Blackhat Amsterdam 2012 : ToolsTube with Sumit Siddarth on Hacking XPath 2.0

Tools + Interview + ToolsTube NJ Ouchn todayMarch 19, 2012

Background
share close

The presentation will discuss the vulnerability XPATH Injection in depth and we will cover advanced exploitation techniques. We will talk about xpath 2.0 and how an attacker can not just obtain the XML document but also obtain files outside the current document. We will discuss how to exploit vulnerabilities blindly and the case when the application does not reveal anything (ie. compare this to a time based sql injection). Exfiltrating data over out of bound channel such as HTTP, DNS will also be discussed followed by some real life examples of the vulnerability found in the wild. Finally we will release an open-source tool to automate exploiting this vulnerability with all advanced exploitation features built in.

Sumit Siddharth (sid) works as a Head of Penetration Testing for 7safe in the UK. He specializes in Web application and database security and has over 7 years of experience with IT security. Sid has been a speaker at many international conferences such as Black Hat, Defcon, Owasp, Troopers, Sec-T etc. He has been an author of several white-papers, tools and security advisories. Sid holds the prestigious CREST certification and also runs the popular IT security blog http://www.notsosecure.com. He is also a contributing author to the book SQL Injection:Attacks and Defense (2nd Edition)

 

 

Written by: NJ Ouchn

Tagged as: , , , , .

Rate it
About the author
Avatar

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"


Previous post

Similar posts

Post comments (0)

Leave a reply

Your email address will not be published. Required fields are marked *


LOGO

  • help@firwl.com
  • info@firwl.com


Products


Company


Contacts

Support


LOGO

  • help@firwl.com
  • info@firwl.com


Products


Company


Contacts

Support