BSides CT 2020 - Jon Williams - What You Can't See CAN Hurt You: SonarQube Privilege Escalation
(full title: What You Can't See CAN Hurt You: SonarQube Privilege Escalation via Hidden API Calls)

SonarQube is a source code static analyzer that is commonly used by developers and frequently left exposed. After gaining access to the application through a vulnerability or default credentials, you may not see any options for pivoting into the host environment. A thorough review of the API, however, reveals hidden commands that can be abused for arbitrary code execution and backdoor access. Learn how to exploit this attack chain and add another trick to your arsenal!

Jon Williams got hooked on the Apple IIe at age 2 and has been messing around with computers ever since. After years of building websites and administering Linux systems, he discovered information security and, upon realizing companies would pay good money to get hacked, decided to become a penetration tester. He currently works for Bishop Fox, where he specializes in external network pen tests and exploit automation. When Jon isn’t stuck in front of a keyboard, you’ll most likely find him on a river or up a mountain somewhere around CT.