Finding 0days in Enterprise Web Applications

Presented at May Contain Hackers (MCH2022), July 24, 2022, 7 p.m. (50 minutes)

Enterprise web applications have been deployed rapidly to the internet over the last ten years. Often, these applications remain secure purely because of how difficult it is to get a copy of the source code. Unsurprisingly, some of the most popular enterprise web applications contain critical pre-authentication vulnerabilities. This presentation discusses how to get your hands on enterprise web applications and how to audit them for vulnerabilities, demonstrated through the disclosure of multiple 0days in popular enterprise web applications.

When performing offensive source code analysis, the road to critical pre-authentication vulnerabilities usually involves a treacherous journey. From obtaining the source code to mapping out sources and sinks, this presentation will take you on this journey to finding critical bugs in the following software:

  • IBM Websphere Portal / HCL Digital Experiences
  • Solarwinds Web Help Desk
  • Sitecore Experience Platform
  • VMWare Workspace One UEM (AirWatch)

By experiencing the discovery process of 0days in popular enterprise web applications, this process can be repeated on the enterprise applications your company uses. The vulnerabilities discussed in this presentation have all gone through a responsible disclosure process.

Presenters:

  • Shubham Shah (Shubs)
    Shubham Shah is the co-founder and CTO of Assetnote. Shubham is a prolific bug bounty hunter in the top 50 hackers on HackerOne and has presented at various industry events including QCon London, Kiwicon, AusCert, BSides Canberra and CrikeyCon. In his free time, Shubham enjoys performing high impact application security research.
