At Oredev 2014 I presented “Confessions of an Accidental Security Tester”.
“Alan Richardson does not describe himself as a security tester. He’s read the books so he knows enough to know he doesn’t know or do that stuff properly. But he has found security issues, on projects, and on live sites that he depends on for his business.
You want to know user details? Yup, found those. You want to download the paid-for assets from the site without paying for them? Yup, can do. You want to see the payment details for other people? OK, here they are. All of this, and more, as Alan stumbled, shocked, from one security issue to the next.
In this session Alan describes examples of security issues, and how he found them: the tools he used, why he used them, what he observed and what that triggered in his thought processes.
Perhaps most shocking is not that the issues were live, and relatively easy to find and exploit, but that the companies were so uninterested in them. So this talk also covers how to ‘advocate’ for these issues. It also warns you not to expect rewards and gratitude. Companies with these types of issues typically do not have bug bounty schemes.
Nowadays, many of the tools you need to find and exploit these issues are built into the browser. Anyone could find them. But testers have a head start. So in this session Alan shows how you can build on the knowledge and thought processes you already have to find these types of issues.
This is a talk about pushing your functional testing further, deeper, and with more technical observation, so you too can ‘accidentally’ discover security issues.”