Description: Abstract. WebRTC is one of the newest additions to the ever-growing arsenal of Web browser-based technologies. In a shift away from the Web's classic server-client architecture, WebRTC enables the creation of peer-to-peer channels between browsers that do not traverse the Web server after initialization, allowing direct data transfer as well as audio/video chat. Well-established protocols, such as HTTPS and DTLS/SCTP, outfit WebRTC's network communication (both the browser-to-server and the browser-to-browser connections) with strong security guarantees that render Man-in-the-Middle attacks virtually impossible. But, as is not uncommon in Web scenarios, the weakest link of the chain can be found on the JavaScript layer in the browser.
In this talk, we will show how a single Cross-site Scripting vulnerability, a compromised signaling server, or a malicious CDN can be utilized to fully intercept WebRTC communication and leak video & audio of both participants of the communication to a malicious third party. The attack is fully hidden from the compromised parties and requires no server infrastructure on the attacker's site.
Biography. Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium, he earned his living as a software engineer in German companies (including Infoseek Germany and TC Trustcenter). He holds a diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of over eight years of applied WebAppSec research, has published more than 20 papers on the subject, and is a regular speaker at international security conferences, including Black Hat, the OWASP AppSec series, CCS, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, and the CCC Congress.
For more information, please visit: https://www.xing-events.com/ruhrsec.html