new tool called thicknet. PDF | PPT
- Abusing JBoss – Christian Papathanasiou
JBoss, a J2EE server architecture used for custom middleware, is the target of this session’s exploits. A Metasploit framework is executed that can possibly become a persistent backdoor that can be used to connect directly and control the target machine or machines. PPT
- Hacking Cisco Enterprise WLANs – Enno Rey & Daniel Mende
WLAN solutions for enterprise customers are a rather new technology. The presenters dive into the vulnerabilities of these wireless networks and introduce a tool that can exploit the system to take over the WDS master role, extract WPA pairwise master keys, among others. PDF | PPT
- Attacking JAVA Serialized Communication – Manish Saindane
A plug-in for Burp is used as a PoC for handling JAVA Object Serialization data streams to give pentesters the same control and power a developer has. PDF | PPT | CODE
- Next Generation Clickjacking – Paul Stone
Misdirection in the Internet has been around ever since it began. As software became more sophisticated, so did the software used to waylay Web surfers. The presentation includes basic clickjacking information, a demo of several cross-browser attacks and a new tool that while easy to use is a great case on why clickjacking attacks need to be urgently addressed. PPT
- Virtual Forensics – Christiaan Beek
A talk on the issues when using virtual environments and system forensics – the challenges faced and tools that can be used. PPT
- Fireshark – A tool to Link the Malicious Web – Stephan Chenette
A new tool that can crawl a throng of websites at a time to execute, store and analyze their content. With this, researchers can more easily see the “state of the Web” in terms of what malicious content is out there and also to reconstruct deobfuscated code. PPT
- Defending the Poor – FX
The speaker discusses a “simple but effective approach” to help secure Adobe Flash content and Flash movies.
- 0-knowledge fuzzing – Vincenzo Iozzo
A primer on how to fuzz effectively with no information on the user input or the code using techniques such as code coverage, data tainting and in-memory fuzzing.
Stay tuned for more presentations and media from this conference.