FlowMate

Presented at DEF CON 31 (2023), Aug. 11, 2023, noon (115 minutes)

Imagine pentesting a large web application with hundreds of pages and forms, as well as user roles and tenants. You discover that your chosen username is reflected in many locations inside the application, but you don't have a detailed overview. You want to test whether the chosen username is handled properly or allows for injection attacks, such as Cross-Site Scripting or Server-Side Template Injection. Now you face the challenge of finding all locations where your payloads appear when injecting into the username. In large applications, you'll likely miss some, potentially leaving vulnerabilities undetected. This is where FlowMate comes into play, our novel tool to detect data flows in applications for enhanced vulnerability assessments. FlowMate consists of two components: a BurpSuite plugin and a data flow graph based on Neo4j. It records inputs to the application as you go through the pages exploring the application and searches for occurrences of the captured inputs in the responses. This results in a graph that can be visualized and searched for parameters of interest and where they're occurring on the site. Understanding the data flows of an application helps to significantly improve the test coverage and bring your pentesting to the next level.
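The abstract describes the core idea in two steps: remember the parameter values you send while browsing, then search every response for those values and keep the result as a graph of parameter to location. The following is an added illustration of that idea in plain Python, written for this page; it is not FlowMate's code and does not use Burp or Neo4j. The `Exchange` records, the `FlowRecorder` class, the `classify_context` heuristic and the sample request/response pairs are all constructed for the example.

```python
import html
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlparse


@dataclass
class Exchange:
    """One recorded HTTP request/response pair (constructed sample data below)."""
    method: str
    url: str
    body: str       # urlencoded form body, "" for GET
    response: str   # response body as text


def classify_context(page, pos):
    """Rough guess at where an occurrence sits: inside a <script> block, inside
    a tag (attribute value), or in HTML text. A hypothetical heuristic that is
    good enough for prioritising manual follow-up, not an HTML parser."""
    before = page[:pos]
    if before.count("<script") > before.count("</script>"):
        return "script"
    if before.rfind("<") > before.rfind(">"):   # an unclosed tag precedes us
        return "attribute"
    return "text"


class FlowRecorder:
    """Records input values from requests and maps each parameter name to the
    response locations (path, context) where its value is reflected."""

    def __init__(self, min_length=6):
        self.min_length = min_length      # ignore short values that match by chance
        self.values = {}                  # value -> (parameter name, origin path)
        self.graph = defaultdict(set)     # parameter name -> {(path, context)}

    def record_request(self, ex):
        parsed = urlparse(ex.url)
        params = parse_qs(parsed.query)
        if ex.body:
            params.update(parse_qs(ex.body))
        for name, vals in params.items():
            for v in vals:
                if len(v) >= self.min_length and v not in self.values:
                    self.values[v] = (name, parsed.path)

    def scan_response(self, ex):
        path = urlparse(ex.url).path
        for value, (param, _origin) in self.values.items():
            # Applications often re-encode what they echo, so also look for the
            # HTML-escaped and URL-encoded forms of each recorded value.
            for variant in {value, html.escape(value, quote=True), quote(value, safe="")}:
                for m in re.finditer(re.escape(variant), ex.response):
                    self.graph[param].add((path, classify_context(ex.response, m.start())))

    def process(self, exchanges):
        for ex in exchanges:
            self.record_request(ex)
            self.scan_response(ex)
        return self.graph

    def flows_for(self, param):
        """Sorted list of (path, context) pairs where `param`'s value appeared."""
        return sorted(self.graph.get(param, ()))


# Constructed traffic: a registration, the profile page, and an admin listing.
SAMPLE_EXCHANGES = [
    Exchange("POST", "https://app.example/register",
             "username=fm_user_7731&email=fm%40example.test",
             "<html><body>Welcome, fm_user_7731!</body></html>"),
    Exchange("GET", "https://app.example/profile?tab=main", "",
             '<html><body><input name="name" value="fm_user_7731">'
             '<script>var u = "fm_user_7731";</script></body></html>'),
    Exchange("GET", "https://app.example/admin/users", "",
             "<html><body><ul><li>fm_user_7731 (fm@example.test)</li></ul></body></html>"),
]


def run_demo():
    rec = FlowRecorder()
    rec.process(SAMPLE_EXCHANGES)
    return rec


if __name__ == "__main__":
    rec = run_demo()
    for param in sorted(rec.graph):
        for path, ctx in rec.flows_for(param):
            print(f"{param:10} -> {path} [{ctx}]")
```

Running it shows that `username` reaches four sinks across three pages, including an attribute value and a `<script>` literal on `/profile`, which are exactly the contexts a tester would prioritise, while `email` only surfaces in the admin listing. The context label is a heuristic; a real tool would use a proper HTML parser and persist the edges in a graph database so they can be queried later, as the abstract describes for Neo4j.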


Presenters:

  • Nicolas Schickert
    Nicolas Schickert is a security researcher and penetration tester at usd AG, an information security company based in Germany. He is in charge of SAP-specific penetration tests at the usd HeroLab. In this role, Nicolas is responsible for the collection of SAP-related knowledge and the development of new analysis tools. He is interested in reverse engineering and vulnerability research and has published several zero-day vulnerabilities, not only in the context of SAP.
  • Florian Haag
    Florian Haag is a senior security consultant at usd AG with experience in penetration testing, software security assessments as well as code reviews. He specializes in penetration tests of thick client applications, leveraging his background in software development to reverse engineer proprietary client applications and network protocols. In previous scientific work, he worked on novel approaches to application-level data flow analysis to improve penetration testing coverage. In addition, he analyzed website clones used in phishing campaigns and the frameworks that are used by fraudsters to create and operate cloned websites.
