SlideShare a Scribd company logo

The-Power-Of-Recon (1)-poerfulo.pptx.pdf

N
nezidsilva

the power of recon

Technology
1 of 46
Download to read offline
THE POWER OF RECON OrwaGodfahter
ABOUT ME • Orwa Atyat (OrwaGodfather) from Jordan • Full time bug hunter (Starting bug bounty 2020) • Bugcrowd P1 Warrior Rank: Top 3 • 500+ critical/high bug submitted • HOF: Meta / Google / Microsoft / Apple • Hack CupWinner 2022/2023 & Team Captain • 10+ 0Days/CVEs
Microsoft IIS Testing Response Manipulation Methods &Tips
IIS Microsoft IIS tilde directory enumeration this vulnerability allow to detect short names of files and directories in IIS app by using some vectors in several versions of Microsoft IIS. as an attacker can find important files and folders that they are not normally visible. Next parts in IIS Discovering , Tools , Wordlist for fuzzing , Testing , Tips Last part in IIS Example for critical bugs….. screenshot screenshot screenshot screenshot screenshot
IIS Discovering 1) Nuclei Template nuclei-templates/fuzzing/iis-shortname.yaml https://github.com/projectdiscovery/nucleitemplates/blob/d6636f9169920d3ccefc692bc1a6136e2deb9205/fuzzing/iis-shortname.yaml 2) Wappalyzer extenstion screenshot screenshot screenshot screenshot screenshot
IIS Discovering 3) Shodan 🡺 http.title:"IIS" Company dork Ssl:"Bsides Ahmedabad Inc." http.title:"IIS" Host dork Ssl.cert.subject.CN:"bsidesahmedabad.in" http.title:"IIS" screenshot screenshot screenshot screenshot screenshot
IIS Tools For Testing 1) IIS Tilde Enumeration (Burp Extension) 2) Shortscan tool Github [to detect short names of files and directories] 3) JetBrains dotPeek [to analyze files such as dll file and export the source of that file] 4) visual studio code [for read/review the code/source]
IIS 5) ffuf Web directory brute forcer Wordlist https://github.com/orwagodfather/WordList/blob/main/iis.txt Its can be used on vulnerable and normal IIS app Its can be used on other web apps
IIS Testing Sortscan basic usage $ shortscan https://url/ Burp Extension IIS Tilde Enumeration Copy the target url and scan **NOTE** any valid dir endpoint such as 403,401,301,200 etc… scan that endpoint again , not just the url
IIS Testing example $ shortscan https://bsidesahmedabad.in/ $ shortscan https://bsidesahmedabad.in/admin/ $ shortscan https://bsidesahmedabad.in/test/ FFUF fuzzing $ ffuf -w iis.txt -u https://bsidesahmedabad.in/FUZZ $ ffuf -w iis.txt -u https://bsidesahmedabad.in/shortnameFUZZ Shortname-FUZZ / shortname_FUZZ
IIS
IIS
IIS
IIS Tips to complete the shortname and get a valid Dir/file https://IIS/ [+] Identified directories: 1 |_ DS_STO~1 Identified files: 1 |_ DESKTOP~1.ZIP 1) FFUF $ ffuf -w iis.txt -u https://IIS/ds_stoFUZZ $ ffuf -w iis.txt -u https://IIS/desktopFUZZ.zip $ ffuf -w iis.txt -u https://IIS/desktop-FUZZ.zip $ ffuf -w iis.txt -u https://IIS/desktop_FUZZ.zip $ ffuf -w iis.txt -u https://IIS/desktop%20FUZZ.zip
IIS Tips to complete the shortname and get a valid Dir/file 2) Github dorking Path:/ds_sto
IIS Tips to complete the shortname and get a valid Dir/file 3) Chat AI
IIS Tips to complete the shortname and get a valid Dir/file 4) Intruder (numbers 0-100000)/Etc….
IIS Dir: QBTEST~1 🡺 after fuzzing I found a valid endpoint redirect to test login QBTESTicare
IIS Example for critical bugs… 1 full source backup |_ admin~1.ZIP 🡺 with previous tips found admin_backup.zip what i got ??? * credentials in source file * machine key * valid unauth upload endpoint 🡺 uploaded a shell to RCE
IIS Example for critical bugs… 3) DLL file 🡺 export source 🡺 Access to AWS credentials File: UTILIT~1.DLL 🡺 UTILITies.dll 🡺 send it to JetBrains dotPeek exported the project 🡺 start code review
IIS and there's a more and more and more..... references https://learn.microsoft.com/en-us/previous-versions/aspnet/2wawkw1c(v=vs.100) https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret https://github.com/bitquark/shortscan https://twitter.com/ctbbpodcast/status/1688607912434819073 https://www.youtube.com/watch?v=HrJW6Y9kHC4 https://www.youtube.com/watch?v=cqM-MdPkaWo https://www.youtube.com/watch?v=HU89u0rQXf4
RESPONSE MANIPULATION Authentication Bypass Permissions: Edit , ADD , Del etc.. Prices & Currency
RESPONSE MANIPULATION
RESPONSE MANIPULATION
