The attacker's footprint

Chaining low-severity bugs can lead to a full system compromise. We'll show you how to trace the attacker's every step.

#1about 10 minutes

Defining key cybersecurity tools and terminology

An overview of essential information security concepts and tools is provided, including nmap, Burp Suite, IDOR, LFI, and SIEM platforms.

#2about 16 minutes

Performing reconnaissance with an nmap port scan

The initial attack phase begins with an nmap scan to discover open ports and services, identifying potential web applications and an Apache server.

#3about 11 minutes

Gaining initial access with default credentials

After failed SQL injection attempts, access is gained by logging in with common default credentials and a path disclosure vulnerability is found via a malformed JSON.

#4about 13 minutes

Exploiting broken access control with cookie tampering

A base64-encoded cookie is manipulated to access another organization's data, and fuzzing reveals a hidden admin parameter to view sensitive information.

#5about 10 minutes

Reading sensitive files with a path traversal exploit

A known path traversal vulnerability in the Apache server is exploited to read the `/etc/passwd` file and a sensitive configuration file containing credentials.

#6about 1 minute

Achieving remote access via SSH with guessed credentials

Using the leaked username, the password from the configuration file is modified by incrementing the year to successfully log into the server via SSH.

#7about 21 minutes

Analyzing API logs to trace the attacker's steps

The defender analyzes API logs to identify failed SQL injection attempts, a successful login, parameter fuzzing, and cookie manipulation by observing response codes and body sizes.

#8about 15 minutes

Correlating web server and authentication logs

Apache and authentication logs are examined to find evidence of the nmap scan, the path traversal exploit, and the final successful SSH login after several failed attempts.

#9about 13 minutes

Demonstrating a SIEM for automated threat detection

A Security Information and Event Management (SIEM) tool is shown to automatically detect and flag suspicious activity, such as the nmap user agent, in real-time.

#10about 18 minutes

Summarizing vulnerabilities and key security recommendations

The workshop concludes with a summary of the attack chain and provides key recommendations for developers and defenders, such as patch management and maintaining high-quality logs.