Hidden in Plain Site: Disclosing Information via Your APIs - Peter Yaworski, Bugcrowd's LevelUp 2017
Рет қаралды 13,692
Күн бұрынIn this presentation, I'll walk through a number of information disclosure vulnerabilities I've found in mature programs overlooked by other researchers specifically in HTML page sources and APIs. In doing so, I'll demonstrate the design pattern in Rails that makes this an easy mistake to make, especially when combined with a front end JavaScript library like React or Angular.
Have questions? Ask them on the Bugcrowd forum: bgcd.co/2thaRxc
Join Bugcrowd today: bgcd.co/2up2fUH
@oai9106 4 жыл бұрын
Thanks to Bugcrowd as well as Mr. Peter Yaworski .
@sowhatsupeirik 4 жыл бұрын
Great talk Peter! Your a treat in webhacking and security in general.
@eliasibrahim1055 6 жыл бұрын
Thank you Peter, this lesson really expanded my way of hunting.
@decalresponds3066 7 жыл бұрын
This issue of failing to remove the proper column extracts from data returned by API operations created via code reuse requires really detailed table security to even begin to prevent. Aside from GRANT and REVOKE, I'm not sure ANSI SQL offers any other access control statements. Various technology-specific extensions to the DAL, DDL and DML (Data Access, Data Definition and Data Modification Languages) may exist depending on the RDBMS and DBA. However, even the most comprehensive security policies/constraints aren't going to stop application business logic errors--no excuses can be made for the developers there.
@watchlistsclips3196 3 жыл бұрын
You are so sweet like the hacker who saved the internet marcus hutchins.
@huzifaahmed1426 Жыл бұрын
your ideas stil dangourase ✌ still high
Bugcrowd
Рет қаралды 6 М.
Bugcrowd
Рет қаралды 22 М.
DonTheDeveloper
Рет қаралды 264 М.
OWASP Stockholm
Рет қаралды 33 М.
Bugcrowd
Рет қаралды 8 М.
FISPECKT
Рет қаралды 200 М.