OWASP AppSec Days Singapore 2024

Out of Bound (OOB) tools (such as Interact.sh, Burp collaborator, etc) are powerful tools for penetration testers who want to find and exploit blind vulnerabilities. Blind vulnerabilities are those that do not show any output in the response, making them hard to detect and OOB tools can make the vulnerable server send a request to a controlled server, where the tool can capture the request and reveal the vulnerability. OOB tools are especially useful for finding SSRF, SQLi, XXE, RCE vulnerabilities, and can also be used to exfiltrate data from the target. They are often used in manual penetration testing activities where pentesters or attackers send requests to the web server using these tools to identify the presence of vulnerability. This happened in Log4J and Text4shell vulnerability exploitation too where mass scanning took place. In this talk, we will discuss about how to effectively leverage this known concept of Out of band testing to identify security vulnerabilities that are actively being tested for or exploited using techniques such as process hierarchy validation, request baselining, etc. In this talk, we will also discuss how to identify and hunt for OOB adversarial infrastructure using techniques such as response fingerprinting, network analysis, and process execution logs. This will help them identify attacks known or unknown against web applications. The talk will also cover some case studies of real-world attacks where OOB tools were used or detected. This talk will give you a comprehensive overview of the various techniques that can be used by defenders to detect unusual out of bound requests originating out of web applications.