Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Slack Team for Security Testers and Bug Hunters

Slack Team for Security Testers and Bug Hunters

Shibuya.XSS techtalk #8の発表資料です。


November 14, 2016


Other Decks in Technology


  1. I created a place on Slack where anybody can freely

    ask and answer questions or get supports about security testing
  2. • You can stay anonymous if you prefer • You

    can be a read-only member • 311 registered users (for now) • 22 channels
  3. • new-features • random • session-management • sqli • tls

    • xss • authentication • authorization • business-logic • config-and-deploy • crypto • ddos • error-handling • event • file-handling • general • http-general • identity-management • information-gathering • injection-general • js • mobile
  4. Case 1: XSSvectorMaker • Researcher ymzkei5 created a tool that

    suggests appropriate XSS payload in a specified context • The tool has evolved by taking opinions from guys in #xss channel • You can download it from here for free http://int21h.jp/tools/XSSvectorMaker/
  5. Case 2: Attack Vectors on File Upload • Researcher shhnjk

    from Dubai shared many exploitation techniques in #file- handling channel • The latest his finding is to abuse IE by PDF files that were delivered with incorrect content-type header • His achievements can be found below https://shhnjk.blogspot.jp/
  6. Case 3: DDoS Detection & Mitigation • Researcher purintai proposed

    to make a new channel #ddos for discussing DDoS detection and mitigation • The collective opinion of the channel is that prevention measure is different by their role, e.g., service owner or network operator • Discussion may be ongoing to find a better way to integrate each of countermeasures we can take
  7. • Penetration testers want deep understanding of known vulnerabilities in

    order to write its exploitation code • Security engineers in services and products companies also want to know how the vulnerability is severe and what could be done by it in order to estimate the risk and triage it