Authors: Michael Bargury
2023-02-15

Why focus on heavily guarded crown jewels when you can dominate an organization through its shadow IT? Low-Code applications have become a reality in the enterprise, with surveys showing that most enterprise apps are now built outside of IT, with lacking security practices. Unsurprisingly, attackers have figured out ways to leverage these platforms for their gain. In this talk, we demonstrate a host of attack techniques found in the wild, where enterprise No-Code platforms are leveraged and abused for every step in the cyber killchain. You will learn how attackers perform an account takeover by making the user simply click a link, move laterally and escalate privileges with zero network traffic, leave behind an untraceable backdoor, and automate data exfiltration, to name a few capabilities. All capabilities will be demonstrated with POCs, and their source code will be shared. Next, we will drop two isolation-breaking vulnerabilities that allow for privilege escalation and cross-tenant access. We will explain how these vulnerabilities were discovered and assess their pre-discovery impact. Finally, we will introduce an open-source recon tool that identifies opportunities for lateral movement and privilege escalation through low-code platforms.
Conference:  ContainerCon 2022
Authors: Shubham Jain, Neha Gupta
2022-06-23

tldr - powered by Generative AI

Kepler is an open-source tool for automating contract testing and generating test cases. It offers both SDK and agent implementations to capture requests and responses, and can be integrated with testing libraries and frameworks.
  • Kepler is an open-source tool for automating contract testing and generating test cases
  • It offers both SDK and agent implementations to capture requests and responses
  • Kepler can be integrated with testing libraries and frameworks
  • Kepler is working on adding features such as data protection and test suites