Hiding Inside the "Real-Time Web" (to Take-Over the DMZ) presented at OWASP BASC 2012

by Matt Wood

Tags: Security

Summary: Increasingly "real-time" web applications require new hacks on top of HTTP that require server support (e.g. WebSockets, SPDY); this presentation will demonstrate how this new functionality permits attackers to establish bidirectional communication with compromised hosts more effectively and more stealthily, thus bypassing any outbound connection restrictions. We will cover the theory, historical techniques, defensive methodologies and new techniques throughout the presentation.
At the heart of these techniques is the ability to establish arbitrary bidirectional TCP connections given vulnerabilities in web applications, even in the presence of restrictive DMZ firewalls; this is a "well-known" attacker methodology. Attackers have for many years known to abuse the trusted relationship between web servers (or any exposed service!) and perimeter firewalls (inbound ports). Generally, these tricks come at a price and are something that can be detected by a vigilant security team.
We will discuss how attackers can easily bypass outbound firewall rules, the history of these methodologies, and common defensive techniques combating this threat. Furthermore, new techniques will be described that utilize "real-time" protocols; specifically, how these new techniques can create back-channels while simultaneously hiding from those vigilant security teams, increase the throughput and reliability of an attacker's "VPN", and arbitrarily direct traffic from the Internet into a DMZ environment.