Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Anton Lopanitsyn - Initial reconnaissance of we...

DC7499
November 10, 2018
Research
0
270

Anton Lopanitsyn - Initial reconnaissance of web applications.

Often, everything that is right in front of your eyes is being checked more meticulously than parts inaccessible to the average user. We are looking for hidden functionality of web applications for the subsequent search for vulnerabilities.

DC7499

November 10, 2018
Tweet

More Decks by DC7499

See All by DC7499
Sergey Sobko - Hackashop: Hackathon + Pentest + Workshop [RU]
defcon
0
480
Dmitry Sklyarov - Intel ME: Security keys Genealogy, Obfuscation and other Magic
defcon
0
240
Dmitry Volkov - Private messengers: without pain??
defcon
1
220
Andrey Skuratov and Sergey Migalin - DNS tunneling in 2018. What is that, and what to do with it?
defcon
1
190
Sergey Belov - Another side of Bug Bounty programs
defcon
0
280
Dmitry Sklyarov - Intel ME: Flash file system explained
defcon
0
450
Maxim Goryachiy & Mark Ermolov - Inside Intel Management Engine
defcon
0
510
Sergey Golovanov - Indecent Response 2018
defcon
0
430
Kupreev Oleg & Putin Vladimir - Your very own driver for the custom NVMe device from the scratch: reading of the flash memory of iPhone 7
defcon
1
530

Other Decks in Research

See All in Research
Weekly AI Agents News! 9月号 論文のアーカイブ
masatoto
1
120
LiDARとカメラのセンサーフュージョンによる点群からのノイズ除去
kentaitakura
0
130
研究の進め方 ランダムネスとの付き合い方について
joisino
PRO
55
19k
第 2 部 11 章「大規模言語モデルの研究開発から実運用に向けて」に向けて / MLOps Book Chapter 11
upura
0
380
marukotenant01/tenant-20240826
marketing2024
0
510
SNLP2024:Planning Like Human: A Dual-process Framework for Dialogue Planning
yukizenimoto
1
330
大規模言語モデルのバイアス
yukinobaba
PRO
4
700
日本語医療LLM評価ベンチマークの構築と性能分析
fta98
3
640
Introducing Research Units of Matsuo-Iwasawa Laboratory
matsuolab
0
920
Weekly AI Agents News! 10月号 論文のアーカイブ
masatoto
1
250
Large Vision Language Model (LVLM) に関する最新知見まとめ (Part 1)
onely7
18
3.1k
FOSS4G 山陰 Meetup 2024@砂丘 はじめの挨拶
wata909
1
110

Featured

See All Featured
Fireside Chat
paigeccino
34
3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Designing for Performance
lara
604
68k
The Invisible Side of Design
smashingmag
298
50k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
8.2k
Adopting Sorbet at Scale
ufuk
73
9.1k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Faster Mobile Websites
deanohume
305
30k

Transcript

  1. Предварительная разведка веб-приложений Bo0oM

  2. subdomain enumeration • theharvester • recon-ng • aquatone • Sn1per

    • Massdns • Aquatone • Amass

  3. directory enumeration • Dirbuster • Dirsearch • Wfuzz • Hehdirb

  4. None
  5. None

  6. diff Length - 5 Length - 5

  7. Расстояние Левенштейна

  8. SLIDE NAME

  9. Дерево DOM Document Object Model

  10. Обогащение словаря

  11. Обогащение словаря

  12. Обогащение словаря

  13. Обогащение словаря PARSE_JS = False: python3 ParamPP.py -u "https://vk.com/login" ['m',

    'b', 'u', 'al’] PARSE_JS = True: python3 ParamPP.py -u "https://vk.com/login" ['b', 'm', 'al', 'async', 'u', 'ad_video']

  14. Ограничение веб-серверов

  15. Param-Pam-Pam https://github.com/Bo0oM/ParamPamPam #TODO • Json data • Keep-alive • Ченить-там-еще

  16. Param-miner

  17. Q? @i_bo0om @webpwn