Leveraging web application vulnerabilities to build an open source intelligence arsenal
Submitted by Karan Saini (@karansaini) on Saturday, 4 May 2019
This talk aims to introduce the audience to how web application vulnerabilities can be used for the purpose of building a self-sufficient open source intelligence arsenal.
The talk will primarily focus on the prevalence of the following types of flaws:
- overly permissive application programming interfaces
- business logic errors
- insecure direct object reference attacks
- use of insecure identifiers
Through providing real life examples of discovered issues, the talk will provide a starting point for where and how resourceful OSINT can be found and collected. Further, the talk will also touch upon how developers can avoid baking these issues into their services and products and how end users can avoid becoming a part of these databases. The talk will also cover targeting ‘hyper local’ service providers for the purpose of building categorised repositories.
- What is OSINT?
- Why build your own arsenal?
- How can web application vulnerabilities help?
- Minor case study on the uses of OSINT
Scoping: - Targeting location-specific service providers - Usual suspects: What to look out for Numeric Identifiers, API(s), IDOR(s), Weak Auth; - Slides with examples
Execution: “The good stuff” - Scraping the information, OR; - Creating tools to query information at will.
Prevention: - As developers: What to avoid?; - As users: What to avoid? (protective techniques).
Karan Saini is a Policy Officer at the Centre for Internet and Society.