Published on Nov 26, 2015
Talk Description: SSRF vulnerabilities (aka CWE-918) allow attackers to submit an arbitrary URL to a vulnerable application and have the application (or one of its components) browse that URL. The talk describes my latest findings regarding this narrow field of AppSec. Of course, being under NDA during my penetration tests, I'll only be covering bugs reported to bounty programs. That includes Yahoo, Facebook, Prezi, PayPal, Stripe, CoinBase, and more!
Highlights: I was able to compromise some large service providers and earned around $50,000 for that. Several blacklists were bypassed using little-known quirks in URL parsing.
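The highlight about blacklists being bypassed through URL-parsing quirks is the defensive lesson of the talk: a substring match on the raw URL string does not decide where the HTTP client will actually connect. The following Python example is added here and is not code from the talk or from any of the programs it names. It places a naive string blacklist beside a check that parses the URL, refuses unexpected schemes and userinfo, and classifies the destination by the address it parses or resolves to. The sample URLs, the `CONSTRUCTED_DNS` table and the `constructed_resolver` are made up for the demonstration; the table mimics how inet_aton-style resolvers interpret shorthand numeric hosts, so the example runs offline.

```python
"""
Added example (not from the talk): a raw-string SSRF blacklist beside a check on the
parsed and resolved destination address. Sample URLs and DNS entries are constructed.
"""
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

# Weak approach: deny if a forbidden substring appears anywhere in the raw URL.
BLOCKED_SUBSTRINGS = ("127.0.0.1", "localhost", "169.254.169.254", "10.0.0.")


def naive_blacklist_allows(url: str) -> bool:
    """True when none of the blocked substrings appear in the URL text."""
    lowered = url.lower()
    return not any(bad in lowered for bad in BLOCKED_SUBSTRINGS)


ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Default resolver: every address the OS returns for the host (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def hardened_allows(url: str,
                    resolve: Callable[[str], List[str]] = system_resolver) -> bool:
    """Allow only http(s) URLs whose destination address is globally routable."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "user@host" forms are a classic way to confuse a host check; refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname
    if not host:
        return False
    try:
        # Canonical dotted-quad or IPv6 literal: judge it directly.
        candidates = [ipaddress.ip_address(host)]
    except ValueError:
        # Anything else (a name, or shorthand such as "127.1" or a decimal form)
        # is interpreted by the resolver, so judge what it resolves to.
        try:
            candidates = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError):
            return False
        if not candidates:
            return False
    for ip in candidates:
        # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for loopback, private, link-local, reserved and unspecified.
        if not ip.is_global:
            return False
    return True


# Constructed DNS table for offline use; the last two rows mimic how inet_aton-style
# resolvers interpret shorthand numeric hosts.
CONSTRUCTED_DNS = {
    "api.example": ["8.8.8.8"],          # constructed stand-in for a public service
    "intranet.example": ["10.0.0.5"],    # constructed name resolving into private space
    "127.1": ["127.0.0.1"],
    "2130706433": ["127.0.0.1"],
}


def constructed_resolver(host: str) -> List[str]:
    """Resolver backed by CONSTRUCTED_DNS; unknown names fail like a real lookup."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    samples = ("http://api.example/data", "http://intranet.example/", "http://127.1/",
               "http://2130706433/", "http://[::1]/", "http://[::ffff:10.0.0.5]/")
    for sample in samples:
        print(f"{sample:32} naive={naive_blacklist_allows(sample)!s:5} "
              f"hardened={hardened_allows(sample, constructed_resolver)}")
```

The point to take from the run is that every shorthand form the naive check waves through is rejected once the decision is made on the parsed host and its resolved address rather than on the URL text; in production the resolved addresses should also be the ones the HTTP client actually connects to, otherwise a second lookup can return something different.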