
Lesser known Application Vulnerabilities Which are Costing Companies $$$$

BSides Peru, 39:14, published 2017-06
About this talk
Lesser-known Application Vulnerabilities - Which are Costing Companies $$$$ - Kevin Cody

Vulnerabilities are expensive, there's simply no way around it. Whether it be mitigation costs, penetration testing fees, auditing, or bug bounties, vulnerabilities and bugs are pricey. While SQLi and XSS are certainly dangerous, this talk will focus on some of the more obscure application vulnerabilities which were identified within apps and services we use every day. This presentation won't simply stop at introducing these talking points; rather, we will dive into identification, both risk and technical analysis, and finally remediation techniques. The goal of this discussion will be to arm security practitioners, of all skill levels, in better understanding application risks in 2017.
Transcript [en]

... talking about lesser-known application vulnerabilities. Kevin is an application security consultant with experience working in several Fortune 500 companies; you get to choose which ones they are, whichever ones you want them to be. Yeah, he's worked there. [unintelligible]

Alright, yes, I'm going to talk about some lesser-known application vulnerabilities. I've got 40 minutes, so I'm going to go through the slides and things pretty quickly here. Hopefully we'll have some time for questions at the end, but I'm going to start off with a few polling questions, because I'm lazy, I presume, and everyone has hopefully had a few drinks by now. So, just going to get a feel for the crowd. Show of hands: who here is a pen tester, an analyst, a security practitioner of some sort? That's good. Anybody doing bug bounties on the side, that same group, or are you just trying to dodge the bug bounty? Anyone? Okay. Any developers? Great, a lot of developers, that's great. And anyone who's just here because it's cool? Cool.

So, this is me; you can find me on Twitter. I'm an application security consultant; thank you to my employer for giving me the day off today so that I can make up for my weekends. I'm a bit of a builder; I tumble upon a keyboard [unintelligible]. I kind of break things sometimes and make some trouble for people, usually myself. [unintelligible] I'm also a bug bounty hunter [unintelligible]. That's me, and we're going to talk about appsec.

AppSec in 2017 looks a lot like this. [Laughter] So when we think about 2017, what's making the headlines and what's keeping us busy? For the three people here doing bug bounties who wanted to raise their hand: we'll get more of that here. We're now up to seven digits on CVE IDs, because [unintelligible], we needed to make that longer. Every day we're finding these [unintelligible] reinvented [unintelligible]. Everything's connected; is this a surprise to anyone? I'm afraid to talk into my Nest cam, and that's me in the car [unintelligible]. And whatever crypto ransoms are being paid [unintelligible]. So what does that really mean for us? That means a lot of work. Anyone out there in appsec who is looking for additional work: I can give you some names of companies that are hiring. [unintelligible]

How many folks out there are going through the disclosures, reading through some of the great material out there, [unintelligible] subscribed to a blog [unintelligible]? Disclosures are awesome. If you're not reading the [unintelligible] zero blog and the releases, you should be. Every time I read something: oh my god, I've got to check for that, because that was unbelievable. [unintelligible] If you happen to be in security and you care about ethics, there is a never-ending [unintelligible] out there; you could stay in it for the rest of your life. There's some drama out there, and if you live in the security world [unintelligible]; I won't point fingers or name names, but there's drama. And there's a requirement to stay up to date: things are evolving, a lot of our platforms are kind of rehashed, and things just get rehashed in a different way; however, the vulnerabilities are new, intriguing, interesting, and staying up to date on all of this is a job in itself.

So, without further ado, I'm going to walk through some things we should be looking at in our day-to-day. If you are familiar or not familiar with something, if you have questions, I want this to be interactive: raise your hand, I'm happy to get some questions answered up front; you don't have to hold them until the end.

Okay, who here is familiar with the OWASP Top Ten? That's over half, fantastic. I'd like to talk about the drama, but this is the 2013 version; but that's me. So, for those of you that are not familiar with it, it is the top 10 web application security vulnerabilities. There are some [unintelligible] in the way they're creating this top 10 list, but there's nothing [unintelligible] yet. Injection covers a huge majority of different types of injection vulnerabilities, broken into categories. We have broken authentication and session management, cross-site scripting, insecure direct object references; those are my favorite: you find an IDOR, or what have you, you change the ID by one, and okay, there's someone else's bank account. Security misconfiguration is huge. I read a study a few weeks ago, and I won't remember it on the spot, but what it did is it cross-referenced the Verizon DBIR breaches against the OWASP Top 10, and security misconfiguration was the most prevalent thing. Because I'm telling you, you usually hear about injections, it's on TV, we're dropping tables; but it's a little [unintelligible] leading to a big breach. In any major way, we know there are folks out there, we know there's everything you can do, you're running arbitrary code on someone's machine; but at the end of the day, where's the breach, what does that map out to, in whatever formula this person used? And again, not trying to discredit the work, but they said that security misconfiguration was the number one in those breaches. [unintelligible] With that, we're done covering [unintelligible] here today; you can look at the rest of the stuff.

Alright, so jump right in here. Anyone here familiar with server-side request forgery? One, two; great, we're going to talk on it. So, server-side request forgery: this is, for those who aren't familiar, [unintelligible] you're kind of making someone do something that they didn't really want to do, so we can call it similar to cross-site request forgery. But basically attackers use server-side request forgery to probe internal ports, and then consequently get around IP whitelists, bypass access controls; yeah, sounds fun. Right, so we're talking about it. Full disclosure, I took this image from [unintelligible]; I did not create this. So if I am Mr. Attacker, a user interacting with your web server up here, there are lots of ways I can utilize your server to do my bidding and bypass me altogether.

Next, an example of server-side request forgery, or what that looks like. Imagine this is an HTTP request: GET a file from [example] domain, and you're talking to [example] domain, and because they didn't want to cache it, or [unintelligible], or they want to increase their S3 bills, they put it in S3 and it's a URL in a parameter. Alright, but instead of making you go out and fetch that yourself, they decide they're going to pull that back for you, for whatever reason; it's an easier way, they see what happens. But this is user-controllable data, right? So what if I change it from [example]-2015 to s3-super-secret-password-manager? And now, what if you as an organization have IP-whitelisted S3 so that you can access that bucket or function, but only from your internal server? Now I'm controlling requests that are actually originating from your server out to S3, and I've just bypassed your rules. Now you might be thinking to yourself, okay, how do you get that back to the user? That's where it gets a little tricky; some of it may be blind, you might have to rely on, say, how long the request took to answer, using boolean logic or what have you. But at the end of the day you are supplying an end user the ability to make requests to arbitrary resources that are fully controllable from the user side but originating from your server.

There's a different version of it, which you may be more familiar with: it's XML external entity injection. So XXE is pretty simple: basically you have these DTD declarations at the top of your XML, and basically what you can do, if it's a default XML parser that resolves entities and all of that good stuff, is you can actually declare external entities, a regular URL using HTTP, [example].com and what have you, and [unintelligible]. When that's read, this is declared up here, and [unintelligible] it's going to pull this data in from this external site; so it reaches out, right? So this is very, very similar to the previous example, except we've known about this for a while as XXE, and a lot of the parsers and servers have some type of protection against it out of the box. But at the end of the day it's the same vulnerability: basically you are utilizing the internal system, or the idea of dynamically pulling down content, originating from the server side, and doing damage.

So we talked about server-side request forgery; the first thing we want to look at is how do you identify what it looks like, how can we protect ourselves? So the easiest and most thorough way through this is source analysis, because all of our source repos are, of course, easy to review and don't have any [unintelligible]. So we get to the point that says, [unintelligible] this is coming from user-controllable data, right? Okay, so this goes out to [unintelligible]; I don't know if any of the tools, Checkmarx, WebInspect, Fortify, whatever it is, does it out of the box: does it [unintelligible] and say, hey, there's some type of [unintelligible] source, this is user-controllable data. I don't know anyone that flags it as SSRF, but I'm sure [unintelligible] can be trained to do it. But most likely you're going to be seeing this vulnerability show up at runtime via human interaction, right: a pen tester or an analyst who can actually see that parameter, put that into context, try out a URL and see if it resolves from an external entity, see if it resolves from the server's IP or an unknown agent.

So, anyone here use Burp Collaborator? A couple of people. So Burp Collaborator is basically an instance [unintelligible] of the web application proxy that you can stand up on a server somewhere exposed to the Internet, and what happens is, when you are utilizing Burp to do your scan, [unintelligible] it will actually generate a DNS request, and it embeds in [unintelligible] a URL that reaches out to this collaborator server. So these calls that are coming from the URL that it created, which has a unique ID in it, can then be traced back to the [unintelligible] which it originated from. But again, you have to set something up that's out of band, and it requires a little bit of work.

At the end of the day, to remediate it is pretty straightforward. We talk about this in the context of other OWASP ones: you never trust user input, we always say that. Sanitize; don't allow external URLs; don't expose server-side calls. So at the end of the day, if you want to reach out to pull down dynamic content, don't put it as a parameter in a POST or a GET or whatever; just do that on the back end, in that function, right: do the query, don't allow that to be exposed from the outside. And, as I happened to mention it, for XML, disable DTD and external entity declarations, and protect yourself against XXE.

Alright, the next one: anti-automation. This one is pretty straightforward. It's very rare that I've done an assessment where I work and don't come out with some kind of anti-automation finding. We're going to go through some different objects today; I'll talk about three very specific things: SMS, used as an out-of-band authenticator, and paid APIs.

Okay, I know it's probably a little grainy, a little hard to see; does anyone know what this is? A little circle with four dots in it? Twilio, the number one SMS service out there; you've all heard of it. [unintelligible] So this is a framework, basically a utility framework; they will send SMS messages on other services' behalf, right? So this is what a lot of the big players are using: this is the two-factor authentication short codes, or "hey, your balance is low on your account" or whatnot; a lot of these are using Twilio's API. You can see here that, for example, short-code text messages for high-volume clients are half a penny per message, right, so not a whole lot of money. But what happens if we have a function that utilizes this for a password reset, or "send me your latest info", [unintelligible] via text message, and somebody [unintelligible] and you're not protecting against automation on the API calls? This bill is going to go through the roof. I've seen this; I've been in a meeting like, "holy [ __ ], we were just hit with a huge service charge because someone ran up our bill," or purposely ran our bill up on this SMS service just to spam users or whatnot.

And because SMS, I used to work in cellular, on the network side, for many, many years; the consensus is the infrastructure is old; it's a fallback to, not even 2G, the 1G network, before all of that evolved. That's why, when you can't get data service, your SMS messages still go through, because it's an old service; and because it's old it costs a lot of money to transmit. So when you add the carrier charges on top of a provider like Twilio, you get really costly bills. So if I were to run up 300,000 text messages in a matter of seconds against your API that's charging you half a penny per message, that's a significant bill. If you're a startup using [unintelligible] functionality, you aren't going to want to pay that bill for a simple anti-automation miss in your API.

Another unprotected resource: I remember a report about this guy and Facebook last year. He found that when you reset your password, Facebook sends you an out-of-band six-digit code; okay, enter this code in, and when you enter that code we will validate that server-side and then know you are the user who sent the password reset. It's familiar, a, you know, well-done concept. So this guy tested this on Facebook: okay, I'm going to brute-force this thing, I'll just run through a million, or whatever the number of combinations is, and see if I can get into someone's account. He tried that on production and got rate-limited. But then he tried it on beta, because for whatever reason everything that works in production is in beta; you can just log into beta.facebook.com with your production creds and you can try out a new feature or whatever, and it basically allows you to do the same thing. So he tried the same thing, brute-forcing on beta, and sure enough, they were missing their API anti-automation controls in beta. So what he did is he just forced through the PIN code, you know, [unintelligible], and was actually able to basically force a password reset with a complete brute force, right? So they were doing it right in the production environment, but unfortunately they failed on beta, and that led to an anti-automation miss which caused real-world impact, and he was paid 10 or 15 grand for figuring it out. So for those of you going to do bug bounties, your [unintelligible] is right there; it's silly, but that is big, big, big money.

So, general APIs that are used. I've worked with some of the financials out there, and there are things like, you know, stock services or Bloomberg alerts or whatever, that someone is charging for, and those services actually cost the provider money. Even though you may see it in your user interface on the website, "oh look, there's a newsfeed coming from XYZ source; it says the analytics are showing XYZ stock is going to go up tomorrow," there's a good chance the provider of that information is actually paying for those calls from some server on the backend. If that's exposed via AJAX or what have you, and a user is able to invoke those queries directly, or you don't have it throttled properly and it's reaching out every time because you aren't caching, and they run up 10,000 queries against it in a day, then again you're paying the bill for someone else being silly, or trying to abuse a non-public API a bunch of times; your key is being used, right? So, something to be cognizant of. I didn't have a really good example to show, most likely because this wouldn't really be seen by an end user; this is something where the service provider's bill blows up: "where did this come from, why are we all of a sudden seeing $10,000 from the Bloomberg XYZ API?", and the end user had no idea they even caused that; or they did, and they were pretty knowledgeable.

So, identification in general: again, you really look for this through source code analysis. I don't know, again, of a scanner out there looking for anti-automation fallacies; so if you do [unintelligible], after this [unintelligible] I can add it to my little list. But what you can look for, when you're looking through your code, or if you're having third-party reviews, is areas that may be prone to abuse: services you pay money for, services that you're relying on for security, out-of-band communication, or services that rely on third parties. Make sure that you're protecting against automation if they're triggered by a user-generated event. And of course manual testing: again, this is something you're going to find through a pen tester or an analyst; it's something humans are good at finding, because they can see clearly from A to Z.

Remediation: rate limit it, right? So if you all of a sudden have a surge from a certain IP, or a cookie, or whatever, in a server-side session, that is querying something on that server that costs you money, and it seems out of normal behavior, or it's above a certain threshold, limit it back: say, no more than one every five seconds or 10 seconds. The user may say, "hey, things are a little bit slow," but from your perspective that's a huge, huge gain on your side if they are legitimately trying to abuse it. CAPTCHA where applicable, or reCAPTCHA; anyone would be familiar with the "I'm not a robot" checkbox: click it and you're done. [unintelligible] there's a new reCAPTCHA that's invisible; you probably don't know that because you don't see it; it's actually off the page, [unintelligible], and how that works is just Google's reputation of you. So if you ever [unintelligible] a CAPTCHA, [unintelligible] you can prove this: go into incognito mode or a private window and see if you happen to get a CAPTCHA, or see if your usual "I'm not a robot" checkbox turns into "click all the cat pictures" or "find all the street signs". Because what Google is doing is they're looking at these first-party cookies that they're referencing, to know, "hey, this guy, this is what we've got: he goes to Google a lot, he goes to Gmail, we have Gmail cookies, we have Google Analytics, we know we haven't got a robot, there's human identity here." A Perl script? Those cookies are not going to be on your Perl script, so now that Perl script is being thrown a CAPTCHA, where your users are either clicking a checkbox or don't have to do anything at all. Alright, so the days of looking at this, "how do I break your CAPTCHA, outsource my CAPTCHA to a CAPTCHA farm somewhere," those days are numbered.

And at the end of the day, if you're paying for a service like a feed or what have you; again, not in the realm of Bloomberg, but you're paying for some other feed; caching it up to date sounds like a great idea. The user may want you to reach out for the latest data, but caching in that type of context, when you're paying for data per user, makes a whole lot of sense.

Okay, this one is API key leakage. I know everyone's probably thinking, "here we go again," but there are some really good stories here, and these are really, really important to protect. How many of you have seen or heard of a [unintelligible] beacon? Right, yeah. I was doing an assessment a while back of a [unintelligible] solution, and for whatever reason the [unintelligible] provider didn't want to give us a copy of their SDK: "no, you have to be a customer to see our software development kit." Like, what? I want to evaluate this; I'm a tester, you know, we're going to responsibly disclose this through your customer. "No, you need a license, or [unintelligible], or we'll give you our SDK." So, pop it into GitHub, as I did, and someone has a full listing of it: I'm going through it, and a major retailer has a full copy of the [unintelligible] SDK. Not only that, they had their API key hard-coded into it, on disk. "No, this won't work, because [unintelligible]." Well, it works. [unintelligible] So those keys are exposed, and it's, right, "guess it'll work, you know." It's one of those things; I'll leave the rest up to your imagination.

Yeah, so this happens all the time: willingly or unwillingly, people are putting API keys into their source code repos and then exposing those repos out to the Internet. It doesn't get [unintelligible], but [unintelligible] "hey, I've got an API key exposed on GitHub": it gets pulled within 90 seconds; bots are scraping it constantly; it's crazy, for different permutations of API keys. So don't do that.

Other types: open source intelligence. I worked with a guy [unintelligible]; he created a cool tool called recon-ng, [unintelligible]. So there are all the great modules in here; it's his tool. But if you're looking for open source intelligence, recon-ng: use it and see what kind of crazy data you can get. Every once in a while we'll have a client who wants to do a truly black-box assessment, okay; "and if you get in, then maybe we'll give you credentials," and time and time again we come back with pages and pages and pages of credential dumps and source code repos and all kinds of stuff. And the essence of our experience [unintelligible]. Alright.

Reverse engineering: this applies to thick-client apps, HTML5, client-side stuff, or mobile apps, right? If you give a mobile app out, know that someone is reversing that, someone is going to look at that; actually, some folks in this room from [unintelligible] are probably looking at that. So know that your API key, no matter how you try to obfuscate it, no matter what you do to try to spaghetti that thing together at runtime, someone's going to figure that out, someone's going to get your API key; and if it's not hardened, or, you know, it's something that shouldn't be able to be seen by outsiders, it's going to be used.

Alright, local file inclusion and directory traversal, right. So, anyone see here, this week's [unintelligible], an article about a big [unintelligible] attack, something or other? Anyone want to break down what happened on that? The speculation is showing that basically those [unintelligible] were read, and then [unintelligible]. My money is on something like this being the cause of the leak of those [unintelligible], but at the end of the day that's my money, my guess. Again, another colleague of mine, [unintelligible], keeps [unintelligible]. This is the crazy thing: if you google [unintelligible], this person pops up; this dude's knowledge on this is ridiculous, how you can get those file inclusions and pull files off of the local file system, when you're storing them in places on the server; they might be [unintelligible].

Look, there's another story on API keys, and you'll remember this: the "million dollar Instagram" [unintelligible] last year; [unintelligible] anyone? It caused a lot of drama: there was what this guy said happened, and what Facebook said happened, and the truth is probably somewhere in between. But let's just break down what happened; you can kind of see [unintelligible]. So, bug bounty hunters, they do a lot of recon; they do a lot of searching out there for, like, scope creep, because all the low-hanging fruit, all the good stuff, is done on, like, the Facebook domain; so they look for what else is out there that is owned by the same organization, that I could go and break into and then maybe pivot to something bigger. So this guy did this: he found that Instagram had an externally facing Sensu portal, and it's Sensu, it's some type of an interface, and he tried a bunch of credentials, weak passwords, to get in. At the end of the day, then he started doing some research and realized that there was a remote code execution vulnerability in Sensu, so he leveraged that to then, at the back end, create a reverse shell; you can read this blog if you want to get the exact details. What he then found was this config file, which had an AWS key in it, which Facebook was like, cool, we'll give you 10 grand for that; you should have stopped there. But he didn't: he then took this and went over to the S3 auto-scale bucket, which had additional keys in it, and he's not done: he then took that and went over to a third bucket with all the user data in it. And this guy's [unintelligible]; that's, again, how Facebook felt about it, with user data involved, and this is completely outside of our bug bounty program and what's happening. But at the end of the day it was this key that was exposed, that was available to the [unintelligible] system, which should have never been there; and, let's be honest, it should have never been externally facing to begin with; maybe IP-filtered, if you don't have [unintelligible], whatever.

When we're talking about API key leakage remediation, some of it is pretty simple, like patches: make sure, if you have something exposed out to the wild, you're patching it, right; especially if it's an admin portal or something like that; don't expose it unnecessarily, right. If you have an admin portal, try not to make it externally facing.

This is an interesting one: [unintelligible] the notion of the ephemeral environment is big right now, right: you stand up a one-time environment to do a data transfer, or you stand up a one-time environment to do XYZ. Bug bounty hunters are going crazy right now figuring out ways to get into ephemeral environments, because even if they're only up for an hour or three hours, or it's [unintelligible] torn down, they're usually less hardened than the thing you know is out there, [unintelligible] in the cloud, because [unintelligible]. So ephemeral environments are really, really big right now; people are going crazy looking for different ways; there's a bunch of interesting scripts out there people have written to try to enumerate ephemeral environments before they're torn down. And, you know, of course: trust no one, right? Don't expose your API keys if possible.

So, wait, there's more. I'm just going to watch the time and make sure I have time for questions here. Admin portals: it sounds silly, but people have admin portals available everywhere; if you do that, there's a very good chance that you've got a hard-coded credential that you forgot about, or, you know, never revisited, right; or maybe it's not integrated with the SAML or the AD that, you know, the rest of your organization is; or maybe it needs to be looked at; or your IdP or whatnot. So admin portals are big, [unintelligible], right? If you don't have a password on your database and you're making it publicly accessible, that's ripe for a disaster. API keys in headers, everywhere: I could talk about that for hours, just because of some of the headers. Has everyone seen, you know, the headers that are coming back from web servers lately? I mean, it's like this long, all the different headers, and basically [unintelligible] and whatnot. Be cognizant that people are echoing those headers from your server; that's all; you're fine, all you have to do is look at it, and they are looking at it, and possibly some credentials. Something obvious; this is everywhere.

One thing, kiddos, I just wanted to say: is anyone familiar with password ratcheting? Anyone? One shaking head. Password ratcheting is basically: today you have some old legacy hash, say MD5, right, and you want to [unintelligible]; how can we convert over users to, say, [unintelligible]? Well, instead of making it so that on the next login the user's credentials will be upgraded, you just ratchet the one into the next one. So, for instance, if a user logged in and they have an MD5 hash, what you would first do is check to see if that hash matches the first algorithm, and if it doesn't, then you use the first algorithm to feed into the second algorithm. Now, instantly, you've updated all your passwords to a memory-hard password system, using ratcheting, one feeding into the other, right? So, I'm not on for a long time, but if you want that easy step to basically take your old legacy hashes, either unsalted or your non-memory-hard hashes, and upgrade them to something like [unintelligible]. So this is where we are at the end of the day.

The other thing I'd actively say is you learn a lot of stuff just by reading up on bug bounty reports; those reports are awesome. One, a local company, Uber, who has a fantastic bug bounty program, but they have insane reports from the vulns that were found by their bug bounty hunters; and you read through them and you can see, typically, right: "oh man, I would have just gone this extra step," or "if Uber would not have done this XYZ way [unintelligible]." But it's a really great tool out there that we can learn from; it's free. Go out there, read the disclosures, read the bug bounties; there's definitely a payday in it for you, [unintelligible]. Any questions? Okay.

[Audience question, partly inaudible] ... as far as going through an actual penetration test?

Yeah, yeah, so that's a great question. The question was: do I follow a particular methodology or framework, or what would I like to use? My gut: I'd be lying if I said I didn't go through that; I certainly do. There's certainly a methodology and scripts that I run through, things that I do when I'm starting off an assessment to get a little coverage. But at the end of the day I'm going to spend my time on [unintelligible] business logic [unintelligible]; I'm looking for the most critical things that I can find for an organization when I'm doing an assessment, and those are not going to be the things that are found by methodology and coverage. In terms of coverage, [unintelligible] or I really have to narrow in. So I use different tooling to get that coverage of the methodology framework, and then I start breaking off what's going to [unintelligible].

Another question? Yes. [Audience question, partly inaudible] ... Google search [unintelligible] there is a different way; look for it [unintelligible]. Yes, yes. [unintelligible] Alright, thank you all. [Applause]
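Editor's worked example for the SSRF remediation discussed in the talk (never trust the user-supplied URL, allowlist destinations, and never let the server be steered at something only it can reach, such as an IP-whitelisted S3 bucket or a cloud metadata endpoint). This is added Python, not code from the talk; the hostnames, the allowlist and the DNS answers in FAKE_DNS are constructed so it runs offline, and in a real service the resolver would be socket.getaddrinfo and the fetch would connect to the address this function vetted rather than resolving the name a second time.

```python
"""Vet a user-supplied fetch URL before the server requests it on the user's
behalf. Added example; the hosts, allowlist and DNS answers are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Ranges the server must never be steered into: "this network", RFC 1918,
# carrier-grade NAT, loopback, link-local (169.254.169.254 is the cloud
# metadata endpoint) and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table standing in for socket.getaddrinfo so the example
# runs offline. dual.example.com shows a name with one public and one
# internal answer; the internal one is enough to reject it.
FAKE_DNS = {
    "cdn.example.com": ["203.0.113.10"],
    "metadata.example.com": ["169.254.169.254"],
    "intranet.example.com": ["10.0.0.5"],
    "dual.example.com": ["203.0.113.20", "::ffff:10.0.0.6"],
}


def fake_resolver(host):
    """Return the constructed A/AAAA answers for host (empty if unknown)."""
    return FAKE_DNS.get(host, [])


def is_blocked_address(ip_text):
    """True if the address lies in a range the server must not fetch from."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 answer (::ffff:10.0.0.6) is judged as the IPv4 it wraps.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_fetch_url(url, allowed_hosts, resolver=fake_resolver):
    """Return (True, pinned_ip) if url may be fetched, else (False, reason).

    Scheme, userinfo, host allowlist and port are checked on the URL; then
    every address the host resolves to is checked, because a zone the
    attacker controls can hand back one public and one internal answer.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL"     # https://cdn.example.com@10.0.0.5/
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return False, "host not in allowlist: %r" % host
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed: %r" % port
    answers = resolver(host)
    if not answers:
        return False, "host does not resolve"
    for addr in answers:
        if is_blocked_address(addr):
            return False, "host resolves to internal address %s" % addr
    # Hand back the vetted address: the caller connects to it directly, so a
    # second lookup (DNS rebinding) cannot swap in an internal one.
    return True, answers[0]


if __name__ == "__main__":
    allowed = set(FAKE_DNS)
    for candidate in ("https://cdn.example.com/report.pdf",
                      "https://metadata.example.com/latest/meta-data/",
                      "https://dual.example.com/",
                      "https://cdn.example.com@intranet.example.com/",
                      "file:///etc/passwd",
                      "https://s3.example.com/bucket/x"):
        print(candidate, "->", check_fetch_url(candidate, allowed))
```

The allowlist is the primary control, exactly as the talk recommends (better still, keep the URL out of the request entirely and build it server-side); the address check is defence in depth for the case where an allowlisted name is later pointed somewhere internal.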

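Editor's worked example for the anti-automation remediation in the talk (rate limit a user-triggered action that costs you money, such as a password-reset SMS at half a penny a message, and cap what an attacker can run up in a day). This is added Python, not code from the talk; the prices, the budget, the phone numbers and the timestamps are constructed, and the per-key bucket size and interval are assumptions to be tuned per deployment.

```python
"""Per-key token bucket plus a daily spend cap in front of a metered action
such as sending an SMS. Added example; costs and the scenario are constructed."""
import math


class TokenBucket:
    """Allow `capacity` actions at once, then one more every 1/rate seconds."""

    def __init__(self, capacity, refill_per_second, now):
        self.capacity = capacity
        self.rate = refill_per_second
        self.tokens = float(capacity)
        self.updated = now

    def take(self, now):
        elapsed = max(0.0, now - self.updated)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.updated = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PaidActionGuard:
    """Gate a metered action: per-key throttle first, then a global daily budget.

    The key is whatever the abuse pivots on: the destination phone number for
    a reset SMS, the session or source IP for a paid data query. The budget
    catches the case the per-key limit cannot, a flood across many keys.
    """

    def __init__(self, unit_cost_cents, daily_budget_cents,
                 per_key_burst=3, per_key_interval_s=10.0):
        self.unit_cost = unit_cost_cents
        self.budget = daily_budget_cents
        self.burst = per_key_burst
        self.interval = per_key_interval_s
        self.buckets = {}
        self.spent = 0.0
        self.day = None

    def allow(self, key, now):
        """Return (True, "ok") or (False, reason). `now` is a unix timestamp."""
        day = math.floor(now / 86400)
        if day != self.day:                  # new UTC day: reset the spend counter
            self.day, self.spent = day, 0.0
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.burst, 1.0 / self.interval, now)
        if not bucket.take(now):
            return False, "rate limited: key %r" % key
        if self.spent + self.unit_cost > self.budget:
            return False, "daily budget exhausted"
        self.spent += self.unit_cost         # only charged when the action goes out
        return True, "ok"


def simulate_reset_flood(guard, phone, count, start=0.0):
    """Fire `count` reset-SMS requests for one phone at the same instant;
    return how many the guard let through."""
    return sum(1 for _ in range(count) if guard.allow(phone, start)[0])


if __name__ == "__main__":
    # Constructed scenario: SMS at 0.5 cents, 5000 cents ($50) per day.
    guard = PaidActionGuard(unit_cost_cents=0.5, daily_budget_cents=5000.0)
    print("one number, 10 requests at once:", simulate_reset_flood(guard, "+15550100", 10, 1000.0))
    print("same number 5 s later:", guard.allow("+15550100", 1005.0))
    print("same number 11 s later:", guard.allow("+15550100", 1011.0))
```

The per-key limit is what stops the single-account brute force described for the Facebook beta case; the daily budget is what stops the 300,000-messages-in-seconds bill, since each message there used a fresh key and would otherwise pass the per-key check.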
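Editor's worked example for the password ratcheting the talk closes with: wrap every legacy unsalted MD5 digest in a memory-hard hash immediately, without waiting for each user to log in, and then, at the next successful login when the plaintext is available, replace the wrapper with a direct hash so the MD5 link drops out of the chain. This is added Python, not code from the talk; scrypt via hashlib is the editor's choice of memory-hard function (the talk does not name one), the work factors are assumptions, and the two user records are constructed.

```python
"""Password ratcheting: scrypt(md5hex) in place for legacy rows, then a direct
scrypt record once the user proves the password. Added example, not from the
talk; users and passwords are constructed."""
import hashlib
import hmac
import os

# scrypt work factors (assumed): N=2**14, r=8 uses 16 MiB of memory per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def _scrypt(secret, salt):
    return hashlib.scrypt(secret, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)


def ratchet_legacy_md5(md5_hex, salt=None):
    """Upgrade a stored MD5 hex digest offline: scrypt over the hex text with a
    fresh per-row salt. Works on the whole table at once; no plaintext needed."""
    salt = salt if salt is not None else os.urandom(16)
    return "scrypt-md5$%s$%s" % (salt.hex(), _scrypt(md5_hex.lower().encode(), salt).hex())


def hash_password(password, salt=None):
    """Direct scrypt record, the scheme new accounts and re-hashed logins use."""
    salt = salt if salt is not None else os.urandom(16)
    return "scrypt$%s$%s" % (salt.hex(), _scrypt(password.encode(), salt).hex())


def verify(password, stored):
    """Return (ok, replacement). replacement is a direct-scrypt record when a
    ratcheted row verified, so the caller can store it and retire the MD5 step."""
    scheme, salt_hex, digest_hex = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "scrypt-md5":
        # Recompute the legacy inner digest from the password, then the wrapper.
        inner = hashlib.md5(password.encode()).hexdigest().encode()
        candidate = _scrypt(inner, salt)
    elif scheme == "scrypt":
        candidate = _scrypt(password.encode(), salt)
    else:
        return False, None
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    replacement = hash_password(password) if ok and scheme == "scrypt-md5" else None
    return ok, replacement


def migrate_table(legacy):
    """Ratchet every {user: md5hex} row in one pass."""
    return {user: ratchet_legacy_md5(md5hex) for user, md5hex in legacy.items()}


# Constructed legacy table: unsalted MD5, the state the talk describes.
LEGACY_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"hunter2").hexdigest(),
}

if __name__ == "__main__":
    table = migrate_table(LEGACY_USERS)
    ok, upgraded = verify("correct horse", table["alice"])
    print("alice login:", ok, "| new scheme:", upgraded.split("$")[0] if ok else None)
```

The ratcheted row is only as strong as scrypt over an unsalted MD5 output, which is why the second step matters: an attacker who already holds the old MD5 digest could log in with it, so the direct-scrypt replacement should be written on the first successful login and the legacy scheme should eventually be refused outright.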