Pose a Threat: How Perceptual Analysis Helps Bug Hunters

Presentation from OWASP AppSec California 2019 offers up dirty tricks to optimize the hunt for security exposures.

Presentation by Rob Ragan and Oscar Salazar at OWASP AppSec California 2019

Every picture I take, I pose a threat. By picture, I mean screenshot. By threat I mean attacker. What if there was a way to find more exposures without exactly knowing what we’re looking for? OWASP DirBuster had the right idea but was missing the power of perceptual analysis.

This presentation is full of dirty tricks to optimize the hunt for security exposures. Unlimited storage, scalable serverless infrastructure, and machine learning powered by collaborative filtering will enable us to usher in a new age of visibility into our attack surface.

Around the world, bug hunters are leveraging OSINT techniques (e.g. using OWASP Amass) to find security vulnerabilities for organizations. However, they need better ways to perform analysis at scale. Traditional scanners require in-depth knowledge of each issue in order to write a signature. All we need with this new approach is a target, a path, and as output we will get potential exposures. Do this properly at scale and you have effectively taken what would be millions of results to review and filtered it to thousands of likely vulnerable candidates.

This presentation explores new ways to:

  • Distribute requests to targets and paths using scalable serverless infrastructure
  • Screenshot results with unlimited storage and organize them by visual similarity
  • Automate identification of more exposures more quickly using collaborative filtering
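As an added illustration of the second bullet (not code from the talk or from Bishop Fox's tooling), the following pure-Python snippet implements a perceptual difference hash (dHash) over grayscale captures and groups them by Hamming distance, so a reviewer triages clusters of look-alike pages instead of every capture individually. The greyscale-array input, the greedy clustering and the synthetic "screenshots" are all assumptions made for the example.

```python
def downscale(pixels, width=9, height=8):
    """Box-average a grayscale image (rows of 0-255 ints, at least 9x8) to width x height."""
    h, w = len(pixels), len(pixels[0])
    ys = [y * h // height for y in range(height)] + [h]
    xs = [x * w // width for x in range(width)] + [w]
    mean = lambda b: sum(b) / len(b)
    return [[mean([pixels[j][i] for j in range(ys[y], ys[y + 1]) for i in range(xs[x], xs[x + 1])])
             for x in range(width)] for y in range(height)]

def dhash(pixels):
    """64-bit difference hash: 8 rows x 8 bits, each bit = 'left cell darker than right'."""
    bits = 0
    for row in downscale(pixels):
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits

def hamming(a, b):  # differing bits; a small distance means visually similar pages
    return bin(a ^ b).count("1")

def group_by_similarity(hashes, threshold=10):
    """Greedy clustering: a capture joins the first group whose leader is within threshold."""
    groups = []
    for name, h in hashes.items():
        near = [g for g in groups if hamming(hashes[g[0]], h) <= threshold]
        if near:
            near[0].append(name)
        else:
            groups.append([name])
    return groups

def synth_screenshot(size=64, sidebar=False, box=None):
    """Constructed screenshot stand-in: dark header, optional dark sidebar, grey box (y0, y1, x0, x1)."""
    def shade(y, x):
        if y < size // 8 or (sidebar and x < size // 4):
            return 50
        if box and box[0] <= y < box[1] and box[2] <= x < box[3]:
            return 100
        return 200
    return [[shade(y, x) for x in range(size)] for y in range(size)]

SCREENSHOTS = {  # constructed sample captures, not real pages or targets
    "login_a": synth_screenshot(box=(16, 32, 16, 48)),
    "login_b": synth_screenshot(box=(16, 34, 16, 48)),  # same layout, slightly taller form box
    "dir_listing": synth_screenshot(sidebar=True),
}

def triage(threshold=10):  # clusters of look-alike captures for the reviewer to open together
    return group_by_similarity({n: dhash(img) for n, img in SCREENSHOTS.items()}, threshold)
```

With real captures, replace `synth_screenshot` by a loader that converts each PNG to a grayscale row array; the hashing and grouping steps stay the same.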

Focus these techniques on identifying RCEs and you now have a formidable weapon. This approach can be used for a variety of analysis use cases. Penetration testers, bug bounty hunters, SOC analysts, threat researchers, and vulnerability scan jockeys will all benefit from this next-generation approach.



About the author, Rob Ragan

Principal Researcher

Rob Ragan is a Principal Researcher at Bishop Fox. Rob focuses on pragmatic solutions for clients and technology. He oversees strategy for continuous security automation. Rob has presented at Black Hat, DEF CON, and RSA. He is also a contributing author to Hacking Exposed Web Applications 3rd Edition. His writing has appeared in Dark Reading and he has been quoted in publications such as Wired.

Rob has more than a decade of security experience and once worked as a Software Engineer at Hewlett-Packard's Application Security Center. Rob was also with SPI Dynamics where he was a software engineer on the dynamic analysis engine for WebInspect and the static analysis engine for DevInspect.



About the author, Oscar Salazar

Principal Product Researcher

Oscar Salazar is a Principal Product Researcher at Bishop Fox. In this role, he has experience with red teaming, application penetration testing, source code review, network penetration testing, secure software design, and product security reviews. He focuses on research and development of the Continuous Attack Surface Testing (CAST) platform. Oscar has presented at many of the leading security conferences including Black Hat USA, DEF CON, RSA, BSides, Hacker Halted, SyScan 360, and SAS. His research, particularly surrounding anti-anti-automation, has appeared in Wired, eWeek, Fox News, Threatpost, and Gigaom.

Additionally, he has been a featured speaker on the Dark Reading Radio series. Prior to joining Bishop Fox, Oscar served as a web security research engineer at Hewlett Packard's Application Security Center where he designed and developed security checks for the WebInspect web application security scanner. In addition, his research involved developing more effective methods of scanning web applications.

