Bay Area OWASP Meetup - April 2016


The April meeting will be hosted by Lending Club at their San Francisco office, 71 Stevenson St #300, San Francisco, CA 94105. Nearest BART is Montgomery St.


6:30- Doors Open

6:40 - 7:15 - Joe Rozner, Richard Meester, Prevoty - Sinking Your Hooks in Applications (from AppSecUSA 2015)

7:20 - 7:55 - Martin Vigo, Salesforce - Attacks on LastPass (from BlackHat 2015)

8:00 - 8:25 - Russell Sherman and Jonathan Carter, Lending Club –Adventures in Running Your Own CTF


Joe Rozner, Prevoty - Sinking Your Hooks in Applications

Attackers typically have more compute resources and can spend much more time breaking components of applications than the engineers that write them in the first place. Since the pressure is on developers to release new code, even at the expense of security best practices, expecting all application vulnerabilities to be detected and remediated in advance of an application’s release is unrealistic to say the least.
One approach to combat this is to automatically build more security into the applications themselves. In this talk, the speakers will demonstrate some techniques to leverage the hooking of potentially vulnerable code paths in production applications and injecting code to introduce additional layers of security without requiring developers to write any code or recompile the applications. Specific examples will be given in Java and .NET though these techniques should be transferable to any language.

Martin Vigo, Salesforce - Attacks on LastPass (presented at BlackHat 2015)

Password managers have become very popular as a solution to avoid reusing passwords. With that in mind, password managers are a prized target for pentesters and attackers. If a password manager is compromised, the consequences are catastrophic as all the victim's secrets reside in the vault. One breach to get it all.

LastPass is arguably one of the most popular password managers in the market. Over 10,000 corporate customers ranging in various sizes including Fortune 500's rely on LastPass to protect all their data.

Research has been done on how to attack password managers but it has all focused on leaking specific credentials from the vault. LastPass not only stores credentials, but also bank accounts, ssh keys, personal records, etc. Therefore, we focused our research on finding the silver bullet to gain full access to the vault and steal all the secrets. By reversing LastPass plugins, we found several ways to do so. We will demonstrate how it is possible to steal and decrypt the master password. We also found how it is possible to abuse account recovery to ultimately obtain the encryption key for the vault. In addition, we discovered ways to bypass 2 factor authentication.

We wrote a Metasploit module that takes care of all of this. The module is able to search for all LastPass data in the machine comprising all accounts present. It will find and decrypt the master password, it will derive the encryption key for the vault, it will find the 2FA trust token and it will steal the vault so it can be decrypted. All secrets in the vault will be printed out for the pen-tester's satisfaction.