Web Hacking and AI Security Labs at BSidesSF

Jason Haddix and NahamSec will be conducting hands-on “Arsenal” style labs and micro-training sessions at the BSidesSF Bug Bounty Village. The event covers:
– Web Hacking (SQLi, XSS, CSRF, SSRF)
– AI Security (Adversarial ML, Model Poisoning)
– Recon Techniques (OSINT, Subdomain Enumeration)

You Should Know:

1. Web Hacking Essentials

SQL Injection (SQLi) Exploitation

sqlmap -u "http://example.com/login?id=1" --dbs --batch

Steps:

1. Identify injection points (`'`, `"`, `)`, `--`).

2. Use `UNION`-based or Boolean-based attacks.

3. Extract DB schema with `--schema`.
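The probe characters from step 1 only have an effect when input is concatenated into the SQL text. The following added example (not part of the original post) runs them against a concatenated query and a parameterized one in an in-memory SQLite database, which is also a quick way to confirm a fix. The table, function names and probe strings are constructed for illustration.

```python
import sqlite3

# Constructed probe strings: the step 1 characters plus one Boolean condition.
PROBES = ["1'", '1"', "1)", "1 --", "1 OR 1=1"]


def make_db():
    """Build a throwaway in-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def lookup_vulnerable(db, user_id):
    # Input is concatenated into the SQL text, so it can change the query.
    return db.execute(
        "SELECT name FROM users WHERE id = " + user_id).fetchall()


def lookup_parameterized(db, user_id):
    # Input is bound as a value; the query structure stays fixed.
    return db.execute(
        "SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()


def audit(lookup):
    """Return the probes that raise a SQL error or return rows."""
    db = make_db()
    findings = []
    for probe in PROBES:
        try:
            rows = lookup(db, probe)
        except sqlite3.Error as exc:
            findings.append((probe, "sql error: " + type(exc).__name__))
            continue
        if rows:  # no probe string is a valid id, so any row is a finding
            findings.append((probe, f"{len(rows)} row(s) returned"))
    return findings


if __name__ == "__main__":
    print("concatenated :", audit(lookup_vulnerable))
    print("parameterized:", audit(lookup_parameterized))
```

An empty findings list for the parameterized lookup shows that every probe was treated as data rather than as SQL.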

XSS Payload Testing

<script>alert(document.cookie)</script>

Verify with:

curl -X POST "http://test.com/search" -d "q=<script>alert(1)</script>"

2. AI Security Testing

Adversarial Attacks on ML Models

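import numpy as np
import tensorflow as tf
from cleverhans.tf2.attacks.fast_gradient_method import fast_gradient_method

model = tf.keras.models.load_model('target_model.h5')
# Placeholder batch shaped like the model's input; replace with a real sample.
input_sample = tf.zeros((1, *model.input_shape[1:]))
# FGSM with an L-infinity perturbation budget of eps=0.1.
adv_example = fast_gradient_method(model, input_sample, eps=0.1, norm=np.inf)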

Steps:

1. Load a target ML model.

2. Generate adversarial inputs using FGSM or PGD.

3. Evaluate model misclassification.

3. Advanced Recon Techniques

Subdomain Enumeration

amass enum -d example.com -active 
subfinder -d example.com -o subdomains.txt 

Verify with HTTPX:

httpx -l subdomains.txt -status-code -title -tech-detect 

OSINT with theHarvester

theHarvester -d microsoft.com -b google,linkedin

What Undercode Say

  • Always test exploits in a controlled environment (docker pull vuln/webapp).
  • Use `Burp Suite` (burpsuite) for intercepting web traffic.
  • For AI security, check IBM Adversarial Robustness Toolbox (ART).
  • Practice Linux commands:
    grep -R "password" /var/www/  # Find hardcoded secrets
    chmod 600 /etc/shadow  # Secure sensitive files
    
  • Windows commands for security checks:
    Get-Process | Where-Object { $_.CPU -gt 90 }  # List processes with over 90 s of CPU time (possible malware)
    netstat -ano | findstr LISTENING  # Check open ports
    

Reported By: Jhaddix If – Hackers Feeds