Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Slack Team for Security Testers and Bug Hunters

Slack Team for Security Testers and Bug Hunters

Shibuya.XSS techtalk #8の発表資料です。

MUNEAKI NISHIMURA

November 14, 2016
Tweet

More Decks by MUNEAKI NISHIMURA

Other Decks in Technology

Transcript

  1. Slack Team for Security Testers and Bug Hunters
    Shibuya.XSS techtalk #8

    View full-size slide

  2. Senior security engineer at Recruit Technologies Co., Ltd.
    Weekend bug hunter
    MUNEAKI NISHIMURA - nishimunea

    View full-size slide

  3. I created a place on Slack where anybody can freely ask and answer
    questions or get supports about security testing

    View full-size slide

  4. https://sec-testing.slack.com

    View full-size slide

  5. You can join our team from here
    http://slackin.csrf.jp

    View full-size slide

  6. • You can stay anonymous if you prefer
    • You can be a read-only member
    • 311 registered users (for now)
    • 22 channels

    View full-size slide

  7. • new-features
    • random
    • session-management
    • sqli
    • tls
    • xss
    • authentication
    • authorization
    • business-logic
    • config-and-deploy
    • crypto
    • ddos
    • error-handling
    • event
    • file-handling
    • general
    • http-general
    • identity-management
    • information-gathering
    • injection-general
    • js
    • mobile

    View full-size slide

  8. 2016.03
    Look back over the 8 months

    View full-size slide

  9. Case 1: XSSvectorMaker
    • Researcher ymzkei5 created a tool that
    suggests appropriate XSS payload in a
    specified context
    • The tool has evolved by taking opinions
    from guys in #xss channel
    • You can download it from here for free
    http://int21h.jp/tools/XSSvectorMaker/

    View full-size slide

  10. Case 2: Attack Vectors on File Upload
    • Researcher shhnjk from Dubai shared
    many exploitation techniques in #file-
    handling channel
    • The latest his finding is to abuse IE by
    PDF files that were delivered with
    incorrect content-type header
    • His achievements can be found below
    https://shhnjk.blogspot.jp/

    View full-size slide

  11. Case 3: DDoS Detection & Mitigation
    • Researcher purintai proposed to make a new channel #ddos for
    discussing DDoS detection and mitigation
    • The collective opinion of the channel is that prevention measure is
    different by their role, e.g., service owner or network operator
    • Discussion may be ongoing to find a better way to integrate each of
    countermeasures we can take

    View full-size slide

  12. 2016.11
    The possibility of this team in the future

    View full-size slide

  13. • Penetration testers want deep understanding of known vulnerabilities
    in order to write its exploitation code
    • Security engineers in services and products companies also want to
    know how the vulnerability is severe and what could be done by it in
    order to estimate the risk and triage it

    View full-size slide

  14. When you analyze a known vulnerability
    please share it with us!

    View full-size slide

  15. You can join our team from here (again)
    http://slackin.csrf.jp

    View full-size slide