From Web App to ATM: Why the Basics Matter

Presented at RVAsec 2018, June 7, 2018, 2 p.m. (50 minutes).

This is a technical application security discussion for junior penetration testers or anyone interested in the world of penetration testing. Advanced members of the community are welcome, but the content is geared at newer testers. From Web App to ATM will showcase a penetration test I performed where the only previous work done was web vulnerability scanners that completely missed the iceberg lurking just below the water. In this talk I will cover some "back to basics" of web app security and show real world examples of critical applications exposing these flaws. Unauthenticated APIs, forceful browsing, privilege escalation, and total ownage of ATMs managed by this app are all up for discussion.

Presenters:

• Travis McCormack - Walmart
  Travis has 10 years of experience in information security roles. Starting out as a Network Administrator and later SOC Analyst he has built his experience and knowledge up through blue teaming before deciding to try out offensive security. Travis has spent the past 2 years as a penetration tester primarily focused in application security with Cigital/Synopsys and now Walmart.

Links:

• https://rvasec2018.sched.com/event/EgC3/from-web-app-to-atm-why-the-basics-matter
• https://infocon.org/cons/RVAsec/RVAsec 2018/Travis McCormack - From Web App to ATM - Why the Basics Matter.mp4
• https://infocon.org/cons/RVAsec/RVAsec 2018/Travis McCormack - From Web App to ATM - Why the Basics Matter.eng.srt (subtitles)

Similar Presentations:

• Black Hat USA 2011 / Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
• DEF CON 19 (2011) / Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
• BSidesSF 2019 / Goldilocks and the Three ATM Attacks