HUNT: Data Driven Web Hacking & Manual Testing

Presented at AppSec USA 2017, Sept. 22, 2017, 10:30 a.m. (45 minutes)

What if you could turbocharge your web hacking without having to sacrifice efficiency? Since pure automation misses so much important information, why not use powerful alerts created from real threat intelligence? What if you had these powerful alerts in as a plugin in a tool that that is so ubiquitous in web hacking that it's synonymous to its very definition? What if this plugin not only told wyou where to look for vulnerabilities, but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tool? Well, dream no more! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter level suggestions on where to look for certain classes of vulnerabilities such as SQL Injection, Command Injection, Local/Remote File Inclusion, and more! The data that drives this plugin are parsed from hundreds of real-world assessments which provide the user with the means to effectively root out critical issues. Not only will HUNT help you assess large, hard targets more thoroughly, but it also aims to organize common web hacking methodologies right inside of Burp Suite. As an open source project, we will go over the data driven design of HUNT and its core functionality.   Detailed Outline HUNT's core idea is to parse large data sets of web application flaws and transforming the results into a meaningful testing tool. We've taken one of the largest known vulnerability data sets, the bounty data at Bugcrowd, and scrubbed it all down to vulnerability class and parameter name. With this data, we can infer patterns in web application vulnerability locations. Today, one of the things we struggle with as an industry is manual testing for large, complex applications. With the amount of surface area to cover on assessments, we are forced to rely on automation. And while automation is great, it fails to apply the years of experience we have as pentesters in identifying edge-cases in web vulnerabilities that cannot be easily found by anything other than a human.   HUNT will log and alert commonly vulnerable areas for manual testers to look at based on the collective knowledge of hackers all over the world. This will help break down complex applications into meaningful and testable areas. We are not aiming to replace scanners in this fashion, but instead, we are making sure web hacking gets the manual tester love that it truly deserves.   The tool covers critical vulnerability classes that can be meaningfully parsed at the moment:   SQL Injection Local/Remote File Includes Directory Traversal OS Command Injection Server Side Request Forgery File Upload Vulnerabilities Insecure Direct Object References Server Side Template Injection   Sections of the Talk The Problem Web hacking training lacks detailed tribal knowledge of vulnerability location Sites are larger and more complex than ever and even harder to test thoroughly with current manual testing techniques and methodologies No in-tool workflow for web hacking methodologies The Data Understanding the data set Learning about data and patterns discerned Give examples of the data of vulnerable parameters Examples: file, document, folder, style, pdf The Tool Explore HUNT's install and GUI Explore some sample alerts live Explore HUNT's methodology and tester references Explore HUNT's methodology organization tab Talk about the future and contribution


  • JP Villanueva - Trust & Security Engineer - Bugcrowd
    JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at local OWASP chapters, Interop DarkReading, BlackHat Arsenal, and Defcon. In his free time, JP enjoys playing and collecting classic video games as well as hacking on bug bounty programs.


Similar Presentations: