Attack chaining for web exploitation
--- Abhijeth Dugginapeddi
#whoami
Security Analyst at Adobe Systems
Hacking since 14 and gave sessions in most engineering colleges
Like many, found bugs in Google, Facebook, Yahoo, Microsoft and more than 50 sites. Among Top 5 Bug hunters in Synack
A Telugu movie buff and a start up enthusiast
No organization or no company is responsible for whatever I talk for the next 30 minutes!!
Where to start
What to start
How to start
Do you know him!!
Hackers hacked
Called up Amazon and added a new credit card to the Amazon account
• Associated email
• Billing address
• Random credit card number
Now they call again saying they lost the password
• Name
• Billing address
• Credit card number
The attackers now got access to his Amazon account

• Billing address
• Last 4 digits of credit card
Chaining of web attacks
• Used majorly by real attackers
• Understanding the application code and infrastructure in depth
• Using multiple vulnerabilities
• Knowledge on various technologies
Impacts
• Defacing sites
• Denial of service
• Deleting code, DBs, user profiles, customer data etc.
Only 58% of vulnerabilities are caused by weak code
The other 42% of vulnerabilities are caused by weak configurations/administration
Source: PTSecurity
Vulnerability in Code + Vulnerability in Configuration = Large Impact
Do you think a vulnerability like CSRF or Mixed content in isolation can directly lead to a Security breach?
May not be true.
But a Security Breach is definitely possible if the attacker can chain these attacks
Normal attack
Attack chain
Vulnerabilities reported in a Web Application
Mixed Content
Unwanted methods allowed
Cookie Flags missing
URL Redirection
Directory traversal
Weak Ciphers
Banner Grabbing
Insecure Direct Object Reference
Few stories
This particular Request uses Insecure Transmission which will allow the attacker to sniff the request
Using BurpSuite Decoder, the encoded value is decoded to plain text
Encoded back by adding ‘ ‘or’ ‘1’ =‘1
Mixed Content
Weak Encryption
SQL Injection
Complete credit card details
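An added example, not from the original slides, showing where a defender breaks the chain above: the encoded parameter is reversible by anyone who can read the request, so the only link the server fully controls is how the decoded value reaches the database. Base64 as the encoding, the `cards` table, the sample rows and all function names are assumptions made for illustration.

```python
import base64
import sqlite3

def make_db():
    # Constructed sample data: two customers with placeholder card values.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (owner TEXT, card TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?)",
                   [("alice", "CARD-A-0000"), ("bob", "CARD-B-0000")])
    return db

def encode(value):
    # What the client does before sending the parameter (assumed Base64).
    return base64.b64encode(value.encode("utf-8")).decode("ascii")

def decode_param(encoded):
    # Encoding is not encryption: no key is needed to reverse it.
    return base64.b64decode(encoded, validate=True).decode("utf-8")

def lookup_vulnerable(db, encoded_owner):
    owner = decode_param(encoded_owner)
    # Weak link: the decoded value is concatenated into the SQL text.
    sql = "SELECT owner, card FROM cards WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, encoded_owner):
    owner = decode_param(encoded_owner)
    # Fix: the value is bound as data, so quotes cannot alter the query.
    sql = "SELECT owner, card FROM cards WHERE owner = ?"
    return db.execute(sql, (owner,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    tampered = encode("alice' or '1'='1")  # tautology from the slide, re-encoded
    print("vulnerable rows:", len(lookup_vulnerable(db, tampered)))
    print("hardened rows:", len(lookup_hardened(db, tampered)))
```

Binding the parameter removes the last link even when the request can still be read in transit and the encoding reversed.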
Targeted attack
Insecure Direct Object Reference
Parameter Tampering
Access control Violation
Cross Site Request Forgery
Insecure Direct Object Reference
Parameter tampering
CSRF
Perform illegal transactions from a victim’s account
Access control violation
Target = Abhijeth
Abhijeth’s Bank Details
Access to someone’s details
Bruteforce and get Abhijeth’s details
Use these details to make an illegal transaction!!
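An added example, not from the original slides, of the server-side checks that break the IDOR, parameter tampering and CSRF chain above: the handler validates a per-session CSRF token and confirms the account belongs to the logged-in user instead of trusting the request. The account numbers, session store and function names are constructed for illustration.

```python
import hmac
import secrets

# Constructed sample state: account ownership and one logged-in session.
ACCOUNTS = {"1001": "abhijeth", "1002": "mallory"}
SESSIONS = {"sess-m": {"user": "mallory", "csrf": secrets.token_hex(16)}}

def transfer_vulnerable(session_id, form):
    # Any valid session is enough: from_account is taken from the request
    # as-is and no CSRF token is required, so each weakness feeds the next.
    if session_id not in SESSIONS:
        return "denied: no session"
    return f"moved {form['amount']} from {form['from_account']}"

def transfer_hardened(session_id, form):
    session = SESSIONS.get(session_id)
    if session is None:
        return "denied: no session"
    # CSRF: the token must match the one issued to this session
    # (constant-time comparison).
    if not hmac.compare_digest(form.get("csrf", ""), session["csrf"]):
        return "denied: csrf"
    # IDOR / parameter tampering: the referenced account must belong
    # to the authenticated user, whatever the request claims.
    if ACCOUNTS.get(form.get("from_account")) != session["user"]:
        return "denied: not owner"
    return f"moved {form['amount']} from {form['from_account']}"

if __name__ == "__main__":
    forged = {"from_account": "1001", "amount": "50"}
    print(transfer_vulnerable("sess-m", forged))
    print(transfer_hardened("sess-m", forged))
```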
He who got scared is as good as dead
Some company’s email Inbox
Upload exe files
#begbounty!!!
Improper CSRF and Access controls
Spread malware using your application!!!
And then!!
Security misconfiguration
PUT /foo
Cross Site Scripting
Malicious file upload
But no SHELL
Privilege Escalation
That is how brother Bajrangi was!!
Security misconfiguration
Stored Cross Site Scripting
Session Hijacking
Privilege Escalation
Arbitrary file upload
Remote Code Execution
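An added example, not from the original slides, of a configuration audit aimed at the first links of the chain above: it flags write-capable HTTP methods advertised in an `Allow` header and session cookies missing `HttpOnly` or `Secure`, the flags that limit what a stored XSS can do with a session. The sample response is constructed and the choice of risky methods is an assumption.

```python
# Methods treated as unwanted on a normal web front end (assumption).
RISKY_METHODS = {"PUT", "DELETE", "TRACE"}

def parse_headers(raw):
    # Returns (name, value) pairs with lower-cased names; the first line
    # of the response is the status line and is skipped.
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit_response(raw):
    findings = []
    for name, value in parse_headers(raw):
        if name == "allow":
            methods = {m.strip().upper() for m in value.split(",")}
            for method in sorted(methods & RISKY_METHODS):
                findings.append(f"method {method} allowed")
        elif name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} missing {flag}")
    return findings

# Constructed response to an OPTIONS request, for illustration only.
SAMPLE = """HTTP/1.1 200 OK
Allow: GET, POST, PUT, OPTIONS
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: theme=dark; Secure; HttpOnly
"""

if __name__ == "__main__":
    for finding in audit_response(SAMPLE):
        print(finding)
```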
How can you start chaining?
Find more vulnerabilities
Understand the application
Analyze the bugs
Research on customer’s business
Make a story
Moral of the story!!
Every vulnerability needs to be fixed irrespective of the risk
Remember it is Vulnerable Code + Weak Configuration
The other chains
Infrastructure Chains
Mobile chains
Data center attacks
Wireless hacks
Thanks
What to do with the bounties??
Educate a child
For more details
Questions??!!