The Voight-Kampff Test for Discovering Web Application Vulnerabilities

Explore the intricacies of distinguishing between human-discovered and machine-detected web application vulnerabilities in this 25-minute conference talk from BSidesSF 2020. Delve into Vanessa Sauter's presentation, which draws inspiration from the Voight-Kampff test to create a filtering system for vulnerability discoveries. Learn about the importance of identifying discovery methods, the strengths of automated scanners, and the unique value of human expertise in cybersecurity. Examine case studies, including insights from Uber's bug bounty program, and understand the nuances of various vulnerability types such as weak workflow enforcement, race conditions, and chained exploits. Engage in a thought-provoking debate on the roles of humans and machines in the ever-evolving landscape of web application security.

Intro
Vanessa Sauter
Travis McCormack
Why does method matter
Web Apps
About the Research
Web App Vulnerabilities
Machine Wins
Manual Setup
Vulnerabilities
Uber Bug Bounty
Why write weak enforcement of workflows
CashMoney example
Race conditions
Chain exploits
Humans and Machines
Case Study
Debate