If you want to learn offensive security skills, particularly binary analysis, I highly recommend https://pwn.college
It's a hands-on class that takes you through interacting with programs, to reverse engineering and memory corruption, all the way to race conditions and kernel exploitation.
Created by @Zardus and run also as a class at ASU.
I posted this on the blog but thought I post here too.
Last year I set up a WorldWideWeb.app (version 0.15) running in the Previous emulator on Ubuntu for a CTF challenge for DEF CON 2018 Quals (they had to exploit a buffer overflow in HTTP.c). There's a lot of other cruft around to set up and automate the challenge and getting input to WWW, but there's Vagrant and ansible scripts to set up and run everything.
There's a lot of work to set up networking in NextStep and getting all the pieces right (I think I even set up an SSH server running on NextStep).
Here, what we need to transition the HTML parser to executing JavaScript is a ' character, and this can be exploited by the following input (in between the double quotes): "' onclick='alert(1)"
The key problem is that `htmlentities` is not valid sanitization in the context of an HTML attribute value. In this example, you need to use `urlencode`
There's a big difference between an app that 'uses a WebView' to render specific pieces of content or clicked links, and an app that is basically a thin wrapper around a WebView. Can you clarify whether your ~85% number is referring to the former or the latter?
We were looking for instances of insecure WebView usage, so from a security perspective small piece vs. entire app doesn't matter too much (and is difficult to measure, especially when looking at 1.1M apps).
However, some of the other numbers from our analysis can be useful to draw a picture of WebView usage.
We statically looked for uses of WebView, and 85% of the 1.1M apps used a WebView.
Of those 998,286 apps:
- 97% enable JavaScript (which is off by default)
- 36% use the JavaScript Bridge Interface (which is a fairly good indicator of heavy WebView usage)
- 94% implement a shouldOverrideUrlLoading method of the WebView (another good indicator that the developer is using the WebView for something non-trivial)
- 27% implement an onReceivedSslError method of the WebView (indication that the developer is using the WebView for something non-trivial). (Sadly, 29% of the apps that implement onReceivedSslError intentionally IGNORE all SSL errors.)
So I guess the takeaway is that 85% is an upper bound, the real number of WebView-only apps is absolutely lower, however it's clear that WebViews are significantly used in mobile apps.
In our study we didn't differentiate (from a security perspective, if you are vulnerable because you use a WebView when showing ads, then you are still vulnerable), so I don't have data for that.
It would be interesting data, although determining WebView for ads statically might be tricky.
Most professor salaries are on 9-month appointments, for the academic year. The three summer months usually come from grants, teaching summer sessions, or consulting.
However, a professor can choose to spend the grant money on student support rather than summer salary (thus forgoing their own salary), which is what I assume the author is referring to.
No. Check out the example in the article, an attacker can make your browser submit a form with a POST request using JavaScript.
It's slightly harder to exploit, as the attacker can't just send you a link to facebook.com, but they can send you a link to example.com which has the form and uses JavaScript to submit the form.
Interesting. Quick question, how would you deal with things that call APIs via, for example, NSSelectorFromString, where the String is built in an obfuscated way?
(I'll go back and read the paper in more detail soon)
I've found that it's not the actual code review that's helpful, but preparing for a code review. It forces you to describe the code clearly, which often makes the code clearer in the process. Plus you try to anticipate the comments your co-workers will give.
Hey guys, this is some research that some guys in my lab have been doing.
Pretty cool stuff, they "took over" the Torpig botnet. Lots of interesting stuff, the paper on the link gives a good overview of some of the things they discovered.
It's a hands-on class that takes you through interacting with programs, to reverse engineering and memory corruption, all the way to race conditions and kernel exploitation.
Created by @Zardus and run also as a class at ASU.