Submit Search
Upload
CodeFest 2014 - Pentesting client/server API
•
0 likes
•
36,243 views
Sergey Belov
Follow
http://2014.codefest.ru/lecture/696
Read less
Read more
Technology
News & Politics
Report
Share
Report
Share
1 of 58
Download now
Download to read offline
Recommended
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
Cryptography
Cryptography
Sri Manakula Vinayagar Engineering College
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
Guardicore
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
B.Noviansyah - National Public Key Infrastructure: Friend or Foe?
B.Noviansyah - National Public Key Infrastructure: Friend or Foe?
idsecconf
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
Recommended
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest 2014. Белов С. — BlackBox тестирование безопасности клиент-серверног...
CodeFest
ATT&CKING Containers in The Cloud
ATT&CKING Containers in The Cloud
MITRE ATT&CK
Cryptography
Cryptography
Sri Manakula Vinayagar Engineering College
Conclusions from Tracking Server Attacks at Scale
Conclusions from Tracking Server Attacks at Scale
Guardicore
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
WebApps vs Blockchain dApps (SmartContracts): tools, vulns and standards
SecuRing
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
B.Noviansyah - National Public Key Infrastructure: Friend or Foe?
B.Noviansyah - National Public Key Infrastructure: Friend or Foe?
idsecconf
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
AISA 2018 Perth Conference: State Of Web Wecurity In 2018
James Bromberger
Common crypto attacks and secure implementations
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE - ATT&CKcon
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
kieranjacobsen
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
SecuRing
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
Fade from Whitehat... to Black
Fade from Whitehat... to Black
Beau Bullock
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
Speed and security for your PHP application
Speed and security for your PHP application
Zend by Rogue Wave Software
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Cisco DevNet
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
Develop microservices in php
Develop microservices in php
Zend by Rogue Wave Software
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
OpenDNS
Network security-primer-9544
Network security-primer-9544
Hfz Mushtaq
2015 Security Report
2015 Security Report
Check Point Software Technologies
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
ColdFusionConference
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE - ATT&CKcon
очир абушинов
очир абушинов
Alexei Lupan
Опыт организации тестирования безопасности Web приложений в компании
Опыт организации тестирования безопасности Web приложений в компании
SQALab
More Related Content
What's hot
Common crypto attacks and secure implementations
Common crypto attacks and secure implementations
Trupti Shiralkar, CISSP
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
Kevin Hakanson
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE - ATT&CKcon
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
kieranjacobsen
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
SecuRing
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CanSecWest
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
MITRE - ATT&CKcon
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Trupti Shiralkar, CISSP
Fade from Whitehat... to Black
Fade from Whitehat... to Black
Beau Bullock
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
EC-Council
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
Gökhan Şengün
Speed and security for your PHP application
Speed and security for your PHP application
Zend by Rogue Wave Software
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Cisco DevNet
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
CanSecWest
Develop microservices in php
Develop microservices in php
Zend by Rogue Wave Software
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
OpenDNS
Network security-primer-9544
Network security-primer-9544
Hfz Mushtaq
2015 Security Report
2015 Security Report
Check Point Software Technologies
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
ColdFusionConference
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE - ATT&CKcon
What's hot
(20)
Common crypto attacks and secure implementations
Common crypto attacks and secure implementations
Securing TodoMVC Using the Web Cryptography API
Securing TodoMVC Using the Web Cryptography API
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
MITRE ATT&CKcon 2.0: Tracking and Measuring ATT&CK Coverage with ATTACK2Jira ...
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
The Boring Security Talk - Azure Global Bootcamp Melbourne 2019
Building & Hacking Modern iOS Apps
Building & Hacking Modern iOS Apps
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy...
MITRE ATTACKCon Power Hour - December
MITRE ATTACKCon Power Hour - December
Zerotrusting serverless applications protecting microservices using secure d...
Zerotrusting serverless applications protecting microservices using secure d...
Fade from Whitehat... to Black
Fade from Whitehat... to Black
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Are your cloud servers under attack?– Hacker Halted 2019 – Brian Hileman
Practical Cryptography and Security Concepts for Developers
Practical Cryptography and Security Concepts for Developers
Speed and security for your PHP application
Speed and security for your PHP application
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
DEVNET-1190 Targeted Threat (APT) Defense for Hosted Applications
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Csw2016 chaykin having_funwithsecuremessengers_and_androidwear
Develop microservices in php
Develop microservices in php
Standardizing and Strengthening Security to Lower Costs
Standardizing and Strengthening Security to Lower Costs
Network security-primer-9544
Network security-primer-9544
2015 Security Report
2015 Security Report
Java script and web cryptography (cf.objective)
Java script and web cryptography (cf.objective)
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
MITRE ATT&CKcon 2018: Sofacy 2018 and the Adversary Playbook, Robert Falcone,...
