Attacking Secondary Contexts in Web Applications

Presented at Kernelcon 2020 Virtual, March 28, 2020, 12:30 p.m. (60 minutes).

This talk explores attacking various 'secondary contexts' in web applications where data is being passed to an underlying internal HTTP server. We will explore the different approaches to targeting limited-access/internal APIs, the very strange interactions between different servers within the stack, and lastly the different types of vulnerabilities present in second stage HTTP services.

Presenters:

• Sam Curry
  Sam Curry is a full time bug bounty hunter and security consultant through 17security, LLC. He has been active in the security community since 2015 and runs a blog dedicated to advancing web application security research at samcurry.net.

Links:

• https://www.youtube.com/watch?v=hWmXEAi9z5w
• https://2020.kernelcon.org/cfp/K2020_scurry.pdf

Similar Presentations:

• Black Hat Asia 2017 / Hacking HTTP/2 - New Attacks on the Internet's Next Generation Foundation