Name: DEF CON 23 - Jason Haddix - How to Shot Web: Web and mobile hacking in 2015
Uploaded: 2022-05-14T05:08:16.000Z
Duration: 48 min 23 s
Description: VoiceTubeの動画で発音を聞きながら英語表現を覚えよう！学べる英語：

this is how to shot web web hacking and mobile hacking in

程度の副詞

2015. I really appreciate everyone being here he's way

smarter than me this is me I work for bug crowd I'm director

-- I manage a team of hackers behind the scenes by bounty can

you write the program. In 2014 I participated as a researcher.

This talk is about my mend I use to do web hack king as well as

stuff I learned from other researchers while doing this

work. What is this really about. It's just -- I put a lot of --

my wife says it's okay. So more specifically what I did I

started off with my mend which is a pen tester mend when I

started doing this, application assessment. And so, I then went

out manually parse d out all of the public researchers of all

the badasses bug hunter I new about a hundred visit -- -- as

well as people I new were good at it I went through ever

article from the beginning of the crowd source bug bounty seen

and also all of the Google and Facebook plans inter Bryce -- I

created a presentation what I disstilled around that

knowledge. This is kind of the stuff I'm going to bring in this

presentation. Bug bounty testing from web -- discovery

techniques, parameters often a tack useful fuzz strings, by

pacer filter and some too long I think is cooler than other too

long. Cool. So the first sections philosophy. So the

differences between kind of bug bounty hunting and being a web

pen test templet both sides and they are both right but when you

get down to the practical work you introduce a lot of stuff

here, up under dues time ton to a security tester they are not

use to exesion when you are doing this kind of stuff unless

you are playing in CTF I played in CFF's I was kind of used to

it. You are only -- for what you find and not the hours you put

in, so, I mean this is a basic overview of how they differ the

talk is more about the technical stuff. Yeah, you basically

tailor method based around finding stuff in 20 percent as

opposed top 80 percent application assessment we'll go

into how that 80/20 rule kind of fits in the rest of the slides.

So if you are doing regular web app assess. -- this is usually

what you are trained from and what your internal method is

built off mostly any of the good consultants use and authors are

you know super great testers, right but these take from you A

to Z and you even though them find good bugs they take a long

time to complete in full scale. So bug bounties are different if

you want to do web hack and these are what you go for my

talk as little bit different. Let's talk about discovery in

web application assessment for a bounty. What you want to do is

basically find the road less traveled if you are aiming to

get paid I think so, you can a tack the flag ship application

that the company has, right. That's not where the

vulnerability is going to be that application has been tested

by a pen test team probably had a bug bounty on it for a long

time. Was really want to find part of the -- maybe has been

secure web servers on different ports. You what about to find

acquisition maybe the company had recently that came from a

different development team and they might have a whole view of

problems that came from a whole different group. You want to

look at functional will the changes and redesigns on sites.

Mobile websites because you are set to renter differently on

your phone. And also a new mobile app version when you are

testing. We are going to go into tools and stuff I used to find

for you to a tack. So recouldn't MG is this tool that a lose to

you do -- one part has all these modules to do subdomain

discovery. Now subdomain discovery is a big part of

finding application left out there marketing spins up a

sight, -- DEF -- finding those and hacking those code execution

through those sites is kind of where you can get big pay

outside. So this script what it does is it scrapes Google for

all -- given web property so let's say Acme.com this will --

for everything that is in ACME and remove those result until

you are down to this long list of subdomains. Also scrapes

being -- net craft, subdomains like common fires tool would

this is on get had you been wrap around reCON installed if to you

use -- you can pop the script in and go. Yes, so this is the

output of something like that against the company like this.

You can see -- probably a lot of domains here that have gone

under assessed as far as you go, so, -- this is that idea of it

rating through Google to find subdomains here you have sight

then minus dub dub dub sites I found on its first hit sand box

I removed that this is the scraping that the cool -- tool

-- is doing. You get credit plier, business or shopping or

advertising and you just keep on removing these until you have

all of them. Then you -- then you end up with a huge list of

sites to assess. Then you want to go through and on your entity

that you are attacking you want to find mergers or acquisition

that may be on -- they just purchased accompany, purchased

by Facebook they got popped as soon as they were a choired they

were not under Facebook six month rule I don't know if it's

six month I can't remember how long. But yeah they got popped

immediate until was a whole different DEF team. They got hit

with injection and custom header that was great well not great

but it was good for the bounty hunter. Wikipedia, update these

things for stock reasons so keep an eye on these if you are --

your company has to purchase something else they have new

domain may not be in the bug about tea -- there's also a

repository of links of ever kind of -- that's comes out on pay

pal and Googled. This one is post -- hosted and Facebook I

have no idea its linked it has everything high percent linked

these are the blog articles. Why is this important if somebody

already found these bugs. Because, bugs get represented

across the domain In different places. So you can tell a lot

about an organization once you read these articles and find the

same bug in other locations like the subdomains may be rogue --

how they filter out input you get a lot of in tell around the

字幕リスト動画再生

DEF CON 23 - Jason Haddix - How to Shot Web: Web and mobile hacking in 2015

stuff

vulnerable

bunch

context