How to own a bank: Six connecting CVEs in an emulated mainframe environment
Demonstrating the effectiveness of red teaming mentality during execution of penetration tests, web applications and infrastructure. This is discussed in an interactive, fun and energetic manner. Thinking outside the scope of tests and apply an offensive methodology that ensures looking at the full chain and business processes.
With help of practical and fun stories, a set of ground rules and ideas are shared with the crowd, taking them on a journey through my mind. How to perform and excel at all tasks given by your boss and ensure that the board understands why cyber security is important.
During the talk, amongst other things the exploitation will be demonstrated with a video that was taken for the client. It shows how a simple cross side scripting can lead to a cascade that in the end leads to a full code execution as root through a CSRF vulnerability.Combining authorization bypasses, xss and csrf a multitude of less critical issues in multiple interconnected systems results in a complete compromise of a mainframe systems.
This security assessment resulted in six groups of CVEs in late 2017 and one new CVE in 2018.
The way to discover these type of issues is not through standard web application tests with products like Nessus or acunetix. While these help massively, human intelligence and critical thinking skills are vital to understand what is happening how.
Besides being able to find technical issues, they must be presented to management in such a way they they understand the urge of problems. During the talk, practical guidelines and tips will be given how to do this in a non technical way so that follow up is guaranteed.