Slack Team for Security Testers and Bug Hunters Shibuya.XSS techtalk #8

Senior security engineer at Recruit Technologies Co., Ltd. Weekend bug hunter MUNEAKI NISHIMURA - nishimunea

I created a place on Slack where anybody can freely ask and answer questions or get supports about security testing

https://sec-testing.slack.com

You can join our team from here http://slackin.csrf.jp

• You can stay anonymous if you prefer • You can be a read-only member • 311 registered users (for now) • 22 channels

• new-features • random • session-management • sqli • tls • xss • authentication • authorization • business-logic • config-and-deploy • crypto • ddos • error-handling • event • file-handling • general • http-general • identity-management • information-gathering • injection-general • js • mobile

2016.03 Look back over the 8 months

Case 1: XSSvectorMaker • Researcher ymzkei5 created a tool that suggests appropriate XSS payload in a specified context • The tool has evolved by taking opinions from guys in #xss channel • You can download it from here for free http://int21h.jp/tools/XSSvectorMaker/

Case 2: Attack Vectors on File Upload • Researcher shhnjk from Dubai shared many exploitation techniques in #file- handling channel • The latest his finding is to abuse IE by PDF files that were delivered with incorrect content-type header • His achievements can be found below https://shhnjk.blogspot.jp/

Case 3: DDoS Detection & Mitigation • Researcher purintai proposed to make a new channel #ddos for discussing DDoS detection and mitigation • The collective opinion of the channel is that prevention measure is different by their role, e.g., service owner or network operator • Discussion may be ongoing to find a better way to integrate each of countermeasures we can take

2016.11 The possibility of this team in the future

• Penetration testers want deep understanding of known vulnerabilities in order to write its exploitation code • Security engineers in services and products companies also want to know how the vulnerability is severe and what could be done by it in order to estimate the risk and triage it

When you analyze a known vulnerability please share it with us!

You can join our team from here (again) http://slackin.csrf.jp