AppSec USA 2017 has ended
Back To Schedule
Friday, September 22 • 10:30am - 11:15am
HUNT: Data Driven Web Hacking & Manual Testing

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Feedback form is now closed.

What if you could turbocharge your web hacking without having to sacrifice efficiency? Since pure automation misses so much important information, why not use powerful alerts created from real threat intelligence? What if you had these powerful alerts in as a plugin in a tool that that is so ubiquitous in web hacking that it’s synonymous to its very definition? What if this plugin not only told wyou where to look for vulnerabilities, but also gave you curated resources for additional exploitation and methodology? What if you could organize your web hacking methodology inside of your tool? Well, dream no more! HUNT is a new Burp Suite extension that aims to arm web hackers with parameter level suggestions on where to look for certain classes of vulnerabilities such as SQL Injection, Command Injection, Local/Remote File Inclusion, and more! The data that drives this plugin are parsed from hundreds of real-world assessments which provide the user with the means to effectively root out critical issues. Not only will HUNT help you assess large, hard targets more thoroughly, but it also aims to organize common web hacking methodologies right inside of Burp Suite. As an open source project, we will go over the data driven design of HUNT and its core functionality.


Detailed Outline

HUNT's core idea is to parse large data sets of web application flaws and transforming the results into a meaningful testing tool. We've taken one of the largest known vulnerability data sets, the bounty data at Bugcrowd, and scrubbed it all down to vulnerability class and parameter name. With this data, we can infer patterns in web application vulnerability locations.

Today, one of the things we struggle with as an industry is manual testing for large, complex applications. With the amount of surface area to cover on assessments, we are forced to rely on automation. And while automation is great, it fails to apply the years of experience we have as pentesters in identifying edge-cases in web vulnerabilities that cannot be easily found by anything other than a human.


HUNT will log and alert commonly vulnerable areas for manual testers to look at based on the collective knowledge of hackers all over the world. This will help break down complex applications into meaningful and testable areas. We are not aiming to replace scanners in this fashion, but instead, we are making sure web hacking gets the manual tester love that it truly deserves.


The tool covers critical vulnerability classes that can be meaningfully parsed at the moment:


SQL Injection

Local/Remote File Includes

Directory Traversal

OS Command Injection

Server Side Request Forgery

File Upload Vulnerabilities

Insecure Direct Object References

Server Side Template Injection


Sections of the Talk

The Problem

Web hacking training lacks detailed tribal knowledge of vulnerability location

Sites are larger and more complex than ever and even harder to test thoroughly with current manual testing techniques and methodologies

No in-tool workflow for web hacking methodologies

The Data

Understanding the data set

Learning about data and patterns discerned

Give examples of the data of vulnerable parameters

Examples: file, document, folder, style, pdf

The Tool

Explore HUNT's install and GUI

Explore some sample alerts live

Explore HUNT's methodology and tester references

Explore HUNT's methodology organization tab

Talk about the future and contribution


JP Villanueva

Trust & Security Engineer, Bugcrowd
JP Villanueva is a Trust & Security Engineer at Bugcrowd. Before Bugcrowd, JP spent 2 years as an Application Security Engineer and another 2 years as a Solutions Architect at WhiteHat Security helping customers become more secure. JP has also presented at local OWASP chapters, Interop... Read More →

Friday September 22, 2017 10:30am - 11:15am EDT
Coronado L