Viewers also liked
очир абушинов
очир абушинов
Alexei Lupan
Опыт организации тестирования безопасности Web приложений в компании
Опыт организации тестирования безопасности Web приложений в компании
SQALab
CodeFest 2012 - Пентест на стероидах
CodeFest 2012 - Пентест на стероидах
Sergey Belov
Тестирование защищенности веб-приложений
Тестирование защищенности веб-приложений
SQALab
Nginx warhead
Nginx warhead
Sergey Belov
Attacking thru HTTP Host header
Attacking thru HTTP Host header
Sergey Belov
(Не)безопасный frontend
(Не)безопасный frontend
Sergey Belov
ZeroNights - SmartTV
ZeroNights - SmartTV
Sergey Belov
современная практика статического анализа безопасности кода веб приложений
современная практика статического анализа безопасности кода веб приложений
Sergey Belov
Сергей Полаженко - Security Testing: SQL Injection
Сергей Полаженко - Security Testing: SQL Injection
SQALab
Автоматизация тестирования веб-сервисов посредством SOAP UI
Автоматизация тестирования веб-сервисов посредством SOAP UI
automated-testing.info
Тестирование безопасности: PHP инъекция
Тестирование безопасности: PHP инъекция
SQALab
Практика тестирования web сервисов
Практика тестирования web сервисов
SQALab
Онлайн безопасность - фактор #1 в SEO
Онлайн безопасность - фактор #1 в SEO
Yuriy Titkov
якимович нагрузочное тестирование клиент серверных приложений
якимович нагрузочное тестирование клиент серверных приложений
sef2009
Нагрузочное тестирование клиент-серверных приложений
Нагрузочное тестирование клиент-серверных приложений
SQALab
Ui testing how intel does this
Ui testing how intel does this
Alexei Lupan
Кейс: Как два сеошника за год сделали +$2М к обороту компаний.
Кейс: Как два сеошника за год сделали +$2М к обороту компаний.
Andrey Kapeltsov
Contacto server API in PHP
Contacto server API in PHP
Hem Shrestha
API
API
guest7e8175a
Viewers also liked
(20)
очир абушинов
очир абушинов
Опыт организации тестирования безопасности Web приложений в компании
Опыт организации тестирования безопасности Web приложений в компании
CodeFest 2012 - Пентест на стероидах
CodeFest 2012 - Пентест на стероидах
Тестирование защищенности веб-приложений
Тестирование защищенности веб-приложений
Nginx warhead
Nginx warhead
Attacking thru HTTP Host header
Attacking thru HTTP Host header
(Не)безопасный frontend
(Не)безопасный frontend
ZeroNights - SmartTV
ZeroNights - SmartTV
современная практика статического анализа безопасности кода веб приложений
современная практика статического анализа безопасности кода веб приложений
Сергей Полаженко - Security Testing: SQL Injection
Сергей Полаженко - Security Testing: SQL Injection
Автоматизация тестирования веб-сервисов посредством SOAP UI
Автоматизация тестирования веб-сервисов посредством SOAP UI
Тестирование безопасности: PHP инъекция
Тестирование безопасности: PHP инъекция
Практика тестирования web сервисов
Практика тестирования web сервисов
Онлайн безопасность - фактор #1 в SEO
Онлайн безопасность - фактор #1 в SEO
якимович нагрузочное тестирование клиент серверных приложений
якимович нагрузочное тестирование клиент серверных приложений
Нагрузочное тестирование клиент-серверных приложений
Нагрузочное тестирование клиент-серверных приложений
Ui testing how intel does this
Ui testing how intel does this
Кейс: Как два сеошника за год сделали +$2М к обороту компаний.
Кейс: Как два сеошника за год сделали +$2М к обороту компаний.
Contacto server API in PHP
Contacto server API in PHP
API
API
Similar to CodeFest 2014 - Pentesting client/server API
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
OpenCredo
End to End Security - Check Point
End to End Security - Check Point
Harry Gunns
FIDO Masterclass
FIDO Masterclass
FIDO Alliance
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
tdc-globalcode
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Márcio Rosa
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
WSO2
Expanding APIs beyond the Web
Expanding APIs beyond the Web
Tim Messerschmidt
Check point presentation june 2014
Check point presentation june 2014
David Berkelmans
Steam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explained
inovia
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco DevNet
2018 06 Presentation Cloudguard IaaS de Checkpoint
2018 06 Presentation Cloudguard IaaS de Checkpoint
e-Xpert Solutions SA
How to Implement Organization Wide Cyber Hygiene?
