Report: Hack In Paris 2013
Intrinsec attended the third edition of Hack In Paris, held on June 20th and 21st, whose main theme was BYOD (Bring Your Own Device). Here is a summary of the best presentations from those two days.
First day
Remoting android applications for fun and profit
by Damien Cauquil & Pierre Jaury
Damien Cauquil and Pierre Jaury developed three tools for this purpose: Fino, Gadget, and Client. The principle is as follows: you decompile an Android application, merge its code with that of Fino, recompile and install the "new" application on your smartphone, then launch the Gadget application, which acts as a proxy. The application can then be controlled from a computer, using Python and the Client. The Client communicates with the Gadget over TCP (typically the computer and smartphone are connected to the same Wi-Fi network), and the Gadget communicates with the application through Fino, which is injected into it. This facilitates reverse engineering of an Android application. The demonstrations, which included fuzzing, hacking a DTMF answering machine, and cheating at a game in just a few minutes, were quite remarkable. The code is available on GitHub.
The Security of MDM (Mobile Device Management) systems
by Sebastien Andrivet
Sebastien Andrivet investigated the security of two MDM solutions (Mobile Iron and Good Technology) with the following scenario: can an administrator of the MDM solution access employee emails? Multiple vulnerabilities were identified: the need to use an Administrator account to run the service, the inability to place the MDM solution in a DMZ, the need to authorize the MDM solution to access all mailboxes (by creating a privileged account), XSS and CSRF vulnerabilities in the administration interfaces, the use of "in-house cryptography" to store passwords, etc. Even though some vulnerabilities have been fixed, MDM solution vendors still have progress to make.
Burp Pro: Real-life tips and tricks
by Nicolas Grégoire
During this presentation, Nicolas Grégoire reviewed the various advanced features of the renowned interception proxy, enabling penetration testers to be more effective during a web application penetration test, and in particular:
- available visualization methods (AMF, JSON, Protobuf, etc.);
- "state management" (automatic backup, restoring a state, etc.);
- common tasks ("GET to POST", generation of the curl command to replay the exploitation of a vulnerability, etc.);
- the extension mechanism.
The presentation was excellent publicity for the Pro version of the tool, whose advanced features make it genuinely worthwhile.
Day Two
Are we getting better? – Hacking Today's Technology
by Dave Kennedy
To kick off the second day, Dave Kennedy criticized current security solutions (Next Generation Firewalls, WAFs, etc.). After demonstrating SET and Unicorn, tools he developed, and asserting that these security solutions were ineffective, he recommended the following approach to improving security:
- 1: Change the culture (educate, ensure that security is no longer seen as a constraint, etc.);
- 2: Stop buying security solutions for one year;
- 3: Focus on the basics (default passwords, classic vulnerabilities such as SQL injection);
- 4: Monitor your information system (IS);
- 5: Perform penetration tests.
Malware vs Virtualization: The endless cat and mouse play
by Aurélien Wailly
Aurélien Wailly presented methods for detecting a virtualized environment: searching for specific DLLs, measuring access times (his tests made it possible to identify exactly which hypervisor was in use), and so on. He then presented methods for evading this detection: patching the "virtualization flaws" that give the hypervisor away, setting thresholds that defeat access-time measurements, etc. He ended his presentation with the following question: at a time when more and more environments are virtualized (workstations in particular), is it still relevant for malware to detect a virtualized environment?
The "Classical Doctrine" of Web Security and the innerHTML Apocalypse: How mXSS attacks change everything we believed to know so far
by Mario Heiderich
Mario Heiderich began with a brief overview of the known XSS variants: reflected XSS, stored XSS, and DOM-based XSS. He then presented mXSS (mutation XSS), which is based on the DOM "innerHTML" property, through which a web page's HTML code can be modified. When HTML is assigned through this property, browsers "improve" the markup to make it "compliant": closing tags, adding quotation marks, etc. This "improvement" is not always faithful to the original, and it is possible to inject code:
- use of ` instead of " in Internet Explorer;
- use of attributes such as xmlns or style;
- etc.
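A defensive illustration of this last point, added here as an example and not taken from the talk or from any of the speaker's tools: the reason a sanitizer must not trust a string it has already checked is that the browser's parse-and-serialize step can turn that string into different markup. The Python below models that step with the standard library's html.parser (an assumption: it is a model of the mechanism, not a reproduction of any browser's normalization). It rebuilds its output from the parsed tree using an allow-list, and `is_stable` checks the property that protects against mutations: sanitizing the sanitizer's own output must change nothing. The `escape_attrs=False` variant shows the failure: a quote inside an attribute value survives the first pass unescaped, and the second pass parses it as a different tree.

```python
# Added example (not from the talk or any of its tools): an allow-list
# sanitizer that rebuilds markup from the parsed tree and escapes on output,
# plus a round-trip stability check. Python's html.parser stands in for the
# browser's parse/serialize step; real browsers normalize differently, so
# this is a model of the mechanism, not a reproduction of any browser bug.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"img", "br"}
SAFE_URL_PREFIXES = ("http://", "https://", "/")
RAW_TEXT_TAGS = {"script", "style"}  # their text content is dropped entirely


class AllowlistSanitizer(HTMLParser):
    """Parse once, then emit only allow-listed tags and attributes."""

    def __init__(self, escape_attrs=True):
        super().__init__(convert_charrefs=True)
        self.escape_attrs = escape_attrs
        self.out = []
        self.skipping = False  # True while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself, keep its text content
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops event handlers such as onerror
            value = value or ""
            if name in ("href", "src") and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue  # blocks javascript: and similar schemes
            if self.escape_attrs:
                parts.append(f'{name}="{escape(value, quote=True)}"')
            else:
                parts.append(f'{name}="{value}"')  # naive: trusts the parsed value verbatim
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skipping = False
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def sanitize(html, escape_attrs=True):
    """Return the allow-listed, re-serialized form of `html`."""
    parser = AllowlistSanitizer(escape_attrs)
    parser.feed(html)
    parser.close()  # flushes any buffered text
    return "".join(parser.out)


def is_stable(html, escape_attrs=True):
    """True if sanitizing the sanitizer's own output changes nothing.

    An mXSS-style mutation shows up as a difference between the two passes:
    the serialized form re-parses into a different tree than the one that
    was checked.
    """
    first = sanitize(html, escape_attrs)
    second = sanitize(first, escape_attrs)
    return first == second


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the talk.
    tricky = '<a href="https://example.test/" title=\'a"b\'>x</a>'
    print(sanitize('<img src="/x.png" onerror="alert(1)">'))
    print("escaping sanitizer stable:", is_stable(tricky))
    print("naive sanitizer stable:   ", is_stable(tricky, escape_attrs=False))
```

With the naive variant the first pass emits `title="a"b"`, which the second pass reads as an attribute `title="a"` followed by a junk attribute that the allow-list then drops, so the two passes disagree; with output escaping the two passes are identical. Libraries that defend against mXSS apply the same check inside the browser, on the real DOM, which is where the normalization the talk describes actually happens.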
The Realex payments application security story, narrated by Security Ninja
by David Rook
Hack In Paris ended with a presentation by David Rook in an original format. Against a backdrop of comic-strip-style slides, David Rook recounted the work done at Realex Payments over the past 7 or 8 years to improve software security: creation of an internal training program, purchase of a Burp Pro license for each developer, annual audits, and publications (tweets, open source tools).
