Breaking Parser Logic - Take Your Path Normalization Off and Pop 0days Out

Black Hat via YouTube

Overview

This course aims to teach learners a new exploit technique to target path normalization vulnerabilities. The goal is to introduce a novel attack surface that leverages the complexity of path normalization implementation, which has been overlooked by developers, making the proposed attack vector potent and versatile. The course covers various topics such as identifying vulnerabilities in popular frameworks like Nginx, Spring, and Rails, understanding the risks associated with URL path parameters, reverse proxies, and misconfigurations leading to remote code execution. The teaching method involves presenting real-world case studies, demonstrating the impact of path normalization bugs, and providing mitigation strategies. This course is designed for cybersecurity professionals, penetration testers, web developers, and anyone interested in understanding and exploiting path normalization vulnerabilities.

Syllabus

Intro
Orange Tsai
Agenda
Polyglot URL path
Why path normalization
Can you spot the vulnerability?
Nginx off-by-slash fail
How to find this problem?
Spring 0day - CVE-2018-1271
Bonus on Spark framework
Rails 0day - CVE-2018-3760
For the RCE lover
URL path parameter
When reverse proxy meets...
How danger it could be?
Am I affected by this vuln?
Uber bounty case
Bynder RCE case study
Inconsistency to ACL bypass
Misconfiguration to auth bypass
Log injection to RCE
Amazon RCE case study
Path normalization bug leads to ACL bypass
Seam Feature
Code reuse bug leads to Expression Language injection
EL blacklist bypassed leads to Remote Code Execution
Chain all together
Mitigation
Summary
Reference

Taught by

Black Hat
