Dinis Cruz Blog

A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, Application/Data interoperability and a lot more

Pages

Home
AppSec Presentations
OWASP O2 Platform
Real-Time Vulnerability Feedback in VisualStudio
About

Wednesday, 7 August 2013

Slides for DefCon presentation on "RESTing On Your Laurels will Get YOu Pwned"

Here are the slides for the DefCon talk Me, Abe and Alvaro presented at DefCon 21

All demo files are at the https://github.com/o2platform/DefCon_RESTing repository.

See these blog posts for details on the demos:

Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)
Neo4J CSRF payload to start processes (calc and nc) on the server

Posted by Unknown at 00:25

Email This BlogThis!Share to X Share to Facebook Share to Pinterest

Labels: DefCon, Java, REST, Security, XmlDecoder

Newer Post Older Post Home

Search

Labels

AngularJS (32) AppSensor (1) ASP.NET MVC (5) Atom (1) Azure (13) BBC (1) BDD (2) Book (22) BSIMM (3) Cassini (1) CatNet (17) Checkmarx (18) Chrome (11) Code Cafe (1) Code Club (5) Code Coverage (1) CodingLab (4) Coffee-Script (1) Company Tips (1) Contract Work (10) CSharp (1) DefCon (9) Design (16) Development (8) Diagram (1) Down memory lane (1) Eclipse (37) Education (6) ESAPI (4) ESTAPI (5) Exploits (1) Firebase (7) FluentNode (4) FluentSharp (22) Football (1) Fortify (8) Frameworks (3) Funny (2) Future Self (3) Fuzzing (6) FxCop (1) Gamification (3) GenerationZ (6) Git (38) GitHub (40) Google (13) Graphs (1) Groovy (8) Half-baked Idea (16) HTML 5 (1) IBM (30) Ideas (1) IKVM (1) Jade (1) Java (27) Javascript (3) JIRA (5) JIRA Book (5) Jni4Net (15) Job Oportunity (4) JRebel (4) JsTestDriver (2) JustCode (5) Karma Point (1) Karma Points (1) KarmaJS (7) Kernel (1) Lambda (1) LeanPub (19) Learn-to-Code (4) Linux (3) Live Writer (6) London (3) Markdown (3) Mass Assignment (2) Maths (1) MediaWiki (1) Minecraft (3) Misc (1) Mobile Security (1) MVC (4) NCrunch (8) NDepend (3) NGit (5) NodeJS (12) NuGet (5) NUnit (11) O2 (1) O2 Platform (226) O2 Platform Tool (25) O2 Script (2) O2Platform (14) Open Source (1) OS-Summit (1) OSx (6) OunceLabs (13) OWASP (99) OWASP MIA (14) Owasp Summit (23) Patterns (1) PCI (1) PDFs (17) Philosophy (78) PhotoBox Group (3) Portugal (1) PostSharp (1) Presentation (20) Privacy (2) Quality (9) Question (5) Rant (32) Raspberry PI (2) RazorSharp (4) REPL (55) REST (7) RfP (2) RISK (1) Roslyn (14) Sandboxing (2) SAST (31) SecDevOps (62) Security (71) Security as BRAKES (1) Security as TAX (24) Security Champions (7) Security Innovation (4) Selenium (10) Services (5) Simple Microsoft (5) Simplicity (1) Software Quality (24) Sport (1) Spring Framework (17) TeamCity (9) TeamMentor (238) TeamMentor Content (1) TeamMentor Security (14) Testing (13) Threat Modeling (4) To add to O2 (6) To Read (9) Tools (41) Training (1) Trillions (6) Unit Tests (17) UnitTests (2) Video (23) Visualization (10) VisualStudio (30) WAF (2) Wardley_Maps (2) WatiN (13) WebGoat .NET (2) WebStorm (4) WinAPI (25) Windows 8 (5) Wish lists (1) WPF (3) xkcd (1) XmlDecoder (5) XStream (4)

Subscribe using RSS

Posts

Posts

Comments

Comments

Blog Archive

► 2018 (11)
- ► December (3)
- ► October (3)
- ► June (2)
- ► March (2)
- ► February (1)

