Old Tools, New Tricks: Hacking WebSockets

DerbyCon 9.0 - Finish Line

Presented by: Nick Defoe, Michael Fowl
Date: Sunday September 08, 2019
Time: 11:30 - 12:00
Location: Stable Talks

Many application penetration testers and developers have struggled to figure out how to assess the security of WebSocket applications. When new technologies like WebSockets are developed, the tooling available for penetration testing often takes a while to catch up. What if you could use traditional web penetration testing tools to assess WebSockets? By leveraging concepts found in native code fuzzing, you can! We have been using a novel approach that allows traditional web security testing tools to find vulnerabilities in WebSocket applications.

Michael Fowl

Michael Fowl works as a Senior Security Engineer at VDA Labs where he leverages offensive information security skills to help clients. An avid bug hunter and penetration tester, Michael has spent countless hours performing web application assessments, including placing as a top finisher in events like “Hack the Pentagon.”

Nick Defoe

Nick Defoe is a Security Operations Manager at VDA Labs where he manages security consulting engagements to ensure success. Coming from a background in web application development, Nick has worked on penetration tests and application assessments for many major brands.

