Low Code High Risk - Enterprise Domination via Low Code Abuse - TIB AV-Portal

Low Code High Risk - Enterprise Domination via Low Code Abuse

00:00

8

Bargury, Michael

Formal Metadata

Title

Low Code High Risk - Enterprise Domination via Low Code Abuse

Title of Series

Number of Parts

85

Author

Bargury, Michael

Contributors

N. N. (Moderation)

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/62229 (DOI)

Publisher

Release Date

Language

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Why focus on heavily guarded crown jewels when you can dominate an organization through its shadow IT? Low-Code applications have become a reality in the enterprise, with surveys showing that most enterprise apps are now built outside of IT, with lacking security practices. Unsurprisingly, attackers have figured out ways to leverage these platforms for their gain. In this talk, we demonstrate a host of attack techniques found in the wild, where enterprise No-Code platforms are leveraged and abused for every step in the cyber killchain. You will learn how attackers perform an account takeover by making the user simply click a link, move laterally and escalate privileges with zero network traffic, leave behind an untraceable backdoor, and automate data exfiltration, to name a few capabilities. All capabilities will be demonstrated with POCs, and their source code will be shared. Finally, we will introduce an open-source recon tool that identifies opportunities for lateral movement and privilege escalation through low-code platforms.

Speech

Text

Image

00:00

Menu (computing)Enterprise architectureCodeFocus (optics)Computer animation

00:53

Information securityPoint cloudPerspective (visual)CodePlane (geometry)Computer fontAdditionMultiplication signTwitterMereologyInternet der Dinge2 (number)Point cloudCASE <Informatik>Information securityEnterprise architectureComputing platformSpacetimePerspective (visual)EntropiecodierungSelf-organizationComputer animation

02:55

CodeTime evolutionProduct (business)Mobile appMobile WebEnterprise architectureSystem programmingSoftware as a serviceMultiplication signMereologyEnterprise architectureCASE <Informatik>Data storage deviceEntropiecodierungInformation securityKeyboard shortcutService (economics)SoftwareInterface (computing)Axiom of choiceMacro (computer science)EmailComputing platformCartesian coordinate systemPoint cloud10 (number)Computing platformIdentity managementSelf-organizationBuildingPower (physics)Hacker (term)Moment (mathematics)Web pageGame controllerOffice suiteDrop (liquid)Drag (physics)Computer animation

06:33

GEDCOMAuthenticationDemosceneToken ringInformationFacebookGoogolCompilerSQL ServerDependent and independent variablesEmailService (economics)Group actionSoftware as a serviceRight angleMultiplication signEncryptionAuthenticationComputing platformTrailPower (physics)CuboidOrder (biology)Token ringComputer clusterFunctional (mathematics)MereologyConnected spacePerspective (visual)10 (number)Operator (mathematics)Cartesian coordinate systemSoftwareWindowIdentity managementShared memoryDefault (computer science)DataflowQuicksortRevision controlRoutingHacker (term)RootDifferent (Kate Ryan album)Information securityIntegrated development environmentEntropiecodierungEnterprise architectureComputing platformSelf-organizationBusiness modelPoint (geometry)Office suiteServer (computing)WebsiteComputer fileElectronic mailing listGastropod shellAutomationScheduling (computing)Computer animation

13:02

RootComputing platformEmailVirtual machineService (economics)MalwareLink (knot theory)Metropolitan area networkDependent and independent variablesE-learningEvent horizonEntropiecodierungCartesian coordinate systemSoftwareEntire functionData storage deviceToken ringComputing platformDomain nameMereologyOrder (biology)Power (physics)Point cloudPort scannerConnected spaceSoftware as a serviceIdentity managementTable (information)Line (geometry)EmailDifferent (Kate Ryan album)Functional (mathematics)WindowWeb browserLatent heatLink (knot theory)Content (media)QuicksortElectronic mailing listMaterialization (paranormal)Multiplication signConnectivity (graph theory)Self-organizationGoodness of fitComputing platformWrapper (data mining)Computer wormGastropod shellSingle-precision floating-point formatLocal ringConfiguration spaceShared memoryComputer animation

19:31

Cartesian coordinate systemWindowGame theorySelf-organizationShared memoryHacker (term)Operator (mathematics)MereologyOrder (biology)Identity managementConnected spaceMultilaterationEmailSystem administratorLink (knot theory)Power (physics)FlagKey (cryptography)Computer animation

21:25

MereologyComputing platformEntropiecodierungSelf-organizationComputer animation

21:56

Machine codeHacker (term)BlogComputing platformComputer fileCore dumpBroadcast programmingEncryptionWritingDrop (liquid)Group actionPower (physics)Data managementConvex hullElectronic mailing listComputer wormConnected spaceDataflowLatent heatAttribute grammarOrder (biology)Term (mathematics)Group actionPower (physics)Multiplication signSingle-precision floating-point formatInformation securityWebsiteComputing platformEntire functionComputing platformComputer fileSoftwareRandomizationDatabaseTwitterElectronic mailing listRevision controlLoginMereologyCovering spacePoint cloudRemote procedure callInformationCartesian coordinate systemDependent and independent variables1 (number)Hacker (term)Domain nameSlide rulePoint (geometry)EntropiecodierungComputer animation

29:29

Revision controlCommon Language InfrastructureControl flowFactory (trading post)BlogWrapper (data mining)Backdoor (computing)Electronic program guideOrder (biology)Power (physics)Computing platformVector spaceComputer animation

30:46

Default (computer science)Sheaf (mathematics)Operator (mathematics)Computing platformEntropiecodierungDifferent (Kate Ryan album)Hacker (term)QuicksortSelf-organizationSoftware developerRight angleCartesian coordinate systemComputer animation

32:06

Web portalPower (physics)Web pageComputing platformInstance (computer science)Sign (mathematics)Default (computer science)Mobile appStandard deviationCommunications protocolAccess SQLTable (information)Uniform resource locatorMortality rateBlogLeakVariable (mathematics)Token ringSimultaneous localization and mappingScale (map)Computer-generated imageryVideoconferencingVulnerability (computing)Key (cryptography)AuthenticationEmailEvent horizonElectronic mailing listData storage deviceMachine codeClient (computing)CodeInformationGroup actionString (computer science)Query languageConvex hullMaxima and minimaError messageDatenverknüpfungCryptographyZoom lensAdditionEnterprise architecturePlane (geometry)Information securitySystem identificationInstallation artBackdoor (computing)Self-organizationConfiguration spaceProxy serverDatabaseDefault (computer science)Cartesian coordinate systemObject (grammar)Service (economics)Computing platformPower (physics)AuthenticationToken ringForm (programming)MereologyData storage deviceCASE <Informatik>Enumerated typeQuicksortWeb portalFocus (optics)Error messageElectronic mailing listEnterprise architectureState of matterInformation securityComputing platformPasswordElectronic program guideMultilaterationHacker (term)Ubiquitous computingPredictabilityBlock (periodic table)Drop (liquid)WebsiteBackdoor (computing)Configuration spaceInformationRow (database)Integrated development environmentFlagProxy serverOrder (biology)SpacetimeConnected spaceNumbering schemeSelf-organizationGlobale BeleuchtungDomain nameStandard deviationMultiplication signEntropiecodierungSensitivity analysisEstimatorVariable (mathematics)

40:00

Computer animation

Transcript: English(auto-generated)