Cache On Delivery presented at HITBSecConf Malaysia 2010

by Marco Slaviero

Tags: Security Web Exploitation Cloud

Summary: Cache on Delivery

Presentation Abstract

Cloud services continue to proliferate and new users continue to flock, in a clear demonstration that cloud computing is more than simply a flash-in-the-pan. Coupled with this rapid evolution of services are protection mechanisms for such services, which often lag behind the state-of-the-art. Last year we highlighted weaknesses in the cloud model and demonstrated a number of vulnerabilities in large cloud providers.

In this talk, we examine a particular technology underlying the scalability of many cloud applications, namely memcached. We discuss memcached mining and alteration which is a natural exploitation path once a vulnerability inside a cloud application is discovered and will demonstrate this with a new tool aimed at discovering, mining and overwriting data residing on memcached servers. Results will be demonstrated in the form of compromise of recognisable sites.

We conclude with a discussion about why this is not simply a developer failing and point to emergent insecurities in the cloud model.

About Marco Slaviero

Marco Slaviero is an associate at SensePost. After a number of years hacking networks and (mostly) web applications, he now heads up SensePost Labs. He detests figs.