Scanning your way into internal systems via URLScan
12 Aug 2022
Comprehensive Talk
Rojan Rijal
Abstract
URLScan is frequently used in anti-phishing work to identify potentially malicious websites. However, a misconfigured scan can sometimes expose internal assets, domains, and sensitive information to the public. GitHub had a similar event in 2021 where internal repository names got exposed due to a misconfigured scan set.
The talk will cover various technologies and their internal usage at sample companies. Once the technologies are covered the talk will explore how these technologies can be queried in URLScan to identify sensitive information disclosed by companies.
The talk will start by explaining and highlighting SaaS technologies that often leak a company's sensitive information. In addition to the technologies, the talk will proceed to explain how to use extracted information for privilege escalation or access to internal resources. The technologies covered will include at minimum: Microsoft Office 365, GSuite, Salesforce, GitHub and SAML providers.
Once the technologies are covered, the talk will cover how URLScan can help identify these resources en masse. This specific section of the talk will go over various search queries and regex searches that can be used to reliably retrieve information from these technologies. Once the basic queries are covered, the talk will then explore specific queries that can be combined to reliably pull information for a given company.
The end of the talk will also show examples with real companies that I have found to have disclosed sensitive information.
At the end of the talk, attendees will be able to walk out with exact queries they can run to find if their company or their target is disclosing sensitive information. In addition, they will also be able to use some disclosed information to further escalate their access internally.