Episode #219 with Jason Haddix

Discovery Tools, Security Research

This week on Absolute AppSec, Ken (@cktricky) and Seth (@sethlaw) had a slight schedule change, meaning we’re gonna go back into the archives for this week’s summary. Today, we’re returning to Episode 219 with Jason Haddix to discuss DEFCON talks, using LLMs in research, and his then-recently released tools. You can find it at https://www.youtube.com/watch?v=YYBQkic2bN4, or wherever you get your podcasts.

Jason is a prominent figure in the cybersecurity community, known for his contributions to application security research, bug bounty programs, and red teaming. At the time of this episode airing he was Chief Information Security Officer at BuddoBot, but has since founded Arcanum Information Security where he does consulting and training. Jason was one of the earliest guests on Absolute AppSec.

“The whole future of methodology, the way we test, the tools that empower us to do our testing is going to change with the advent of consumer level AI right now.”

Justin

At the time of filming, Jason had been working on his latest project, the “Cloud Recon” tool. Jason and his colleague Gunner designed Cloud Recon to enhance asset discovery across cloud environments like AWS, GCP, Azure, and DigitalOcean. The tool leverages SSL certificate metadata to quickly scan vast cloud infrastructures, identifying ephemeral assets that often evade traditional detection methods. Jason emphasizes the importance of detecting these fleeting assets, such as temporary development instances or integration infrastructure, which can expose organizations to security risks. Cloud Recon stands out for its speed and efficiency, capable of scanning entire cloud ranges in just over two hours. This level of performance democratized advanced reconnaissance capabilities, traditionally reserved for elite bug bounty hunters and red teams, making them accessible to a broader security community.

Jason also introduced another tool, EasyEASM, designed specifically for IT teams to simplify the process of external asset discovery. Recognizing that many organizations start their asset management journey with spreadsheets, EasyEASM automates the creation of a comprehensive asset inventory. It compiles detailed information, including tech stacks, page titles, and screenshots of assets, providing organizations with a clear and actionable view of their external digital footprints. This tool aims to bridge the gap between IT teams and security professionals, fostering proactive security measures.

“I’ve met security people who are like, [AI is] trash. I can prove to you it’s not trash. It’s changing the world right now. [They say that] it’s not doing it the way it’s supposed to be doing it. It gives a lot of feedback, it gives you errors. You can’t trust it. [But] humans give you errors and you can’t trust humans, but we make that work everyday.”

Jason

The conversation dove further into Jason’s “SusParams” project, an evolution of his earlier work known as “Hunt.” SusParams was created by analyzing extensive public vulnerability datasets from sources like HackerOne Hacktivity and CVEs to identify high-risk web parameters frequently associated with security flaws. This comprehensive dataset has been integrated into the Burp Suite extension “GAP,” enabling real-time alerts for potentially vulnerable parameters during security testing. Jason highlights how this tool serves as a valuable resource for security professionals, particularly newcomers, by surfacing common vulnerability patterns that experienced testers might recognize instinctively. By integrating SusParams with GAP, Jason and his team streamlined vulnerability detection, making it easier for security teams to identify and prioritize potential weaknesses.

Artificial Intelligence played a significant role in the development of the updated SusParams dataset. Using AI-powered parsing tools, Jason and his team efficiently analyzed vast amounts of data from public vulnerability repositories. These tools helped identify patterns in parameter names and routes that correlate with specific vulnerability types. The integration of AI not only accelerated the data processing but also enhanced the accuracy of the final dataset, making it a powerful resource for security practitioners.
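To make the SusParams idea concrete, here is an added example (our own illustration, not code from the SusParams or GAP projects) that matches parameter names in an application’s request inventory against a small, hand-written dataset of parameter-to-bug-class associations and ranks routes so a code reviewer knows where to look first. The dataset, the host names and the sample requests are all constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed illustration of a SusParams-style dataset: parameter names that
# public vulnerability reports tend to associate with a bug class. This is a
# tiny hand-written sample, not the real SusParams data.
SUS_PARAMS = {
    "open_redirect": {"redirect", "redirect_url", "next", "return", "return_url", "url", "dest"},
    "ssrf": {"url", "uri", "callback", "feed", "host", "fetch", "dest", "proxy"},
    "lfi": {"file", "path", "page", "template", "include", "document"},
    "sqli": {"id", "query", "order", "sort", "filter", "search", "user_id"},
    "idor": {"id", "user_id", "account", "profile", "order_id", "invoice"},
}

def normalize(name):
    # Collapse case and separators so "Return-URL", "returnUrl" and "return_url" all match.
    return re.sub(r"[^a-z0-9]", "", name.lower())

NORMALIZED = {cls: {normalize(p) for p in names} for cls, names in SUS_PARAMS.items()}

def extract_params(url, body=""):
    """Distinct parameter names from the query string and an optional form body
    (keep_blank_values so a bare 'debug' flag still counts as a parameter)."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    if body:
        names += [k for k, _ in parse_qsl(body, keep_blank_values=True)]
    return list(dict.fromkeys(names))  # dedupe while preserving order

def flag_params(url, body=""):
    """Map each parameter name to the sorted list of bug classes it is associated with."""
    hits = {}
    for name in extract_params(url, body):
        classes = sorted(cls for cls, names in NORMALIZED.items() if normalize(name) in names)
        if classes:
            hits[name] = classes
    return hits

def triage(requests):
    """Rank (method, url, body) tuples: most flagged parameters first, then by route."""
    rows = []
    for method, url, body in requests:
        hits = flag_params(url, body)
        rows.append((len(hits), f"{method} {urlsplit(url).path}", hits))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample of a request inventory, as a proxy or access log might supply it.
SAMPLE_REQUESTS = [
    ("GET", "https://app.example.test/login?returnUrl=/home", ""),
    ("GET", "https://app.example.test/docs/view?page=intro&lang=en", ""),
    ("POST", "https://app.example.test/api/export", "format=csv&callback=https://hooks.example.test/x"),
    ("GET", "https://app.example.test/health", ""),
]
```

Running triage(SAMPLE_REQUESTS) puts the three routes with a flagged parameter ahead of /health, which has none; a real deployment would swap in the published SusParams data and feed it the application’s actual route inventory.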

There are wider implications of these tools for both offensive and defensive security strategies. Continuous asset monitoring and proactive security measures have proved critical in the time since this episode aired, as the threat landscape has continued to evolve rapidly. Tools like Cloud Recon and SusParams not only empower red teams and bug bounty hunters but also provide blue teams and IT departments with essential insights to secure their infrastructure effectively.

This episode is sponsored by Redpoint Security. Redpoint specializes in “Code Security. By Coders,” which is bolstered by years of experience testing applications and conducting code reviews against all types of applications. Redpoint also offers secure code training to help ground your teams in better security practices across the development lifecycle. So check out redpointsecurity.com for more information and put your company on a path to better security.

As you may have noticed, it’s cold out and at the very least you should have a warm Absolute AppSec hat. Visit the merch store and pick up those needed items. Or just join Seth and Ken in Slack.

Stay Secure,

Seth & Ken

https://youtu.be/viXpwtLJa3k - Episode #146 - OWASP Top 10, Bug Bounties with @JHaddix, Request Smuggling - Another discussion with Jason Haddix, first talking about the OWASP Top 10 Draft list and how the Top 10 should be used as an awareness document. Discussions on bug bounties with surprise guest Jason Haddix (@JHaddix). More fun with HTTP Request Smuggling.

https://www.youtube.com/watch?v=RX4mdX4XUZ0 - Episode #9 - Jason Haddix - One of the very first Absolute AppSec episodes with Jason as a guest.

https://youtu.be/U_7zoVhVtsQ - Episode #96 - Fuzzing and Static Analysis Tools - Seth and Ken discuss fuzzing techniques, recommendations, and experience. Stories of fuzzing in production. How static analysis tools have changed and where they fit.

Absolute AppSec Happenings

https://utkusen.substack.com/p/how-to-create-vulnerable-looking - Creating an application honeypot. Given that honeypots have been a staple of monitoring (and logging) in the network space, it makes sense to add this to your tool chest for detecting attacks against your application.

https://gist.github.com/hackermondev/45a3cdfa52246f1d1201c1e8cdef6117 - Student finds a way to deanonymize locations using various services through installation and requests made by a malicious application.

https://portswigger.net/research/stealing-httponly-cookies-with-the-cookie-sandwich-technique - New research from PortSwigger. This time related to stealing HttpOnly cookies based on behaviors in some browsers.

Upcoming Events

Where in the world are Seth and Ken?

February 14-15, 2025 - CactusCon, Mesa, AZ - Ken is speaking, Seth may or may not make an appearance for drinks, discussions, and some crocs&socks.

February 20-21, 2025 - Harnessing LLMs for Application Security - Virtual Training - Next opportunity for the new course that focuses on strategies for using more than just the chat interface of an LLM to secure software.

March 6-7, 2025 - Apres-Cyber Slopes Summit - Seth will be presenting his Modern vs. 0ld 5k00l talk, where all the old vulnerabilities are new again.

March ??, 2025 - Practical Secure Code Review - Virtual Training - The course that started it all! We will reprise this online with a training in Q1; if you have specific dates you would like to see, please reach out (via email or Slack).

June 28-29, 2025 - DEF CON Trainings, Seattle, WA - Seth and Ken will present one of the courses. Watch this space for additional details once it is fully posted.