How to Implement Organization Wide Cyber Hygiene?
SecPod
Meeting rooms are talking! are you listening?
Meeting rooms are talking! are you listening?
Cisco DevNet
Better watch your apps - MJ Keith
Better watch your apps - MJ Keith
m j
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Codemotion
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Codemotion
Integrating WordPress With Web APIs
Integrating WordPress With Web APIs
randyhoyt
Network software gotovaya
Network software gotovaya
Vlad Demensky
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
CODE BLUE
2018 06 Presentation Cloudguard SaaS de Checkpoint
2018 06 Presentation Cloudguard SaaS de Checkpoint
e-Xpert Solutions SA
Similar to CodeFest 2014 - Pentesting client/server API
(20)
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
Microservices Manchester: Security, Microservces and Vault by Nicki Watt
End to End Security - Check Point
End to End Security - Check Point
FIDO Masterclass
FIDO Masterclass
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
TDC2018SP | Trilha Mobile - Case VC+: Como tornar seguro um aplicativo mobile...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
Case VC+: Como tornar seguro um aplicativo mobile payment sem penalizar a exp...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
Expanding APIs beyond the Web
Expanding APIs beyond the Web
Check point presentation june 2014
Check point presentation june 2014
Steam Learn: HTTPS and certificates explained
Steam Learn: HTTPS and certificates explained
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
Cisco APIs: An Interactive Assistant for the Web2Day Developer Conference
2018 06 Presentation Cloudguard IaaS de Checkpoint
2018 06 Presentation Cloudguard IaaS de Checkpoint
How to Implement Organization Wide Cyber Hygiene?
How to Implement Organization Wide Cyber Hygiene?
Meeting rooms are talking! are you listening?
Meeting rooms are talking! are you listening?
Better watch your apps - MJ Keith
Better watch your apps - MJ Keith
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Stève Sfartz - Meeting rooms are talking! Are you listening? - Codemotion Ber...
Integrating WordPress With Web APIs
Integrating WordPress With Web APIs
Network software gotovaya
Network software gotovaya
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
2018 06 Presentation Cloudguard SaaS de Checkpoint
2018 06 Presentation Cloudguard SaaS de Checkpoint
Recently uploaded
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
naman860154
Slack Application Development 101 Slides
Slack Application Development 101 Slides
praypatel2
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Michael W. Hawkins
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Patryk Bandurski
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
Neo4j
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Enjoy Anytime
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
null - The Open Security Community
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
ThousandEyes
The transition to renewables in India.pdf
The transition to renewables in India.pdf
Competition Advisory Services (India) LLP
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
Ridwan Fadjar
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
soniya singh
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
Scott Keck-Warren
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Scott Keck-Warren
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
shyamraj55
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
Deakin University
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Alan Dix
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
carlostorres15106
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
AndikSusilo4
Recently uploaded
(20)
How to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
Slack Application Development 101 Slides
Slack Application Development 101 Slides
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
The transition to renewables in India.pdf
The transition to renewables in India.pdf
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
CodeFest 2014 - Pentesting client/server API
1.
Pentesting client/server API Sergey
Belov
2.
$ whoami © 2002—2014,
Digital Security 2 • Senior Security Auditor at Digital Security • BugHunter: Google, Yandex, Badoo, Yahoo +++ • Writer: habrahabr, Xakep magazine • CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013 • Speaker: CodeFest 2012, ZeroNights 0x03 • Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
3.
What are we
talking about? © 2002—2014, Digital Security 3 API
4.
What are we
talking about? © 2002—2014, Digital Security 4 API
5.
Hacking via API ©
2002—2014, Digital Security 5
6.
Hacking via API ©
2002—2014, Digital Security 6
7.
Hacking via API ©
2002—2014, Digital Security 7 From interface to API methods
8.
Hacking via API ©
2002—2014, Digital Security 8
9.
Hacking via API ©
2002—2014, Digital Security 9
10.
Hacking via API ©
2002—2014, Digital Security 10
11.
Hacking via API ©
2002—2014, Digital Security 11
12.
Hacking via API ©
2002—2014, Digital Security 12 What should we test? • Logic! • Bypassing restrictions (sqli/xss) • Parameter tampering Developing • Stop hacks and custom implementation in API! Really
13.
Hacking via API ©
2002—2014, Digital Security 13
14.
Hacking via API ©
2002—2014, Digital Security 14 ZIP
15.
Hacking via API ©
2002—2014, Digital Security 15 42 Kb…
16.
Hacking via API ©
2002—2014, Digital Security 16 42 Kb… …10 Gb?
17.
Hacking via API ©
2002—2014, Digital Security 17 42 Kb… …10 Gb? …100 Gb?
18.
