Frans Rosén - Breaking and abusing specifications and policies - SecurityFest 2018 скачать в хорошем качестве

Frans Rosén - Breaking and abusing specifications and policies - SecurityFest 2018

Breaking and abusing specifications and policies – Let’s Encrypt, cloud storage vulns and verification bypasses Last year at Secfest, Frans Rosén talked about DNS hijacking using cloud services. This time, he approaches technologies where verification methods actually exists and how to break them. Let’s Encrypt closed down one of their three blessed verification methods due to a bug Frans found in January. Cloud storage containers already patched from being publicly exposed are still often vulnerable to full modification, extraction and deletion by abusing weak policies and application logic. Frans goes through some weak design patterns, policy structures and explains how to bypass them which have netted him over $45,000 in bug bounties.