General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Thick Client Penetration Testing
You will learn how to do pentesting of Thick client applications on a local and network level, You will also learn how to analyze the internal communication between web services & API.
This presentation was given at BSides Austin '15, and is an expanded version of the "I hunt sys admins" Shmoocon firetalk. It covers various ways to hunt for users in Windows domains, including using PowerView.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
This presentation done at DeepSec 2014 focuses on using PowerShell for Client Side attacks. New scripts which are part of the open-source toolkit Nishang were also released. NIshang is toolkit in PowerShell for Penetration Testing
The Unintended Risks of Trusting Active DirectoryWill Schroeder
This presentation was given at Sp4rkCon 2018. It covers the combination of Active Directory and host-based security descriptor backdooring and the associated security implications.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Thick Client Penetration Testing
You will learn how to do pentesting of Thick client applications on a local and network level, You will also learn how to analyze the internal communication between web services & API.
43. SQL Injection (1/3)
• news.php?id=3
– SELECT * FROM news WHERE id=3
• news.php?id=sleep(123)
– SELECT * FROM news WHERE id=sleep(123)
• news.php?id=3 and left(pwd, 1)='a'
– SELECT * FROM news WHERE id=3 and left(pwd, 1)='a'
44. SQL Injection (2/3)
• login.asp # admin / 123456
– SELECT * FROM user WHERE name='admin' and pwd=
'123456'
• login.asp # admin'--
– SELECT * FROM user WHERE name='admin'--' and ……
• login.asp # admin';DROP table ...
– SELECT * FROM user WHERE name='admin';DROP
table user;--' and ……
45. SQL Injection (3/3)
• news.asp?id=3;EXEC master..xp_cmdshell
'net user sa /add';--
– SELECT * FROM news WHERE id=3;EXEC
master..xp_cmdshell 'net user orange /add';--
• 使用者輸入汙染了 SQL 語句。