Registration Closing Date Apr.26 18:00.


May 4-6 at Taipei Nangang Exhibition Center, Hall 2

Luke


Software Engineer, IBM

A software engineer with 10 years of experience who also has the hacker spirit. Has found vulnerabilities in Slack, Google, and Facebook.

Taiwan's Cybersecurity Researchers
701 Vulnerability Research Lab
  • May 6th (Thu)
  • 10:00 - 10:30
  • 7F 701H

What makes Slack vulnerable to blind SSRF attack

In this session, I'll explain the meaning and purpose of the different X-Forwarded-XXX headers. Next, I'll show how attackers can bypass an application's IP ban via a wrong X-Forwarded-For setting, or even get another victim's IP banned. Last, I'll demo the blind SSRF vulnerabilities I found in Slack, which are due to a misconfiguration of the X-Forwarded-Host setting. It should help everyone learn more about the X-Forwarded-XXX headers.
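As an added example (not from the talk and not Slack's code), here is the X-Forwarded-For handling the abstract contrasts: a naive parser that trusts the leftmost entry, beside one that only honours entries appended by a constructed trusted-proxy list, plus an allowlist check for X-Forwarded-Host. The proxy ranges and hostnames are assumptions for illustration.

```python
import ipaddress
from typing import Optional

# Constructed example values (assumptions): proxies the app may trust, and the hosts it serves.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.10/32")]
ALLOWED_HOSTS = {"app.example.com"}


def _is_trusted(addr: str) -> bool:
    """True if addr is one of our own reverse proxies / load balancers."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, xff: Optional[str]) -> str:
    """Wrong setting: trust the leftmost X-Forwarded-For entry unconditionally.
    Any client can send this header, so an IP-ban check sees whatever the sender chose."""
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_trusted(remote_addr: str, xff: Optional[str]) -> str:
    """Hardened: the only address we know to be real is the TCP peer. Walk the
    X-Forwarded-For chain from the right and stop at the first hop that is not
    one of our own proxies; everything left of it is client-supplied and ignored."""
    if not _is_trusted(remote_addr):
        return remote_addr  # direct connection: the header is untrusted noise
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop  # first address that our proxies did not add themselves
    return remote_addr  # header missing, or every entry was one of our proxies


def forwarded_host_is_safe(host: Optional[str]) -> bool:
    """X-Forwarded-Host is client-controlled unless a trusted proxy overwrites it.
    Only use it to build URLs when it matches the allowlist; otherwise fall back
    to a configured canonical hostname instead of the header value."""
    return host is not None and host.strip().lower() in ALLOWED_HOSTS
```

With the naive parser, a banned direct client can present any address it likes; the hardened parser keeps reporting the real peer, and through a trusted proxy it returns the last hop the proxy itself observed.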

Intermediate
SecDevOps, Web Security, Web Service Security