Heartbleed and the insecurity of information
QA Night Recife
Guilherme Motta, @gfcmotta
HTTP protocol
Request:
GET /index.html HTTP/1.1    (GET: HTTP method; /index.html: URI; HTTP/1.1: version)
Header values (name: value):
Host: www.example.com
HTTP protocol
Response:
HTTP/1.1 200 OK    (HTTP/1.1: protocol and version; 200: status; OK: message)
Header values (name: value):
Date: Mon, 23 May 2005 22:38:34 GMT
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
ETag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Accept-Ranges: bytes
Connection: close
Message body:
<html>
<head>
<title>An Example Page</title>
</head>
<body>
Hello World, this is a very simple HTML document.
</body>
</html>
HTTP protocol
cleartext
easy to read :))))
HTTPS protocol
S for "secure"
<encryption> SSL/TLS
SSL/TLS -> OpenSSL
-> OpenSSL: everyone uses it!
SSL/TLS
Heartbeat
Heartbleed
Heartbleed
In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL,[19][20][21] his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation,[22] and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.[23][24][25]
\\\Look at code examples\\\
Methodologies!!!
OWASP, OSSTMM, ISSAF, IBM*, NIST 800.42...
\\\Look at code examples\\\
http://en.wikipedia.org/wiki/Taint_checking
\\\not so live demo\\\
Hacking DVWA
- XSS (last 2 minutes of the video) http://www.youtube.com/watch?v=-H1qjiwQldw
- SQL Injection http://www.youtube.com/watch?v=7NCpvG7nYb
- Remote command execution http://www.youtube.com/watch?v=6hnCGsS-V0Y
- Cookie hijacking http://www.youtube.com/watch?v=qB9c01R3aQU
- CSRF (Cross-Site Request Forgery) http://www.youtube.com/watch?v=2Y7IywV1YBQ
Links
www.dvwa.co.uk/
www.backtrack-linux.org
http://www.kali.org/
http://portswigger.net/burp/
http://www.wireshark.org/
http://wpepro.net/
http://cheatengine.org/