The Bug Hunters Methodology presented at AppSecUSA 2015

by Jason Haddix,

Summary : This is the live and hands on version of Jason's Defcon talk "How to Shot Web: Web and Mobile Hacking in 2015". Join Jason as he explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, scripts, and tips make you better at hacking websites and mobile apps. Whether you're trying to claim those bug bounty prizes or find high level vulnerabilities faster or more efficiently, this talk is for you! Convert edge-case vulnerabilities to practical pwnage even on presumably heavily tested sites. These are tips and tricks that the every-tester can take home and use. Jason will focus on philosophy, discovery, mapping, tactical fuzzing (XSS, SQLi, LFI, ++), CSRF, web services, and mobile vulnerabilities. In many cases we will explore these attacks down to the parameter, teaching the tester common places to look when searching for certain bugs. In addition he will cover common evasions to filters and as many time saving techniques he can fit in.