When exploits are blind - Chris Dale

Publisert av NUUG

Demonstration based presentation. Only intro and outro powerpoint slides. Demonstrate user enumeration using timing attacks. Especially prominent when companies have implemented bcrypt/scrypt/pbkdf#2. Attack vector which is very useful in many cases today, notably against Lync/Skype4B installations today. Further password spray into a solution. Discover, analyze and fully exploit reverse-shell command injection. How to find these across large systems? How dose vulnerability scanners work, and how do they detect this? Introduction to Burp Collaborator. Introduction to script for merging attack data into hundreds of Burp Collaborators. Discover, analyze and fully exploit blind SQL Injection. Demonstrating Burp Intruder cluster bomb attack to enumerate out table data. Recorded at the OWASP Norway Day by NUUG.