Thursday, January 24 • 3:00pm - 3:50pm
Pose a Threat: How Perceptual Analysis Helps Bug Hunters

Every picture I take, I pose a threat. By picture, I mean screenshot. By threat I mean attacker. What if there was a way to find more exposures without exactly knowing what we’re looking for? OWASP DirBuster had the right idea but was missing the power of perceptual analysis.

This talk is full of dirty tricks to optimize the hunt for security exposures. Unlimited storage, scalable serverless infrastructure, and machine learning powered by collaborative filtering will enable us to usher in a new age of visibility into our attack surface. Around the world, bug hunters are leveraging OSINT techniques (e.g. using OWASP Amass) to find security vulnerabilities for organizations. However, they need better ways to perform analysis at scale. Traditional scanners require in-depth knowledge of each issue in order to write a signature. All this new approach needs as input is a target and a path, and as output it produces potential exposures. Do this properly at scale and you have effectively taken what would be millions of results to review and filtered them down to thousands of likely vulnerable candidates.

Come watch the revolution unfold with new ways to:
* Distribute requests to targets and paths using scalable serverless infrastructure
* Screenshot results with unlimited storage and organize them by visual similarity
* Automate identification of more exposures more quickly using collaborative filtering
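
The "organize them by visual similarity" step above, as an added illustration that is my own example and not code from the talk or from Bishop Fox: a minimal difference hash (dHash) over constructed grayscale "screenshots", grouped by Hamming distance so that near-identical pages (the same template on many hosts) collapse into one cluster and visually distinct ones stand out for review. The pixel layouts, hostnames and the 10-bit threshold are assumptions.

```python
def render(fn, size=32):
    """Build a size x size grayscale grid (0..255) from a pixel function; a constructed stand-in for a screenshot."""
    return [[fn(x, y) for x in range(size)] for y in range(size)]

def resize_nearest(pixels, width, height):
    """Nearest-neighbour downscale of a 2-D grid (list of rows)."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]

def dhash(pixels, hash_size=8):
    """Difference hash: downscale to (hash_size+1) x hash_size, one bit per horizontal pixel pair (1 = left brighter)."""
    small = resize_nearest(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | int(row[x] > row[x + 1])
    return bits

def hamming(a, b):
    return bin(a ^ b).count("1")

def cluster_by_similarity(named_images, threshold=10):
    """Greedy grouping: an image joins the first cluster whose representative hash is within `threshold` bits."""
    clusters = []  # list of (representative_hash, [names])
    for name, img in named_images:
        h = dhash(img)
        for rep, members in clusters:
            if hamming(rep, h) <= threshold:
                members.append(name)
                break
        else:
            clusters.append((h, [name]))
    return [members for _, members in clusters]

# Constructed pixel functions (assumed layouts, not real sites)
def landing_page(x, y):
    return 20 if y < 6 else 255 - 7 * x          # dark header band, brightness falling to the right
def landing_page_other_host(x, y):
    if 12 <= y <= 14 and 2 <= x <= 5:             # same template plus a small dark "hostname" blob
        return 0
    return landing_page(x, y)
def admin_panel(x, y):
    return 250 if y >= 28 else 30 + 7 * x         # rising brightness, bright footer: an unrelated layout

SCREENSHOTS = [("host-a/", render(landing_page)),
               ("host-b/", render(landing_page_other_host)),
               ("host-c/admin", render(admin_panel))]
# cluster_by_similarity(SCREENSHOTS) -> [["host-a/", "host-b/"], ["host-c/admin"]]
```

Each resulting cluster needs only one manual look, which is the filtering effect the abstract describes; a real pipeline would feed actual screenshots resized to grayscale into `dhash` and tune the threshold against known duplicates.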

Focus these techniques on identifying RCEs and you now have a formidable weapon. In conclusion, this approach can be used for a variety of analysis use cases. Penetration testers, bug bounty hunters, SOC analysts, threat researchers, and vulnerability scan jockeys will all benefit from this next generation approach.

Presentation Link


Rob Ragan

Partner, Bishop Fox
Rob Ragan is a Principal Researcher with 15+ years of experience in penetration testing, red teaming, and offensive security. These days he's mostly interested in innovative techniques to map out the domains, subdomains, exposed services, and vulnerabilities of large and complex...

Oscar Salazar

Principal Security Associate, Bishop Fox
Oscar Salazar is a Principal at Bishop Fox, a security consulting firm providing services to the Fortune 500, global financial institutions, and high-tech startups. In this role, he focuses on continuous security assessment, red teaming, application penetration testing, source code...

Thursday January 24, 2019 3:00pm - 3:50pm PST
Club Room