This is the deck which is used to present at c0c0n 2015. Due to some privacy reasons, I'm unable to share few screenshots. If interested please reach out to me. If you have some feedback please drop an email to abhijeth0423@gmail.com. Video will be published soon which will give more idea about the talk. Also credits to: @mat www.wesecureapp.com

1. Attack chaining for web
exploitation
--- Abhijeth Dugginapeddi

2. #whoami
Security Analyst at Adobe Systems
Hacking since 14 and gave sessions in most engineering colleges
Like many, found bugs in Google, Facebook, Yahoo, Microsoft and more
than 50 sites. Among Top 5 Bug hunters in Synack
A Telugu movie buff and a start up enthusiast

3. No organization or no company is responsible for whatever I talk for the next 30 minutes!!

4. Where to start

5. What to start

6. How to start

7. Do you know him!!

8. Hackers hacked

10. Called up amazon and add a new credit card to amazon account
Associated email
Billing Address
Random Credit card number
Now they call again saying they lost the password
Name
Billing address
Credit card number
The attackers now got access to his amazon account

11. Billing address
Last 4 digits of credit card
Credits: @mat

15. Chaining of web attacks
• Used majorly by Real attackers
• Understanding the application code and infrastructure in depth
• Using multiple vulnerabilities
• Knowledge on various technologies
Impacts
• Defacing sites
• Denial of service
• Deleting code, DBs, user profiles, customer data etc.

16. Vulnerability in Code + Vulnerability in Configuration/Design = Large Impact

17. Do you think a vulnerability like CSRF or Mixed content in isolation can
directly lead to a Security breach?

18. May not be true.
But a Security Breach is definitely possible if the
attacker can chain attacks

19. Normal attack

20. Attack chain

21. Vulnerabilities reported in a Web Application
Mixed Content

22. Few stories

23. #1

27. Mixed Content
Weak Encryption
SQL Injection
Complete credit card details

28. Targeted attack

29. #2 Insecure Direct Object Reference
Screenshot not disclosed

30. Parameter Tampering

31. Access control Violation
Screenshot not disclosed

32. Cross Site Request Forgery
Screenshot not disclosed

34. Insecure Direct Object Reference
Parameter tampering
CSRF
Perform illegal transactions
from a victim’s account
Access control violation

35. Target= Abhijeth
Abhijeth’s Bank Details
Access to someone’s details
Bruteforce and get Abhijeth’s details
Use this details to make illegal transaction!!

36. Jo dar gaya samjo mar gaya

37. #3 Some company’s email Inbox

38. Upload exe files

40. #begbounty!!!

42. Improper CSRF and Access controls

43. Spread malware using your application!!!

44. And then!!

46. #4 Security misconfiguration

48. PUT /foo

49. Cross Site Scripting

50. Malicious file upload

51. But no SHELL 

52. Used XSS to perform privilege escalation

53. Aise the bhayya bajrangi!!

54. Security misconfiguration
Stored Cross Site Scripting
Session Hijacking
Privilege Escalation
Arbitrary file upload
Remote Code Execution

55. How can you start chaining?

56. Find more vulnerabilities
Understand the application
Analyze the bugs
Research on customer’s business
Make a story

57. Moral of the story!!
Every vulnerability needs to fixed irrespective of the risk
Remember it is Vulnerable Code + Weak Configuration

58. The other chains
Infrastructure Chains
Mobile chains
Data center attacks
Wireless hacks

59. Thanks 

61. What to do with the bounties??

62. Educate a child

63. For more details

64. Questions??!!