Hackers of India

Innovative Approaches to Exploit Delivery

By Saumil Shah on 10 Oct 2012 @ Hitb Sec Conf


Abstract

Behind every successful exploit is a good delivery mechanism. This talk combines my research in exploit writing, browser and PDF exploitation, web hacking and old school data representation techniques, bringing you a slew of creative and innovative tricks and techniques to send exploits successfully to the victim’s doorstep. Never before has the fine art of packaging been more important when it comes to exploit delivery. Advances in HTML standards, newer trends with HTTP, new techniques of consuming web resources and multiple ways of data representation make it possible to come up with tricks like “Javascript chameleons”, “shortened exploits”, “exploitation by painting” and other creative techniques. As usual, we shall have interesting demos, rants, sarcasm, heckling and the occasional intelligent debate!

AI Generated Summary (may contain errors)

The speaker discusses the limitations of sandboxing in browsers, noting that while it raises the bar for security, we cannot solely rely on sandboxes as they can be exploited. They mention yesterday’s exploit on Chromium as an example. A successful exploit often requires chaining multiple defects together. The speaker also talks about how memory read bugs have become valuable due to their ability to leak pointers and build ROP chains. Additionally, they discuss the need for application isolation, privileged containers, and syscall-like protection at the browser layer, arguing that we cannot simply add new security measures on top of existing legacy systems, but rather must re-examine the purpose of browsers and web applications. The conversation touches on the complexity of modern browsers, comparing it to that of operating systems, and on how HTML was not designed with security in mind.