Join us at AppSec California 2014!

AppSec California is the first of what we hope will be many annual conferences hosted jointly by all of the California chapters. Join us on the beaches of Santa Monica, closest to our Los Angeles chapter. Space is limited to around 200 attendees, so be sure to get your ticket before we sell out!

Come a little early or stay the rest of the week; however you enjoy it, the weather is likely to be warmer than where you are. Enjoy the Santa Monica pier and downtown area, or explore the surrounding cities. You probably have a client or ten nearby, so say hello to them as well.

Stay tuned as activities around the event are updated and more speakers are added to the lineup. A schedule will come at some point.

Register today! 
Monday, January 27 • 2:45pm - 3:45pm
Million Browser Botnet


Online advertising networks can be a web hacker's best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary JavaScript -- even malicious JavaScript! You are SUPPOSED to use this "feature" to show ads, to track users, and get clicks, but that doesn't mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive JavaScript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it... in the wild. Besides attacking ourselves we've also tested against a well known target with lots of DDoS protection... Akamai.

With a few lines of HTML5 and JavaScript code we'll demonstrate just how easily you can commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn't intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware are required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.

Before leveraging advertising networks, the reason this attack scenario didn't worry many people is that it has always been difficult to scale up, which is to say, to simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That's what we want! At a moment's notice, we will show how it is possible to run JavaScript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.
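
The abstract describes the traffic a target sees when an ad network delivers request-generating JavaScript to many browsers at once: each browser fires only a handful of unwanted cross-site requests and then disappears when the user leaves the page. The example below is added here for this page and is not code from the talk or from WhiteHat Security. It shows the server-side triage a defender would want: a per-IP threshold catches a lone aggressive client but misses the distributed flood, while grouping non-trusted requests by referring origin and counting distinct clients exposes it. The origins, IP addresses, header values, thresholds and log records are all constructed for the illustration; the Sec-Fetch-Site header it prefers post-dates this 2014 talk, so the Origin/Referer fallback is what a 2014 defender would have relied on.

```javascript
// Added example (not from the talk or WhiteHat Security): server-side triage
// of an ad-network-driven browser flood. Each browser sends only a few
// requests, so a per-IP limit never trips; what the flood shares is one
// foreign referring page and a huge number of distinct clients. Origins, IPs,
// header values and thresholds below are constructed for illustration.

const OWN_ORIGINS = new Set(["https://www.example-target.test"]);

const DEFAULT_OPTS = {
  windowMs: 10000,      // tumbling window length
  perIpLimit: 30,       // requests per IP per window before it is "noisy"
  perSourceLimit: 200,  // non-trusted requests per referring origin per window
  minDistinctIps: 50,   // ...and how many distinct clients make it a flood
};

// Where did this request come from, according to what the browser sent?
// Sec-Fetch-Site wins when present (page script cannot set it); otherwise
// fall back to Origin, then Referer. Returns "trusted", "cross-site" or "unknown".
function classifyProvenance(headers) {
  const sfs = headers["sec-fetch-site"];
  // "none" is a user-initiated navigation (address bar, bookmark).
  if (sfs === "same-origin" || sfs === "same-site" || sfs === "none") return "trusted";
  if (sfs === "cross-site") return "cross-site";
  const src = headers["origin"] || headers["referer"];
  if (!src) return "unknown"; // bare <img src>, no-cors fetch, or header stripped
  try {
    return OWN_ORIGINS.has(new URL(src).origin) ? "trusted" : "cross-site";
  } catch {
    return "unknown"; // unparsable header value
  }
}

// Grouping key for non-trusted traffic: the origin of the referring page.
function sourceOrigin(headers) {
  const src = headers["origin"] || headers["referer"];
  try { return src ? new URL(src).origin : "(none)"; } catch { return "(none)"; }
}

// Aggregate access-log records {ts, ip, headers} per tumbling window.
// Flags (a) single IPs over perIpLimit, which catches a lone scanner, and
// (b) non-trusted traffic grouped by referring origin where both request
// count and distinct-IP count are high, which catches the browser flood.
function findFloods(records, opts = DEFAULT_OPTS) {
  const perIp = new Map();     // "window|ip" -> request count
  const perSource = new Map(); // "window|origin" -> { count, ips }
  for (const r of records) {
    const w = Math.floor(r.ts / opts.windowMs);
    const ipKey = `${w}|${r.ip}`;
    perIp.set(ipKey, (perIp.get(ipKey) || 0) + 1);
    if (classifyProvenance(r.headers) === "trusted") continue;
    const srcKey = `${w}|${sourceOrigin(r.headers)}`;
    const agg = perSource.get(srcKey) || { count: 0, ips: new Set() };
    agg.count += 1;
    agg.ips.add(r.ip);
    perSource.set(srcKey, agg);
  }
  const noisyIps = [];
  for (const [key, count] of perIp) {
    if (count > opts.perIpLimit) noisyIps.push({ ip: key.split("|")[1], requests: count });
  }
  const floodSources = [];
  for (const [key, agg] of perSource) {
    if (agg.count > opts.perSourceLimit && agg.ips.size >= opts.minDistinctIps) {
      floodSources.push({ source: key.split("|")[1], requests: agg.count, distinctIps: agg.ips.size });
    }
  }
  return { noisyIps, floodSources };
}

// Constructed sample traffic, all inside one 10-second window.
function buildSampleLog() {
  const log = [];
  // Twenty ordinary visitors, one same-site request each.
  for (let i = 0; i < 20; i++) {
    log.push({ ts: i * 400, ip: `198.51.100.${i + 1}`,
      headers: { referer: "https://www.example-target.test/", "sec-fetch-site": "same-origin" } });
  }
  // One client hammering the site by itself: a per-IP problem.
  for (let i = 0; i < 60; i++) {
    log.push({ ts: i * 100, ip: "203.0.113.7", headers: { "sec-fetch-site": "same-origin" } });
  }
  // Two hundred browsers that rendered an ad on an unrelated page, each firing
  // four image requests at the target and then moving on: the talk's pattern.
  for (let b = 0; b < 200; b++) {
    for (let k = 0; k < 4; k++) {
      log.push({ ts: 200 + b * 30 + k * 5, ip: `192.0.2.${b}`,
        headers: { referer: "https://news-with-ads.test/article/42", "sec-fetch-site": "cross-site" } });
    }
  }
  return log;
}

console.log(JSON.stringify(findFloods(buildSampleLog()), null, 2));
```

Run with `node`: the report lists 203.0.113.7 as the only noisy IP (60 requests), while the 800 ad-driven requests surface only under the referring origin `https://news-with-ads.test` with 200 distinct clients, none of which individually crossed the per-IP limit. The caveat the abstract itself points at still applies: these requests are well-formed, so the grouping only identifies the flood; what to do about traffic referred from that origin (serve a cheap response, challenge, or drop) is a policy decision, and a referrer policy on the ad-hosting page can push the whole flood into the "(none)" bucket, which is why the distinct-IP count matters as much as the referrer.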


Jeremiah Grossman

Chief Technology Officer, WhiteHat Security
Jeremiah Grossman founded WhiteHat Security in August 2001 and currently serves as Chief Technology Officer, where he is responsible for Web security R&D and industry outreach. Over the last decade, Mr. Grossman has written dozens of articles, white papers, and is a published author...

Matt Johansen

Manager, Threat Research Center, WhiteHat Security
Matt Johansen is the Manager of the Threat Research Center at WhiteHat Security, where he manages a team of Application Security Specialists, Engineers and Supervisors to prevent website security attacks and protect companies and their customer data. Before managing the team he was an Application...

Monday, January 27, 2014, 2:45pm - 3:45pm PST
Track 1
