YoVDO

Finding 0days in Enterprise Web Applications

Offered By: NahamSec via YouTube

Tags

NahamCon Courses
Server-Side Request Forgery (SSRF) Courses
XML External Entity (XXE) Injection Courses
Web Application Security Courses
Zero-Day Vulnerabilities Courses
Attack Surface Analysis Courses

Course Description

Overview

Explore advanced techniques for discovering zero-day vulnerabilities in enterprise web applications in this conference talk from NahamCon2022. Delve into the intricacies of HCL Digital Experience, IBM Websphere Portal, Lotus Domino, Solarwinds Web Help Desk, and Sitecore's Experience Platform. Learn how to decompile JARs, identify attack surfaces, chain vulnerabilities, and craft exploits for post-auth RCE via directory traversal. Gain insights on variant hunting, super SSRF, and leveraging hardcoded credentials in development and production environments. Master the art of source code analysis, payload crafting, and encryption key retrieval to enhance your offensive security skills.

Syllabus

Intro
What is HCL Digital Experience /IBM Websphere Portal
Decompiling JARS
Finding The Attack Surface
Finding the endpoint. One of the hardest bits of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by. This one was easy: they were deployed under /wps/.
Chaining a Lotus Domino Open Redirect
Variant Hunting: Discovering other occurrences of similar vulnerabilities
Super SSRF
Variant Hunting #2
Chaining the vulnerability through IBM KC
Fail: Another attempt at XXE
Post Auth RCE via Directory Traversal
References
What is Solarwinds Web Help Desk? Basically a central ticket management system for your enterprise. Connects with Solarwinds Orion.
Development Hardcoded Credentials
Production Hardcoded Credentials
What does this let us access? These credentials let us access a big part of the Spring web app embedded in this software. The most interesting controller for this was found at /helpdesk/WEB-INF.
Hibernate Query Routes
Putting it all together
Exploit Writeup
What is Sitecore's Experience Platform?
Grabbing Sitecore Source Code
Mapping out the attack surface
Discovering the vulnerable endpoint. When we investigated some of the files inside the sitecore/hel directory, we found the following contents:
Report.cs
ReportDataSerializer.cs
Crafting a payload
Final RCE Payload
Blob Handler.ashx
Encryption Function
Getting the Master Key
Default Master Key
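The "Decompiling JARs", "Finding The Attack Surface" and "Finding the endpoint" items above describe the step where grep hits in decompiled code have to be tied back to the URL that actually reaches them. The script below is an added example written for this page, not code from the talk or from HCL/IBM: it parses a web.xml and a few decompiled Java sources for servlet mappings (web.xml, Servlet 3.0 @WebServlet, Spring @RequestMapping/@GetMapping/@PostMapping), prefixes them with a context root, and flags handlers whose names suggest proxying, uploads or admin functions. The web.xml, source files, package names and class names are constructed sample input; the /wps context root is the one the slide mentions, and everything else is an assumption.

```python
"""Map servlet/controller definitions in decompiled Java web-app sources to
the URLs that trigger them. Added example; all inputs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed WEB-INF/web.xml as it would appear in an exploded WAR (assumption:
# JavaEE namespace, which is why tags are matched on their local name below).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>ProxyServlet</servlet-name>
    <servlet-class>com.example.portal.proxy.ProxyServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ProxyServlet</servlet-name>
    <url-pattern>/proxy/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>ProxyServlet</servlet-name>
    <url-pattern>/myproxy/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed decompiled sources keyed by path. These use the two annotation
# styles that never show up in web.xml and are easy to miss with a grep for
# url-pattern alone: Servlet 3.0 @WebServlet and Spring @RequestMapping.
SAMPLE_SOURCES = {
    "com/example/portal/upload/UploadServlet.java": '''
package com.example.portal.upload;
@WebServlet(urlPatterns = {"/upload", "/admin/upload"})
public class UploadServlet extends HttpServlet { }
''',
    "com/example/portal/api/ConfigController.java": '''
package com.example.portal.api;
@Controller
@RequestMapping("/api/config")
public class ConfigController {
    @RequestMapping(value = "/export", method = RequestMethod.GET)
    public String export() { return ""; }
    @PostMapping("/import")
    public String doImport() { return ""; }
}
''',
}

MAPPING = re.compile(
    r'@(WebServlet|RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping)'
    r'\s*\(([^)]*)\)')


def _local(el):
    """Tag name without the XML namespace prefix."""
    return el.tag.split('}')[-1]


def _children_text(el):
    return {_local(c): (c.text or '').strip() for c in el}


def parse_web_xml(xml_text):
    """Return [(url_pattern, servlet_class)] from <servlet-mapping> entries."""
    root = ET.fromstring(xml_text)
    classes = {}
    for el in root.iter():
        if _local(el) == 'servlet':
            c = _children_text(el)
            if 'servlet-name' in c and 'servlet-class' in c:
                classes[c['servlet-name']] = c['servlet-class']
    routes = []
    for el in root.iter():
        if _local(el) == 'servlet-mapping':
            c = _children_text(el)
            if 'servlet-name' in c and 'url-pattern' in c:
                routes.append((c['url-pattern'], classes.get(c['servlet-name'], c['servlet-name'])))
    return routes


def parse_annotations(path, src):
    """Return [(url, handler)] for @WebServlet and Spring mapping annotations in one source file."""
    pkg = re.search(r'package\s+([\w.]+)', src)
    cls = re.search(r'class\s+(\w+)', src)
    fqcn = (pkg.group(1) + '.' if pkg else '') + (cls.group(1) if cls else path)
    class_prefix, routes = '', []
    for m in MAPPING.finditer(src):
        kind, paths = m.group(1), re.findall(r'"([^"]*)"', m.group(2))
        # Text between the annotation and the next '{' tells us whether it sits on
        # the class (contains 'class') or on a method (contains 'name(').
        tail = src[m.end():]
        header = tail[:tail.find('{')] if '{' in tail else tail
        if kind == 'WebServlet':
            routes += [(p, fqcn) for p in paths]
        elif re.search(r'\bclass\b', header):
            class_prefix = paths[0] if paths else ''
        else:
            meth = re.search(r'(\w+)\s*\(', header)
            target = f'{fqcn}.{meth.group(1)}' if meth else fqcn
            routes += [(class_prefix + p, target) for p in (paths or [''])]
    return routes


def map_attack_surface(context_root, web_xml, sources):
    """Full URL -> handler for everything reachable under the given context root."""
    routes = parse_web_xml(web_xml)
    for path, src in sources.items():
        routes += parse_annotations(path, src)
    base = context_root.rstrip('/')
    return sorted((base + pattern, handler) for pattern, handler in routes)


def flag_interesting(routes, keywords=('proxy', 'upload', 'admin', 'import', 'export')):
    """Triage: URLs whose path or handler name hints at SSRF, file write or admin functions."""
    return [(u, h) for u, h in routes if any(k in (u + h).lower() for k in keywords)]


if __name__ == '__main__':
    for url, handler in map_attack_surface('/wps', SAMPLE_WEB_XML, SAMPLE_SOURCES):
        print(f'{url:32} -> {handler}')
```

Run against a real target you would feed it the exploded WAR's web.xml plus the output of a decompiler over the JARs; the sorted list is the starting point for the "Finding the endpoint" step, and the triage keywords are where a reviewer would first look for the SSRF and traversal primitives the talk chains.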


Taught by

NahamSec

Related Courses

Introduction to OWASP Top 10 Security Risks
A Cloud Guru
AWS SimuLearn: Cyber Security Threats
Amazon Web Services via AWS Skill Builder
AWS SimuLearn: Edge Protection
Amazon Web Services via AWS Skill Builder
Cloud Security Scanner: Qwik Start
Google via Google Cloud Skills Boost
OWASP Top 10: Broken Access Control
Codecademy