»Hacking 50 Million users using 123456«
2019-05-16, 11:40–12:20, Main Hall

We will show unique exploitation techniques of uncommon flaws which automated scanners will never detect. Includes payment gateway bypasses, SQLIs, RCEs, etc.

The talk will revolve around a 200day+ hack authorized by a VC on its investments as a black box red teaming where we will show some interesting business logic bypasses on payment gateways etc, patching well-known tools to return more juice, bland server misconfiguration case studies, network hopping, pivoting, escalations, SQL data exfiltration and many other techniques that led us to the data of over 6 firms under the VC housing ~50 Million users.

Bonus case studies collected when red-teaming a billion dollar pharmaceutical firm including the testing of Scientific Data Management Systems and Electronic Lab Notebooks where we could, in fact, reconfigure chemical formulas and sampling devices. Our journey of Pre-GDPR Carnage as red-teamers with a license to kill.