Room For Escape: Scribbling Outside The Lines

Formal Metadata

Title
Room For Escape: Scribbling Outside The Lines
Subtitle
Q&A
Number of Parts
374
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
Question and Answer session for Alvaro Muñoz and Oleksandr Mirosh - Room For Escape Scribbling Outside The Lines of Template Security
Transcript: English (auto-generated)
Streamer mode, enable streamer mode, do we want that disabled? I think you want it enabled, don't you? That was my assumption. All right, well, we should be going live now. We're live. Okay, let's push that recording button. All right, chat, if anybody is hanging out watching track one, feel free to start talking in the track one channel on Discord. You're also welcome to start giving us some questions over in the track one live Q&A channel. In the meantime, let's introduce our guests. For right now we have Olek and we have pwntester, or I'm sure you two will come up with better ways to explain how to pronounce your names, but thank you very much for joining us today. Give us the name of the talk that you did and we'll start asking you some silly questions about it.

Okay, yeah, so the talk was Room for Escape: Scribbling Outside the Lines of Template Security, a talk around content management systems and in particular the template engines used in these. If you have any questions about the talk or anything else, maybe we would help you, just feel free to ask anything.

How do you like your handle pronounced?

I pronounce it "pon tester", "pwn tester", I don't know if that's better.

Yeah, I think that we just entered into one of the mighty conversations, you know, the arguments in the hacker world if it's "pown" or "pon". So we're gonna go with "pwn" because that sounds a little bit better. So I'd like to go, let's give a little bit of an intro about yourself.

Yeah, we'll click over to you.

I am a security researcher for already more than 10 years, working for Micro Focus Fortify, and I'm happy to have the chance to work with pwntester for a couple of years already. It's our fourth joint research and I'm happy with these results and hope to get something similar in the next years.

Absolutely, before I retire.

Yeah, so that's a good segue actually. While we're waiting for people to come up with some good questions for you, tell us a little bit about some of the... this is definitely not your first talk here at DEF CON, so just briefly give us some background on where you came from and what the earlier talks were, so that people know how to reach back and find you in the archives, and then maybe touch on how this one feels different than the other talks that you've done.

Okay, so I think the first one that we did together was Friday the 13th: JSON Attacks. No, actually it was, sorry, it was JNDI injections, it was the first one.

Did we present that at DEF CON or just at Black Hat?

Just at Black Hat, you're right. So the first one that we presented together was the JNDI injection one. The full title was something like "JNDI injection... how was that? Dream Land to RCE" something, like a trip to RCE... I don't know, I don't remember the title anymore. That was around JNDI injection in the Java world, there are ecosystems which were then used for many of the deserialization gadgets, so that was a good one. And then before that one I presented at DEF CON one with Dinis Cruz and Abraham Kang that was called "Resting on Your Laurels Will Get You Pwned". Yeah, that was a nice one. So the first one that we did together was this one about JNDI injection attacks, then the first one that we presented at DEF CON, and we had to drink our shots as newbie speakers, was this one about JSON attacks, JSON deserialization attacks.

Gotcha.

And then last year we presented SSO Wars: The Token Menace, where we presented an attack on the SAML implementation in Microsoft stacks, that was a flaw in the .NET Framework, and now this year we repeat again as a team with this one.

Excellent, we really appreciate that you both came out to do that. So, you two did, as we're waiting for people to jump in with more questions, you did present me with one that I'm going to sneakily slide in here as if somebody else asked it: the vulnerabilities that you disclose all seem to require that the attacker have user-level access to the system. Is that true? Is that a hurdle for most people? Oh, see, now I'm talking over you, so your turn, you go.

Okay, I think it's mostly true, and it still depends on applications, on configuration or specific configuration, but to be able to perform such attacks attackers should be able to create or at least modify some template, and in most cases it's at least a user-level account. For SharePoint it's just a user-level account, it's the default configuration, and just a user-level account, any user can do this. For other applications it still depends, sometimes it's just user level, sometimes you need to be like a writer or some other, more powerful roles, sometimes even administrator. So one requirement for our attack: attackers should be able to manage these templates, or ASPX pages in the case of SharePoint.

Okay, so maybe not the... the minimum is just they have to be able to deal with the SharePoint side, they have to be able to control that, but it's not necessarily that.

So for SharePoint it's a bit simpler, any user can have access to their own private site and can manage it, it's your site, and you can use at least this site for performing attacks. For other applications, yes, it depends on configuration, depends on the permissions for specific projects, for specific subsites and other things.

