How to Shot Web: Web and mobile hacking in 2015

Presented at DEF CON 23 (2015), Aug. 8, 2015, 4 p.m. (60 minutes)

2014 was a year of unprecedented participation in crowdsourced and static bug bounty programs, and 2015 looks like a trendmaker. Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools, and tips make you better at hacking websites and mobile apps to claim those bounties. Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that the every-tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time saving techniques he can fit in.

Presenters:

• Jason Haddix - Director of Technical Operations, Bugcrowd
  Jasonis the Director of Technical Operations at Bugcrowd. Jason trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the researchers. Jason’s interests and areas of expertise include, mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis.

Links:

• https://defcon.org/html/defcon-23/dc-23-speakers.html#Haddix
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Jason Haddix - How to Shot Web - Web and mobile hacking in 2015 - Slides.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Jason Haddix - How to Shot Web - Web and mobile hacking in 2015 - Video.mp4
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 slides/DEF CON 23 - Jason Haddix - How to Shot Web - Web and mobile hacking in 2015 - Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Jason Haddix - How to Shot Web - Web and mobile hacking in 2015 - Video and Slides.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video/DEF CON 23 - Jason Haddix - How to Shot Web - Web and mobile hacking in 2015 - Video.srt (subtitles)
• https://infocon.org/cons/DEF CON/DEF CON 23/DEF CON 23 video and slides/DEF CON 23 - Jason Haddix - How to Shot Web - Web and mobile hacking in 2015 - Video and Slides.mp4 (Video and Slides)
• https://www.youtube.com/watch?v=-FAjxUOKbdI

Similar Presentations:

• DeepSec 2020 „The Masquerade“ / Practical Mobile App Attacks By Example
• NolaCon 2019 / BountyCraft - The Panel
• NolaCon 2016 / Hacking Web Apps (v2)