API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web

Channel:
United States All Hacking Cons
Subscribers:
6,380
Published on ● Video Link: https://www.youtube.com/watch?v=UIYGp7vurDE


Duration: 33:04
11 views
0

Joshua Maddux | Software Engineer / Security Researcher, PKC Security
Location: Islander FG
Date: Thursday, August 8 | 11:00am-11:50am
Format: 50-Minute Briefings
Tracks: Web AppSec, Applied Security

The 2016 WWDC saw the dawn of Apple Pay Web, an API that lets websites embed an Apple Pay button within their web-facing stores. Supporting it required a complex request flow, complete with client certificates and a custom session server. This proved detrimental, since Apple failed to caution against important side effects of taking in untrusted URLs. As a result, many new SSRF vulnerabilities entered the world. Worse yet, while they were exploitable and discoverable in similar ways, they were spread across distinct codebases in several programming languages, so could not be patched in any generic way.

Apple is not alone - in the process of gluing the web together, Twilio, Salesforce, and others have all created similarly broad attack surfaces. When companies fail to take an honest, empathetic look at how clients will use a product, they shove along hidden security burdens. Those who integrate with an API have less context than those who create it, so are in a worse position to recognize these risks.

Engineers have been talking about defensive programming for decades, but top companies still have trouble practicing it. In this talk, we explore these mistakes with demos of affected software, and propose actionable ways of rethinking API security.

Black Hat - USA - 2019 Hacking conference
#hacking, #hackers, #infosec, #opsec, #IT, #security



Other Videos By All Hacking Cons


2022-01-07Biometric Authentication Under Threat Liveness Detection Hacking
2022-01-07Hunting for Bugs, Catching Dragons
2022-01-07Exploiting Qualcomm WLAN and Modem Over The Air
2022-01-07I'm Unique, Just Like You: Human Side-Channels and Their Implications for Security and Privacy
2022-01-07All the 4G Modules Could be Hacked!
2022-01-07Exploiting the Hyper V IDE Emulator to Escape the Virtual Machine
2022-01-07Infighting Among Russian Security Services in the Cyber Sphere
2022-01-07All Your Apple are Belong to Us: Unique Identification and Cross-Device Tracking of Apple Devices
2022-01-07Exploring the New World : Remote Exploitation of SQLite and Curl
2022-01-07Firmware Cartography: Charting the Course for Modern Server Compromise
2022-01-07API-Induced SSRF: How Apple Pay Scattered Vulnerabilities Across the Web
2022-01-07Fantastic Red-Team Attacks and How to Find Them
2022-01-07Arm IDA and Cross Check Reversing the Boeing 787's Core Network
2022-01-07Finding a Needle in an Encrypted Haystack: Detect the Most Prevalent Attacks on Active Directory
2022-01-07Flying a False Flag: Advanced C2, Trust Conflicts, and Domain Takeover
2022-01-07Attacking and Defending the Microsoft Cloud (Office 365 & Azure AD)
2022-01-07GDPArrrrr: Using Privacy Laws to Steal Identities
2022-01-07Finding Our Path: How We're Trying to Improve Active Directory Security
2022-01-07Ghidra - Journey from Classified NSA Tool to Open Source
2022-01-07Bounty Operations: Best Practices and Common Pitfalls to Avoid in the First 6-12 Months
2022-01-07Attacking Electric Motors for Fun and Profit


Tags:
data
hacker
security
computer
cyber
internet
technology
hacking
attack
digital
virus
information
hack
online
crime
password
code
web
concept
thief
protection
network
scam
fraud
malware
secure
software
access
system
firewall
privacy
binary
account
spy
programmer
program
spyware
hacked
hacking conference
conference
how to
2022
2021
cybersecurity
owned
break in
google
securing
exploit
exploitation
recon
social engineering
Joshua Maddux
apple pay
SSRF
vulnerabilities
codebases
salesforce