reader-text" href="#content"> Skip to content
HITB-Invoice-Logo

thank you for joining us!

PRESENTATION SLIDES & MATERIALS

Getting Clear Text Passwords from an IdP & More: Our Research Methodology

Date

August 26, 2022

Time

17:00

Track

CommSec Track

We’ve recently reported several methods to achieve several privilege escalation in Okta by getting the clear text of any employee, including super-admins + other methods to impersonate super-admins and users by admins of org units, or outsource companies. These issues were dubbed #PassBleed, and were classified by Okta as inherent operational risks of their platform.

This talk will present the research process that led to the discovery of these non-vulnerabilities. We will share our internal research methodology based on using knowledge graphs for trust analysis and explain it through showing how we used it to discover these major weaknesses. Our methodology is useful to:

1. Automate vulnerability discovery
2. Enable research team collaboration
3. Visualize & Prioritize

The talk will include some technical details such as basic Matrix math, a bit of Python code, and a (single) raw JSON data dump. A small code example will probably be open-sourced a few days after the talk.

Speakers

Dr Kailong Wang

Researcher

National University Singapore

Dr. Wang Kailong is currently a research fellow at National University of Singapore (NUS). He received his PhD degree from School of Computing NUS in 2022. He has worked as a Research Assistant in NUS while pursuing his PhD degree from 2016 to 2021. His research interests include mobile and web security and privacy, and protocol verification. His works have appeared in the top conferences such as WWW and MobiCom.

Gal Diskin

Co-Founder & CTO

Authomize

Mr. Gal Diskin is a cybersecurity and AI researcher. He was previously the VP & head of Palo Alto Networks’ Israeli site, and is a serial entrepreneur. Mr. Diskin’s research has been featured in HITB, Defcon, Black Hat, CCC, and other conferences, spanning fields from low level security research such as hardware vulnerabilities, binary instrumentation, and car hacking to high level research on AI detection methods, Enterprise security, and Identity security. Mr. Diskin was also the technical lead and co-founder of Intel’s software security organization, as well as the CTO of Cyvera and HeXponent (co-founder) before their acquisition.

Kevin Chen

Senior Security Researcher

Huajiang “Kevin2600” Chen (Twitter: @kevin2600) is a senior security researcher. He mainly focuses on vulnerability research in wireless and Vehicle security. He is a winner of GeekPwn 2020 and also made to the Tesla hall of fame 2021. Kevin2600 has spoken at various conferences including KCON; DEFCON and CANSECWEST.

Li Siwei

Security Researcher

Li Siwei is a security researcher. He specializes in Big data analysis and AI Security.

Rahul Sasi

Founder, CEO

CloudSEK

Rahul Sasi is an Indian entrepreneur, Founder of CloudSEK, and a security expert. He was voted as the top influential Cyber Security person in 2015, he has made a significant open source contribution to the security landscape and is an invited speaker to over 20+ countries. He is part of the working committees of RBI and MeitY.
CloudSEK : https://cloudsek.com/
LinkedIn: https://www.linkedin.com/in/fb1h2s/

Vishal Singh

Senior Security Engineer

CloudSEK

Vishal Singh is working as a Senior Security Engineer at CloudSEK. His main responsibility includes handling the Research & Development of CloudSEK ASM. He loves automating manual effort tasks, and also likes net surfing & exploring new places in his free time.

Other Talks in This Track

Can a Fuzzer Match a Human

LOCATION

CommSec Track

DATE

August 26

TIME

16:30
TALK DETAILS

Getting Clear Text Passwords from an IdP & More: Our Research Methodology

LOCATION

CommSec Track

DATE

August 26

TIME

17:00
TALK DETAILS

Exploiting Race Condition Vulnerabilities in Web Applications

LOCATION

CommSec Track

DATE

August 26

TIME

17:30
TALK DETAILS

Biometrics System Hacking in the Age of the Smart Vehicle

LOCATION

CommSec Track

DATE

August 26

TIME

12:00
TALK DETAILS

Building an Army of Bots by Hijacking a Unicorn’s Twitter Handle

LOCATION

CommSec Track

DATE

August 25

TIME

12:00
TALK DETAILS

SEE YOU IN SINGAPORE

intercontinental singapore

80, Middle Road, Singapore 188966

follow us

Interested in being a sponsor or exhibitor? Email us to request for a sponsorship kit!

GOLD SPONSORS

CTF & CTF PRIZE SPONSOR

CF_logo_rgb_def

TCP/IP RECEPTION SPONSOR

watchtwr BLACK

SILVER SPONSORS

EXHIBITORS

Facebook-f Twitter Google-plus-g Pinterest

Copyright 2023 © All rights Reserved. Hack In The Box