Okay, so I was going to add that our assumption in this talk is that we were able, or the attacker was able, to control the templates, right? And then our research was around breaking outside of those sandboxes, so in a similar way that we may present something around breaking mitigations for buffer overflows, but our research was not how to find those buffer overflows in the first place. I'm saying that because, apart from being able to control the contents of the template, different vectors may include things like server-side template injection, or maybe for example if there is a cross-site scripting vulnerability in that page you can use that to fool a victim into submitting a malicious template on your behalf, or maybe there is a cross-site request forgery that you can use in order to manipulate or modify the template content. So we didn't really care about how you were able to get access to the content. It may be because you have access, like Alexander explained, and that is the normal case for example in things like SharePoint or a wiki, for example, where you can edit your own articles and things like that. But maybe in other systems, some of the ones that we reported like office for example, they were vulnerable to server-side template injection, and for example in some cases we were able to request trial accounts in content management systems that were deployed on the cloud, like in software-as-a-service architectures, and with those trial accounts we were able to own those servers and compromise the underlying service.

So in a big way you've given us another step in our chain, another tool to escalate how much damage we can do once we have a foothold.

Exactly.

Excellent. What level of access were you using to get that remote code execution? Were you just a regular user and able to escalate that far?

So in some cases, like Alexander explained, for SharePoint just having an account, like a regular user account, allows you to create your own site, and then you can control the template of the ASPX page, in this case for SharePoint, and then you can use that to get remote code execution on the underlying server. In other cases like XWiki, just a regular user as well. Other systems like for example Atlassian Confluence, you were required to be administrator in order to edit a template, so in those systems either you are an administrator, so it's kind of more like an insider attack, or maybe those systems are vulnerable, as I explained before: you find a cross-site scripting vulnerability and you can escalate from cross-site scripting to remote code execution by being able to fool the victim into submitting or modifying a template on your behalf.

Okay, so can you give us a little bit of background on how you came upon this type of research? What was your entry point into doing this attack?

It's not easy to answer. It's just usual when you have some target that allows you something and you think, wow, it's a lot of things for attackers, and it starts a game and you try to use one thing to bypass something. For example SharePoint, it allows you to upload ASPX pages, so the first thing: why can we not put only code there and execute code there? No, we cannot. Why can we not? And the game starts. And it's not only SharePoint, there are a lot of such servers or services that allow you to define some templates for dynamic content, and you actually can access getters, you can access some methods, you can access some objects. Like, can we abuse them? Well, let's try, well, let's see what we can do, what we can do further with all this stuff. And it started our research investigation, and then we have such results.

You had chained it down... I'm on mute. So you pushed it down that direction, that makes sense, and I'm assuming then we're kind of talking to a general mindset: when you're doing your normal day-to-day work you find something that's a little funny and you just can't let it go. I mean, this is that greater question about what does it take to be a hacker. It's always nice to hear people who are out there in the world doing these presentations, doing this research, talk to the rest of us who are getting our feet wet in the world of web application security, or whatever your niche is. You know, how do the rest of you folks who are getting all of the success doing these cool presentations and research, how do you approach these? How do you know when you have something cool?

So in my case, and continuing Alexander's response, I guess I started this research because Olek came to me and said, like, okay, I found these four different ways of breaking the server in safe mode, so he said like maybe if we also look at the Java side we get something interesting, that can be interesting like a full research, like something that is more self-contained somehow. And then he told me, like, can you take a look at some of the most popular engines in Java? And when I was there I was like, okay, let's see. Before I started looking at the implementation of those engines and doing code review and things like that, it was like, okay, I'm here, I get access, I assume that I get access to that template, what can I do now, what objects are available? So I started looking and inspecting the template context by debugging the applications and setting some breakpoints, and then I was surprised that I was able to access thousands of objects that were non-intentionally exposed, they were indirectly exposed by other objects, and with that big amount of attack surface it was like, this is going to be easy to find something that I can abuse to get remote execution. That was the case. And then as a second part of the research we started looking at the implementation of those libraries, and then we found some specific flaws in the implementation, the way they were checking block lists for example, or gaps in those block lists, or things like that, that I explained in the talk.

