
Web Exploitation


A walk through of how to think about Web Exploitation. Focuses less on performing SQL injections and more on how to properly enumerate and evaluate functionality.

Published in: Technology

  1. Web Exploitation - November 14th, 2018
  2. Get Involved
     ● Discord - discord.gg/kuejt8p
  3. Events
     ● November 28th - Windows Exploitation
     ● December 5th - Stress Buster - ECSS 4.619
  4. SQL Injection is useless* if the server isn't using SQL
  5. OR: "Why I fail at Web Exploitation"
  6. Why is Web Exploitation difficult?
  7. We don't know what is running!
  8. 2 Questions of Web Exploitation
     ● What can I do?
     ● What does the server do when I do that?
  9. What are developers bad at?
     ● Deserialization
     ● Escaping input before it is rendered/executed
     ● Making sure only the right people can do the "right" things
  10. Web Primer
  11. Client-side Technologies
     ● HTML
     ● CSS
     ● JavaScript (good for executing malicious code in a user's browser)
  12. Server-side Technologies: Yes
  13. Server-side Technologies (I've seen and exploited)
     ● PHP - CSAW 2016
     ● Python - Hack The Box
     ● NodeJS - Hack The Box
     ● Bash - CSAW 2016
     ● Java - Hack The Box
     ● Rust - TexSAW 2017
     ● C - Hack The Box
  14. Web Exploitation is a game of search and research
  15. What can I do? - Tips
     ● Reverse engineer known page functionality and see how it communicates with the server (Burp / Inspect Element + Console)
     ● Check common directories for additional functionality
     ● Bruteforce common directories/files for additional functionality (gobuster)
     ● Bruteforce subdomains for additional functionality (gobuster)
  16. What does the server do when I do that? - Tips
     ● Fuzz inputs (send ;:'"!@#$%^&*(((()-_=+) and watch how the response changes
     ● Research the assumed functionality and look for how people have exploited it in the past (OWASP Top 10)
     ● Look for UNIQUE functionality that you haven't seen elsewhere (e.g. unusual inclusion of special protections like a strict CSP) - particularly useful if you know the application is or used to be vulnerable
  17. Making life easy
  18. Goals
     ● Reading files off disk
     ● Executing code on the remote server
  19. Case Study - DevOops
  20. Additional Thoughts
  21. A "Modern" Web Architecture
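The two questions on slides 8, 15 and 16 ("what can I do?" and "what does the server do when I do that?") reduce to a procedure: enumerate paths against a known-missing baseline, then send probe characters into a parameter and diff the responses against a benign baseline. The harness below is an added example, not code from the deck or from gobuster; the target server, its hidden paths, the wordlist and the error signatures are all constructed for the demo and stand in for an unknown application.

```python
"""Added example: enumerate, then fuzz-and-diff, against a constructed local target."""
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed wordlist; a real run uses a large list such as the ones gobuster ships with.
PATH_WORDLIST = ["admin", "backup", "login", "robots.txt", "search", "uploads", ".git/HEAD"]
# The special characters from slide 16 plus a few common context-breakers.
PROBES = list(";:'\"!@#$%^&*()-_=+") + ["{{7*7}}", "../", "<s>"]
# Strings that betray a backend error leaking into the response (constructed list).
ERROR_SIGNATURES = [b"syntax error", b"Traceback", b"Warning:", b"Exception", b"ORA-", b"mysql_"]


class DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the unknown target, not any real application:
    two hidden paths, a login page, and a search endpoint that leaks an error on quotes."""
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        u = urllib.parse.urlparse(self.path)
        q = urllib.parse.parse_qs(u.query).get("q", [""])[0]
        if u.path == "/admin":
            status, body = 302, b""                      # redirects to login: the path exists
        elif u.path == "/login":
            status, body = 200, b"<form method=post></form>"
        elif u.path == "/.git/HEAD":
            status, body = 200, b"ref: refs/heads/master\n"
        elif u.path == "/search":
            if "'" in q or '"' in q:                      # simulated unescaped query
                status, body = 500, b"Warning: syntax error in query near '\"'"
            else:
                status, body = 200, b"Results for: " + q.encode()
        else:
            status, body = 404, b"not found"
        self.send_response(status)
        if status == 302:
            self.send_header("Location", "/login")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_demo_server():
    srv = HTTPServer(("127.0.0.1", 0), DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(host, port, path):
    """Return (status, body). http.client never follows redirects, so a 30x stays visible."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    r = conn.getresponse()
    body = r.read()
    conn.close()
    return r.status, body


def enumerate_paths(host, port, wordlist=PATH_WORDLIST):
    """Question 1: what can I do? Report every path whose response differs from a
    known-missing one (gobuster's approach, minus threading and a real wordlist)."""
    miss_status, miss_body = fetch(host, port, "/definitely-not-here-xyz")
    found = {}
    for word in wordlist:
        status, body = fetch(host, port, "/" + word)
        if status != miss_status or body != miss_body:
            found["/" + word] = status
    return found


def fuzz_param(host, port, path, param, baseline="test", probes=PROBES):
    """Question 2: what does the server do when I do that? Append each probe to a
    benign value and flag responses whose status changes, that carry an error
    signature, or whose length moves by more than the probe itself explains."""
    base_status, base_body = fetch(host, port, path + "?" + urllib.parse.urlencode({param: baseline}))
    findings = []
    for p in probes:
        status, body = fetch(host, port, path + "?" + urllib.parse.urlencode({param: baseline + p}))
        sigs = [s.decode() for s in ERROR_SIGNATURES if s in body]
        if status != base_status or sigs or abs(len(body) - len(base_body)) > len(p) + 16:
            findings.append({"probe": p, "status": status, "length": len(body), "signatures": sigs})
    return findings


if __name__ == "__main__":
    srv = start_demo_server()
    host, port = srv.server_address
    print("paths:", enumerate_paths(host, port))
    for f in fuzz_param(host, port, "/search", "q"):
        print("anomaly:", f)
    srv.shutdown()
```

Against the demo target the enumeration turns up /admin (302), /login, /search and /.git/HEAD, and the fuzzer flags only the two quote characters, each with a 500 and a leaked "syntax error" string; that combination is the cue to go research the likely backend rather than to start blindly throwing SQL payloads at it. The length threshold is deliberately loose: the interesting signal on a real target is usually the status change or the error text, and a tighter threshold just produces noise from echoed input.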