RESPONSE MANIPULATION Authentication Bypass examples… • Standard login 🡺 302 login page redirection with large Content-Length • Bypassed authentication using Burp Suite Match And Replace. • Tip: If the response is 302 with a big Content-Length try to bypass it • Login page response • HTTP/1.1 302 Found • Location: ../login/?redirect=//location/?5 • Replacement content • Deleted header Location: ../login/?redirect=//location/?5 • HTTP/1.1 200 OK • Match And Replace type: response header match : HTTP/1.1 302 Found replace: HTTP/1.1 200 ok • Match And Replace type: response header match : Location: ../login/?redirect=//location/?5 replace:
RESPONSE MANIPULATION Authentication Bypass examples… Request POST /Account/Login HTTP/1.1 Host: XXXX {"username":"bsides","password":"orwaBsides"} Tip: 1 replace [400 bad request] to [200 ok] 2 replace [false] to [true] its can be done via match and replace Response HTTP/1.1 400 Bad Request Connection: close Content-Type: xxxxx Server: xxxxx false
RESPONSE MANIPULATION Authentication Bypass examples… Create account in the employee login panel • Replaced the registration value • Created an employee account and retrieved login panel privileges Response {"registration ":false,"Etc……… Replaced contents {"registration ":true,"Etc………
RESPONSE MANIPULATION Permissions examples… Normal Response "login_permission":user," "Admin":false, " {"permissions":["can_read"]} {"status":"0"} {"status":"failure"} Replaced Response "login_permission":admin," "Admin":true, " {"permissions":["can_read","can_write"]} {"status":"1"} {"status":"success"}
RESPONSE MANIPULATION Prices & Currency examples… Normal Response "code":"USD,","baseAmount":99.10," Replaced Responses "code":"USD,","baseAmount":10.99,“ "code":"USD,","baseAmount":0.99," "code":"USD,","baseAmount":9.10," "code":"INR,","baseAmount":99.10,“ "code":“EUR,","baseAmount":99.10,"
METHODS &TIPS 1) Bypass waf using origin IP via match & replace in burp 2) My method about get more sub domains via amass 3) My method about discovering more domains & 3rd party’s & endpoints
METHODS &TIPS 1) Bypass waf using origin IP via match & replace in burp best resources to find origin IPs • shodan.io 🡺 Ssl.cert.subject.CN:"domain/subdomain" • en.fofa.info 🡺 normal search for domain/subdomain • search.censys.io 🡺 normal search for domain/subdomain • securitytrails.com 🡺 normal search for domain/subdomain
METHODS &TIPS any ip can be use as origin IP for this tip as example [400 bad request IP] Example for Origin IP from shodan Ssl.cert.subject.CN:"godfather.orwa.com" godfather.orwa.com 🡺 200 /Waf 127.0.0.1 🡺 400 bad request ===>
METHODS &TIPS Match & Replace Type: Request header Match: Origin IP Replace:Waf host Now when you visit the origin IP 🡺 https://ip/ the response 200 you will have access to host app without waf
METHODS &TIPS
METHODS &TIPS 2) My method about get more sub domains via amass * Add API Keys / Credentials to amass config file /home/.config/amass/ * 2 steps to run amass …. Step 1 amass enum -passive -norecursive -noalts -d bsidesahmedabad.in -o sudomins.txt Step 2 amass enum -passive -norecursive -noalts -df sudomins.txt -o more-subdomains.txt testing on Ex appcheck 🡺 normal 230 sub 🡺 step 1 259 sub 🡺 step 2 326 sub
METHODS &TIPS 3) My method about discovering more domains & 3rd party’s & endpoints •Urlscan.io/search Ex. bsidesahmedabad.in keywords bsidesahmedabad.* / bsidesahmedabad-* Remove duplicate results Ex. [bsides.* -bsidesahmedabad.in] Ex. [bsidesahmedabad.* -bsidesahmedabad.in] Ex. [bsidesahmedabad.in -www.bsidesahmedabad.in -help.bsidesahmedabad.in]
METHODS &TIPS EX:
METHODS &TIPS • bing & google dorking keywords site:domain.com Remove duplicate results -site:duplicate.domain.com Ex. site:bsidesahmedabad.in -site:supprot.bsidesahmedabad.in
METHODS &TIPS EX:
METHODS &TIPS • Mixing Fofa & Shodan search engines Getting Favicon hash from fofa
METHODS &TIPS
METHODS &TIPS Favicon hash form fofa it can be used on shodan via dork http.favicon.hash:xxxxxxxxxx
METHODS &TIPS Favicon hash help customers to locate the spam/fake/phishing hosts…. References for more tips for dorking in sohdan and for finding more endpoints The Power Of Shodan https://www.youtube.com/watch?v=WgMGLlpznao
METHODS &TIPS • Endpoints Tool (Waymore) https://github.com/xnl-h4ck3r/waymore • Wayback Machine (web.archive.org) • Common Crawl (index.commoncrawl.org) • AlienVault OTX (otx.alienvault.com) • URLScan (urlscan.io)
METHODS &TIPS • checking endpoints manually is more useful EX: host.com/xxx/xxxx/xxx.zi [.zip] host.com/xxx/xxxx/xxx.p [php/pdf] host.com/xxx/xxxx/xxx.ex [exe]
THANK YOU https://twitter.com/godfatherorwa https://bugcrowd.com/orwagodfather https://hackerone.com/mr-hakhak

