1. 始めに
こんにちは、morioka12 です。
本稿では「NahamCon 2024: Main Track - Hosted by Critical Thinking - Bug Bounty Podcast」について個人的に簡単なまとめを紹介します。
- 1. 始めに
- 2. NahamCon 2024
- Modern WAF Bypass Techniques on Large Attack Surfaces
- .js Files Are Your Friends
- Sluicing Scripts
- OAuth Secrets
- Practical AI for Bounty Hunters
- GraphQL is the New PHP
- Shodan & WAF Evasion Techniques
- Writing Caido Plugin Using AI
- Deep dive into AWS Instance metadata
- Subdomain takeover can be so much worse than phishing
- 3. 終わりに
(私はリアルタイムで視聴していましたが、終了後は YouTube Live のアーカイブが非公開のため、公開されてる情報をもとにまとめています。)
We'll be going live with Day 2 of #NahamCon2024 in a few hours with some amazing talks from @infosec_au, @zseano, @TomNomNomm @gregxsunday, @Jhaddix, @0xLupin, @GodfatherOrwa, @rez0__, @Congon4tor, @InsecureNature and @JoeLeonJr!
— Ben Sadeghipour (@NahamSec) May 25, 2024
🗓️9:00 AM PST
📍https://t.co/5IwymGTHaO pic.twitter.com/r8h9xadv4J
. @0xteknogeek and I are hosting NahamCon today and we're PUMPED!
— Justin Gardner (@Rhynorater) May 25, 2024
The line up is so good - all well respected, top hunters speaking on their bread-and-butter.
Definitely a high ROI conference. Check out @NahamSec's YouTube to tune in! pic.twitter.com/Dkl7NQBz1P
2. NahamCon 2024
NahamCon 2024 Schedule
Modern WAF Bypass Techniques on Large Attack Surfaces
- YouTube Video
- Slide
Thanks for everyone watching my keynote on WAF bypasses at Nahamcon. You can find my slides here: https://t.co/1TTLWz7woz
— shubs (@infosec_au) May 25, 2024
- nowafpls Burp Plugin (XML/URLEncoded/JSON)
Epic presentation on WAF bypass by @infosec_au at NahamCon by @NahamSec
— Jason Haddix (@Jhaddix) May 25, 2024
I did a bakeoff for these types of tools a while back;
Here are some of your choices by type of infrastructure you want to proxy by!
Socks + Proxying:https://t.co/msod9lmrFBhttps://t.co/mPcPYFZDZd…
Released as part of #NahamCon, an SQL injection cheatsheet like no other:https://t.co/KDpvOnoedd
— Tib3rius (@0xTib3rius) May 24, 2024
I'll be updating it soon with more examples, but it covers so much useful info! Thanks @NahamSec for inviting me to do an SQLi workshop!
.js Files Are Your Friends
- YouTube Video
.js files are your (best) friend by @zseano is live now at #NahamCon2024! pic.twitter.com/cXO5epxI6q
— Ben Sadeghipour (@NahamSec) May 25, 2024
Working on updating @renniepak 's JS parser bookmarklet that @zseano talked about today at Nahamcon! 🫶 pic.twitter.com/USpHtmxXkD
— Jason Haddix (@Jhaddix) May 25, 2024
Sluicing Scripts
Thanks to everyone who watched my NahamCon talk!
— TomNomNom (@TomNomNom) May 25, 2024
If you're interested, I actually did end up writing it with HTML and JS from scratch instead of using PowerPoint or Google slides. The whole thing was done in-browser.
Thanks a ton to @NahamSec @0xteknogeek and @Rhynorater :) https://t.co/rQjcJSm3Ee
OAuth Secrets
- YouTube Video
Practical AI for Bounty Hunters
- YouTube Video
My talk is coming up for NahamCon! @NahamSec
— Jason Haddix (@Jhaddix) May 25, 2024
Here is the work-in-progress XSS mutation bot:https://t.co/t4s31gVagA
and the work-in-progress Acquisitions Bot:https://t.co/AkbJqSJWxc
and the work-in-progress Reporting Bot:https://t.co/gnGWgTc9B6
and my epic general web…
GraphQL is the New PHP
In under 20 minutes, @Jhaddix will be presenting his "Practical AI for Bounty Hunters" at #NahamCon2024 followed by @0xlupin's "GraphQL is the New PHP"! pic.twitter.com/p0Es8eI9tf
— Ben Sadeghipour (@NahamSec) May 25, 2024
Shodan & WAF Evasion Techniques
- YouTube Video
Live with @GodfatherOrwa at #NahamCon2024! https://t.co/9SJHtI5tKn pic.twitter.com/GFF6y9sadq
— Ben Sadeghipour (@NahamSec) May 25, 2024
https://x.com/GodfatherOrwa/status/1794391269864808615
Writing Caido Plugin Using AI
🔥@rez0__ showing us how to create a @CaidoIO plugin using AI, followed by @Congon4tor's "Deep dive into AWS Instance metadata" pic.twitter.com/wLxdF7NxZ4
— Ben Sadeghipour (@NahamSec) May 25, 2024
Deep dive into AWS Instance metadata
- YouTube Video
Subdomain takeover can be so much worse than phishing
Our entire team at #NahamCon gets excited every year when we see @InsecureNature's submission.. and this year is no different! Join us as we close out #NahamCon2024 with "Subdomain takeover can be so much worse than phishing" in ONE hour! pic.twitter.com/HqdE3kopoy
— Ben Sadeghipour (@NahamSec) May 25, 2024
3. 終わりに
本稿では「NahamCon 2024: Main Track - Hosted by Critical Thinking - Bug Bounty Podcas」について個人的に簡単なまとめを紹介しました。
ここまでお読みいただきありがとうございました。