That was your entry: all of a sudden, like, I have something, and then you spent a significant amount of time checking, testing the boundaries of the thing that you had until you worked your way towards where we are now. That makes sense. So it's good to hear from you folks kind of where you're coming from on that. So a few different content management systems that you looked at, and I imagine at some point you just kind of run out of time to keep checking things. Do you think that there are still more out there that people could follow your techniques and do the same kind of thing to find vulnerabilities? Is that also going to be an area that you plan to continue to research, or are you guys kind of done with this one?

Definitely there should be a lot of products. We think that there are a lot of products; as you mentioned, there are just a couple of them under our focus. And actually, for example, if you're talking about SharePoint, it is not an automated approach, it's just manual, and just to find some projects, and we try to show this pattern in our presentation, and I believe there's still a lot of things to look for in SharePoint specifically. And about other content, even not content management systems, any other system, like it may be an email server: if you can define a template for dynamic content, for some after-creation emails, it can be a starting point for your research as well. So the purpose of our research, our presentation, is just to show our patterns, our approaches, and say hey guys, we use this and we got such results, like 30 new vulnerabilities, you can use the same. It's not only for the offensive side, it's for defensive as well: guys, if you're developing something that goes in this bucket you need to look at these areas, to check this, because you can see what can happen. So of course anybody is welcome to continue this research. About myself, I'm not sure, I need to have some rest, vacation, a couple of months after that maybe. But usually if you can see our talks, they're not linear, we are jumping from one to another topic, it's more interesting for me. But I do not know, maybe if I still find something interesting I will continue, but for the next year, to be honest, it will be more difficult because competition will be higher, and maybe it's better to leave this for others and try to find something in new areas.

Yeah, based on all the different presentations that you two described earlier, it seems like you two work together really well in finding these types of things. I know some people earlier were asking how should somebody go about starting out research and picking out targets. Do you have any suggestions for people on how they can just kind of start getting into the type of research field that you two seem to do really well?

So I don't think that one is easy to answer. So it's just like, at least for me, being up to date with the latest research from other people in the community and industry, or maybe reading articles that are not as directly related with what you do. So for example, I think that the JNDI injection, that was the first one that we did together, started out of reading an article about a malware analysis, and in that malware analysis the malware was using some JNDI lookups. We found that interesting, we started researching that, and that led to the JNDI injection attack. As part of that attack we found some gadgets that were using setters instead of, like, magic methods in Java deserialization and so on, and we found that as an entry point to the JSON deserialization attacks that we did the following year. So sometimes one thing takes you to the next one, and sometimes they are not even related, like jumping from JNDI to JSON deserialization or some other deserialization. So sometimes just reading a lot of stuff gives you ideas, sometimes you are just playing with something in your regular work and then you find something interesting and you just pull the thread and find something else. So it's just, I mean, things are not going to come to you, you have to be actively reading, looking for things, and then you will always find something that is interesting and you can pull the thread and find something more. If you just stay passive, like reading but not asking yourself why things are working in such or such other way, then I don't think that there is room for research.

And my suggestion: not to be focused on the results of the talk, my career, study. It's very difficult in the first year to be accepted at Black Hat or DEF CON or something like that and produce such results. I would suggest just to be focused on some area, what you like, and you are passionate about that, and follow new research, try to understand each new novel technique, and maybe try your own thing, maybe you have ideas, and be patient. I think, I do not know, for me it took a couple of years to get some... if your new stuff will start to give you results, then you can start to think about how to summarize this and present to others. And just to start a career from, let's talk at DEF CON, for me it's difficult to imagine. You need to have some background in this area and produce something new, and for this you need time, for somebody it's months, for somebody it's years, but still for me the main target is my passion in these areas, not just talking at DEF CON. DEF CON is results: if you have results you can present at DEF CON, if you do not have results, let's wait, let's try other directions. But you need to like this, without passion it's difficult.

I love that you two said really quite different things there. In one case you have, hey, I was reading an article and then I thought really deep about that article, but it would seem like it was something different from your previous research, and then the other answer would be, I just really like this stuff and I learned everything I could about it. So it's nice to hear the two different sides, if not the two different sides, about how to approach a new topic and how to find something cool in it, which is probably why they work together so well and have had so much great research through the years.

We have very different approaches for everything, so it's like even research is different, and one approach of ours is just completely different. For example, I never read documentation before I research. It took more time, but I have some rule: do not open documentation. Others are aware of stuff that is in documentation and can find something more quickly, that is significantly quicker.

So, what did we not get to see during this presentation? I know you've already talked about how your presentations tend to jump around a little bit, so maybe you had the opportunity to hit more content or whatever you wanted to present during your go, but due to time, or due to not having it fully formed in your head, what would you have liked to have put into this presentation, were there more time, more ability?