Recommended

Recon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfRecon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfnull - The Open Security Community
 
[GitOps] Argo CD on GKE (v0.9.2).pdf
[GitOps] Argo CD on GKE (v0.9.2).pdf[GitOps] Argo CD on GKE (v0.9.2).pdf
[GitOps] Argo CD on GKE (v0.9.2).pdfJo Hoon
 
Automating Backup & Archiving with AWS and CommVault
Automating Backup & Archiving with AWS and CommVaultAutomating Backup & Archiving with AWS and CommVault
Automating Backup & Archiving with AWS and CommVaultAmazon Web Services
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...Amazon Web Services
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a JediYaroslav Babin
 

Recommended

Recon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfRecon for Bug Bounty by Agnibha Dutta.pdf
Recon for Bug Bounty by Agnibha Dutta.pdfnull - The Open Security Community
 
[GitOps] Argo CD on GKE (v0.9.2).pdf
[GitOps] Argo CD on GKE (v0.9.2).pdf[GitOps] Argo CD on GKE (v0.9.2).pdf
[GitOps] Argo CD on GKE (v0.9.2).pdfJo Hoon
 
Automating Backup & Archiving with AWS and CommVault
Automating Backup & Archiving with AWS and CommVaultAutomating Backup & Archiving with AWS and CommVault
Automating Backup & Archiving with AWS and CommVaultAmazon Web Services
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsAEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programsMikhail Egorov
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...
Build a Hybrid Cloud Architecture Using AWS Landing Zones (ENT304-R1) - AWS r...Amazon Web Services
 
XXE: How to become a Jedi
XXE: How to become a JediXXE: How to become a Jedi
XXE: How to become a JediYaroslav Babin
 
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)Amazon Web Services Korea
 
카프카 기반의 대규모 모니터링 플랫폼 개발이야기
카프카 기반의 대규모 모니터링 플랫폼 개발이야기카프카 기반의 대규모 모니터링 플랫폼 개발이야기
카프카 기반의 대규모 모니터링 플랫폼 개발이야기if kakao
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018Amazon Web Services
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
CloudFront最近の事例と間違った使い方
CloudFront最近の事例と間違った使い方CloudFront最近の事例と間違った使い方
CloudFront最近の事例と間違った使い方Hirokazu Ouchi
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
ALM과 DevOps 그리고 Azure DevOps
ALM과 DevOps 그리고 Azure DevOpsALM과 DevOps 그리고 Azure DevOps
ALM과 DevOps 그리고 Azure DevOpsTaeyoung Kim
 
