Learn advanced web hacking techniques and methodologies in this 50-minute conference talk from HouSecCon 6 (2015). Explore the differences between standard testing and more specialized approaches, discover unconventional methods for port scanning and mapping, and delve into directory bruteforce workflows. Gain insights on vulnerability discovery using OSINT and learn about new tools like the Maps Project and Intrique. Examine various attack vectors including XSS, SQL injection, file inclusion, and malicious file uploads. Understand the concept of data-driven assessment and discover the most effective resources for SQL injection. Enhance your web hacking skills with this comprehensive overview of the Bug Hunter's Methodology.
Overview
Syllabus
Intro
More Specifically
Differences from standard testing
The regular methodologies
Find the road less traveled
Port Scanning!
Mapping tips
Directory Bruteforce Workflow
Mapping/Vuln Discovery using OSINT
New Project: Maps
Using the Maps Project: Crawling
New Tool: Intrique
Session (better be quick)
Other XSS Observations
SWF Parameter XSS
SQL Injection Observations
SQLmap All Tamper Scripts
Best SQL injection resources
Local file inclusion
Remote file includes and redirects
Malicious File Upload ++
Data Driven Assessment (diminishing return FTW)
Bug Hunters Methodology
