Gathering intelligence about a target is the first step an attacker takes when hacking an application, and one of the most valuable kinds of intelligence is development information. What technology is the application built with? What security issues does the development team struggle with? What does the input validation code look like? Are there outdated dependencies that might pave the way to a successful attack? Attackers collect information about an application's development process, technology, and dependencies to decide how best to attack it. Open-source reconnaissance, gathering this information from public code repositories and other publicly available sources, is an increasingly popular way to do so. Compared to traditional web hacking reconnaissance techniques like host enumeration and active fingerprinting, open-source reconnaissance is passive: the target's infrastructure is never touched, so there is almost nothing for the target's logs or intrusion detection to record. In this session, I am going to dive into how attackers conduct open-source reconnaissance and how to keep open-source recon from compromising the security of your application.
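As an added illustration, not part of the talk or the speaker's material, the script below answers the four questions in the abstract against a small in-memory snapshot of a published repository, plus one check for leaked configuration that the abstract does not list. The repository contents, the commit messages and the LATEST version table are constructed for this example and describe no real project; LATEST stands in for the package-registry lookup an attacker would make online, and every function name is this example's own.

```python
"""Open-source reconnaissance of a published code base, in miniature.

Everything here runs against an in-memory repository snapshot so it works
offline. REPO, COMMITS and LATEST are constructed for this example and
describe no real project; LATEST stands in for the registry lookup an
attacker would do online.
"""
import json
import re

# Constructed repository snapshot: path -> file contents.
REPO = {
    "package.json": json.dumps({
        "name": "acme-shop",
        "dependencies": {
            "express": "4.16.0",
            "lodash": "4.17.4",
            "jsonwebtoken": "9.0.0",
        },
    }),
    "src/validate.js": (
        "function sanitizeName(name) {\n"
        "  return name.replace(/<script>/g, '');\n"
        "}\n"
    ),
    ".env.example": (
        "DATABASE_URL=postgres://app:app@localhost/shop\n"
        "JWT_SECRET=changeme\n"
    ),
}

# Constructed commit history: (short hash, message).
COMMITS = [
    ("a1b2c3d", "Fix XSS in product search by escaping the query"),
    ("e4f5a6b", "Add pagination to order list"),
    ("c7d8e9f", "Temporarily bypass CSRF check for the mobile client"),
]

# Constructed "current release" table; not real advisory or registry data.
LATEST = {"express": "4.18.2", "lodash": "4.17.21", "jsonwebtoken": "9.0.0"}

# Strings that give away credentials or configuration.
SECRET_PATTERNS = {
    "credential assignment": re.compile(
        r"(?i)(password|secret|token|api[_-]?key)\s*[=:]\s*\S+"),
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# Commit-message vocabulary that reveals what the team has been fixing.
SECURITY_WORDS = re.compile(
    r"(?i)\b(xss|sqli|injection|csrf|bypass|auth|sanitiz|validat)\w*")


def parse_version(text):
    """'^4.16.0' -> (4, 16, 0); good enough for ordering pinned releases."""
    return tuple(int(n) for n in re.findall(r"\d+", text)[:3])


def fingerprint_stack(repo):
    """Which technology is the app built with? The manifest says so."""
    manifest = json.loads(repo["package.json"])
    return sorted(manifest.get("dependencies", {}))


def outdated_dependencies(repo, latest):
    """Pinned versions older than the newest known release: name -> (pinned, latest)."""
    manifest = json.loads(repo["package.json"])
    stale = {}
    for name, pinned in manifest.get("dependencies", {}).items():
        if name in latest and parse_version(pinned) < parse_version(latest[name]):
            stale[name] = (pinned, latest[name])
    return stale


def leaked_secrets(repo):
    """(path, pattern name) for every file containing a credential-looking string."""
    hits = []
    for path, text in repo.items():
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                hits.append((path, label))
    return hits


def security_history(commits):
    """Commits whose messages describe the security issues the team struggled with."""
    return [(sha, msg) for sha, msg in commits if SECURITY_WORDS.search(msg)]


def validation_code(repo):
    """Files an attacker reads first to learn what input checks exist."""
    return sorted(p for p in repo if re.search(r"valid|sanit", p, re.I))


def recon_report(repo, commits, latest):
    """The abstract's questions, answered from public artifacts alone."""
    return {
        "stack": fingerprint_stack(repo),
        "outdated": outdated_dependencies(repo, latest),
        "security_commits": security_history(commits),
        "validation_files": validation_code(repo),
        "leaked_secrets": leaked_secrets(repo),
    }


if __name__ == "__main__":
    for key, value in recon_report(REPO, COMMITS, LATEST).items():
        print(f"{key}: {value}")
```

Nothing in the script contacts the target, which is why this kind of reconnaissance leaves no trace in the application's own logs. The defender's cheapest countermeasure is the same program run from the other side: scan your own repositories, manifests and commit history before they are published, because whatever this report finds is exactly what an attacker will find.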
Vickie Li is a web security researcher. She began her career as a web developer and fell in love with security in the process. She enjoys learning and teaching vulnerability research and secure development. Now, she spends her days hunting for vulnerabilities, writing, and blogging about her adventures hacking the web at https://vkili.github.io/blog/.
Level 0, SecArmy Village