Finding 0days in Enterprise Web Applications
Offered By: NahamSec via YouTube
Course Description
Overview
Syllabus
Intro
What is HCL Digital Experience /IBM Websphere Portal
Decompiling JARS
Finding The Attack Surface
Finding the endpoint: One of the hardest parts of source code analysis when finding bugs through grep is identifying the endpoint that the config files/code are triggered by. This one was easy: they were deployed under /wps/
Chaining a Lotus Domino Open Redirect
Variant Hunting: Discovering other occurrences of similar vulnerabilities
Super SSRF
Variant Hunting #2
Chaining the vulnerability through IBM KC
Fail: Another attempt at XXE
Post Auth RCE via Directory Traversal
References
What is Solarwinds Web Help Desk? Basically a central ticket management system for your enterprise; it connects with Solarwinds Orion
Development Hardcoded Credentials
Production Hardcoded Credentials
What does this let us access? These credentials let us access a big part of the Spring web app embedded in this software. The most interesting controller for this was found at /helpdesk/WEB-INF
Hibernate Query Routes
Putting it all together
Exploit Writeup
What is Sitecore's Experience Platform?
Grabbing Sitecore Source Code
Mapping out the attack surface
Discovering the vulnerable endpoint: When we investigated some of the files inside the sitecore/hel directory, we found the following contents
Report.cs
ReportDataSerializer.cs
Crafting a payload
Final RCE Payload
Blob Handler.ashx
Encryption Function
Getting the Master Key
Default Master Key
Taught by
NahamSec
Related Courses
OWASP Top 10 - A4:2017 - XML External Entities (Cybrary)
OWASP Top 10: #3 Sensitive Data Exposure and #4 External Entities (XXE) (LinkedIn Learning)
Protecting Against XML External Entity and Deserialization Attacks in ASP.NET and ASP.NET Core (Pluralsight)
Secure Coding: Identifying and Mitigating XML External Entity (XXE) Vulnerabilities (Pluralsight)
Uncle Rat's XXE Handbook (Udemy)