Description: We present a number of novel, practical, techniques for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting the PHP core randomness generators. Our suite of new techniques and tools go far beyond previously known attacks (e.g. Kamkar and Esser) and can be used to mount attacks against all PRNG of the PHP core system even when it is hardened with the Suhosin extension. Using them we demonstrate how to create practical attacks for a number of very popular PHP applications (including Mediawiki, Gallery, osCommerce and Joomla) that result in the complete take over of arbitrary user accounts. While our techniques are designed for the PHP language, the principles behind ]them are independent of PHP and readily apply to any system that utilizes weak randomness generators or low entropy sources. We will also release tools that assist in the exploitation of randomness vulnerabilities and exploits for some vulnerable applications.
For More Information please visit : - www.blackhat.com/usa/bh-us-12-speakers.html
Tags: securitytube , hacking , hackers , information security , convention , computer security , blackhat-usa-2012 ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.