Demystifying the Server-Side

By Rajanish Pathak

Elevator Pitch

Some server-side mysteries are waiting to be demystified: lesser-known techniques, and how inconsistencies in URL parsing and in the way server-side components treat certain elements usually go undetected yet can open up big gaps.

Description

Introduction to Server-Side Attacks

XXE Attacks - Introduction

  • XXE in file parsing
  • XXE Exploitation over OOB channels
  • XXE when OOB fails

SSRF (Server-Side Request Forgery) - Introduction

  • SSRF to access internal network / read internal files
  • SSRF to gain Shell

Remote code execution

  • OS command Injection vs Remote Code Execution (RCE)
  • RCE via debug messages
  • RCE via file uploads
  • RCE via SSTI
  • Exploiting code injection and data extraction over OOB channel

Hacking a multilayered architecture - Reverse Proxies

  • Basics of Reverse Proxy
  • Common Misconfigurations in Reverse Proxy
  • Path parameters in Java web servers
  • Different server inconsistencies [Nginx / Apache Misconfigurations]
  • Case Study F5 Auth Bypass

KEY TAKEAWAYS

Lesser-known techniques for exploiting server-side vulnerabilities will be demystified over the course of 4 hours.

WHO SHOULD TAKE THIS COURSE

  • Web developers,
  • Security Engineers,
  • Bug Bounty Hunters,
  • Anyone who wants to upgrade his or her skill set.

STUDENT REQUIREMENTS

Students must bring their own laptops and have admin/root access on them. The laptop must have virtualization software (VirtualBox / VMware) pre-installed, and should have at least 4 GB RAM and 20 GB of free disk space dedicated to the VM.

SPEAKERS

  • Harsh Jaiswal - Application security engineer @Vimeo
  • Rahul Maini - Security @Emirates
  • Rajanish Pathak - Software Security Researcher @xen1thlabs