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdfJo Hoon
 
704DESK - 무료 헬프스크 & ITSM
704DESK - 무료 헬프스크 & ITSM 704DESK - 무료 헬프스크 & ITSM
704DESK - 무료 헬프스크 & ITSM 아이티 쉐어드
 
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019Amazon Web Services Korea
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)I Goo Lee
 
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...Amazon Web Services Korea
 
SD-WANって何だろう。使い方を知ってみよう(AWS分)
SD-WANって何だろう。使い方を知ってみよう(AWS分)SD-WANって何だろう。使い方を知ってみよう(AWS分)
SD-WANって何だろう。使い方を知ってみよう(AWS分)Yukihiro Kikuchi
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon Web Services Korea
 
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)Amazon Web Services
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 
Hacking IIS - NahamCon.pdf
Hacking IIS - NahamCon.pdfHacking IIS - NahamCon.pdf
Hacking IIS - NahamCon.pdfdistortdistort
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 

More Related Content

What's hot

마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)Amazon Web Services Korea
 
카프카 기반의 대규모 모니터링 플랫폼 개발이야기
카프카 기반의 대규모 모니터링 플랫폼 개발이야기카프카 기반의 대규모 모니터링 플랫폼 개발이야기
카프카 기반의 대규모 모니터링 플랫폼 개발이야기if kakao
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityMikhail Egorov
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngDmitry Evteev
 
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018Amazon Web Services
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host headerSergey Belov
 
CloudFront最近の事例と間違った使い方
CloudFront最近の事例と間違った使い方CloudFront最近の事例と間違った使い方
CloudFront最近の事例と間違った使い方Hirokazu Ouchi
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
ALM과 DevOps 그리고 Azure DevOps
ALM과 DevOps 그리고 Azure DevOpsALM과 DevOps 그리고 Azure DevOps
ALM과 DevOps 그리고 Azure DevOpsTaeyoung Kim
 
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdfJo Hoon
 
704DESK - 무료 헬프스크 & ITSM
704DESK - 무료 헬프스크 & ITSM 704DESK - 무료 헬프스크 & ITSM
704DESK - 무료 헬프스크 & ITSM 아이티 쉐어드
 
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019Amazon Web Services Korea
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsMikhail Egorov
 
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)I Goo Lee
 
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...Amazon Web Services Korea
 
SD-WANって何だろう。使い方を知ってみよう(AWS分)
SD-WANって何だろう。使い方を知ってみよう(AWS分)SD-WANって何だろう。使い方を知ってみよう(AWS分)
SD-WANって何だろう。使い方を知ってみよう(AWS分)Yukihiro Kikuchi
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon Web Services Korea
 
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)Amazon Web Services
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerBrian Hysell
 

What's hot (20)

마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
마이크로 서비스를 위한 AWS Cloud Map & App Mesh - Saeho Kim (AWS Solutions Architect)
 
카프카 기반의 대규모 모니터링 플랫폼 개발이야기
카프카 기반의 대규모 모니터링 플랫폼 개발이야기카프카 기반의 대규모 모니터링 플랫폼 개발이야기
카프카 기반의 대규모 모니터링 플랫폼 개발이야기
 
A Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications securityA Hacker's perspective on AEM applications security
A Hacker's perspective on AEM applications security
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
Amazon VPC: Security at the Speed Of Light (NET313) - AWS re:Invent 2018
 
Attacking thru HTTP Host header
Attacking thru HTTP Host headerAttacking thru HTTP Host header
Attacking thru HTTP Host header
 
CloudFront最近の事例と間違った使い方
CloudFront最近の事例と間違った使い方CloudFront最近の事例と間違った使い方
CloudFront最近の事例と間違った使い方
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
ALM과 DevOps 그리고 Azure DevOps
ALM과 DevOps 그리고 Azure DevOpsALM과 DevOps 그리고 Azure DevOps
ALM과 DevOps 그리고 Azure DevOps
 
