 Infoz
Who:
Hackers like you.
What:
ToorCon 9
When:
October 19th-21st, 2007
Where:
San Diego Convention Center
Why:
What could possibly go wrong?






URI Use and Abuse

Nathan McFeters, Billy Rios, Rob Carter

URIs link us to commands and programs that were written by developers and are subject to the same code flaws as any other system. What is most interesting is that URIs link us to that back-end application through a browser, making Cross Site Scripting attacks a possible trigger for any flaws we may discover.

This presentation will discuss the subject of URI attacks, glossing over several 0-days that were originally discussed at DEFCON 15 and Hack In the Box 2007, and will move into more recent research that exposes application functionality, resulting in some scary attacks. Examples will include stack overflows, command injections, utilizing an application to send all of a user's pictures to an arbitrary server, etc. All of these attacks can be leveraged through XSS exposures, and thus XSS, CSRF, phishing, and Anti-DNS Pinning attacks will be combined with the URI attacks to devastating effect.

Copyright © ToorCon 2007, all bits reserved.