Episode #147 with James Kettle

Security Research

This week, we blast into the past to episode #147, where Seth and Ken chatted with James Kettle (@albinowax). Kettle is the Director of Research at PortSwigger and an expert in the worlds of request smuggling, cross-site scripting (XSS), and the evolving complexities of modern web applications. Watch the episode at https://www.youtube.com/watch?v=b5IVhnboDIY, or find us on your preferred podcast platform.

James’ journey into web security started with his dedication to online gaming. While playing the Polish side-scroller shooter game Soldat, he became frustrated with cheaters ruining the experience by using hacks. So, his interest in understanding web vulnerabilities began as he wanted to learn enough about hacking to combat these cheaters by targeting websites that sold cheats. During his university years studying computer science, James started with mastering cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. His interest in real-world security problems led him into the world of bug bounty hunting, where he discovered and reported vulnerabilities for companies like Google, eventually earning a spot in their top 10 bounty hunters. This paved the way for his role at PortSwigger, where his focus shifted to deeper research and finding unique vulnerabilities beyond the typical penetration testing routine.

“Things are getting tougher on the [system advancement] side, but on the other side, things are just getting more and more complex, and people are stitching together different architectures. A web application used to be just one server, and now you’re lucky if it’s just got a front end and maybe a few back ends.”

James

Request smuggling has become increasingly relevant as web applications advance. While systems are better at preventing classic bugs, making things like XSS, cross-site request forgery (CSRF), and SQL injection less common, there is still a reliance on old apps and bad frameworks. By exploiting discrepancies in how front-end and back-end services handle the same HTTP request, attackers can interfere with web communications and compromise sensitive data. In today’s environment, where web applications are no longer simple, each of the multiple layers introduces its own potential vulnerabilities. As systems grow more complex and continue relying on cloud infrastructure, microservices, and API-driven development, they open up more opportunities for attackers to exploit the intricate connections between components. In particular, vulnerabilities like server-side request forgery (SSRF) and authorization issues between systems have become more prevalent and dangerous. James and his team at PortSwigger have been on the front lines, identifying how these modern architectures introduce new attack vectors and making it essential for security teams to adapt their tools and methodologies. He emphasized how automated tools like Burp Suite enable security researchers to quickly scan real-world sites for vulnerabilities and identify flaws in large-scale systems that manual testing could easily miss.
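One defensive check that follows from the front-end/back-end disagreement described above, added here as an example and not drawn from the episode or from PortSwigger's tooling: a small Python validator that flags HTTP/1.1 request heads whose body framing is ambiguous (both Content-Length and Transfer-Encoding present, conflicting Content-Length values, a non-numeric length, or a Transfer-Encoding value other than chunked), which are exactly the cases two parsers in a chain can resolve differently. The sample request heads are constructed for the example.

```python
import re

# Constructed sample HTTP/1.1 request heads (headers only, CRLF-terminated).
SAMPLE_REQUESTS = {
    "clean": "POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n",
    "cl_and_te": ("POST /api HTTP/1.1\r\nHost: example.test\r\n"
                  "Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"),
    "dup_cl": ("POST /api HTTP/1.1\r\nHost: example.test\r\n"
               "Content-Length: 5\r\nContent-Length: 6\r\n\r\n"),
    "odd_te": "POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: xchunked\r\n\r\n",
}


def parse_headers(raw):
    """Split a raw request head into (lowercased-name, value) pairs, request line excluded."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue  # not a header field; a strict gateway would reject the request
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_problems(raw):
    """Return the reasons why the request's body framing is ambiguous ([] means unambiguous).

    A front-end proxy that rejects requests with any of these findings removes the
    disagreement a back end could otherwise resolve differently (RFC 7230, section 3.3.3).
    """
    headers = parse_headers(raw)
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    problems = []
    if cls and tes:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(cls)) > 1:
        problems.append("conflicting Content-Length values")
    for v in cls:
        if not re.fullmatch(r"[0-9]+", v):
            problems.append("non-numeric Content-Length")
    for v in tes:
        # Only the exact token "chunked" is safe; variants are parsed inconsistently across servers.
        if v.lower() != "chunked":
            problems.append("non-standard Transfer-Encoding value")
    return problems


if __name__ == "__main__":
    for label, raw in SAMPLE_REQUESTS.items():
        print(label, "->", framing_problems(raw) or "ok")
```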

“It’s essential that you can test things fast because it’s worth trying really stupid ideas if you can test them fast. And some really stupid ideas have amazing results.”

James

In the field of security research, not every idea will be a breakthrough—but “bad” ideas can lead to unexpected discoveries. James shared his process of “failing fast,” where he rapidly tests security hypotheses to see if they hold merit, and if they don’t, he quickly moves on to the next idea. This mindset allows the exploration of many potential vulnerabilities without getting bogged down in unfruitful paths. By experimenting with unconventional ideas and using creativity in security research, James has made significant strides in identifying vulnerabilities, and he encouraged others to emphasize persistence and precision. Security research often involves chasing down ideas that may not lead anywhere, but occasionally one idea will unlock a major vulnerability. Being able to quickly test ideas and move on if they don’t pan out is critical.

Another thing James stressed was the importance of communication. Great research can be lost if it’s not properly documented or explained. He encourages researchers to make their work accessible and easy to find so others can build upon it, which he often does himself.

Lastly, James suggests that focusing on a particular target— like a company or a specific system— can help researchers understand that environment deeply enough to find high-impact vulnerabilities that others might overlook. He gave the example of researchers who continually find bugs in the same systems because they have a deeper understanding of how those systems work, enabling them to chain together different bugs for maximum impact. Becoming an expert in a niche corner of security research sharpens your eye when looking for vulnerabilities.

This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications, including AI, web, and mobile. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

If you haven’t yet, show your support of Absolute AppSec by visiting the merch store and picking up our limited edition Halloween items. Stay spooky! As always, join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/vBPk1DsjNWw - Episode #108 - Sean Poris joins the duo to talk about running large bug bounty programs.

https://youtu.be/viXpwtLJa3k - Episode #146 - Jason Haddix on the podcast talking OWASP Top 10, bug bounty strategies, and request smuggling.

https://youtu.be/9N6OX38QCmg - Episode #160 - Open Source Bug Bounty programs in the news spurred by EU announcements.

Absolute AppSec Happenings

https://www.cisa.gov/resources-tools/resources/product-security-bad-practices - The overall recommendations are good, but not much rhyme or reason to putting these into practice.

https://media.defcon.org/DEF%20CON%2032/ - All of the official DEF CON 32 talks are out on their media server. It’s time to watch the talks you marked in HackerTracker but didn’t make it to because “it’ll be available online later”. Jump in Slack and give us your suggestions.

https://github.com/mllamazares/vulncov/ - Miquel Llamazares building out some tooling to identify vulnerabilities based on test code coverage, utilizing Generative AI and LLMs to suggest bug fixes based on the code and principles from Practical Secure Code Review. Good application of the approach!

Upcoming Events

Where in the world are the podcast duo?

October 22-25, 2024 - SaintCon - Provo, UT - Seth will be at the AppSec Community booth most days. Come try out the beginner’s challenges or find and fix vulnerabilities in code in the AppSec Challenge.

November 7-8, 2024 - Harnessing LLMs for Application Security/Generative AI for Software Security - Virtual Training, dates tentative - A newly developed course that focuses on strategies for using more than just the chat interface of an LLM to secure software.

November 21-22, 2024 - DeepSec, Vienna, Austria - Seth will be presenting “Modern vs. 0ld 5k00l” where everything old is new again.