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
[GuideDoc] Deploy EKS thru eksctl - v1.22_v0.105.0.pdf
 
704DESK - 무료 헬프스크 & ITSM
704DESK - 무료 헬프스크 & ITSM 704DESK - 무료 헬프스크 & ITSM
704DESK - 무료 헬프스크 & ITSM
 
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
신입 개발자가 스타트업에서 AWS로 살아남는 이야기 - 조용진, 모두의 캠퍼스 :: AWS Summit Seoul 2019
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling Pickles
 
Entity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applicationsEntity provider selection confusion attacks in JAX-RS applications
Entity provider selection confusion attacks in JAX-RS applications
 
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
오픈소스로 만드는 DB 모니터링 시스템 (w/graphite+grafana)
 
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
신뢰성 높은 클라우드 기반 서비스 운영을 위한 Chaos Engineering in Action (윤석찬, AWS 테크에반젤리스트) :: ...
 
SD-WANって何だろう。使い方を知ってみよう(AWS分)
SD-WANって何だろう。使い方を知ってみよう(AWS分)SD-WANって何だろう。使い方を知ってみよう(AWS分)
SD-WANって何だろう。使い方を知ってみよう(AWS分)
 
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
Amazon OpenSearch Deep dive - 내부구조, 성능최적화 그리고 스케일링
 
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
AWS re:Invent 2016: Deep Dive: AWS Direct Connect and VPNs (NET402)
 
Pentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A PrimerPentesting Modern Web Apps: A Primer
Pentesting Modern Web Apps: A Primer
 

Similar to The-Power-Of-Recon (1)-poerfulo.pptx.pdf

Hacking IIS - NahamCon.pdf
Hacking IIS - NahamCon.pdfHacking IIS - NahamCon.pdf
Hacking IIS - NahamCon.pdfdistortdistort
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
Chandra Prakash Thapa: Make a WordPress Multisite in 20 mins
Chandra Prakash Thapa: Make a WordPress Multisite in 20 minsChandra Prakash Thapa: Make a WordPress Multisite in 20 mins
Chandra Prakash Thapa: Make a WordPress Multisite in 20 minswpnepal
 
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotionAPIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotionjavier ramirez
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Worcamp2012 make a wordpress multisite in 20mins
Worcamp2012 make a wordpress multisite in 20minsWorcamp2012 make a wordpress multisite in 20mins
Worcamp2012 make a wordpress multisite in 20minsChandra Prakash Thapa
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýNETWAYS
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening StepsPlasterdog Web Design
 
WordPress Tips and Tricks (DFW Meetup)
WordPress Tips and Tricks (DFW Meetup)WordPress Tips and Tricks (DFW Meetup)
WordPress Tips and Tricks (DFW Meetup)Stephanie Leary
 
Salesforce Admin's guide : the data loader from the command line
Salesforce Admin's guide : the data loader from the command lineSalesforce Admin's guide : the data loader from the command line
Salesforce Admin's guide : the data loader from the command lineCyrille Coeurjoly
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Projectxsist10
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Micah Hoffman
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: BackendVõ Duy Tuấn
 
Simplify your professional web development with symfony
Simplify your professional web development with symfonySimplify your professional web development with symfony
Simplify your professional web development with symfonyFrancois Zaninotto
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1Wataru OKAMOTO
 
Exam Overview 70-533 Implementing Azure Infrastructure Solutions
Exam Overview 70-533 Implementing Azure Infrastructure SolutionsExam Overview 70-533 Implementing Azure Infrastructure Solutions
Exam Overview 70-533 Implementing Azure Infrastructure SolutionsGustavo Zimmermann (MVP)
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Php My Sql Security 2007
Php My Sql Security 2007Php My Sql Security 2007
Php My Sql Security 2007Aung Khant
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesAlfresco Software
 
CodeIgniter PHP MVC Framework
CodeIgniter PHP MVC FrameworkCodeIgniter PHP MVC Framework
CodeIgniter PHP MVC FrameworkBo-Yi Wu
 

Similar to The-Power-Of-Recon (1)-poerfulo.pptx.pdf (20)

Hacking IIS - NahamCon.pdf
Hacking IIS - NahamCon.pdfHacking IIS - NahamCon.pdf
Hacking IIS - NahamCon.pdf
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
 
