Old Tools, New Tricks: Hacking WebSockets

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 8, 2019, 11:30 a.m. (30 minutes)

Many application penetration testers and developers have struggled to figure out how to assess the security of WebSocket applications. When new technologies like WebSockets are developed, often the tooling available for penetration testing takes a while to catch up. What if you could use traditional web penetration testing tools to assess WebSockets? By leveraging concepts found in native code fuzzing, you can! We have been using a novel approach that allows traditional web security testing tools to find vulnerabilities in WebSocket applications.


Presenters:

  • Michael Fowl
    Michael Fowl works as a Senior Security Engineer at VDA Labs where he leverages offensive information security skills to help clients. An avid bug hunter and penetration tester, Michael has spent countless hours performing web application assessments, including placing as a top finisher in events like “Hack the Pentagon.”
  • Nick Defoe
    Nick Defoe is a Security Operations Manager at VDA Labs where he manages security consulting engagements to ensure success. Coming from a background in web application development, Nick has worked on penetration tests and application assessments for many major brands.
