"Websecurity" - Links and Bibliography
Dipl.-Inform. Carsten Eilers
Chapter 1: SSRF – What Is It, What Can It Do, and Is It Actually Dangerous?
[1] Carsten Eilers: "About Security #127: Cross-Site Request Forgery: Einführung" (on archive.org)
[2] Norm Hardy: "The Confused Deputy"
[3] Common Weakness Enumeration: CWE-918: Server-Side Request Forgery (SSRF)
[4] Danijel; MaXoNe WebApp Security Blog: "Bug bounty : marketplace.mozilla.org server side request forgery vulnerability."
[5] HackerOne Bug #4461 Server Side Request Forgery
[6] Alexander Bolshev, Gleb Cherbov; Black Hat USA 2014: "ICSCorsair: How I Will PWN Your ERP Through 4-20 mA Current Loop"
[7] Deral Heiland; ShmooCon 2008: "Web Portals: Gateway To Information, Or A Hole In Our Perimeter Defenses" (presentation as PPT)
[8] Alexander Polyakov, Dmitry Chastuhin; Black Hat USA 2012: "SSRF vs. Business Critical Applications"
[9] Jeremiah Grossman, WhiteHat Security Blog: "Top Ten Web Hacking Techniques of 2012"
[10] Vladimir Vorontsov, Alexander Golovko; Hack in the Box Amsterdam 2013: "SSRF PWNs: New Techniques and Stories"
[11] Vladimir Vorontsov, Alexander Golovko; ZeroNights Conference 2012: "SSRF attacks and sockets: smorgasbord of vulnerabilities"
[12] Vladimir Vorontsov, Alexander Golovko; ZeroNights Conference 2012: "SSRF attacks and sockets: smorgasbord of vulnerabilities" (presentation as PDF)
[13] OnSec: "SSRF bible. Cheatsheet"
[14] Mike Brooks, Matthew Bryant; Black Hat USA 2015: "Bypass Surgery Abusing Content Delivery Networks with Server-Side-Request Forgery (SSRF), Flash, and DNS" (presentation as PDF)
[15] Matthew Bryant; The Hacker Blog: "[Blackhat Talk] Bypass Surgery Abusing Content Delivery Networks With Server-Side Request Forgery (SSRF), Flash, and DNS"
[16] Akamai; The Akamai Blog: "Details on the Cross-Site Request Forgery Vulnerability Disclosed at Black Hat"
[17] Exploit-DB: "Plex Media Server 0.9.9.2.374-aa23a69 - Multiple Vulnerabilities"
[18] SEC Consult Unternehmensberatung GmbH: video "Authentication bypass (SSRF) in Plex Media Server" on YouTube
Chapter 2: Cross-Site Request Forgery – The "Confused Deputy 2015"
[1] Norm Hardy: "The Confused Deputy"
[2] Peter Watkins; Bugtraq mailing list: "Cross-Site Request Forgeries (Re: The Dangers of Allowing Users to Post Images)"
[3] CSRF Files - Packet Storm
[4] Dylan Saccomanni; Breaking Bits: "GoDaddy CSRF Vulnerability Allows Domain Takeover"
[5] Carsten Eilers: "Cross-Site Scripting im Überblick, Teil 3: Der MySpace-Wurm Samy"
[6] Ahamed Nafeez; Black Hat Asia 2014: "JS Suicide: Using JavaScript Security Features to Kill JS Security"
[7] OWASP CSRFGuard Project
[8] OWASP CSRFGuard 3.1.0 on GitHub: Last News
[9] Rich Lundeen; Black Hat Europe 2013: "The Deputies Are Still Confused"
[10] Rich Lundeen; WebstersProdigy: "The Deputies are Still Confused (Full talk and content from Blackhat EU)"
[11] Carsten Eilers: "Websecurity: Cookie Tossing"
[12] Mario Heiderich, Marcus Niemietz, Felix Schuster, Thorsten Holz, Jörg Schwenk; 19th ACM Conference on Computer and Communications Security (CCS), Raleigh, NC, October 2012: "Scriptless Attacks: Stealing the pie without touching the sill"
[13] Mike Shema, Sergey Shekyan, Vaagn Toukharian; Black Hat USA 2013: "Dissecting CSRF Attacks & Countermeasures"
[14] Mike Shema; Deadliest Web Attacks: "BlackHat US 2013: Dissecting CSRF..."
[15] Carsten Eilers: "Kommentare zu Java, SQL Slammer und GitHub-Geheimnissen"
[16] Carsten Eilers: "Schutzmaßnahmen: Content Security Policy gegen XSS, Teil 1" et seq.
[17] Mike Shema; Deadliest Web Attacks: "...And They Have a Plan"
[18] Mike Shema: mutantzombie/SessionOriginSecurity auf GitHub
[19] Mike Shema; W3C webappsec mailing list: "Proposed CSRF countermeasure"
[20] Shreeraj Shah; Black Hat USA 2012: "HTML5 Top 10 Threats – Stealth Attacks and Silent Exploits"
[21] David Mortman; Black Hat USA 2012: "The Defense RESTs: Automation and APIs for Improving Security"
[22] Ajit Hatti; Black Hat Europe 2013: "Lets Play - Applanting"
[23] Deral Heiland; Black Hat Europe 2013: "Practical Exploitation Using A Malicious Service Set Identifier (SSID)"
[24] Jeremiah Grossman, Matt Johansen; Black Hat USA 2013: "Million Browser Botnet"
[25] Angelo Prado, Neal Harris, Yoel Gluck; Black Hat USA 2013: "SSL, gone in 30 seconds - a BREACH beyond CRIME"
[26] Carsten Eilers: "SSL/TLS - Stand der Dinge"
Chapter 3: XML Security – XXE and XSLT