Hunting evasive vulnerabilities

James Kettle

Director of Research

@albinowax

• Published: 13 May 2022 at 14:00 UTC

• Updated: 07 September 2022 at 09:04 UTC

Do you ever wonder about the vulnerabilities you've missed? Why didn't they show themselves - and will they be discovered by somebody else later?

Certain vulnerabilities have a knack for evading auditors. As we enter the age of continuous security, knowing how to unearth these is becoming an essential skill. This is true whether you're the first to look at a target and don't want to leave any gifts for the next person, or one of many and just don't want to leave empty-handed.

In this presentation, l pick out evasive vulnerabilities found across a decade of web security research, exploring what factors hid both individual bugs and entire attack classes - and what gave them away. They're a diverse bunch - they may be too advanced or too stupid, well-masked, hiding in plain sight, or armoured by inconvenience. By examining them, I extract both specific techniques and broad principles that you can apply to find other overlooked flaws. I also explore what definitely doesn't work, because I've learnt quite a bit about that too.

This talk is intended to be useful to anyone interested in finding or understanding vulnerabilities. Please note that some of these techniques are distinctly lazy - if you'd prefer to be told to try harder, that can be arranged.

This talk was a keynote at Nullcon Berlin, so it's a bit more accessible than some of our team's usual output. The slides are available, but please note that they are intended to supplement the presentation so they won't be much use on their own. If you're just looking for something to read, you might like So you want to be a web security researcher?

Enjoy!

Back to all articles