Hacker Days: Raining shells in AWS by chaining vulnerabilities
Details
We will have some short talks and Riyaz's session will start by 6 pm. No Forms required to be filled. Feel free to walk in.
Title: OWASP rules and cloud security controls that would have avoided breaches such as Capital One breach
Abstract:
Capital One recently fell victim to one of the biggest breaches of 2019. Over 100 million records containing PII (Personal Identifiable Information) are now readily available within the public domain. The records supplied data linked to social security numbers, credit scores, names, birthdates, email addresses, credit limits, and home addresses just to name a few. Reports indicate that the breach was successful by way of an insider threat that was a former Amazon software engineer working in the cloud division. Additionally, after further review, the compromise was associated with poorly configured firewall protocols within AWS that assisted in the data loss breach.
By the end of the session participant will be able to:
- Properly configure security profiles within cloud and network architecture to include port and protocol management.
- Identify technologies and parameters for proper implementation of Identity Access Management Programs, including AAA (Authentication, Authorization, Accounting) to combat insider threats.
- Understand functionality and considerations when selecting a toolchain for monitoring and mitigation of attacks, including applications of ML and AI
- Address risk mapping and the correlation between “Sensitive Data Exposure” and “Broken Authentication” risks identified in OWASP 10.
About the speaker:
Cody Mercer is a Security Solutions Architect at Wallarm. Prior to joining Wallarm, he has worked in all sectors to include government, military, private, public. Additionally, Cody served over 12 years in the United States Navy as a Cryptographer and Signal/Human Intelligence Operator. As a certified ethical-hacker, he has spent the last several years participating in penetration testing, red/blue team operations, social engineering, and Threat Intelligence development.
Title: Raining shells in AWS by chaining vulnerabilities
Abstract:
Attackers encounter application vulnerabilities that give them access to the data that the application processes or in some cases the underlying operating system. Using this access, attackers can move laterally to other servers and devices on the network. This holds true for on-prem as well as cloud deployments. However, a major twist with cloud infrastructure is that with attackers can move not only between servers on the cloud but also between cloud services themselves. In this session, we shall see examples of web application vulnerabilities that use one or more cloud services and how these vulnerabilities can be chained to achieve greater access to other cloud services in AWS or the entire AWS account itself.
If any of the attendees want to follow through the content, they can use the repository that will be made public post the talk.
By the end of workshop participants will be able to:
-
Chain common web application vulnerabilities to achieve access to infrastructure
-
Get shells on the cloud infra using various techniques specific to AWS (and other cloud) setups
Pre-requisites:
- If you want to practice the attacks shown in the talk post the session, then
- Basic knowledge of using the Linux command line
- AWS account setup for payments (you should be able to go to Services > EC2)
About Trainer:
Riyaz Walikar (@wincmdfu) currently heads the Offensive Security Team at Appsecco and is responsible for the assessment and delivery of Web and Mobile Application Security Testing engagements. He is a OSCP certified Web Application Pentester, Security evangelist and researcher. He has been active in the security community for the better part of the last 10 years. He has been actively involved with the Bangalore OWASP and null chapter for the last 7 years and is one of the OWASP and null Bangalore chapter leads.
