Backslash Powered Scanning: Hunting Unknown Vulnerability Classes

Presented at Black Hat Europe 2016, Nov. 4, 2016, 9:30 a.m. (60 minutes)

Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this presentation, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering. <br /> <br /> True to its heritage, this approach also manages to harness some pitfalls that will be all too familiar to experienced manual testers. I'll share some of the more entertaining findings and lessons learned from unleashing this prototype on a few thousand sites, and release a purpose-built stealthy-scanning toolkit. Finally, I'll show how it can be taken far beyond injection hunting, leaving you with numerous leads for future research.


  • James Kettle / albinowax - Head of Research, PortSwigger Web Security   as James Kettle
    James Kettle is head of research at PortSwigger Web Security, where he designs and refines vulnerability detection techniques for Burp Suite's scanner. Recent work has focused on techniques to detect unknown classes of vulnerabilities, and the new Burp Collaborator system for identifying and exploiting asynchronous blind code injection. James has extensive experience cultivating novel attack techniques, including server-side RCE via Template Injection, client-side RCE via malicious formulas in CSV exports, and abusing the HTTP Host header to poison password reset emails and server-side caches. He has spoken at numerous prestigious venues including BlackHat USA, OWASP AppSec Europe, and 44Con London.


Similar Presentations: