Presentation Material
Presentation
Video
Abstract
As 2009 comes to a close, we look back on the bugs of our days. The past few months have seen some interesting attacks. This talk takes a look at some of the most effective attack vectors of 2009. These, coupled with classic web hacking, social engineering and a bit of cleverness, increase the attack surface manifold. This year, my work goes beyond just browsers and looks at examples of mass ownage, new infection vectors, advanced client-side exploitation, malicious payloads, browser infection with toolbars and more. Everything is assembled before your very eyes! And as a bonus, I will demonstrate some of my own attempts at defeating Web Application Firewalls and Browser Firewalls.
AI Generated Summary (may contain errors)
Here is a summary of the content:
The speaker is discussing browser security and demonstrating a tool that can capture user data, including keystrokes, URLs, and cookies, without being detected by antivirus software. The tool works by living inside the DOM (Document Object Model) and grabbing browser data from there. The speaker notes that this type of attack cannot be prevented by traditional security measures and that preventing it requires user education.
The speaker also discusses their past project, Teflon, which aimed to secure browsers but was ultimately abandoned due to its inability to keep up with advanced exploitation techniques. They mention that much of today's shellcode relies on heap spraying, which can be detected, but that other techniques, such as return-oriented programming and using plugins or JPEG files to trigger exploits, are more difficult to detect.
The talk concludes with a Q&A session, where the speaker answers questions about their project and the current state of browser security.