Thursday September 19, 2024 14:30 - 15:30 CEST
In this talk we'll explore the opportunities that protocol & standards transformations provide for attackers in environments with an API microservice architecture.

Transformation of user input happens automatically when protocols & standards support certain encodings.

When API backends construct their own calls to second-order APIs from user input, "chained transformations" happen: each hop decodes or re-encodes the value again. This allows an attacker to construct payloads that only manifest in harmful form after a certain number of transformations. The payloads are often too obfuscated to be recognized by the perimeter Web Application Firewall.

This type of vulnerability is present even in hardened targets. Pentesters and bug bounty hunters can maximize the attack surface and increase impact using this bug.
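A defender-side view of the chained-transformation problem described above, as an added example that is not part of the talk or the speaker's material: a perimeter check that decodes once misses a value that a later hop will decode again, while decoding to a fixed point and counting the layers exposes it. URL percent-encoding as the transformation, the `<script` denylist token, the layer limits and all function names are assumptions chosen for illustration.

```python
from urllib.parse import unquote

MAX_LAYERS = 8  # assumed upper bound on decoding hops in the service chain


def decode_layers(value, max_layers=MAX_LAYERS):
    """Percent-decode until the value stops changing.

    Returns (canonical_value, layers). Raises ValueError when the value is
    still changing after max_layers passes, so nesting depth is bounded.
    """
    current, layers = value, 0
    while layers < max_layers:
        decoded = unquote(current)
        if decoded == current:
            return current, layers
        current, layers = decoded, layers + 1
    if unquote(current) != current:
        raise ValueError("encoding depth exceeds limit")
    return current, layers


def _clean(text, denylist):
    lowered = text.lower()
    return not any(token in lowered for token in denylist)


def single_pass_allows(value, denylist):
    """Model of a perimeter filter that decodes exactly once before matching."""
    return _clean(unquote(value), denylist)


def canonical_allows(value, denylist, allowed_layers=1):
    """Match against the fully decoded form and reject unexpected nesting."""
    try:
        canonical, layers = decode_layers(value)
    except ValueError:
        return False
    if layers > allowed_layers:
        return False  # more encoding layers than a legitimate client sends
    return _clean(canonical, denylist)


if __name__ == "__main__":
    denylist = ("<script",)          # constructed signature
    sample = "%253Cscript%253E"      # constructed, double-encoded input
    print(decode_layers(sample))                  # canonical form and depth
    print(single_pass_allows(sample, denylist))   # single-decode filter result
    print(canonical_allows(sample, denylist))     # fixed-point filter result
```

The same fixed-point loop applies to any transformation a downstream hop performs automatically; swap `unquote` for the decoder that hop uses.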
Speakers
Johan Caluwé

Cyber Security Expert @ Centre for Cybersecurity Belgium
Member of Technical Research Team of CERT.be
Guest professor "Web Application Pentesting Advanced" @ Howest University of Applied Sciences
Bug bounty hunter & ethical hacker
01. Gouden Carolus