AREA41 2018 Technical Workshops

The workshops consist of technical hands-on training sessions with renowned security experts.
Limited space may be available on site, but it is better to register ahead.
More will be added later...

Eventbrite - AREA41 2018 Security Conference

UploadScanner workshop - Filing Fiddly Files

Teachers: Tobias "floyd" Ospelt

Date: Friday, June 15, 14:00 - 17:10

Tickets: It is free, but you need to reserve a seat.

Location: Xtra (same venue as conference)

Abstract:
Testing web applications is a standard task for every penetration tester. Various automated and semi-automated security testing tools exist. However, they all lack suitable tests for web-based file uploads. Web-based file uploads are critical components of web applications, provide a large attack surface and therefore require proper security testing. While a lot of techniques for file upload testing are known, they often lack proper documentation, are very specific to one use case and require extensive hand-tailoring to each application. Therefore, a file upload testing extension for most pentesters' favorite tool - Portswigger's Burp Proxy - was implemented. The developed Burp extension aims to automate the testing as far as possible and requires configuration only where necessary. The tool covers various techniques, such as resizing images before uploading them, injecting code into file formats while keeping the file format intact and trying to automatically identify requests performing non-multipart file uploads. The Burp extension's entire code will be released on GitHub after this workshop. Due to the lack of other tools, we hope for this tool to become a de facto standard for testing file uploads.

Description:
This workshop will give an introduction to the yet unreleased UploadScanner extension developed by modzero AG for Portswigger's Burp Proxy software. The goal is to show pentesters, security analysts and (future) bug bounty hunters how to use the extension to find security issues in web applications that provide any kind of file upload possibility. Participants get the unique chance to use the extension before its official release at AREA41 in June 2018. The extension already allowed identifying several security issues during pentests and also identified an issue in a website that offers bug bounties.

The workshop covers basic aspects of file uploads such as multipart HTTP requests and other file upload requests. It also explains how security issues can be detected and which requests to the web application are necessary. After this introduction, participants will install the UploadScanner on their machines. The different features of the UploadScanner are then explained and combined with hands-on exercises. If there is time, participants can pick their own bug bounty target, scan it and who knows, maybe write a report for a bug bounty program...

About the author:
The workshop is held by Tobias "floyd" Ospelt, security analyst at modzero AG and author of the UploadScanner extension. He is a penetration tester working for modzero AG and a researcher in various fields of the IT security world. In the past years he collected a bug bounty from Twitter by finding a TLS race condition in their iOS application, developed a technique to crack Java JKS private keys, used a lot of electricity for his fuzzing farm and wrote several Burp extensions. When he's not developing memory corruption exploits on ARM, running evil wireless access points or developing tools for the AFL fuzzer, he tries to break Android-related security mechanisms.

Prerequisites for participants
- Basic understanding of the HTTP protocol
- Simple usage of Burp Proxy software and how to install a Burp Python extension
- Basic knowledge of most web application security issues
- A laptop (Windows or OSX or VM) with administrative privileges
- Installed Burp Pro. As the extension works only with the Burp Pro version, a trial license has to be requested for the workshop. Please get in touch if that's not possible for you.