► 2017 (29)
- ► December (1)
- ► October (1)
- ► June (3)
- ► May (17)
- ► April (7)

► 2016 (141)
- ► December (19)
- ► November (20)
- ► October (46)
- ► September (13)
- ► June (9)
- ► May (7)
- ► April (4)
- ► March (6)
- ► February (14)
- ► January (3)

► 2015 (33)
- ► December (4)
- ► November (2)
- ► October (3)
- ► July (2)
- ► June (3)
- ► May (9)
- ► April (2)
- ► February (1)
- ► January (7)

► 2014 (92)
- ► December (3)
- ► November (5)
- ► September (2)
- ► August (9)
- ► July (7)
- ► June (2)
- ► May (7)
- ► April (6)
- ► March (18)
- ► February (16)
- ► January (17)

▼ 2013 (368)
- ► December (26)
- ► November (12)
- ► October (4)
- ► September (24)
- ▼ August (21)
- ► July (11)
- ► June (45)
- ► May (47)
- ► April (39)
- ► March (53)
- ► February (20)
- ► January (66)

► 2012 (426)
- ► December (56)
- ► November (74)
- ► October (105)
- ► September (14)
- ► August (8)
- ► July (4)
- ► June (31)
- ► May (53)
- ► April (76)
- ► March (4)
- ► January (1)

► 2011 (71)
- ► December (1)
- ► November (13)
- ► October (11)
- ► August (4)
- ► July (21)
- ► June (5)
- ► May (4)
- ► April (1)
- ► March (4)
- ► February (6)
- ► January (1)

► 2010 (65)
- ► November (8)
- ► October (15)
- ► September (3)
- ► August (2)
- ► July (6)
- ► June (10)
- ► May (4)
- ► January (17)

► 2009 (46)
- ► December (7)
- ► November (11)
- ► September (16)
- ► August (6)
- ► July (1)
- ► June (2)
- ► May (1)
- ► January (2)

► 2008 (7)
- ► December (2)
- ► November (1)
- ► September (4)

Popular Posts

Using AngularJS in Eclipse, Part 1) The Basics

This is the first of four posts on how to run (inside Eclipse) the examples provided in AngularJS 's home page: Using AngularJS in Ec...
New design for o2platform blog and links to post categories

UPDATE: See also New design for this blog I just spent some time at the O2 Blog where I selected a new theme and categorized all 80 p...
Installing Gradle on OSX

Gradle is a build automation solution which can be downloaded from http://www.gradle.org/downloads and is an really powerful 'Groovy ...
Setting up a Minecraft server in Azure (for use at weekly CodeClub session)

For almost one year, I've been doing a weekly CodeClub session at one of my kids schools, and sometimes at a local restaurant (see here...
Using AngularJS in Eclipse, Part 2) Add Some Control

This is the second of four posts on how to run (inside Eclipse) the examples provided in AngularJS 's home page: Using AngularJS in E...
C# example of using Firebase REST API

Once I got my head around how Firebase worked (see here multiple Firebase related posts ), my next step was to figure out a way to send dat...
XStream "Remote Code Execution" exploit on code from "Standard way to serialize and deserialize Objects with XStream" article

At the DefCon 2013 I co-presented (with Abraham and Alvaro ) the "RESTing On Your Laurels will Get YOu Pwned" , which showed a n...
Bypassing asp.net request validation detection, but it is a vulnerability?

Defence in Depth is a good strategy, specially since part of its core principles is the idea that some of the security measures applied wil...
Alternatives to IE WebBrowser Control in .NET

UPDATE (Jun/13) : see When the best way to automate Chrome is to use ... Chrome (with examples on Google search, direct AngularJS scope ma...
Using XMLDecoder to execute server-side Java Code on an Restlet application (i.e. Remote Command Execution)

At the DefCon REST Presentation we did last week (see slides here ), after the Neo4J CSRF payload to start processes (calc and nc) on the...

Copyright Creative Commons. Picture Window theme. Theme images by mammuth. Powered by Blogger.