Presentation by Rob Ragan and Oscar Salazar at OWASP AppSec California 2019
Every picture I take, I pose a threat. By picture, I mean screenshot. By threat, I mean attacker. What if there were a way to find more exposures without knowing exactly what we’re looking for? OWASP DirBuster had the right idea but was missing the power of perceptual analysis.
This presentation is full of dirty tricks to optimize the hunt for security exposures. Unlimited storage, scalable serverless infrastructure, and machine learning powered by collaborative filtering will enable us to usher in a new age of visibility into our attack surface.
Around the world, bug hunters are leveraging OSINT techniques (e.g. using OWASP Amass) to find security vulnerabilities for organizations. However, they need better ways to perform analysis at scale. Traditional scanners require in-depth knowledge of each issue in order to write a signature. This new approach needs only a target and a path as input, and its output is a set of potential exposures. Do this properly at scale and you have effectively taken what would be millions of results to review and filtered them down to thousands of likely vulnerable candidates.
This presentation explores new ways to:
- Distribute requests to targets and paths using scalable serverless infrastructure
- Screenshot results with unlimited storage and organize them by visual similarity
- Automate identification of more exposures more quickly using collaborative filtering
Focus these techniques on identifying RCEs and you now have a formidable weapon. This approach can be used for a variety of analysis use cases. Penetration testers, bug bounty hunters, SOC analysts, threat researchers, and vulnerability scan jockeys will all benefit from this next-generation approach.