Chandra Prakash Thapa: Make a WordPress Multisite in 20 mins
Chandra Prakash Thapa: Make a WordPress Multisite in 20 minsChandra Prakash Thapa: Make a WordPress Multisite in 20 mins
Chandra Prakash Thapa: Make a WordPress Multisite in 20 mins
 
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotionAPIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
APIs REST Usables con Hypermedia por Javier Ramirez, para codemotion
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Worcamp2012 make a wordpress multisite in 20mins
Worcamp2012 make a wordpress multisite in 20minsWorcamp2012 make a wordpress multisite in 20mins
Worcamp2012 make a wordpress multisite in 20mins
 
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin BačovskýOSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
OSCamp #4 on Foreman | CLI tools with Foreman by Martin Bačovský
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
 
WordPress Tips and Tricks (DFW Meetup)
WordPress Tips and Tricks (DFW Meetup)WordPress Tips and Tricks (DFW Meetup)
WordPress Tips and Tricks (DFW Meetup)
 
Salesforce Admin's guide : the data loader from the command line
Salesforce Admin's guide : the data loader from the command lineSalesforce Admin's guide : the data loader from the command line
Salesforce Admin's guide : the data loader from the command line
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Project
 
Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014Everyone Matters In Infosec 2014
Everyone Matters In Infosec 2014
 
Heavy Web Optimization: Backend
Heavy Web Optimization: BackendHeavy Web Optimization: Backend
Heavy Web Optimization: Backend
 
Simplify your professional web development with symfony
Simplify your professional web development with symfonySimplify your professional web development with symfony
Simplify your professional web development with symfony
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1
 
Exam Overview 70-533 Implementing Azure Infrastructure Solutions
Exam Overview 70-533 Implementing Azure Infrastructure SolutionsExam Overview 70-533 Implementing Azure Infrastructure Solutions
Exam Overview 70-533 Implementing Azure Infrastructure Solutions
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Php My Sql Security 2007
Php My Sql Security 2007Php My Sql Security 2007
Php My Sql Security 2007
 
BP-6 Repository Customization Best Practices
BP-6 Repository Customization Best PracticesBP-6 Repository Customization Best Practices
BP-6 Repository Customization Best Practices
 
CodeIgniter PHP MVC Framework
CodeIgniter PHP MVC FrameworkCodeIgniter PHP MVC Framework
CodeIgniter PHP MVC Framework
 

Recently uploaded

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsAndrey Dotsenko
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

