Whitebox Web Exploit Development

Presented at DEF CON 32 (2024), Aug. 9, 2024, 9 a.m. (240 minutes).

Gain experience popping root shells on real-world web applications and take your hacking skills to the next level. Students will learn accessible and powerful vulnerability discovery techniques to identify, exploit and chain vulnerabilities for root shells. They will get hands-on experience using free and widely available Linux utilities to debug and dynamically monitor applications, in order to discover and exploit vulnerabilities more effectively. Using a whitebox approach, students will rapidly discover and exploit non-trivial bugs. A progressive hint system will be used during the labs to incrementally reveal step-by-step progressions of each exploit exercise in case students are stuck or fall behind.

Course Objectives:

-- Students will gain hands-on experience analyzing and developing exploits for real-world application vulnerabilities.
-- Students will learn how to discover vulnerabilities and subsequently weaponize them in an exploit chain to spawn remote shells on application servers.
-- Students will gain experience using open source Linux tools like strace and tcpdump to analyze application behavior and isolate vulnerabilities.
-- Students will gain experience weaponizing web application vulnerabilities and writing exploits.

Upon completion of this training, attendees will know:

-- How to identify situations where openbox application vulnerability assessments are appropriate and how to leverage this powerful context.
-- How to utilize openbox penetration testing methodologies to achieve more thorough and effective assessments.
-- How to leverage vulnerability chaining to assemble multiple medium criticality findings into a single remote root exploit.

Presenters:

  • Cale Smith - Amazon
    Cale Smith is a nerd who loves both building and breaking, so he can get better at building. He is passionate about understanding how anything and everything works; improving security along the way is just a bonus. He is also passionate about sharing his passion and created this course to pass along some of the more accessible techniques he has picked. His professional career originated exclusively as a builder, but he has been focusing on the security and breaking side for the last 15 years. During that time he has dabbled in the web weenie life, cloud, binary, IoT and, most recently, mobile. Currently he manages a device-oriented AppSec team at Amazon. While AFK he is probably riding a bike or climbing rocks.
  • Priyanka Joshi - Security Engineer, Ring AppSec at Amazon
    Priyanka Joshi started her career through the academic path of computer engineering followed by a master's degree in information security. Her learning journey truly began doing security engineering in the industry. She discovered her passion in the identity space during her first software security engineer job at an ancient mid-sized company. There she focused on research, development, maintenance and security testing of OAuth2.0/OpenID implementations for over two years. In her current appsec engineer role at Amazon, she enjoys working on secure design assessments, bug bounty triage and fix validation, consults and security testing of web services. Outside of work, she enjoys hiking, sketching, music, watching anime and reading manga.
