tl;dr: Hunting Evasive Vulnerabilities

Posted on May 23, 2022

Below are some takeaways from @albinowax’s brilliant presentation at Nullcon Berlin. He explores why some vulnerabilities are evasive and gives some ideas and advice on how to dig them out. You can find the keynote here.


  • Don’t let the appearance of defences deter you from trying the attack anyway. The defences may be misconfigured in a way that nobody understands yet.
  • Seek out old or unfashionable exploit techniques and learn about them from the original research. Often, more modern content is just a diluted version.
  • “That’ll never work…” -> “That’ll never work unless…” Define the ‘unless’ as precisely as possible and try it out.
  • “That’s too obvious…” = infosec version of the bystander effect. Try it anyway; you could be lucky and find that nobody else has tried it before.
  • App-specific knowledge is highly valuable. Mining a tonne of parameters is not useful if you don’t know how the app itself works.
  • Bug bounty assets are scanned by millions of people using default settings. Flip random switches to discover something different!
  • Curiosity-powered hacking: test hypotheses, ask questions and iterate. Make asking questions cheap. Build on your existing knowledge and assumptions, and be ready for them to be completely overturned.

And the csv injection payload he shared:
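CSV injection works by getting a spreadsheet to evaluate an exported cell as a formula instead of displaying it as text. As an added example that is neither from the talk nor from this post, here is the defensive side: a small Python sanitizer that defuses formula triggers before an export reaches a spreadsheet. The function names (`looks_like_formula`, `neutralize_cell`, `rows_to_csv`), the numeric exemption and the sample rows are my own assumptions, not anything from the keynote.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications (Excel, LibreOffice, Google Sheets)
# treat as the start of a formula, or that can break a value out of its cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")

# Design choice (assumption): plain numbers such as "-5" or "+3.14" are left alone
# so that numeric columns stay numeric after export.
_NUMERIC = re.compile(r"^[+-]?\d+(\.\d+)?$")


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell rather than show it."""
    if not value:
        return False
    if _NUMERIC.match(value):
        return False
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Return the cell text with any formula trigger defused.

    Non-string values are converted with str(). A leading single quote makes
    spreadsheet applications treat the whole cell as literal text.
    """
    text = "" if value is None else str(value)
    if looks_like_formula(text):
        return "'" + text
    return text


def rows_to_csv(rows) -> str:
    """Serialise rows of cells to CSV.

    Every cell is neutralised and every field is quoted, so embedded commas,
    quotes and newlines cannot create new cells or rows on import.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample rows: a user-controlled "user" column as it might arrive from a form.
SAMPLE_ROWS = [
    ["user", "balance", "note"],
    ["alice", -5, "paid"],
    ["=SUM(A1:A2)", 10, "formula-shaped input"],
    ["@bob", 0, "starts with @"],
    ['x", "y', 1, "embedded quote and comma"],
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS))
```

The single-quote prefix is the widely used text marker for spreadsheet imports; tools that do not treat it as a marker will display the quote literally, which is the usual trade-off of this mitigation. Quoting every field with `csv.QUOTE_ALL` is what stops a value containing a delimiter or newline from escaping its cell, and the numeric exemption keeps ordinary negative balances from being turned into text.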


Possible future project

A note I made to myself for a future project is to develop a tool that maps the popularity of vulnerabilities in the same way as the graphs shown at the 14:00 mark - it would be a decent resource for identifying vulnerabilities that have likely crept back into modern apps IMO. If you know of such a tool or would like to collaborate on developing it, get in touch!