The-Power-Of-Recon (1)-poerfulo.pptx.pdf

  • 2. ABOUT ME • Orwa Atyat (OrwaGodfather) from Jordan • Full time bug hunter (Starting bug bounty 2020) • Bugcrowd P1 Warrior Rank: Top 3 • 500+ critical/high bug submitted • HOF: Meta / Google / Microsoft / Apple • Hack CupWinner 2022/2023 & Team Captain • 10+ 0Days/CVEs
  • 3. Microsoft IIS Testing Response Manipulation Methods &Tips
  • 4. IIS Microsoft IIS tilde directory enumeration this vulnerability allow to detect short names of files and directories in IIS app by using some vectors in several versions of Microsoft IIS. as an attacker can find important files and folders that they are not normally visible. Next parts in IIS Discovering , Tools , Wordlist for fuzzing , Testing , Tips Last part in IIS Example for critical bugs….. screenshot screenshot screenshot screenshot screenshot
  • 6. IIS Discovering 3) Shodan 🡺 http.title:"IIS" Company dork Ssl:"Bsides Ahmedabad Inc." http.title:"IIS" Host dork Ssl.cert.subject.CN:"bsidesahmedabad.in" http.title:"IIS" screenshot screenshot screenshot screenshot screenshot
  • 7. IIS Tools For Testing 1) IIS Tilde Enumeration (Burp Extension) 2) Shortscan tool Github [to detect short names of files and directories] 3) JetBrains dotPeek [to analyze files such as dll file and export the source of that file] 4) visual studio code [for read/review the code/source]
  • 8. IIS 5) ffuf Web directory brute forcer Wordlist https://github.com/orwagodfather/WordList/blob/main/iis.txt Its can be used on vulnerable and normal IIS app Its can be used on other web apps
  • 9. IIS Testing Sortscan basic usage $ shortscan https://url/ Burp Extension IIS Tilde Enumeration Copy the target url and scan **NOTE** any valid dir endpoint such as 403,401,301,200 etc… scan that endpoint again , not just the url
  • 10. IIS Testing example $ shortscan https://bsidesahmedabad.in/ $ shortscan https://bsidesahmedabad.in/admin/ $ shortscan https://bsidesahmedabad.in/test/ FFUF fuzzing $ ffuf -w iis.txt -u https://bsidesahmedabad.in/FUZZ $ ffuf -w iis.txt -u https://bsidesahmedabad.in/shortnameFUZZ Shortname-FUZZ / shortname_FUZZ
  • 11. IIS
  • 12. IIS
  • 13. IIS
  • 14. IIS Tips to complete the shortname and get a valid Dir/file https://IIS/ [+] Identified directories: 1 |_ DS_STO~1 Identified files: 1 |_ DESKTOP~1.ZIP 1) FFUF $ ffuf -w iis.txt -u https://IIS/ds_stoFUZZ $ ffuf -w iis.txt -u https://IIS/desktopFUZZ.zip $ ffuf -w iis.txt -u https://IIS/desktop-FUZZ.zip $ ffuf -w iis.txt -u https://IIS/desktop_FUZZ.zip $ ffuf -w iis.txt -u https://IIS/desktop%20FUZZ.zip
  • 15. IIS Tips to complete the shortname and get a valid Dir/file 2) Github dorking Path:/ds_sto
  • 16. IIS Tips to complete the shortname and get a valid Dir/file 3) Chat AI
  • 17. IIS Tips to complete the shortname and get a valid Dir/file 4) Intruder (numbers 0-100000)/Etc….
  • 18. IIS Dir: QBTEST~1 🡺 after fuzzing I found a valid endpoint redirect to test login QBTESTicare
  • 19. IIS Example for critical bugs… 1 full source backup |_ admin~1.ZIP 🡺 with previous tips found admin_backup.zip what i got ??? * credentials in source file * machine key * valid unauth upload endpoint 🡺 uploaded a shell to RCE
  • 20. IIS Example for critical bugs… 3) DLL file 🡺 export source 🡺 Access to AWS credentials File: UTILIT~1.DLL 🡺 UTILITies.dll 🡺 send it to JetBrains dotPeek exported the project 🡺 start code review
  • 21. IIS and there's a more and more and more..... references https://learn.microsoft.com/en-us/previous-versions/aspnet/2wawkw1c(v=vs.100) https://book.hacktricks.xyz/pentesting-web/deserialization/exploiting-__viewstate-knowing-the-secret https://github.com/bitquark/shortscan https://twitter.com/ctbbpodcast/status/1688607912434819073 https://www.youtube.com/watch?v=HrJW6Y9kHC4 https://www.youtube.com/watch?v=cqM-MdPkaWo https://www.youtube.com/watch?v=HU89u0rQXf4
  • 22. RESPONSE MANIPULATION Authentication Bypass Permissions: Edit , ADD , Del etc.. Prices & Currency
  • 25. RESPONSE MANIPULATION Authentication Bypass examples… • Standard login 🡺 302 login page redirection with large Content-Length • Bypassed authentication using Burp Suite Match And Replace. • Tip: If the response is 302 with a big Content-Length try to bypass it • Login page response • HTTP/1.1 302 Found • Location: ../login/?redirect=//location/?5 • Replacement content • Deleted header Location: ../login/?redirect=//location/?5 • HTTP/1.1 200 OK • Match And Replace type: response header match : HTTP/1.1 302 Found replace: HTTP/1.1 200 ok • Match And Replace type: response header match : Location: ../login/?redirect=//location/?5 replace:
