Slide 1

Slide 1 text

Slack Team for Security Testers and Bug Hunters Shibuya.XSS techtalk #8

Slide 2

Slide 2 text

Senior security engineer at Recruit Technologies Co., Ltd. Weekend bug hunter MUNEAKI NISHIMURA - nishimunea

Slide 3

Slide 3 text

I created a place on Slack where anybody can freely ask and answer questions or get supports about security testing

Slide 4

Slide 4 text

https://sec-testing.slack.com

Slide 5

Slide 5 text

You can join our team from here http://slackin.csrf.jp

Slide 6

Slide 6 text

• You can stay anonymous if you prefer • You can be a read-only member • 311 registered users (for now) • 22 channels

Slide 7

Slide 7 text

• new-features • random • session-management • sqli • tls • xss • authentication • authorization • business-logic • config-and-deploy • crypto • ddos • error-handling • event • file-handling • general • http-general • identity-management • information-gathering • injection-general • js • mobile

Slide 8

Slide 8 text

2016.03 Look back over the 8 months

Slide 9

Slide 9 text

Case 1: XSSvectorMaker • Researcher ymzkei5 created a tool that suggests appropriate XSS payload in a specified context • The tool has evolved by taking opinions from guys in #xss channel • You can download it from here for free http://int21h.jp/tools/XSSvectorMaker/

Slide 10

Slide 10 text

Case 2: Attack Vectors on File Upload • Researcher shhnjk from Dubai shared many exploitation techniques in #file- handling channel • The latest his finding is to abuse IE by PDF files that were delivered with incorrect content-type header • His achievements can be found below https://shhnjk.blogspot.jp/

Slide 11

Slide 11 text

Case 3: DDoS Detection & Mitigation • Researcher purintai proposed to make a new channel #ddos for discussing DDoS detection and mitigation • The collective opinion of the channel is that prevention measure is different by their role, e.g., service owner or network operator • Discussion may be ongoing to find a better way to integrate each of countermeasures we can take

Slide 12

Slide 12 text

2016.11 The possibility of this team in the future

Slide 13

Slide 13 text

• Penetration testers want deep understanding of known vulnerabilities in order to write its exploitation code • Security engineers in services and products companies also want to know how the vulnerability is severe and what could be done by it in order to estimate the risk and triage it

Slide 14

Slide 14 text

When you analyze a known vulnerability please share it with us!

Slide 15

Slide 15 text

You can join our team from here (again) http://slackin.csrf.jp