Explore path normalization vulnerabilities and their exploitation in this conference talk from Hack.lu 2018. Delve into various case studies, including Nginx off-by-slash failures, Spring and Rails 0days, and RCE vulnerabilities in Uber and Amazon. Learn about polyglot URL paths, spotting vulnerabilities, and techniques for finding these issues. Examine the dangers of reverse proxy interactions, ACL bypasses through inconsistencies, and authentication bypasses via misconfigurations. Discover how log injection can lead to RCE and how code reuse bugs can result in Expression Language injection. Gain insights into mitigation strategies and summarize key takeaways for improving web application security.
Overview
Syllabus
Intro
Orange Tsai
Agenda
Polyglot URL path
Why path normalization
Can you spot the vulnerability?
Nginx off-by-slash fail
How to find this problem?
Spring Oday - CVE-2018-1271
Bonus on Spark framework
Rails Oday - CVE-2018-3760
For the RCE lover
URL path parameter
When reverse proxy meets...
How danger it could be?
Uber bounty case
Bynder RCE case study
Inconsistency to ACL bypass
Misa New Password
Misconfiguration to auth bypass
Log injection to RCE
Private bounty case
Amazon RCE case study
Path normalization bug leads to ACL bypass
Seam Feature
Code reuse bug leads to Expression Language injection
EL blacklist bypassed leads to Remote Code Execution
Mitigation
Summary
Taught by
Cooper
