How to Shot Web: Web and mobile hacking in 2015

Presented at DEF CON 23 (2015), Aug. 8, 2015, 4 p.m. (60 minutes).

2014 was a year of unprecedented participation in crowdsourced and static bug bounty programs, and 2015 looks like a trendmaker. Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools, and tips make you better at hacking websites and mobile apps to claim those bounties. Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that the every-tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time saving techniques he can fit in.


Presenters:

  • Jason Haddix - Director of Technical Operations, Bugcrowd
    Jasonis the Director of Technical Operations at Bugcrowd. Jason trains and works with internal application security engineers to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the researchers. Jason’s interests and areas of expertise include, mobile penetration testing, black box web application auditing, network/infrastructural security assessments, binary reverse engineering, and static analysis.

Links:

Similar Presentations: