HackTheBox - Forgot

00:00 - Introduction
01:03 - Start of nmap
02:00 - Talking about Varnish, then looking at the website
03:40 - Poking at the Forgot Password functionality and showing we can enumerate valid users
06:25 - Discovering a username in the HTML Source
07:10 - Start talking about Host Header Injection, showing the page uses the Host header when building redirects
09:28 - Using Host Header Injection in the password reset in order to send the user a link that goes to our box
11:00 - Explaining the Host Header Injection password reset in depth
13:00 - Live demo showing that Host Header Injection on a password reset may not require user interaction; mail filters love clicking links.
14:10 - Sending an email to myself, then checking Burp Suite Collaborator and seeing that some bots clicked our link and sent us the token that was in the email!
16:43 - Showing what Robert can do in the web application and discovering some odd behavior on the /tickets/ page: anything after the slash returns tickets rather than a 404!
21:10 - Identifying when Varnish decides to cache things by looking at the Age header, discovering that whenever /static/ is in the URL the response gets cached, and that the cached page is served without any authorization check
24:30 - Getting the administrator to click a link to /admin_tickets/static/Junk, which caches the /admin_tickets/ response and lets anyone view the admin_tickets page!
26:55 - Going in-depth on the Web Cache Deception attack and how Varnish works
27:50 - Showing the Varnish configuration
29:00 - Editing the Varnish configuration to add the User-Agent to the cache hash, showing the cache can have a unique hash per user, then updating it to use the Cookie header instead
33:00 - Explaining the odd way the Flask app does routing, which lets the user put /static/ in the URL without the request going to the static directory
34:45 - Checking what Diego can run via sudo and discovering he can execute ml_security, which appears to be a machine-learning PoC for detecting XSS
40:10 - Getting the version of TensorFlow and looking for vulnerabilities in the library itself
41:30 - Exploiting TensorFlow 2.6.3 saved_model_cli (CVE-2021-41228 and CVE-2022-29216)
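The Host Header Injection in the password reset (07:10 through 14:10) comes down to one line of server code: the reset link is built from the Host header the client sent. Below is an added example (not the box's application code and not IppSec's) of that vulnerable construction next to a hardened version that only accepts a configured allowlist of hostnames. The hostnames, the token, and the request dictionary are all constructed for illustration.

```python
"""
Added example: password-reset link built from the request's Host header
(vulnerable) versus one built only from an allowlisted host (hardened).
Framework-agnostic: the request is modelled as a plain dict of headers.
"""
import secrets
from urllib.parse import urlencode

# Hypothetical canonical hostnames for the application (assumption).
ALLOWED_HOSTS = {"forgot.htb", "www.forgot.htb"}


def new_reset_token() -> str:
    """Unguessable token for the reset link (the token itself is not the bug)."""
    return secrets.token_urlsafe(32)


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Mirrors the bug in the video: the app trusts whatever Host the client
    sent (Flask's request.host, Django's get_host() without ALLOWED_HOSTS).
    An attacker who submits the victim's username with
    'Host: attacker.example' gets the victim's token mailed to a link that
    points at the attacker's server."""
    host = headers.get("Host", "localhost")
    return f"http://{host}/reset?{urlencode({'token': token})}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Only builds the link for a host the operator configured.
    Anything else (including an X-Forwarded-Host the app was never told to
    trust) is rejected rather than echoed back into an email."""
    host = headers.get("Host", "")
    bare = host.split(":", 1)[0].lower()  # drop :port before comparing
    if bare not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{bare}/reset?{urlencode({'token': token})}"


def attacker_receives_token(headers: dict) -> bool:
    """True when the vulnerable builder would hand the token to the
    attacker's host (whatever was injected via the Host header)."""
    link = build_reset_link_vulnerable(headers, new_reset_token())
    return link.startswith("http://attacker.example/")


if __name__ == "__main__":
    evil = {"Host": "attacker.example"}
    print(build_reset_link_vulnerable(evil, "TOKEN"))
    try:
        build_reset_link_hardened(evil, "TOKEN")
    except ValueError as exc:
        print("hardened version refused:", exc)
```

The allowlist is the mitigation that matters; in Flask, setting SERVER_NAME and generating links with url_for(..., _external=True) achieves the same thing, and ProxyFix should only be enabled when a trusted reverse proxy actually sets the forwarded headers. The demo at 13:00 also shows why "the victim has to click" is not a safe assumption: link-scanning mail filters will follow the injected URL for them.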
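The Web Cache Deception section (21:10 through 33:00) hinges on two things the video establishes empirically: Varnish caches any URL containing /static/, and its cache key is built from host and URL only, so the admin's authenticated /admin_tickets/static/Junk response is handed to whoever asks for that URL next. The following is an added model of that behaviour (not the box's real VCL or Flask code, and not IppSec's); the backend stub, hostnames, cookie values and bodies are constructed. It also goes slightly beyond the video by including a third mode, passing any request that carries a Cookie straight to the backend, which is what Varnish's builtin vcl_recv does by default.

```python
"""
Added example: a toy Varnish-like cache showing the cache deception from the
video and two ways of keying/bypassing the cache that stop it.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def backend(req: dict) -> Response:
    """Stand-in for the Flask app (assumption, modelled on the routing quirk
    described at 33:00): anything under /admin_tickets is served as the admin
    page when the admin session cookie is present, no matter what trails the
    path, so /admin_tickets/static/junk is NOT a 404."""
    cookie = req["headers"].get("Cookie", "")
    if req["url"].startswith("/admin_tickets"):
        if cookie == "session=admin":
            return Response(200, "ADMIN TICKETS: secret ticket #1")
        return Response(302, "", {"Location": "/login"})
    return Response(200, "public page")


class VarnishLikeCache:
    """mode = 'url'        : hash on (Host, URL)            -> vulnerable
       mode = 'url+cookie' : hash on (Host, URL, Cookie)    -> the video's fix
       mode = 'pass-cookie': never cache requests with Cookie (builtin VCL)"""

    def __init__(self, mode: str = "url"):
        self.mode = mode
        self.store: dict[tuple, Response] = {}
        self.hits = 0

    def key(self, req: dict) -> tuple:
        parts = [req["headers"].get("Host", ""), req["url"]]
        if self.mode == "url+cookie":
            parts.append(req["headers"].get("Cookie", ""))
        return tuple(parts)

    def cacheable(self, req: dict) -> bool:
        # The rule inferred from the Age header: "/static/" anywhere in the URL.
        if "/static/" not in req["url"]:
            return False
        if self.mode == "pass-cookie" and "Cookie" in req["headers"]:
            return False  # authenticated request: always go to the backend
        return True

    def fetch(self, req: dict) -> Response:
        k = self.key(req)
        if self.cacheable(req) and k in self.store:
            self.hits += 1
            return self.store[k]
        resp = backend(req)
        if self.cacheable(req) and resp.status == 200:
            self.store[k] = resp
        return resp


def deception(mode: str) -> str:
    """Replays the attack: admin follows the bait link, then an anonymous
    client requests the same URL. Returns the body the anonymous client gets."""
    cache = VarnishLikeCache(mode)
    bait = {"url": "/admin_tickets/static/junk", "headers": {"Host": "forgot.htb"}}
    admin = {"url": bait["url"], "headers": {**bait["headers"], "Cookie": "session=admin"}}
    cache.fetch(admin)          # 1. victim clicks the link (24:30)
    return cache.fetch(bait).body  # 2. attacker fetches it with no cookie


if __name__ == "__main__":
    for mode in ("url", "url+cookie", "pass-cookie"):
        print(f"{mode:12s} -> anonymous client sees: {deception(mode)!r}")
```

Hashing the Cookie (the video's second VCL edit) keeps each session's entries apart but still fills the cache with per-user copies of private pages; refusing to cache cookie-bearing requests at all, or having the app return a real 404 for /admin_tickets/static/anything, removes the problem rather than partitioning it.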
