Attack chaining means using multiple vulnerabilities in sequence to achieve a greater impact than any one of them would allow on its own. The speaker shows how attackers combine insecure direct object reference (IDOR), parameter tampering and cross-site request forgery (CSRF) to perform illegal transactions from a victim's account or to read other users' details. To start chaining attacks you need to find more vulnerabilities in the application, understand how it works, analyse the bugs you already have, and build a story that uses the different vulnerabilities in a specific order. The speaker's point is that every vulnerability needs to be fixed, because weak code combined with weak configuration is what enables the large impacts.
2. #whoami
Security Analyst at Adobe Systems
Hacking since 14 and has given sessions at most engineering colleges
Like many, found bugs in Google, Facebook, Yahoo, Microsoft and more than 50 sites. Among the top 5 bug hunters in Synack
A Telugu movie buff and a start-up enthusiast
3. No organization or company is responsible for whatever I talk about for the next 30 minutes!!
10. Called up Amazon and added a new credit card to the victim's Amazon account, giving:
Associated email
Billing address
Random credit card number
Then they called again saying they had lost the password, and identified themselves with:
Name
Billing address
Credit card number (the one they had added in the first call)
The attackers now had access to his Amazon account.
15. Chaining of web attacks
• Used mainly by real attackers
• Understanding the application code and infrastructure in depth
• Using multiple vulnerabilities
• Knowledge of various technologies
Impacts
• Defacing sites
• Denial of service
• Deleting code, DBs, user profiles, customer data etc.
16. Only 58% of vulnerabilities are caused by weak code
The other 42% of vulnerabilities are caused by weak configurations/administration
Source: PTSecurity
35. Insecure Direct Object Reference
Parameter tampering
CSRF
Perform illegal transactions from a victim's account
Access control violation
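The chain on this slide (and in the summary above) is easiest to see on a single endpoint. The following is an added example, not code from the talk: a toy money-transfer handler that carries all three weaknesses at once (the source account comes from the request, the amount is unchecked, and there is no CSRF token), next to a hardened version that derives authorization from the session, validates the amount and binds a CSRF token to the session. The account ids, session cookies and server secret are all constructed for the demo.

```python
"""
Added example, not from the talk: a toy money-transfer endpoint that carries
the IDOR + parameter tampering + missing-CSRF chain, next to a hardened
version. Account ids, sessions and the server secret are all constructed.
"""
import hashlib
import hmac
import secrets

# Constructed sessions: session cookie value -> logged-in user.
SESSIONS = {"sess-victim": "abhijeth", "sess-attacker": "attacker"}

# Constructed, per-process secret used to bind CSRF tokens to a session.
SERVER_SECRET = secrets.token_bytes(32)


def make_accounts():
    """Fresh copy of the constructed account table (sequential, guessable ids)."""
    return {
        1001: {"owner": "abhijeth", "balance": 500},
        1002: {"owner": "attacker", "balance": 10},
    }


def transfer_weak(accounts, session_id, params):
    """Weak handler: the source account comes straight from the request (IDOR),
    the amount is not validated (parameter tampering: a negative amount pulls
    money in instead of sending it out), and there is no CSRF token, so a forged
    cross-site form submitted by the victim's browser is accepted as well."""
    if session_id not in SESSIONS:
        return "login required"
    src = accounts[int(params["from"])]   # never compared with the session user
    dst = accounts[int(params["to"])]
    amount = int(params["amount"])        # sign and size never checked
    src["balance"] -= amount
    dst["balance"] += amount
    return "ok"


def issue_csrf_token(session_id):
    """Per-session CSRF token: HMAC of the session id under the server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def transfer_hardened(accounts, session_id, params, csrf_token):
    """Hardened handler: CSRF token bound to the session, object-level
    authorization on the source account, and strict amount validation."""
    user = SESSIONS.get(session_id)
    if user is None:
        return "login required"
    # CSRF: the token must be the one issued for this session (constant-time compare).
    if not hmac.compare_digest(csrf_token or "", issue_csrf_token(session_id)):
        return "csrf check failed"
    try:
        src_id, dst_id = int(params["from"]), int(params["to"])
        amount = int(params["amount"])
    except (KeyError, ValueError):
        return "bad request"
    src = accounts.get(src_id)
    # Object-level authorization: an account that is not yours looks exactly like
    # one that does not exist, so the endpoint cannot be used to enumerate ids.
    if src is None or src["owner"] != user:
        return "not found"
    dst = accounts.get(dst_id)
    if dst is None or dst_id == src_id:
        return "not found"
    # Parameter tampering: amount must be positive and covered by the balance.
    if amount <= 0 or amount > src["balance"]:
        return "invalid amount"
    src["balance"] -= amount
    dst["balance"] += amount
    return "ok"


if __name__ == "__main__":
    accts = make_accounts()
    # The attacker's own session moves the victim's money through the weak handler.
    print(transfer_weak(accts, "sess-attacker", {"from": "1001", "to": "1002", "amount": "400"}), accts)
    accts = make_accounts()
    # The same request against the hardened handler is refused.
    print(transfer_hardened(accts, "sess-attacker", {"from": "1001", "to": "1002", "amount": "400"},
                            issue_csrf_token("sess-attacker")), accts)
```

Note that the hardened handler fixes all three links of the chain, not just the CSRF one: a CSRF token alone would still let a logged-in attacker send money from account 1001 with their own valid token, and an ownership check alone would still let a forged request from the victim's browser go through.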
36. Target = Abhijeth
Abhijeth's bank details
Access to someone's details
Bruteforce and get Abhijeth's details
Use these details to make an illegal transaction!!
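The "bruteforce" step on this slide leaves a footprint in web server logs: one client requesting many different object ids in a short time. The following is an added detection example, not part of the talk, that parses constructed combined-log-style lines and flags any client that touches a threshold number of distinct ids under a `/accounts/<id>/details` path within a time window. The IP addresses, timestamps and URL pattern are all constructed for the demo.

```python
"""
Added example, not from the talk: spotting the "bruteforce and get Abhijeth's
details" step in web server access logs. The log lines, IP addresses and the
/accounts/<id>/details URL pattern are all constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-style line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Object-reference endpoint whose id we watch for enumeration (constructed).
OBJECT_RE = re.compile(r"^/accounts/(?P<id>\d+)/details$")

# Constructed sample: one attacker walking sequential ids, one normal user.
SAMPLE_LOG = """\
198.51.100.5 - - [10/Oct/2023:13:55:30 +0000] "GET /accounts/1001/details HTTP/1.1" 200 1480
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /accounts/1002/details HTTP/1.1" 200 1502
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /accounts/1001/details HTTP/1.1" 403 312
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /accounts/1003/details HTTP/1.1" 403 312
203.0.113.7 - - [10/Oct/2023:13:55:42 +0000] "GET /accounts/1004/details HTTP/1.1" 403 312
203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /accounts/1005/details HTTP/1.1" 403 312
203.0.113.7 - - [10/Oct/2023:13:55:46 +0000] "GET /accounts/1006/details HTTP/1.1" 403 312
203.0.113.7 - - [10/Oct/2023:13:55:48 +0000] "GET /accounts/1007/details HTTP/1.1" 403 312
203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /accounts/1008/details HTTP/1.1" 403 312
198.51.100.5 - - [10/Oct/2023:13:56:02 +0000] "POST /accounts/1001/transfer HTTP/1.1" 302 0
198.51.100.5 - - [10/Oct/2023:13:56:05 +0000] "GET /accounts/1001/details HTTP/1.1" 200 1480
"""


def parse_line(line):
    """Parse one combined-log-style line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_enumeration(lines, window=timedelta(minutes=5), min_ids=5):
    """Flag clients that request at least `min_ids` distinct object ids within
    `window`. Denied responses are counted for context but not required: when
    the IDOR actually works every response is a 200, so the distinct-id count
    is the signal, not the error rate."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = OBJECT_RE.match(rec["path"])
        if m:
            by_ip[rec["ip"]].append((rec["ts"], m.group("id"), rec["status"]))
    alerts = []
    for ip, events in by_ip.items():
        events.sort()  # oldest first, so a forward slice is a time window
        for i, (start, _, _) in enumerate(events):
            win = [e for e in events[i:] if e[0] - start <= window]
            ids = {e[1] for e in win}
            if len(ids) >= min_ids:
                alerts.append({
                    "ip": ip,
                    "distinct_ids": len(ids),
                    "denied": sum(1 for e in win if e[2] in (401, 403, 404)),
                    "first_seen": start.isoformat(),
                })
                break  # one alert per client is enough
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tune `min_ids` against roles that legitimately view many records (support staff, admins), or key the counter on the session or user id rather than the client IP where your logs carry one; the point is that distinct-id velocity on an object-reference endpoint is visible regardless of whether the access control check was actually enforced.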