Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Hacking IIS

NahamSec via YouTube

Overview

Dive into advanced IIS server hacking techniques in this 22-minute conference talk from NahamCon2021. Explore HTTPAPI 2.0 asset management, VHost hopping, local file disclosure in ASP.NET MVC applications, and complex XXE vectors. Learn to resolve 404 errors, access internal admin panels, leverage web.config files, and perform source code analysis using DNSpy. Discover logical fuzzing techniques for files and folders, and gain insights into ASP.NET Viewstate deserialization and targeting dependencies. Perfect for security professionals looking to enhance their IIS hacking skills.

Syllabus

Intro
Have you seen this before?
Resolving the HTTPAPI 2.0 404 Error
After fixing the host header
Accessing an internal admin panel via VHost Hopping ($1900)
Accessing the VHost
Reap the benefits
Typical Local File Disclosure in C#
Local file disclosure? web.config is your friend.
ASP.NET Viewstate Deserialization
Targeting Dependencies
Source Code Analysis through DNSpy
Navigating through DNSpy
Constraints
Local DTDs (Attempt 1)
Stack Trace But No Love
Local DTDs (Attempt 2)
Logical fuzzing of files and folders
More resources on hacking IIS

Taught by

NahamSec

Reviews

Start your review of Hacking IIS

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.