A Bug-Hunting Tale: Finding Non-standard Vulnerabilities

October 20, 2016

Ken Kantzer

We’re all familiar with the common SQLi/XSS/CSRF vulnerabilities you’d find in a generic app, but what happens when you’re facing a NoSQL stack, or all the “easy” bugs are gone? Creativity and out-of-the-box thinking are required! We’ll be diving into several real-life vulnerabilities that surfaced while building our own app. We’ll cover Redis key-overwrites (which are supposedly impossible), email parsing vulnerabilities, and fatal “null” equality check vulnerabilities. We’ll then talk about methods for finding and exploiting these vulnerabilities yourselves for fun and profit.