[QA Night Recife] Heartbleed SecInf

Post on 16-Aug-2015


Heartbleed and information insecurity

QA Night Recife

Guilherme Motta, @gfcmotta

about @gfcmotta

gfcmotta@gmail.com

WTF

HTTP protocol

GET /index.html HTTP/1.1    Request: GET is the HTTP method, then the URI, 1.1 is the version
Host: www.example.com       Header values (name: value)

HTTP protocol

HTTP/1.1 200 OK    Response: HTTP/1.1 is the protocol and version, 200 the status, OK the message
Date: Mon, 23 May 2005 22:38:34 GMT    Header values (name: value)
Server: Apache/1.3.3.7 (Unix) (Red-Hat/Linux)
Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT
ETag: "3f80f-1b6-3e1cb03b"
Content-Type: text/html; charset=UTF-8
Content-Length: 131
Accept-Ranges: bytes
Connection: close

<html>    Message body
<head>
<title>An Example Page</title>
</head>
<body>
Hello World, this is a very simple HTML document.
</body>
</html>

HTTP protocol

cleartext

easy to read :))))

HTTPS protocol

S for "secure"

<cryptography> SSL/TLS

SSL/TLS -> OpenSSL

-> OpenSSL: everyone uses it!

SSL/TLS

Heartbeat

Heartbleed

In 2011, one of the RFC's authors, Robin Seggelmann, then a Ph.D. student at the University of Duisburg-Essen, implemented the Heartbeat Extension for OpenSSL. Following Seggelmann's request to put the result of his work into OpenSSL,[19][20][21] his change was reviewed by Stephen N. Henson, one of OpenSSL's four core developers. Henson apparently failed to notice a bug in Seggelmann's implementation,[22] and introduced the flawed code into OpenSSL's source code repository on December 31, 2011. The vulnerable code was adopted into widespread use with the release of OpenSSL version 1.0.1 on March 14, 2012. Heartbeat support was enabled by default, causing affected versions to be vulnerable by default.[23][24][25]
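The bug in that Heartbeat implementation was a missing bounds check: the responder trusted the payload length field sent by the peer instead of comparing it with the size of the record actually received. As an added example (not code from the talk or from OpenSSL; the names hb_build_response and demo and the sample message are made up here), this C model of a heartbeat responder applies the check RFC 6520 requires and discards a message whose claimed length does not fit:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3u   /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16u  /* minimum padding per RFC 6520 */

/* Echo a heartbeat request into out. Returns the response length, or -1
 * when the message must be silently discarded. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];  /* sender-controlled */
    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    /* The comparison the flawed code lacked: the claimed payload must fit
     * inside the bytes that were actually received. */
    if (resp_len > rec_len || resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    memcpy(out + 1, rec + 1, 2 + claimed);            /* length field + payload */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING); /* real stacks randomize this */
    return (long)resp_len;
}

/* Constructed sample: payload "ping" followed by 16 zero padding bytes. */
static const uint8_t SAMPLE[23] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };

/* Runs the sample with its length field overwritten by hi/lo. */
long demo(uint8_t hi, uint8_t lo)
{
    uint8_t rec[sizeof SAMPLE], out[64];
    memcpy(rec, SAMPLE, sizeof rec);
    rec[1] = hi;
    rec[2] = lo;
    return hb_build_response(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("honest length: %ld, over-claimed length: %ld\n",
           demo(0x00, 0x04), demo(0x40, 0x00));
    return 0;
}
```

Without the `resp_len > rec_len` comparison, the copy would read past the received record and echo adjacent memory back to the peer, which is why the fix is a single length check before the copy.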


\\\Look at code examples\\\

Methodologies!!!

OWASP, OSSTMM, ISSAF, IBM*, NIST 800.42 ...

http://en.wikipedia.org/wiki/Taint_checking

\\\not so live demo\\\

Hacking DVWA
- XSS (last 2 minutes of the video) http://www.youtube.com/watch?v=-H1qjiwQldw
- SQL Injection http://www.youtube.com/watch?v=7NCpvG7nYb
- remote command execution http://www.youtube.com/watch?v=6hnCGsS-V0Y
- Cookie hijacking http://www.youtube.com/watch?v=qB9c01R3aQU
- CSRF (Cross-Site Request Forgery) http://www.youtube.com/watch?v=2Y7IywV1YBQ

Links
www.dvwa.co.uk/
www.backtrack-linux.org
http://www.kali.org/
http://portswigger.net/burp/
http://www.wireshark.org/
http://wpepro.net/
http://cheatengine.org/