Over the past weekend, the final DerbyCon came to an end. At the conference, the VDA Labs team conducted our Advanced Exploitation training, and four members of our team had the honor of giving talks in front of some of the best hackers in the world. The talks are posted below, followed by our brief retrospective of the conference.
Using Next Generation Fuzzing Tools: Fixing Bugs and Writing Next Generation Fuzzing Exploits
by Dr. Jared DeMott and John Stigerwalt
The process of fuzzing has changed, from mutation, to frameworks, to the constraint solving (CS) and genetic algorithms (GA) of today. While pre-written suites and custom one-offs can be great, GAs (AFL/Clusterfuzz) and CS (Sage/MSRD) often do the best – and we’ll drop serious vulns in this talk to prove it. These tools are paired best with scale – fuzzing-as-a-service (FaaS). It’s time to test your code before attackers do. But it’s still not a perfectly simple endeavor. We will explain harnesses; how to pick seeds; which portions of the app to target; CI/CD; and much more. We’ll look at an exciting, new DAST tool: microsoftsecurityriskdetection.com. From there, we’ll teach you how to turn bugs into fixes, or exploits. Excitingly, you’ll learn how to write 0day from results.
Old Tools, New Tricks: Hacking WebSockets
by Michael Fowl and Nick Defoe
Many application developers and penetration testers have struggled to figure out how to assess the security of WebSocket applications. When new technologies like WebSockets are developed, often the tooling available for penetration testing takes a while to catch up. What if you could use traditional penetration testing tools to assess WebSockets? By leveraging concepts found in native code fuzzing, you can! We have been using a novel approach that allows traditional web security testing tools to find vulnerabilities in WebSocket applications.
For those who are not familiar, DerbyCon has been one of the preeminent hacker conferences over the past decade, and VDA Labs has been there almost every year. The conference has always offered a selection of some of the best training, technical talks, and communities of all hacker conferences. Part of this was made possible by the manageable size (fewer than 2000 people) and approachable city (Louisville, KY), but we would say that a huge part of it was the great people who attend. Over the past few years we have met up with old friends, made new ones, shared our knowledge, and learned from titans in our industry all at this one conference – and those of us lucky enough to have been there will miss it for years to come.
The last DerbyCon was bittersweet – but at least for us, we are going to have memories and awesome stories to share for the rest of our lives. Our thanks go out to the trainers, speakers, organizers, volunteers, and sponsors who made it all possible. We hope to see you at another con sometime soon!