Director of Research at PortSwigger
Hunting evasive vulnerabilities: finding flaws that others miss
Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later?
Certain vulnerabilities have a knack for evading auditors. As we enter the age of continuous security, knowing how to unearth these is becoming an essential skill. This is true whether you're the first to look at a target and don't want to leave any gifts for the next person, or one of many and just don't want to leave empty-handed.
In this session, I'll pick out evasive vulnerabilities found across a decade of web security research, exploring what factors hid both individual bugs and entire attack classes - and what gave them away. They're a diverse bunch - they may be too advanced or too stupid, well-masked, hiding in plain sight, or armoured by inconvenience. By examining them, I'll extract both specific techniques and broad principles that you can apply to find other overlooked flaws. I'll also explore what definitely doesn't work, because I've learnt quite a bit about that too.
This talk is intended to be useful to anyone interested in finding or understanding vulnerabilities. Please note that some of these techniques are distinctly lazy - if you'd prefer to be told to try harder, that can be arranged.
James 'albinowax' Kettle is the Director of Research at PortSwigger - his latest work includes HTTP desync attacks and automating the hunt for unknown vulnerability classes. He loves inventing novel techniques to hack websites, implementing them in Burp Scanner, and then seeing hackers in the community use those techniques to find new vulnerabilities. He also wrote three of the ten most popular Burp Suite extensions - ActiveScan++, HTTP Request Smuggler, and Backslash Powered Scanner. He's a well-known figure in the hacking community, despite only taking up hacking after becoming bored of playing Counter-Strike at university. He has presented at numerous prestigious venues, most recently on HTTP Desync Attacks at DEFCON and on Practical Web Cache Poisoning at BlackHat USA. In his spare time he's an avid cyclist, often as a means of getting away from his computer (which he bought using a bounty payout, with Bitcoin).