JSFoo Coimbatore 2019

On building faster, performant and secure web applications

Leveraging web application vulnerabilities to build an open source intelligence arsenal

Submitted by Karan Saini (@karansaini) on Saturday, 4 May 2019

Section: Full talk (40 mins) | Session type: Demo, Lecture | Technical level: Beginner to Intermediate

Abstract

This talk aims to introduce the audience to how web application vulnerabilities can be used for the purpose of building a self-sufficient open source intelligence arsenal.

Outline

The talk will primarily focus on the prevalence of the following types of flaws:

  • overly permissive application programming interfaces (APIs) that return more data than the client needs
  • business logic errors
  • insecure direct object references (IDOR), where an object is fetched by client-supplied ID without an ownership check
  • use of predictable identifiers (for example, sequential numeric IDs) that can simply be enumerated

Through real-life examples of discovered issues, the talk will provide a starting point for where useful OSINT can be found and how it can be collected. It will also touch upon how developers can avoid baking these issues into their services and products, and how end users can avoid ending up in the resulting databases. The talk will also cover targeting ‘hyper local’ service providers for the purpose of building categorised repositories.

Talk overview:

  • Introduction:

    • What is OSINT?
    • Why build your own arsenal?
    • How can web application vulnerabilities help?
    • Minor case study on the uses of OSINT

  • Scoping:

    • Targeting location-specific service providers
    • Usual suspects: what to look out for (numeric identifiers, APIs, IDORs, weak authentication)
    • Slides with examples

  • Execution: “the good stuff”

    • Scraping the information, or
    • Creating tools to query information at will

  • Prevention:

    • As developers: what to avoid
    • As users: what to avoid (protective techniques)
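The pattern behind the Scoping, Execution and Prevention sections above, as an added example that is not part of the proposal or the speaker's own tooling: a hypothetical profile endpoint that looks records up by a sequential integer with no ownership check (an IDOR on a predictable identifier) and returns the full record (an overly permissive API), the attacker-side loop that turns it into a complete dump, and a hardened version that uses opaque identifiers, checks ownership and minimises what non-owners receive. All records, field names and endpoint names are constructed for illustration.

```python
import uuid
from typing import Callable, Dict, List, Optional

# Constructed sample back-end table (not real data): the kind of local
# service directory the talk describes, keyed by a sequential integer ID.
USERS: Dict[int, Dict[str, str]] = {
    1: {"name": "Asha", "phone": "+91-98xxxxxx01", "email": "asha@example.test"},
    2: {"name": "Ravi", "phone": "+91-98xxxxxx02", "email": "ravi@example.test"},
    3: {"name": "Meera", "phone": "+91-98xxxxxx03", "email": "meera@example.test"},
}

# The only fields anyone other than the record's owner should ever see.
PUBLIC_FIELDS = ("name",)


# --- the flaw: IDOR on a sequential identifier plus an over-permissive response ---

def vulnerable_get_profile(target_id: int) -> Optional[Dict[str, str]]:
    """Hypothetical GET /api/users/<id>: any caller, any id, full record."""
    return USERS.get(target_id)


def enumerate_profiles(fetch: Callable[[int], Optional[Dict[str, str]]],
                       start: int = 1, stop: int = 100) -> List[Dict[str, str]]:
    """Attacker-side collector: walk the integer ID space and keep every hit.

    `fetch` stands in for an HTTP GET against the endpoint; because IDs are
    sequential, a single loop recovers the whole table.
    """
    dump: List[Dict[str, str]] = []
    for candidate in range(start, stop + 1):
        record = fetch(candidate)
        if record is not None:
            dump.append({"id": str(candidate), **record})
    return dump


# --- the fix: opaque identifiers, ownership check, data minimisation ---

# Hypothetical mapping from the public opaque ID to the internal row ID.
OPAQUE_TO_INTERNAL: Dict[str, int] = {}


def issue_opaque_id(internal_id: int) -> str:
    """Expose a random UUID4 in URLs instead of the guessable integer."""
    opaque = str(uuid.uuid4())
    OPAQUE_TO_INTERNAL[opaque] = internal_id
    return opaque


def hardened_get_profile(session_user_id: Optional[int],
                         target_opaque_id: str) -> Optional[Dict[str, str]]:
    """Hypothetical hardened GET /api/users/<opaque_id>.

    Unknown or guessed IDs get the same 'not found' answer (None); the owner
    gets the full record; everyone else gets only PUBLIC_FIELDS, so even a
    valid ID leaked elsewhere does not yield phone numbers or e-mail.
    """
    internal = OPAQUE_TO_INTERNAL.get(target_opaque_id)
    if internal is None:
        return None
    record = USERS[internal]
    if session_user_id == internal:
        return dict(record)
    return {k: v for k, v in record.items() if k in PUBLIC_FIELDS}


if __name__ == "__main__":
    dump = enumerate_profiles(vulnerable_get_profile, 1, 10)
    print(f"vulnerable endpoint: {len(dump)} records dumped, phones included")
    opaque = issue_opaque_id(2)
    print("owner view:     ", hardened_get_profile(2, opaque))
    print("stranger view:  ", hardened_get_profile(1, opaque))
    guessed = enumerate_profiles(lambda i: hardened_get_profile(None, str(i)), 1, 100)
    print(f"hardened endpoint enumerated by integer: {len(guessed)} records")
```

The opaque ID on its own only raises the cost of enumeration; the ownership check and the field whitelist are what actually stop the dump, so a review of an endpoint like this should look for all three, not just for whether the URL contains an integer.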

Speaker bio

Karan Saini is a Policy Officer at the Centre for Internet and Society.
