Surprise features that you didn’t ask for - Mike Haworth

Server Side Request Forgery

  • Could access services on localhost
  • Access other hosts in the DMZ
  • Bypass host-based authentication (the request originates from a trusted server)

Vulnerable systems:

  • memcached
  • couchdb

Urllib: accepts file://

Pycurl accepts gopher://

Memcached: reachable via gopher:// (a gopher-capable fetcher can be pointed at it)

Preventing: a blacklist is error-prone.
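An allowlist version of the check, as an added example that is not from the talk or its slides: only http/https schemes are accepted (so file:// and gopher:// are refused outright), and every address the hostname resolves to must be globally routable, which rejects localhost, RFC 1918 ranges and the link-local metadata range. The resolver is injectable so the constructed DNS table below runs offline; the hostnames in it are made up.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every address the hostname maps to (A and AAAA)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    Allowlist the scheme, refuse embedded credentials, then require every
    resolved address to be global. Checking *all* addresses matters: a host
    with one public and one private record would otherwise slip through.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = resolver(host)
    except OSError:
        return False, f"{host} does not resolve"
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # Unwrap ::ffff:a.b.c.d so a mapped private IPv4 is judged as IPv4.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        if not ip.is_global:
            return False, f"{host} resolves to non-global address {ip}"
    return True, "ok"


# Constructed DNS table standing in for real resolution (hostnames are made up).
CONSTRUCTED_DNS = {
    "public.example": {"93.184.216.34"},
    "intranet.example": {"10.0.0.5"},
    "metadata.example": {"169.254.169.254"},
    "mixed.example": {"93.184.216.34", "127.0.0.1"},
    "mapped.example": {"::ffff:192.168.1.9"},
}


def constructed_resolver(host):
    if host not in CONSTRUCTED_DNS:
        raise OSError("NXDOMAIN")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for u in ("https://public.example/report", "file:///tmp/x",
              "gopher://intranet.example/", "http://metadata.example/latest/"):
        print(u, check_outbound_url(u, constructed_resolver))
```

Two caveats the check alone does not cover: the fetch must connect to the address that was checked (otherwise a DNS answer that changes between check and connect defeats it), and any HTTP redirect the fetch follows must be run through the same check before it is followed.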

XML External Entity (XXE):

Safer: (external link)
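One way to make a stdlib parser safer against XXE, as an added example (not from the talk): refuse any document that declares a DTD before handing it to ElementTree, since external entities, parameter entities and entity-expansion bombs all need a DOCTYPE to be declared. The pre-check uses pyexpat's StartDoctypeDeclHandler, which fires before any entity is resolved; an exception raised in the handler aborts the parse. The sample documents are constructed.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class DtdNotAllowed(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, the vehicle for XXE."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # Fires at the start of the DTD, before any entity declaration is seen.
    raise DtdNotAllowed(f"DOCTYPE {name!r} not allowed in untrusted input")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing any DTD up front."""
    checker = expat.ParserCreate()
    checker.StartDoctypeDeclHandler = _reject_doctype
    checker.Parse(data, True)  # raises DtdNotAllowed on a DOCTYPE
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses under the DTD-free policy."""
    try:
        parse_untrusted_xml(data)
        return True
    except DtdNotAllowed:
        return False


# Constructed samples: a plain document and one that declares an entity.
SAFE_DOC = b"<order><item sku='A1' qty='2'/></order>"
DTD_DOC = b"<!DOCTYPE order [<!ENTITY e 'x'>]><order>&e;</order>"

if __name__ == "__main__":
    print("safe doc accepted:", is_accepted(SAFE_DOC))
    print("DTD doc accepted:", is_accepted(DTD_DOC))
```

Rejecting the whole DTD is coarser than disabling external entity resolution only, but it is the policy that is easiest to reason about for input you do not control; documents that legitimately need a DTD should come from a trusted channel instead.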

Signed cookies - the session data is signed, not encrypted, so it is visible to the user.

Also, a cookie captured before the discount was recorded as applied can simply be replayed to reapply the discount. Fix: issue a unique number each time a discount is given, so a replayed cookie carries a number that has already been used.

Don’t use pickle for cookie or session data, since unpickling untrusted input can execute arbitrary code; use JSON instead.
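The three cookie points above in one worked example, added here and not from the talk: the session is serialised as JSON (not pickle) and HMAC-signed; anyone holding the cookie can read the payload without the key, but cannot change it without failing verification; and a discount is tied to a single-use token recorded server-side, so replaying an older cookie does not reapply it. The key, user names and amounts are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment loads this from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def sign_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """JSON-encode the session and append an HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(
        json.dumps(session, sort_keys=True).encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_cookie_without_key(cookie: str) -> dict:
    """What the user sees: the payload is base64, not encrypted."""
    payload, _tag = cookie.rsplit(".", 1)
    return json.loads(base64.urlsafe_b64decode(payload))


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Server side: the session if the tag matches, else None."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def swap_payload(cookie: str, new_session: dict) -> str:
    """Edit the visible payload but keep the old tag (what a tamperer can do)."""
    _payload, tag = cookie.rsplit(".", 1)
    payload = base64.urlsafe_b64encode(
        json.dumps(new_session, sort_keys=True).encode()).decode()
    return f"{payload}.{tag}"


class DiscountLedger:
    """Server-side set of discount tokens not yet redeemed.

    grant() issues a fresh unique token each time a discount is given;
    redeem() consumes it, so a replayed cookie carrying the same token
    is refused the second time.
    """

    def __init__(self):
        self._unused = set()

    def grant(self) -> str:
        token = secrets.token_hex(16)
        self._unused.add(token)
        return token

    def redeem(self, token: str) -> bool:
        if token in self._unused:
            self._unused.remove(token)
            return True
        return False


def apply_discount(ledger: DiscountLedger, cookie: str) -> bool:
    """Honour the discount only if the cookie verifies and its token is unused."""
    session = verify_cookie(cookie)
    if session is None or "discount_token" not in session:
        return False
    return ledger.redeem(session["discount_token"])


if __name__ == "__main__":
    ledger = DiscountLedger()
    c = sign_cookie({"user": "alice", "discount_token": ledger.grant()})
    print("visible to user:", read_cookie_without_key(c))
    print("first use:", apply_discount(ledger, c), "replay:", apply_discount(ledger, c))
```

The token set lives on the server, so the cookie can stay a plain signed blob; the one thing the server must never do is trust a field in the cookie alone to decide whether the discount has already been used.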

Pentesting challenges: (external link)