Slack Team for Security Testers and Bug Hunters

Slides from the talk given at Shibuya.XSS techtalk #8.

MUNEAKI NISHIMURA

November 14, 2016
Transcript

  1. Slack Team for Security Testers and Bug Hunters (Shibuya.XSS techtalk #8)
  2. MUNEAKI NISHIMURA (nishimunea): Senior security engineer at Recruit Technologies Co., Ltd.; weekend bug hunter
  3. I created a place on Slack where anybody can freely ask and answer questions or get support about security testing
  4. https://sec-testing.slack.com

  5. You can join our team from here http://slackin.csrf.jp

  6. • You can stay anonymous if you prefer
     • You can be a read-only member
     • 311 registered users (for now)
     • 22 channels
  7. Channels (22):
     • authentication • authorization • business-logic • config-and-deploy • crypto • ddos • error-handling • event • file-handling • general • http-general • identity-management • information-gathering • injection-general • js • mobile • new-features • random • session-management • sqli • tls • xss
  8. 2016.03: Looking back over the 8 months since the team started
  9. Case 1: XSSvectorMaker
     • Researcher ymzkei5 created a tool that suggests appropriate XSS payloads for a specified injection context
     • The tool has evolved with feedback from members of the #xss channel
     • You can download it for free from http://int21h.jp/tools/XSSvectorMaker/
  10. Case 2: Attack Vectors on File Upload
     • Researcher shhnjk from Dubai shared many exploitation techniques in the #file-handling channel
     • His latest finding abuses IE with PDF files that are delivered with an incorrect Content-Type header
     • His work can be found at https://shhnjk.blogspot.jp/
  11. Case 3: DDoS Detection & Mitigation
     • Researcher purintai proposed a new channel, #ddos, for discussing DDoS detection and mitigation
     • The channel's consensus is that the appropriate countermeasures differ by role, e.g., service owner versus network operator
     • Discussion is ongoing on how best to integrate the countermeasures each role can take
  12. 2016.11: What this team could become in the future
  13. • Penetration testers want a deep understanding of known vulnerabilities in order to write exploit code for them
     • Security engineers at service and product companies also want to know how severe a vulnerability is and what an attacker could do with it, in order to estimate the risk and triage it
  14. When you analyze a known vulnerability, please share it with us!
  15. You can join our team from here (again) http://slackin.csrf.jp