Hunting Evasive Vulnerabilities - Finding Flaws That Others Miss

Offered By: nullcon via YouTube

Tags

nullcon Courses
Web Security Courses

Course Description

Overview

Explore advanced techniques for uncovering elusive vulnerabilities in web security with this 40-minute conference talk by James Kettle, Director of Research at PortSwigger. Delve into a decade of web security research, examining factors that conceal both individual bugs and entire attack classes. Learn specific methods and broad principles for identifying overlooked flaws, understand what approaches are ineffective, and gain insights into lazy yet effective techniques. Discover the importance of continuous security and how to avoid leaving vulnerabilities for others to find. Suitable for anyone interested in finding or understanding vulnerabilities, this talk covers topics such as attention traps, visible defenses, overcoming fear, implausible ideas, invisible chain-links, missing fingerprints, attack surface overload, and curiosity-powered hacking.

Syllabus

Introduction
Attention Trap
Outline
Background
Why join the hunt
The visible defence
The fear
The implausible idea
The invisible chain-link
The missing fingerprint
Pyramid of pain
Attack surface overload
Scan to learn: curiosity-powered hacking
Takeaways


Taught by

nullcon
