Web Application Security: "Stuff Your Mother Never Told You" - Dennis Groves and Bill Pennington
Dennis Groves, Director of Internet Security Consulting, Centerstance, Inc.
Bill Pennington, Principal Consultant & Technical Program Lead for Penetration Testing & Web Application Assessments, Guardent
[ Web, Mail, DNS & Others ]
Web Application Security is of paramount interest to everyone from corporations to consumers as society moves toward an ecommerce infrastructure. The design of the HTTP protocol simply does not allow for truly secure applications to exist. The only thing you can do is minimize your potential risk.
In the course of several years' experience working in web application security, we, as well as others, have discovered an overwhelming number of ways to attack web applications. The conclusion to be drawn is that potentially any Web-accessible system is vulnerable to attack. This presentation will discuss and demonstrate some of the more pervasive security weaknesses using WhiteHat Arsenal.
Main Topics of Discussion:
Data Manipulation:
A variety of common web application vulnerabilities such as URL Manipulation, Parameter Tampering, Directory Traversal and HTTP Request Header Manipulation
Filter-Bypass Manipulation:
Defeating the security safeguards and filters using a variety of techniques. Method Switching, URL Encoded Strings, Double Hex Encoding, Long URLs, Case Sensitivity, XSS Filter-Bypass Manipulation, and Null Character Injection are possible avenues of attack.
Cross-Site Scripting:
An all too common and often misunderstood web attack. An easy-to-accomplish exploit used frequently by script kiddies and other malicious intruders.
Accompanying each attack vector, possible resolution and mitigation techniques will be discussed as well, which will help protect your web applications.
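As an added illustration (not part of the talk and not code from WhiteHat Arsenal), the following Python puts a filter that inspects the raw request path next to one that canonicalizes first, run over constructed requests using the URL-encoding, double-hex-encoding and null-character tricks named above; the web root and sample paths are assumptions made for the demo.

```python
"""Filter-bypass demo: a naive pre-decoding path filter beside a canonicalize-then-check version."""
import posixpath
from urllib.parse import unquote

WEBROOT = "/var/www/html"    # assumed document root for the demo
MAX_DECODE_ROUNDS = 3        # bound on nested percent-encoding layers we are willing to unwrap


def naive_filter(raw_path: str) -> bool:
    """Weak check: looks for a literal '../' in the raw request path. True means allowed."""
    return "../" not in raw_path


def canonicalize(raw_path: str) -> str:
    """Decode until stable, reject null bytes, then resolve the path under WEBROOT.

    Raises ValueError for input that cannot be canonicalized safely."""
    path = raw_path.split("?", 1)[0]           # the query string is not part of the file path
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)                # one layer of %xx decoding per round
        if decoded == path:
            break                              # no encoding layers left
        path = decoded
    else:
        raise ValueError("path still changing after %d decode rounds" % MAX_DECODE_ROUNDS)
    if "\x00" in path:
        raise ValueError("null byte in path")  # would truncate the name in a C-string based server
    path = path.replace("\\", "/")             # treat backslash as a separator as well
    return posixpath.normpath(posixpath.join(WEBROOT, path.lstrip("/")))


def hardened_filter(raw_path: str) -> bool:
    """Canonicalize first, then require the resolved file to stay inside WEBROOT."""
    try:
        full = canonicalize(raw_path)
    except ValueError:
        return False
    return full == WEBROOT or full.startswith(WEBROOT + "/")


# Constructed sample requests, one per bypass technique discussed above.
SAMPLES = {
    "benign":      "/images/logo.png",
    "url_encoded": "/images/..%2F..%2F..%2Fetc/passwd",
    "double_hex":  "/images/%252e%252e/%252e%252e/%252e%252e/etc/passwd",
    "null_byte":   "/images/..%2F..%2F..%2Fetc%2Fpasswd%00.png",
}


def compare_filters() -> dict:
    """Map each sample name to (naive_allows, hardened_allows)."""
    return {name: (naive_filter(p), hardened_filter(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (naive_ok, hardened_ok) in compare_filters().items():
        print(f"{name:12s} naive={naive_ok!s:5s} hardened={hardened_ok}")
```

The naive filter passes every encoded variant because it matches the bytes as received, whereas the hardened filter reaches the same decision for all of them once the path has been decoded and resolved.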
Most of the web attack demonstrations will be executed using WhiteHat Arsenal. WhiteHat Arsenal possesses a powerful suite of GUI, browser-based web security tools. These capabilities make WhiteHat Arsenal able to complete painstaking web security pen-test work considerably faster and more effectively than any of the currently available tools. Imagine employing WH Arsenal to quickly customize and execute just about any web security attack possible and having those penetration attempts logged in XML format for later reporting or analysis.
Dennis Groves is currently the Director of Internet Security Consulting for Centerstance, Inc. For the last 3 years his primary focus has been on Web Application Security. He is a founding member of the Open Web Application Project and a former Sanctum employee, where he played a key role in the development of AppScan. He has spent the last five years pen-testing high-profile websites and performing web application security testing for numerous significant ecommerce and financial companies. He is best known for having taught Jeff Moss to hack; and hopefully less known as the one who stole Jeff's 2400bps modem.
Bill Pennington is a Principal Consultant and Technical Program Lead for Penetration Testing and Web Application Assessments with Guardent. Bill has performed web application assessments for over three years in a variety of industry verticals including financial services, eCommerce, and biotechnology. Bill has six years of professional experience in information security and eleven in information technology. He is familiar with Linux, Solaris, Windows, and OpenBSD, and is a Certified Information Security Systems Practitioner and Certified Cisco Network Administrator (CCNA). He has broad experience in web application security, penetration testing, computer forensics and intrusion detection systems. Bill also contributed several chapters to "Hacker's Challenge: Test Your Incident Response Skills Using 20 Scenarios".
Black Hat - USA - 2002