Hacking via API ©
2002—2014, Digital Security 18 42 Kb… …10 Gb? …100 Gb? …100 Tb?
19.
Hacking via API ©
2002—2014, Digital Security 19 42 Kb… …10 Gb? …100 Gb? …100 Tb? …4.5 Pb! http://www.unforgettable.dk/
20.
Hacking via API ©
2002—2014, Digital Security 20 Say HELLO to ZIP BOMB!
21.
Hacking via API ©
2002—2014, Digital Security 21 The evil of JavaScript and
22.
Hacking via API ©
2002—2014, Digital Security 22
23.
Hacking via API ©
2002—2014, Digital Security 23
24.
Hacking via API ©
2002—2014, Digital Security 24 http://habrahabr.ru/post/186160/
25.
Hacking via API ©
2002—2014, Digital Security 25 Crypto
26.
Hacking via API ©
2002—2014, Digital Security 26 Query signing Sign = sha*(…+DATA+…) APIkey
27.
Hacking via API ©
2002—2014, Digital Security 27
28.
Hacking via API ©
2002—2014, Digital Security 28 But why?
29.
Hacking via API ©
2002—2014, Digital Security 29 Say hello again. To length extension attack
30.
Hacking via API ©
2002—2014, Digital Security 30 A=1&B=2&C=3 07ce36c769ae130708258fb5dfa3d37ca5a67514 TOKEN=sha1(KEY+DATA)
31.
Hacking via API ©
2002—2014, Digital Security 31 Some have hijacked just 1 request…
32.
Hacking via API ©
2002—2014, Digital Security 32 What does the attacker know? • Original data • Sign (token)
33.
Hacking via API ©
2002—2014, Digital Security 33 What does the attacker want? Change some data / change params
34.
Hacking via API ©
2002—2014, Digital Security 34 A=1&B=2&C=3x80x00x00…x02&C=4
35.
Hacking via API ©
2002—2014, Digital Security 35 Can sign new query without API key! Vkontakte: sig = md5(name1=value1name2=value2api_secret) Mail.RU sig = md5(uid + params + private_key) http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
36.
Hacking via API ©
2002—2014, Digital Security 36 Request hijacking… How?
37.
Hacking via API ©
2002—2014, Digital Security 37
38.
Hacking via API ©
2002—2014, Digital Security 38
39.
Hacking via API ©
2002—2014, Digital Security 39
40.
Hacking via API ©
2002—2014, Digital Security 40
41.
Hacking via API ©
2002—2014, Digital Security 41
42.
Hacking via API ©
2002—2014, Digital Security 42
43.
Hacking via API ©
2002—2014, Digital Security 43
44.
Hacking via API ©
2002—2014, Digital Security 44
45.
Hacking via API ©
2002—2014, Digital Security 45 XML? XML entities!
46.
Hacking via API ©
2002—2014, Digital Security 46 DTD Example: <!ENTITY writer "Donald Duck."> <!ENTITY copyright "Copyright W3Schools."> XML example: <author>&writer;©right;</author>
47.
Hacking via API ©
2002—2014, Digital Security 47 XML entities? External Entity!
48.
Hacking via API ©
2002—2014, Digital Security 48 <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo>
49.
Hacking via API ©
2002—2014, Digital Security 49 <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM “expect://id" >]> <foo>&xxe;</foo>
50.
Hacking via API ©
2002—2014, Digital Security 50 XML Bombs!
51.
Hacking via API ©
2002—2014, Digital Security 51 <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;"> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;"> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;"> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;"> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;"> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;"> ]> <lolz>&lol9;</lolz>
52.
What are we
talking about? © 2002—2014, Digital Security 52 Man in the Middle
53.
Hacking via API ©
2002—2014, Digital Security 53 Examples?
54.
Hacking via API ©
2002—2014, Digital Security 54 2013-11-19 by Reginaldo Silva
55.
Hacking via API ©
2002—2014, Digital Security 55 https://www.facebook.com/BugBounty/posts/778897822124446 http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
56.
Hacking via API ©
2002—2014, Digital Security 56 Testing: • https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008) • XXE to RCE https://gist.github.com/joernchen/3623896 Development: • Disable entities
57.
Hacking via API ©
2002—2014, Digital Security 57 Finally: • Re-test all interface restrictions; • Specific compressions; • JS callbacks; • Crypto + SSL test + hardcoded credentials (hackapp.com); • XML - XXE; • Anything else :]
58.
twitter.com/sergeybelove sbelov@dsec.ru Digital Security в
Москве: (495) 223-07-86 Digital Security в Санкт-Петербурге: (812) 703-15-47 Hacking via API Thanks for your attention! Questions? © 2002—2014, Digital Security 58
Download now