Shattering the dark: uncovering vulnerabilities of the dark web === :::info - **Date:** Oct.29th 15:10-15:40 - **Speaker:** Takahiro_Yoshimura,Ken-ya_Yoshimura - **Category:** Bluebox - 1F HALL > The dark web is an anonymized information space -- it conceals you and your visitors -- you cannot distinguish between legitimate visitors and malicious attackers. While many hidden services employ CAPTCHAs hoping to fend off attackers, is it enough? Considering the current situation of Web application vulnerability scanners, it is fairly safe to say CAPTCHAs are marginally sufficient to ward off automated fuzzers or scanners. We don't think so -- we have created a free (as in freedom,) semi-automatic Web vulnerability scanner named Shatter. It enables pentesters to describe targets/analysises/dataflows with code, giving it ability of carrying out comprehensive scans in an automatic and repeatable manner. And it not only can detect issues but also aim to actively exploit ones to take the service over, optionally with external tools such as sqlmap, Metasploit, or custom exploitation script, making it a comprehensive and fierce Web application penetrator. In our session we will use it to breach a certain hidden service requiring CAPTCHAs, exposing some actual vulnerabilities which may lead to identity breaches. ::: ###### tags: `CODEBLUE2019`,`CODEBLUE`