Inter-application vulnerabilities – hunting for bugs in secure applications
CONFIDENCE 2019
@securityksl
Marcin Szydłowski
TABLE OF CONTENTS
1. Introduction – Presentation background – why I’m even here?
2. Inter-application vulnerabilities – So what actually are we going to talk about?
3. Real life examples – Several examples of these inter-application vulnerabilities and their root causes.
4. What can I do now!? – Where can I find these vulnerabilities or how can I avoid them?
5. Q&A – In case you want to know something more
#whoami
• Marcin Szydłowski (@securityksl)
• Worked as a cybersecurity consultant (pentests, red team, etc.)
• Currently responsible for secure system deployment in a global company
• Bug bounty hunter & member of Synack Red Team (rank 0x03)
• Participated in programmes such as Hack the Pentagon, United Airlines and a number of private programmes via Synack and HackerOne
Hunting for bugs in secure applications
• Changed company, started to participate in Bug Bounty programmes regularly
• Regularly does not mean full-time (nor part-time)
• Dark side of bug bounty programmes exists
Presentation background – problem statement
How to find unique vulnerabilities in web applications of security-mature companies in a limited time?
What does your pentest environment look like?
[Diagram: User → HTTPS → test.example.com]
What does the production environment look like?
[Diagram: User → HTTPS → example.com; the environment also includes mail.example.com, user.example.com and legacy.example.com]
What does the production environment look like in 2019?
[Diagram: User → HTTPS → Caching server/LB/WAF → HTTPS → example.com; the environment also includes api.example.com, mail.example.com, user.example.com, legacy.example.com, other.example.com (OAUTH) and an S3 bucket for example.com]
Who covers the delta?
„Integration with other systems will be performed once we know our application is secure”
„Other components have already been tested by other independent companies”
„Test environment is isolated from the Internet for security reasons”
„XYZ functionality is out of scope as it is not ready yet”
„E-mail sending is disabled not to flood our helpdesk with e-mails”
„Only ZYX functionalities are in scope”
Integration testing to the rescue?
What is in scope of integration testing?
Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in
which individual software modules are combined and tested as a group. Integration testing is conducted to evaluate
the compliance of a system or component with specified functional requirements.
Integration testing presented on a Venn diagram
[Venn diagram: three overlapping circles – people who understand system A, people who understand system B, pentesters (security people); the common intersection is labelled “people involved in integration testing”.]
Integration testing – reality kicks in
[The same three circles and labels, redrawn to show the real overlap between the three groups and the people involved in integration testing.]
Am I exploiting the technology or the process?
• Web application security testing covers only specific components of the system, as it is often performed on an isolated or not fully developed environment
• Pentesters often do not understand the business process behind the application
• Various applications (system components) are tested by various teams (or even companies)
• Responsibility for integration testing is often blurred
• Security is not the first priority of integration testing
???
PROFIT!!!
Acceptance rate - 44%
27 unique vulnerabilities reported in 11 months
Probably testing for less than 5 hours/week on average
Inter-application vulnerabilities – the definition
Vulnerabilities which require playing with at least two different systems (or system components) to be exploited successfully.
Case #1 - Story of a desktop application
• Major international company
• Set of web applications in scope
• No vulnerabilities identified in the last couple of months
• Google recon identified that users’ e-mail addresses are disclosed via Google searches, as they are transmitted in a GET parameter
• It was not possible to identify that particular endpoint during the application walkthrough
Some other application component must exist
Money for nothing and XSSes for free
• The desktop application of that vendor is publicly available for download after registration
• Most of the functionalities did not result in any requests being sent to the web server, but...
• The license renewal and forgot password functionalities resulted in HTTP requests with parameters never encountered before.
• Two XSSes with the <script>alert(1)</script> payload right away (Bounty! X2).
• Forgot password mechanism - root cause of the e-mail address disclosure identified (Bounty!)
• More was yet to come...
Fun part begins
• So how does this license renewal mechanism actually work?
User → renewal.example.com: This is my license number and I’m authenticated as Marcin, I want to renew my license.
  POST /license.aspx
  Host: renewal.example.com
  ID=123456
renewal.example.com → User: Here is your license number! AVX123ZSAJ1213124. I’m redirecting you to buy.example.com. And by the way, here you also have license numbers of other users, as this is clearly vulnerable to IDOR...
buy.example.com → User: Redirecting you to the payment page where you have info on subscription days left
What does confidential actually mean?
• So we have a huge number of license IDs – potentially all of them.
• Do not mix up license IDs with license keys.
• Who really knows if some data is confidential? What makes it confidential?
• License numbers allow you to get more info on the product type and the number of subscription days left
• Not really confidential data :(
• But...
Inter-application dependency kicks in!
• There is one more web application of the same vendor, which (surprise, surprise) allows you to renew licenses ☺
• So you are authenticated in the application, you provide your license ID and you are redirected to the very same payment page.
• But what happens when you are not authenticated?
User → renewal2.example.com:
  POST /license.aspx
  Host: renewal2.example.com
  LicenseID=AVX123ZSAJ1213124
renewal2.example.com → User: You need to authenticate. Let me redirect you to the login web page. I will provide the e-mail address associated with this LicenseID to speed up the authentication process.
• Insecure direct object reference leads to disclosure of the e-mail addresses of all customers (Bounty!)
We are not done yet.
• So we are redirected to the authentication web page and our e-mail is automatically submitted. How does it work?
renewal2.example.com → User: You need to authenticate. Let me redirect you to the SSO web page. I will provide the e-mail address associated with this LicenseID automatically.
User → renewal2.example.com:
  GET /redirect.aspx?email=ksl@test.com&otherparameters...
  Host: renewal2.example.com
renewal2.example.com → User: 302 – let me redirect you to sso.example.com?code=base64string (not decryptable)
sso.example.com → User: Login page with your email
We are not done yet.
• So we are redirected to the authentication web page and our e-mail is automatically submitted. How does it work?
renewal2.example.com → User: You need to authenticate. Let me redirect you to the SSO web page. I will provide the e-mail address associated with this LicenseID automatically.
User → renewal2.example.com:
  GET /redirect.aspx?email="><script>alert(1)</script>&otherparameters...
  Host: renewal2.example.com
renewal2.example.com → User: 302 – let me redirect you to sso.example.com?code=base64string (not decryptable)
sso.example.com → User: Login page with your email.
XSS in the e-mail field! Reflected XSS on the login page (Bounty!)
Summing up
• 3 reflected Cross-Site Scriptings on critical subdomains
• One IDOR vulnerability leading to complete disclosure of the customer database (e-mails)
• Incorrectly set indexing protection leading to disclosure of user e-mails in Google
5 bounties for 5 vulnerabilities identified only by downloading a single desktop application
Identified XSSes were exploitable with a basic XSS payload - <script>alert(1)</script>
4 out of 5 were well-known vulnerabilities - listed in the last 3 editions of OWASP TOP 10...
Case #2 - Single-sign on, multiple XSSes
• Major web page
• Set of web applications used for different purposes (subscriptions, estore, auctions, etc.)
• Payouts were offered only for high/critical vulnerabilities (SQLi, RCE, Persistent XSS)
• WAF in place for certain subdomains
That tricky registration mechanism
• A number of applications in the scope of the program allowed creating an account
• An account created in any of these web apps was valid for all the other applications in scope
• The user’s e-mail address was published in each of these web applications – in most cases it was encoded
• A filtering mechanism existed during registration; the e-mail address needs to be provided in a valid format
• But what actually is a valid format for e-mail addresses?
What actually is a valid e-mail format?
• The e-mail address format is defined in RFC 5321 and RFC 5322
• Better explained in Wikipedia
• This makes the "<script>alert(1)</script>"@gmail.com address completely fine from the RFC perspective
• Most web pages do not allow you to register with these addresses.... But some do ☺
Let the persistent XSSes begin!
• One of the web pages in scope allowed you to register with the "<script>alert(1)</script>"@gmail.com address; however, it encoded malicious characters properly
• Some other web page in scope did not allow funny e-mail addresses, but the output encoding mechanism was not there
• Remember that tricky registration mechanism?
???
• Most likely the only impacted person would be the account owner...
• ... but you never know - Persistent XSS in the Profile Overview section (Bounty!) ☺
PROFIT!!!
Moar XSSes!!!
• It seems that certain well-known applications which are often integrated with web pages also allow the use of „quoted” e-mail addresses
• The application in scope supported PayPal payments
• And PayPal supported „quoted” e-mail addresses ☺
User → store.example.com: Let me purchase that item
store.example.com → User: How do you want to pay?
User → store.example.com: PayPal. And here is my PayPal account, which is "<script>alert(1)</script>"@gmail.com
store.example.com → User: OK, the mail address seems valid, I’m redirecting you to the PayPal web page
Moar XSSes!!!
paypal.com → User: I can see that you are "<script>alert(1)</script>"@gmail.com and you are coming from store.example.com. Authenticate yourself to pay with PayPal.
User → paypal.com: Changed my mind, I’m cancelling the payment.
paypal.com → User: No worries, let me redirect you back to store.example.com
No one expected the scope change!
• store.example.com has a full list of successful/unsuccessful transactions with details about success/failure
• The PayPal e-mail address used during the transaction is presented in the transaction details and is not encoded
???
• Bug Bounty programme rules changed in the meantime (probably after I got paid for the 1st XSS)
• Persistent XSSes which have no clear impact on other users were excluded from the program scope
NO PROFIT!!!
Case #2 – Summary
• 2 persistent XSSes identified and 1 bounty received for a simple vulnerability
• Excellent example of why input filtering might not be enough to secure your web application
• It also seems that this company does not rely on pre-approved code snippets for e-mail verification, as the mechanism worked differently between applications
• Update [May 2019] – 3 persistent XSSes in the e-mail address identified on 3 well-known web pages for travelers – total bounty 2130 $
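The input-filtering-versus-output-encoding point from Case #2, as an added Python example that is not part of the talk: a validator that accepts RFC-style quoted local-parts (so "<script>alert(1)</script>"@gmail.com passes the syntax check), an assumed stricter registration policy, and the rendering step that encodes the address regardless of what registration let through. The function names, the allow_quoted policy flag and the HTML fragment are assumptions.

```python
"""Added example, not code from the talk: RFC 5321/5322-style e-mail
validation that accepts quoted local-parts, next to the rendering step
that must encode the value no matter what registration accepted.
Function names and the registration policy are assumptions."""
import html
import re

# Simplified RFC 5322 grammar: dot-atom or quoted-string local-part, dotted domain.
# The quoted form allows any printable character except an unescaped '"' or '\'.
_DOT_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+(?:\.[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+)*"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_EMAIL_RE = re.compile(rf"^(?:{_DOT_ATOM}|{_QUOTED})@{_LABEL}(?:\.{_LABEL})+$")


def is_rfc_valid_email(addr: str) -> bool:
    """Syntactic check only: a quoted local-part full of HTML is still valid here."""
    return len(addr) <= 254 and _EMAIL_RE.fullmatch(addr) is not None


def has_quoted_local_part(addr: str) -> bool:
    """True when the local-part uses the quoted-string form."""
    return addr.startswith('"') and '"@' in addr


def accepts_registration(addr: str, allow_quoted: bool = False) -> bool:
    """Assumed registration policy: RFC-valid, and quoted local-parts only when
    explicitly allowed. This is the input-filtering layer; it is not what makes
    rendering safe, because another application may accept a looser format."""
    if not is_rfc_valid_email(addr):
        return False
    return allow_quoted or not has_quoted_local_part(addr)


def render_profile_unsafe(addr: str) -> str:
    """The pattern behind the bounty: a second application trusts that registration
    filtered the address and writes it into HTML without encoding."""
    return f"<p>Your e-mail: {addr}</p>"


def render_profile(addr: str) -> str:
    """Output encoding at the rendering layer, independent of what registration accepted."""
    return f"<p>Your e-mail: {html.escape(addr, quote=True)}</p>"


def contains_markup(rendered: str) -> bool:
    """Crude check: does the rendered fragment still carry a raw script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    payload = '"<script>alert(1)</script>"@gmail.com'  # constructed, as in the talk
    print(is_rfc_valid_email(payload), accepts_registration(payload))
    print(render_profile_unsafe(payload))
    print(render_profile(payload))
```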
Case #3 – E-mails, e-mails everywhere
• This is more a series of cases related to e-mail sending functionalities
• Web applications in scope? Pretty much everything – ecommerce, airlines, FMCG, cybersecurity
• Thing in common? All of them were sending e-mails from the application to the end user
Case #3.1 – Me, myself and I
Bob → ecommerce.com: I want to chat with Alan!
  POST
  Msg=Chat message:Hello World!
ecommerce.com → Alan (e-mail): Message from: Bob <gasr23basd1axne@ecommerce.com> – Hello World!
Alan → ecommerce.com (e-mail): Reply to: Bob <gasr23basd1axne@ecommerce.com> – Hello Bob!
Chat with Alan:
  Bob: Hello World!
  Alan: Hello Bob!
Just by knowing Bob’s temporary e-mail address I can spoof Alan’s messages.
Bob’s temporary e-mail address is not visible in the web browser, but it is visible in JSON responses...
I can negotiate prices and contract terms with myself; non-repudiation is affected
• Well-known international web page
• Couple of months without a vulnerability reported
Case #3.2 – Mail content spoofing
Harry → ebanking.com: I want to steal Bob’s password!
  POST /reset.php HTTP/1.1
  Host: evilebanking.com
  email=bob@test.pl
ebanking.com → Bob (e-mail): This is a password reset e-mail. To reset your password please access: https://evilebanking.com/newpassword?Token=H81nasj3as73jmd
Bob: Hey! That is an e-mail from my bank!
Bob → evilebanking.com: User: Bob, Password: Secret12#
Insecure HTTP headers
• This is not just about e-mails. Spoofing of text message (SMS) content via Host header modification was identified.
• It is not just about the Host header. Other cases of spoofing were identified (e.g. via the X-Forwarded-Host header or the X-Akamai-Original-Url header)
• Summing up, I reported these 5 times, but 3 times they were duplicates
• The fancier the header, the less chance it has already been reported by someone
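The Host-header reset-link problem from Case #3.2 and the header list above, as an added Python example that is not part of the talk: the vulnerable link construction beside one that uses a configured canonical origin, plus an allow-list check on Host and X-Forwarded-Host and a detector for the override headers the talk names. CANONICAL_ORIGIN, ALLOWED_HOSTS and the function names are assumptions; the request values are constructed from the Case #3.2 diagram.

```python
"""Added example, not code from the talk: build password-reset links from a
configured origin instead of request headers, and flag host-override headers
so the edge can drop or log them. Configuration values are assumptions."""
from urllib.parse import urlencode

# Assumed deployment configuration: where reset links must point and which
# Host values this application is willing to serve.
CANONICAL_ORIGIN = "https://ebanking.com"
ALLOWED_HOSTS = {"ebanking.com", "www.ebanking.com"}

# Headers the talk lists as spoofing vectors; an application should never
# derive absolute URLs from them unless its own edge proxy is known to set them.
HOST_OVERRIDE_HEADERS = ("X-Forwarded-Host", "X-Original-URL", "X-Akamai-Original-Url")


def _normalise(headers: dict) -> dict:
    """Case-insensitive header lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _hostname(value: str) -> str:
    """Strip an optional :port and lower-case (IPv6 literals not handled here)."""
    value = value.strip()
    return (value.rsplit(":", 1)[0] if ":" in value else value).lower()


def reset_link_from_headers(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link's host comes from whatever the client sent."""
    h = _normalise(headers)
    host = h.get("x-forwarded-host") or h.get("host")
    return f"https://{host}/newpassword?{urlencode({'Token': token})}"


def reset_link_from_config(token: str) -> str:
    """Hardened: the link never depends on request headers."""
    return f"{CANONICAL_ORIGIN}/newpassword?{urlencode({'Token': token})}"


def host_is_trusted(headers: dict) -> bool:
    """Reject requests whose Host, or any forwarded host, is outside ALLOWED_HOSTS.
    X-Forwarded-Host may carry a comma-separated chain; every entry must match."""
    h = _normalise(headers)
    if "host" not in h:
        return False
    candidates = [h["host"]] + h.get("x-forwarded-host", "").split(",")
    return all(_hostname(c) in ALLOWED_HOSTS for c in candidates if c.strip())


def override_headers_present(headers: dict) -> list:
    """Detection helper: which host-override headers did this request carry?"""
    present = {k.lower() for k in headers}
    return [name for name in HOST_OVERRIDE_HEADERS if name.lower() in present]


if __name__ == "__main__":
    # Constructed request, values as in the talk's Case #3.2 diagram.
    request = {"Host": "evilebanking.com", "X-Forwarded-Host": "evilebanking.com"}
    token = "H81nasj3as73jmd"
    print(reset_link_from_headers(request, token))  # attacker-chosen host
    print(reset_link_from_config(token))            # canonical host
    print(host_is_trusted(request), override_headers_present(request))
```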
Case #3.3 – Spidering does not work anymore
• Applications send multiple e-mails (newsletters, password reset, account activation, notifications)
• URLs (functionalities) which are embedded in these e-mails are often vulnerable to numerous attacks
• „Unsubscribe” functionality – vulnerable to reflected XSS (Bounty!)
• IDOR in the „Newsletter settings” functionality leads to unauthorized data modification (Duplicate)
• „Welcome” e-mail contains URLs with parameters never encountered before (Bounty!)
• Hyperlink included in an e-mail vulnerable to IDOR and ultimately leads to account takeover (Bounty!)
• Password reset e-mails contain URLs. The user e-mail address is sent in GET parameters. Google indexes these URLs and e-mail values (Bounty! X2)
Bug Bounty Hunter/Pentester – Quick wins
• Register an account in your application with "<script>alert(1)</script>"@gmail.com
• Go to the „My profile” section or equivalent
• PROFIT!!!

• Subscribe to all newsletters, notifications, promotions, gift cards.
• Create a new account, forget the password, restore the password, unsubscribe, delete the account.
• Check received e-mails for hyperlinks with fancy parameters. Look for XSSes, IDORs.
• PROFIT!!!

• Register an account
• Initiate a password reset request
• Substitute the Host header value with some other domain name.
• Add X-Forwarded-Host and X-Original-URL headers with some other domain name.
• Check received e-mails for spoofed hyperlinks
• PROFIT!!!
How to avoid these issues? - Basics
• During the testing process analyze all the application interfaces and non-standard ways of inputting data
• Make sure that your integration tests cover security aspects such as input validation
• Make sure to follow the defense-in-depth principle (e.g. by implementing both input filtering and output encoding whenever possible)
• Make sure that your TEST environment is as similar to the PROD environment as possible and that the scope of your security tests includes all of the system components and functionalities.
Pay special attention to:
• E-mail sending functionalities and e-mail messages
• Account creation and password reset process
• Authentication using 3rd party services (Google, Facebook, etc.)
How to avoid these issues? - Advanced
• Ensure that your security testing team:
  • understands the business processes supported by the application
  • is aware of all interfaces with the other applications and has sufficient support to perform security scenarios during integration tests
  • has a good understanding of the entire tested ecosystem
• Regularly perform Google dorking to identify any cases of unintentional public access to sensitive data or functions
• Analyze any cases of cross-system data dependencies which may lead to sensitive information being obtained by an unauthorized individual. Implement cross-system segregation of duties wherever possible.
More thoughts on that?
Q&A
Inter-application vulnerabilities – hunting for bugs in secure applications
@securityksl
Marcin Szydłowski

 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Alison B. Lowndes
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Product School
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsVlad Stirbu
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...Elena Simperl
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsPaul Groth
 

Recently uploaded (20)

FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА  «Ефективне планування тестування  ключові аспекти та практ...КАТЕРИНА АБЗЯТОВА  «Ефективне планування тестування  ключові аспекти та практ...
КАТЕРИНА АБЗЯТОВА «Ефективне планування тестування ключові аспекти та практ...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

"Inter- application vulnerabilities. hunting for bugs in secure applications" - Marcin Szydłowski

  • 1. Inter-application vulnerabilities hunting for bugs in secure applications CONFIDENCE 2019 @securityksl Marcin Szydłowski
  • 2. TABLE OF CONTENTS
    1. Introduction – Presentation background – why I’m even here?
    2. Inter-application vulnerabilities – So what actually are we going to talk about?
    3. Real life examples – Several examples of these inter-application vulnerabilities and their root causes.
    4. What can I do now!? – Where can I find these vulnerabilities or how can I avoid them?
    5. Q&A – In case you want to know something more
  • 3. #whoami
    • Marcin Szydlowski (@securityksl)
    • Worked as a cybersecurity consultant (pentests, red team, etc.)
    • Currently responsible for secure system deployment in a global company
    • Bug bounty hunter & member of Synack Red Team (rank 0x03)
    • Participated in programmes such as Hack the Pentagon, United Airlines and a number of private programmes via Synack and HackerOne
  • 4. Hunting for bugs in secure applications
    • Changed company, started to participate in Bug Bounty programmes regularly
    • Regularly does not mean full-time (nor part-time)
    • Dark side of bug bounty programmes exists
  • 5. Presentation background – problem statement How to find unique vulnerabilities in web applications of security-mature companies in a limited time?
  • 6. What does your pentest environment look like? (diagram: User –HTTPS→ test.example.com)
  • 7. What does the production environment look like? (diagram: User –HTTPS→ example.com; further components: mail.example.com, user.example.com, legacy.example.com)
  • 8. What does the production environment look like in 2019? (diagram: User –HTTPS→ caching server/LB/WAF –HTTPS→ example.com; further components: api.example.com, mail.example.com, user.example.com, legacy.example.com, other.example.com via OAuth, S3 bucket example.com)
  • 9. Who covers the delta?
    „Integration with other systems will be performed once we know our application is secure”
    „Other components have already been tested by other independent companies”
    „Test environment is isolated from the Internet for security reasons”
    „XYZ functionality is out of scope as it is not ready yet”
    „E-mail sending is disabled not to flood our helpdesk with e-mails”
    „Only ZYX functionalities are in scope”
    Integration testing to the rescue?
  • 10. What is in scope of integration testing? Integration testing (sometimes called integration and testing, abbreviated I&T) is the phase in software testing in which individual software modules are combined and tested as a group. Integration testing is conducted to evaluate the compliance of a system or component with specified functional requirements.
  • 11. Integration testing presented on a Venn diagram (sets: People who understand system A; People who understand system B; Pentesters (security people); People involved in integration testing)
  • 12. Integration testing – reality kicks in (same Venn diagram sets: People who understand system A; People who understand system B; Pentesters (security people); People involved in integration testing)
  • 13. Am I exploiting the technology or the process?
    • Web application security testing covers only specific components of the system as it is often performed on an isolated or not fully developed environment
    • Pentesters often do not understand the business process behind the application
    • Various applications (system components) are tested by various teams (or even companies)
    • Responsibility for integration testing is often blurred
    • Security is not the first priority of integration testing
    ??? PROFIT!!!
    Acceptance rate - 44%. 27 unique vulnerabilities reported in 11 months. Probably testing for less than 5 hours/week on average.
  • 14. Inter-application vulnerabilities – the definition Vulnerabilities, which require playing with at least two different systems (or system components) to be exploited successfully.
  • 15. Case #1 - Story of a desktop application
    • Major international company
    • Set of web applications in scope
    • No vulnerabilities identified in the last couple of months
    • Google recon identified that users’ e-mail addresses are disclosed via Google searches as they are transmitted in a GET parameter
    • It was not possible to identify that particular endpoint during application walkthrough
    Some other application component must exist
  • 16. Money for nothing and XSSes for free
    • Desktop application of that vendor publicly available for download after registration
    • Most of the functionalities did not result in any requests being sent to the web server, but...
    • License renewal and forgot password functionalities resulted in HTTP requests with parameters never encountered before.
    • Two XSSes with <script>alert(1)</script> payload right away (Bounty! X2).
    • Forgot password mechanism - root cause of e-mail address disclosure identified (Bounty!)
    • More was yet to come...
  • 17. Fun part begins
    • So how does this license renewal mechanism actually work?
    User → renewal.example.com: „This is my license number and I’m authenticated as Marcin. I want to renew my license.” (POST /license.aspx, Host: renewal.example.com, ID=123456)
    renewal.example.com → User: „Here is your license number! AVX123ZSAJ1213124. I’m redirecting you to buy.example.com. And by the way, here you also have license numbers of other users, as this is clearly vulnerable to IDOR...”
    buy.example.com → User: „Redirecting you to the payment page, where you have info on subscription days left.”
  • 18. What does confidential actually mean?
    • So we have a huge number of license IDs – potentially all of them.
    • Do not mix license IDs with license keys.
    • Who really knows if some data is confidential? What makes it confidential?
    • License numbers allow you to get more info on product type and number of subscription days left
    • Not really confidential data :(
    • But...
  • 19. Inter-application dependency kicks in!
    • There is one more web application of the same vendor, which allows (surprise, surprise) to renew licenses ☺
    • So you are authenticated in the application, you provide your license ID and you are redirected to the very same payment page.
    • But what happens when you are not authenticated?
    User → renewal2.example.com: POST /license.aspx, Host: renewal2.example.com, LicenseID=AVX123ZSAJ1213124
    renewal2.example.com → User: „You need to authenticate. Let me redirect you to the login web page. I will provide the e-mail address associated with this LicenseID to speed up the authentication process.”
    • Insecure direct object reference leads to disclosure of e-mail addresses of all customers (Bounty!)
  • 20. We are not done yet.
    • So we are redirected to the authentication web page and our e-mail is automatically submitted. How does it work?
    renewal2.example.com → User: „You need to authenticate. Let me redirect you to the SSO web page. I will provide the e-mail address associated with this LicenseID automatically.”
    User → renewal2.example.com: GET /redirect.aspx?email=ksl@test.com&otherparameters... Host: renewal2.example.com
    renewal2.example.com → User: 302 – let me redirect you to sso.example.com?code=base64string (not decryptable)
    sso.example.com → User: Login page with your e-mail
  • 21. We are not done yet.
    • So we are redirected to the authentication web page and our e-mail is automatically submitted. How does it work?
    renewal2.example.com → User: „You need to authenticate. Let me redirect you to the SSO web page. I will provide the e-mail address associated with this LicenseID automatically.”
    User → renewal2.example.com: GET /redirect.aspx?email=”><script>alert(1)</script>&otherparameters... Host: renewal2.example.com
    renewal2.example.com → User: 302 – let me redirect you to sso.example.com?code=base64string (not decryptable)
    sso.example.com → User: Login page with your e-mail. XSS in e-mail field!
    • Reflected XSS on login page (Bounty!)
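Added example for slides 17 to 21 (not code from the presentation or from the vendor described): the chain was an object lookup without an ownership check on renewal.example.com, followed by an unauthenticated license-to-e-mail resolution on renewal2.example.com that placed the address in a redirect URL, where it was also reflected unencoded on the SSO login page. The code below models the fixed flow with three hypothetical functions over constructed sample data: the lookup releases a record only to the session that owns it and answers "not found" otherwise, the anonymous redirect carries nothing the caller did not already send, and the e-mail used to prefill the login form comes from the server-side record after authentication instead of from a query parameter. All names, hosts and data are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import quote


@dataclass(frozen=True)
class License:
    license_id: int
    license_number: str
    owner_email: str
    subscription_days_left: int


# Constructed sample data; a real system reads these from a database.
LICENSES = {
    123456: License(123456, "AVX123ZSAJ1213124", "marcin@example.test", 120),
    123457: License(123457, "QWE456RTY0000001", "other.customer@example.test", 30),
}
# Constructed session store: session id -> e-mail of the logged-in user.
SESSIONS = {"sess-marcin": "marcin@example.test"}


def renewal_lookup(session_id: str, license_id: int) -> Optional[str]:
    """renewal.example.com step: return the license number for a license ID.

    Slide 17's version returned it for any ID (IDOR). Here the record is
    released only when the logged-in user owns it. None covers both "does
    not exist" and "not yours", so the HTTP layer maps both to one generic
    404 and the endpoint cannot be used as an oracle for valid IDs.
    """
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    lic = LICENSES.get(license_id)
    if lic is None or lic.owner_email != user:
        return None
    return lic.license_number


def anonymous_redirect(license_number: str) -> str:
    """renewal2.example.com step for an unauthenticated caller.

    Slide 19's version resolved license number -> e-mail before login and
    put the address into the redirect. Here no lookup happens before
    authentication; the redirect only carries the value the caller sent,
    URL-encoded, so nothing about other customers can leak through it.
    """
    return "https://sso.example.com/login?next=" + quote(
        "/license.aspx?LicenseID=" + license_number, safe="")


def email_for_license(session_id: str, license_number: str) -> Optional[str]:
    """After login: the e-mail to prefill, read from the owned record.

    Because the value comes from the server-side store and not from a
    request parameter, the login page has nothing attacker-controlled to
    reflect (slide 21); it must still be HTML-encoded when rendered.
    """
    user = SESSIONS.get(session_id)
    if user is None:
        return None
    for lic in LICENSES.values():
        if lic.license_number == license_number and lic.owner_email == user:
            return lic.owner_email
    return None
```

The check to take from this is the one the slides show missing twice: every lookup keyed by a client-supplied identifier compares the record's owner with the authenticated principal before returning anything, and the anonymous path does no lookup at all.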
  • 22. Summing up
    • 3 Reflected Cross-Site Scriptings on critical subdomains
    • One IDOR vulnerability leading to complete disclosure of customer database (e-mails)
    • Incorrectly set indexing protection leading to disclosure of user e-mails in Google
    5 bounties for 5 vulnerabilities identified only by downloading a single desktop application. Identified XSSes were exploitable with basic XSS payload - <script>alert(1)</script>. 4 out of 5 were well-known vulnerabilities - listed in last 3 editions of OWASP TOP 10...
  • 23. Case #2 - Single-sign on, multiple XSSes
    • Major web page
    • Set of web applications used for different purposes (subscriptions, estore, auctions, etc.)
    • Payouts were offered only for high/critical vulnerabilities (SQLi, RCE, Persistent XSS)
    • WAF in place for certain subdomains
  • 24. That tricky registration mechanism
    • A number of applications in scope of the programme allowed to create an account in the application
    • An account created in any of these web apps was valid for all the other applications in scope
    • User e-mail address was published in each of these web applications – in most cases it was encoded
    • A filtering mechanism existed during registration; the e-mail address needed to be provided in a valid format
    • But what actually is a valid format for e-mail addresses?
  • 25. What actually is a valid e-mail format?
    • E-mail address format is defined in RFC 5321 and RFC 5322
    • Better explained in Wikipedia
    • This makes the ”<script>alert(1)</script>”@gmail.com address completely fine from the RFC perspective
    • Most of the web pages do not allow you to register yourself with these addresses.... But some do ☺
  • 26. Let the persistent XSSes begin!
    • One of these web pages in scope allowed you to register yourself with the ”<script>alert(1)</script>”@gmail.com address, however it encoded malicious characters properly
    • However, some other web page in scope did not allow funny e-mail addresses, but the output encoding mechanism was not there
    • Remember that tricky registration mechanism? ???
    • Most likely the only impacted person would be the account owner...
    • ... but you never know - Persistent XSS in Profile Overview section (Bounty!) ☺ PROFIT!!!
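Added example for slides 25 and 26 (not code from the presentation): the point of Case #2 is that an address such as ”<script>alert(1)</script>”@gmail.com passes a correct RFC 5322 syntax check, so a registration filter in one application is no protection for the profile page of another application that shares the account. The validator below implements a simplified addr-spec grammar (dot-atom or quoted-string local part, dot-atom domain; domain literals and comments are left out), and the two render functions show the profile row with and without output encoding. The grammar simplification, the function names and the sample addresses are assumptions for this example.

```python
import html
import re

# Constructed sample address; the quoted form is the one the slides use.
PAYLOAD_ADDRESS = '"<script>alert(1)</script>"@gmail.com'

# Simplified RFC 5322 addr-spec. atext is the set of characters allowed in
# an unquoted local part; qtext is printable ASCII except '"' and '\'.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_DOT_ATOM = rf"{_ATEXT}(?:\.{_ATEXT})*"
_QTEXT = r"[\x21\x23-\x5b\x5d-\x7e]"
_QUOTED_PAIR = r"\\[\x20-\x7e]"
_QUOTED_STRING = rf'"(?:{_QTEXT}|{_QUOTED_PAIR}|[ \t])*"'
_ADDR_SPEC = re.compile(rf"(?:{_DOT_ATOM}|{_QUOTED_STRING})@{_DOT_ATOM}")


def is_rfc5322_addr_spec(address: str) -> bool:
    """True when the address is syntactically valid under the grammar above.

    A quoted local part may contain '<', '>', '(', ')' and '/', so an HTML
    fragment wrapped in double quotes is a well-formed address. Syntax
    validation therefore says nothing about whether the value is safe to
    concatenate into HTML; that is a separate, output-side decision.
    """
    if len(address) > 254:  # practical upper bound for a deliverable address
        return False
    return _ADDR_SPEC.fullmatch(address) is not None


def render_profile_row(email: str) -> str:
    """Profile-page fragment with the address encoded for an HTML text
    context at the moment it is written into the page (the defence that the
    second application on slide 26 was missing)."""
    return '<td class="email">' + html.escape(email, quote=True) + "</td>"


def render_profile_row_unsafe(email: str) -> str:
    """The pattern behind the persistent XSS: the stored value is trusted
    because 'registration validated it' and is concatenated as-is."""
    return '<td class="email">' + email + "</td>"
```

Run `is_rfc5322_addr_spec(PAYLOAD_ADDRESS)` and it returns True, which is exactly why the registration filter of the first application was not the control that mattered: only the application that renders the value can know the output context, so encoding at output time has to exist independently of whatever validation happened at input time in some other system.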
  • 27. Moar XSSes!!!
    • Seems that certain well-known applications which are often integrated with web pages also allow the use of „quoted” e-mail addresses
    • Application in scope supported PayPal payments
    • And PayPal supported „quoted” e-mail addresses ☺
    User → store.example.com: „Let me purchase that item.”
    store.example.com → User: „How do you want to pay?”
    User → store.example.com: „PayPal. And here is my PayPal account, which is ”<script>alert(1)</script>”@gmail.com”
    store.example.com → User: „OK, mail address seems valid, I’m redirecting you to the PayPal web page.”
  • 28. Moar XSSes!!!
    paypal.com → User: „I can see that you are ”<script>alert(1)</script>”@gmail.com and you are coming from store.example.com. Authenticate yourself to pay with PayPal.”
    User → paypal.com: „Changed my mind, I’m cancelling the payment.”
    paypal.com → User: „No worries, let me redirect you back to store.example.com.”
  • 29. No one expected the scope change!
    • store.example.com has a full list of successful/unsuccessful transactions with details about success/failure
    • PayPal e-mail address used during the transaction is presented in transaction details and is not encoded ???
    • Bug Bounty programme rules changed in the meantime (probably after I got paid for the 1st XSS)
    • Persistent XSSes which have no clear impact on other users were excluded from the programme scope :( NO PROFIT!!!
  • 30. Case #2 – Summary
    • 2 persistent XSSes identified and 1 bounty received for a simple vulnerability
    • Excellent example of why input filtering might not be enough to secure your web application
    • It also seems that this company does not rely on pre-approved code snippets for e-mail verification, as the mechanism worked differently between applications
    • Update [May 2019] – 3 persistent XSSes in e-mail address identified on 3 well-known web pages for travelers – total bounty 2130 $
  • 31. Case #3 – E-mails, e-mails everywhere
    • This is more a series of cases related to e-mail sending functionalities
    • Web applications in scope? Pretty much everything – ecommerce, airlines, FMCG, cybersecurity
    • Thing in common? All of them were sending e-mails from the application to the end user
  • 32. Case #3.1 – Me, myself and I
    • Well-known international web page
    • Couple of months without vulnerability reported
    Bob → ecommerce.com: „I want to chat with Alan!” (POST Msg=Chat message: Hello World!)
    ecommerce.com → Alan (e-mail): Message from: Bob <gasr23basd1axne@ecommerce.com> – Hello World!
    Alan → ecommerce.com (e-mail reply to: Bob <gasr23basd1axne@ecommerce.com>): Hello Bob!
    Chat with Alan, as shown in the application: Bob: Hello World! Alan: Hello Bob!
    Just by knowing Bob’s temporary e-mail address I can spoof Alan’s messages. Bob’s temporary e-mail address is not visible in the web browser, but it is visible in JSON responses... I can negotiate prices and contract terms with myself; non-repudiation is being affected.
  • 33. Case #3.2 – Mail content spoofing
    Harry → ebanking.com: „I want to steal Bob’s password!” (POST /reset.php HTTP/1.1, Host: evilebanking.com, email=bob@test.pl)
    ebanking.com → Bob (e-mail): „This is a password reset e-mail. To reset your password please access: https://evilebanking.com/newpassword?Token=H81nasj3as73jmd”
    Bob: „Hey! That is an e-mail from my bank!”
    Bob → evilebanking.com: User: Bob, Password: Secret12#
  • 34. Insecure HTTP headers
    • This is not just about e-mails. Spoofing text message (SMS) content via Host header modification was identified.
    • It is not just about the Host header. Other cases of spoofing were identified (e.g. X-Forwarded-Host header, or X-Akamai-Original-Url header)
    • Summing up, I reported these 5 times, but 3 times they were duplicates
    • The fancier the header, the less chance it has already been reported by someone
  • 35. Case #3.3 – Spidering does not work anymore
    • Applications send multiple e-mails (newsletters, password reset, account activation, notifications)
    • URLs (functionalities) which are embedded in these e-mails are often vulnerable to numerous attacks
    • „Unsubscribe” functionality – vulnerable to reflected XSS (Bounty!)
    • IDOR in „Newsletter settings” functionality leads to unauthorized data modification (Duplicate)
    • „Welcome” e-mail contains URLs with parameters never encountered before (Bounty!)
    • Hyperlink included in e-mail vulnerable to IDOR and ultimately leads to account takeover (Bounty!)
    • Password reset e-mails contain URLs. User e-mail address is sent in GET parameters. Google indexes these URLs and e-mail values (Bounty! X2)
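Added example for slides 33 to 35 (not code from the presentation or from any of the programmes mentioned): the three e-mail findings share one builder, the code that turns a request into a hyperlink inside an outgoing message. The spoofing on slides 33 and 34 comes from taking the link's host from Host, X-Forwarded-Host or a similar header; the indexing and IDOR findings on slide 35 come from putting the recipient's e-mail address or account ID into the query string. The code below shows that builder as the slides describe it next to a hardened version that reads the public origin from configuration and carries only an HMAC-signed, expiring token bound to one action and one recipient. CANONICAL_ORIGIN, SIGNING_KEY (a placeholder, not a real secret), the 15-minute lifetime and all function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration. The public origin is deployment configuration
# and is never derived from request headers.
CANONICAL_ORIGIN = "https://ebanking.example"
# Placeholder key for the example; in practice load it from a secret store.
SIGNING_KEY = b"placeholder-32-byte-random-secret-value"
TOKEN_TTL_SECONDS = 15 * 60


def reset_link_vulnerable(headers: dict, email: str, token: str) -> str:
    """The pattern behind slides 33 to 35, kept only as the 'before':
    the host comes from a request header an anonymous caller controls, and
    the recipient's address rides along in the query string."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host")
    return f"https://{host}/newpassword?email={email}&Token={token}"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_action_token(action: str, email: str, now: Optional[float] = None) -> str:
    """Opaque token: JSON claims (action, recipient, expiry) + HMAC-SHA256.

    Binding the action stops a token from one link (e.g. unsubscribe) being
    replayed against another endpoint; binding the recipient removes the
    need for any user identifier in the URL, which is what the IDORs on
    slide 35 exploited.
    """
    issued = now if now is not None else time.time()
    claims = {"a": action, "e": email, "x": int(issued + TOKEN_TTL_SECONDS)}
    body = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return _b64url(body) + "." + _b64url(sig)


def verify_action_token(token: str, action: str, now: Optional[float] = None) -> Optional[str]:
    """Return the recipient the token was issued for, or None if the token
    is malformed, forged, meant for another action, or expired."""
    try:
        body_part, sig_part = token.split(".", 1)
        body = _b64url_decode(body_part)
        sig = _b64url_decode(sig_part)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(body)
    current = now if now is not None else time.time()
    if claims.get("a") != action or claims.get("x", 0) < current:
        return None
    return claims.get("e")


def build_email_link(action: str, path: str, email: str, now: Optional[float] = None) -> str:
    """Hardened builder: no request headers are consulted, the host is the
    configured origin, and the only parameter is the signed token."""
    return f"{CANONICAL_ORIGIN}{path}?Token={make_action_token(action, email, now)}"
```

Two notes on use. First, a password reset still needs the token to be single-use, which means recording it (or a hash of it) server-side and invalidating it on first use; the signature and expiry alone only bound how long a leaked link stays valid. Second, because the hardened link never contains the address, the "Google indexes these URLs and e-mail values" finding on slide 35 cannot recur through this path even if the page behind it is indexed.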
  • 36. Bug Bounty Hunter/Pentester – Quick wins
    • Register an account in your application with ”<script>alert(1)</script>”@gmail.com
    • Go to „My profile” section or equivalent
    • PROFIT!!!
    • Subscribe to all newsletters, notifications, promotions, gift cards.
    • Create new account, forget password, restore password, unsubscribe, delete account.
    • Check received e-mails for hyperlinks with fancy parameters. Look for XSSes, IDORs.
    • PROFIT!!!
    • Register an account
    • Initiate password reset request
    • Substitute Host header value with some other domain name.
    • Add X-Forwarded-Host and X-Original-URL headers with some other domain name.
    • Check received e-mails for spoofed hyperlinks
    • PROFIT!!!
  • 37. How to avoid these issues? - Basics
    • During the testing process analyze all the application interfaces and non-standard ways of inputting data
    • Make sure that your integration tests cover security aspects such as input validation
    • Make sure to follow the defense-in-depth principle (e.g. by implementing both input filtering and output encoding whenever possible)
    • Make sure that your TEST environment is as similar to the PROD environment as possible and that the scope of your security tests includes all of the system components and functionalities. Pay special attention to:
      • E-mail sending functionalities and e-mail messages
      • Account creation and password reset process
      • Authentication using 3rd party services (Google, Facebook, etc.)
  • 38. How to avoid these issues? - Advanced
    • Ensure that your security testing team:
      • understands the business processes supported by the application
      • is aware of all interfaces with the other applications and has sufficient support to perform security scenarios during integration tests
      • has a good understanding of the entire tested ecosystem
    • Regularly perform Google dorking to identify any cases of unintentional public access to sensitive data or functions
    • Analyze any cases of cross-system data dependencies which may lead to obtaining sensitive information by an unauthorized individual. Implement cross-system segregation of duties wherever possible.
  • 40. Q&A Inter-application vulnerabilities hunting for bugs in secure applications @securityksl Marcin Szydlowski