Leveraging web application vulnerabilities to gather open source intelligence
This talk aims to introduce the audience to how web application vulnerabilities can be used for the purpose of building a self-sufficient open source intelligence arsenal.
Karan Saini is a Policy Officer at the Centre for Internet and Society
No video of the event yet, sorry!
The talk will primarily focus on the prevalence of the following types of flaws:
- overly permissive application programming interfaces
- business logic errors
- insecure direct object reference attacks
- use of insecure identifiers
Through providing real life examples of discovered issues, the talk will provide a starting point for where and how resourceful OSINT can be found and collected. Further, the talk will also touch upon how developers can avoid baking these issues into their services and products and how end users can avoid becoming a part of these databases. The talk will also cover targeting ‘hyper local’ service providers for the purpose of building categorised data repositories.
- Talk overview:
- What is OSINT?
- Why build your own arsenal?
- How can web application vulnerabilities help?
- Minor case study on the uses of OSINT
- Targeting location-specific service providers
- Usual suspects: What to look out for
- Numeric Identifiers, API(s), IDOR(s), Weak Auth;
- Slides with examples
- Execution: “The good stuff”
- Scraping the information, OR
- Creating tools to query at will.
- As developers: What to avoid? (Reference: IETF doc on numeric IDs, OWASP on identifiers and IDOR)
- As users: What to avoid? (protective techniques)
- 2019 May 25 - 12:00
- 30 min
- Garden Area
- hillhacks 2019
- Main Conference (24-27 May)