So there is a lot of content that is not in the actual talk, in the actual video, but it's available in the white paper that we released as part of the talk. It's simply that we were not able to fit all the content in those 40 minutes. Apart from that, that's something that just didn't fit into the time allocated for the video. I think that I would also like to have looked into other languages, we just focused on .NET and Java, and maybe for .NET I would also have looked into other content management systems that are different from SharePoint, maybe, I don't know, I'm not really very familiar with .NET ecosystems, but for example DotNetNuke is a potential target that we just didn't have time to look into.

Actually we have more findings, and usually when you start to search something you have more findings, but you need to collect them in some topic, in some scope. Of course a lot of things are out of scope, maybe for later research, maybe for some blog post, maybe not, maybe it's not interesting. Like that, it depends. If you have like a two-hour talk maybe we will include some new stuff for SharePoint, there was some interesting stuff because there was some playing with roles and other things. But I think our current white paper meets what we drew before this white paper and the talk, and it's more interesting. When you have a lot of stuff it's not good as well, because it's very difficult to focus on something. Even this stuff, you have two parts, .NET and Java, it's a bit different: Java has a lot of templating engines, .NET has only SharePoint, it's a bit difficult to keep the focus of the audience for these two parts. I think if you want to include something else maybe it's better to have a separate talk, not even one of them, to build a new talk.

Yeah, makes sense. It's nice to be able to isolate down.

We always keep some approach, you say that in English like something like "seed roads" for the next step, something that looks promising, maybe it's a new way into a new road that can lead to something. So yeah, that's also something that we normally don't include in the talks.

So you're never going to retire from this, are you? There's always going to be something new and interesting to do a talk on.

It's difficult, because competition from year to year is harder and harder, a lot of new guys and a lot of old guys, and it's not easy. Let's hope that we have motivation and time and resources for new research. We like this, life will show.

So we have about five minutes left in our scheduled time here. Is there anything that you, like, what's your call to action? Where would you direct people to keep poking at this, or what's something that, as you were hunting through all of this, you were like, oh, this would be something that I want somebody to look at, but maybe I don't have the background or the time? What's the gap?

Yeah, there's your question, that was it.

Yeah, so as I said, we didn't look at other languages. I know there is a lot of research around template injection in JavaScript and Python, but yeah, so those are some sandboxes as well, and probably those sandboxes need to be bypassed. So a good direction for people wanting to look into this area of research is looking at how these other languages implement sandboxes and maybe try to find a way to break them.

Actually we have two different languages, .NET and Java. I think if we found something similar in these two languages we can assume that many others are affected. It's not a problem of languages, it's a problem in design. Actually it's very difficult to implement a good sandbox for these cases, it's very difficult, a lot of potential areas, and we try to highlight the most obvious of them, and I think it's a good idea to look at any places in any languages, in any system, in any other place.

That makes sense. Well, thank you for that. If you would be so kind, you can toss us in, probably the track one channel would be a good place for this, any place that folks can contact you later. Since this is a new format we can actually put down if there's an email address or a Twitter profile or something, or a GitHub, you could post that in the chat. I don't know if you can hear me.

I can, as a matter of fact. Oh, maybe I can hear you.

We might have just lost him, but you're back.

Yeah, I'm back. I lost all of you.

Well, welcome back. So we were just chatting about if there is a, you know, GitHub or a Twitter profile or an email or something that you, I believe you put something like that in your talk.

Can everybody hear me well?

Yeah.

Yeah, so my personal Twitter handle is obviously, and also I work for the GitHub Security Lab, where all the advisories for the different content management systems, with the details about how we were able to exploit them or break their sandboxes, are being published. Some of them have been published already, some of them are still to be published, so you may also want to follow that one. I think it's GH Security Lab.

Yes, you could type that into the track one channel at your leisure and people can see that there. And that's pretty much the last of the questions I have. I want to thank you both very much for building this presentation and taking time out of your day to come and do this Q&A with us. This is what makes this community better than anything else I've ever been a part of, so thank you very much for your efforts, and I hope to see more from you folks in the near future.

Thank you very much for having us, and hopefully, yeah, we'll come present again at DEF CON next year, and definitely next time in person.

Well, I appreciate it. Have a great rest of your day, enjoy the con, and to everyone watching, you should be able to see here in the next little while the contact information show up in the track one channel. Otherwise we will see you for the next one. Bye, everyone.