  • 26. RESPONSE MANIPULATION Authentication Bypass examples… Request POST /Account/Login HTTP/1.1 Host: XXXX {"username":"bsides","password":"orwaBsides"} Tip: 1 replace [400 bad request] to [200 ok] 2 replace [false] to [true] its can be done via match and replace Response HTTP/1.1 400 Bad Request Connection: close Content-Type: xxxxx Server: xxxxx false
  • 27. RESPONSE MANIPULATION Authentication Bypass examples… Create account in the employee login panel • Replaced the registration value • Created an employee account and retrieved login panel privileges Response {"registration ":false,"Etc……… Replaced contents {"registration ":true,"Etc………
  • 28. RESPONSE MANIPULATION Permissions examples… Normal Response "login_permission":user," "Admin":false, " {"permissions":["can_read"]} {"status":"0"} {"status":"failure"} Replaced Response "login_permission":admin," "Admin":true, " {"permissions":["can_read","can_write"]} {"status":"1"} {"status":"success"}
  • 29. RESPONSE MANIPULATION Prices & Currency examples… Normal Response "code":"USD,","baseAmount":99.10," Replaced Responses "code":"USD,","baseAmount":10.99,“ "code":"USD,","baseAmount":0.99," "code":"USD,","baseAmount":9.10," "code":"INR,","baseAmount":99.10,“ "code":“EUR,","baseAmount":99.10,"
  • 30. METHODS &TIPS 1) Bypass waf using origin IP via match & replace in burp 2) My method about get more sub domains via amass 3) My method about discovering more domains & 3rd party’s & endpoints
  • 31. METHODS &TIPS 1) Bypass waf using origin IP via match & replace in burp best resources to find origin IPs • shodan.io 🡺 Ssl.cert.subject.CN:"domain/subdomain" • en.fofa.info 🡺 normal search for domain/subdomain • search.censys.io 🡺 normal search for domain/subdomain • securitytrails.com 🡺 normal search for domain/subdomain
  • 32. METHODS &TIPS any ip can be use as origin IP for this tip as example [400 bad request IP] Example for Origin IP from shodan Ssl.cert.subject.CN:"godfather.orwa.com" godfather.orwa.com 🡺 200 /Waf 127.0.0.1 🡺 400 bad request ===>
  • 33. METHODS &TIPS Match & Replace Type: Request header Match: Origin IP Replace:Waf host Now when you visit the origin IP 🡺 https://ip/ the response 200 you will have access to host app without waf
  • 35. METHODS &TIPS 2) My method about get more sub domains via amass * Add API Keys / Credentials to amass config file /home/.config/amass/ * 2 steps to run amass …. Step 1 amass enum -passive -norecursive -noalts -d bsidesahmedabad.in -o sudomins.txt Step 2 amass enum -passive -norecursive -noalts -df sudomins.txt -o more-subdomains.txt testing on Ex appcheck 🡺 normal 230 sub 🡺 step 1 259 sub 🡺 step 2 326 sub
  • 36. METHODS &TIPS 3) My method about discovering more domains & 3rd party’s & endpoints •Urlscan.io/search Ex. bsidesahmedabad.in keywords bsidesahmedabad.* / bsidesahmedabad-* Remove duplicate results Ex. [bsides.* -bsidesahmedabad.in] Ex. [bsidesahmedabad.* -bsidesahmedabad.in] Ex. [bsidesahmedabad.in -www.bsidesahmedabad.in -help.bsidesahmedabad.in]
  • 38. METHODS &TIPS • bing & google dorking keywords site:domain.com Remove duplicate results -site:duplicate.domain.com Ex. site:bsidesahmedabad.in -site:supprot.bsidesahmedabad.in
  • 40. METHODS &TIPS • Mixing Fofa & Shodan search engines Getting Favicon hash from fofa
  • 42. METHODS &TIPS Favicon hash form fofa it can be used on shodan via dork http.favicon.hash:xxxxxxxxxx
  • 43. METHODS &TIPS Favicon hash help customers to locate the spam/fake/phishing hosts…. References for more tips for dorking in sohdan and for finding more endpoints The Power Of Shodan https://www.youtube.com/watch?v=WgMGLlpznao
  • 44. METHODS &TIPS • Endpoints Tool (Waymore) https://github.com/xnl-h4ck3r/waymore • Wayback Machine (web.archive.org) • Common Crawl (index.commoncrawl.org) • AlienVault OTX (otx.alienvault.com) • URLScan (urlscan.io)
  • 45. METHODS &TIPS • checking endpoints manually is more useful EX: host.com/xxx/xxxx/xxx.zi [.zip] host.com/xxx/xxxx/xxx.p [php/pdf] host.com/xxx/xxxx/xxx.ex [exe]