Bio: Abraham Aranguren

After an infosec honours mark at university, from 2000 until 2007 Abraham's contact with security was mostly from a defensive point of view: fixing vulnerabilities, source code reviews and later on trying to prevent vulnerabilities at the design level as an application and framework architect.
From 2007 forward Abraham focused more on the offensive side of security with special focus on web app security.
Abraham also holds a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.
Presentation topic: Legal and efficient Web app testing without permission

Presentation language: English

An OWASP-focused walk-through of passive and semi-passive techniques to assess Web app security, and how those techniques have been included in OWTF.
The Offensive (Web, etc) Testing Framework (aka OWTF) is a free and open-source OWASP+PTES-focused tool. Its objective is to unite great tools and make pen testing more efficient. Full details are available at http://owtf.org.
This talk will be a highly practical walk-through for the items in the OWASP Testing Guide that can be at least partially tested for security without permission and also how those tests have been incorporated into OWTF for efficient testing and verification. From a defensive perspective this talk may also be useful to learn how criminals may analyse our systems without us noticing.
The purpose of this talk is to show how to partially test a website for security, legally and responsibly, before permission is even given. This may be useful in a number of situations, such as when short timeframes are given to test a web application, or when the pentester is willing to go the extra mile and do as much work as possible in advance. By applying these techniques, pen testers will have the best chance to get in and will only need the test window for active testing and exploitation (i.e. when permission is really needed).
The techniques described will be mapped to well-defined OWASP Testing Guide items. This talk will be highly practical, and real examples from the field will be shown for most if not all techniques. The purpose is to show just how much can be done almost without touching a website, in the hope of increasing awareness and perhaps giving some pen testers new ideas or perspectives on how a web app pen test can be carried out in practice.