Legal and Efficient Web App Testing Without Permission

March 21, 2012 (at 2:30 p.m.) in Attacks & Research

This talk will be a highly practical walk-through of the items in the OWASP Testing Guide that can be at least partially tested for security without permission, and of how those tests have been incorporated into the Offensive (Web and more) Testing Framework (owtf) for efficient testing and verification. A before-and-after comparison will be shown so that the audience can see the difference between silent testing using traditional means and testing the same items with owtf. The talk will include an owtf demo focused on silent testing.

The purpose of this talk is to show how to partially test a website for security, legally and responsibly, before permission is even given. This may be useful in a number of situations, such as when short timeframes are given to test a web application, or when the pentester is willing to go the extra mile and do as much work as possible in advance in order to have the best chance of getting in, reserving the test window for active testing and exploitation only (i.e. the work for which permission is really needed). The techniques described will be mapped to well-defined OWASP Testing Guide items. The talk will be highly practical, and real examples from the field will be shown for most if not all techniques. The aim is to show just how much can be done while barely touching a website, in the hope of increasing awareness and perhaps providing some pen testers with new ideas or perspectives on how a web app pen test can be carried out in practice.

Although the talk will be mostly focused on web app testing, there will be a brief practical discussion of the often disregarded overlap between web app security and network security.

Abraham Aranguren

After an infosec honour mark at university, from 2000 until 2007 Abraham’s contact with security was mostly from a defensive point of view: fixing vulnerabilities, source code reviews and vulnerability prevention at the design level as an application and framework architect. From 2007 onward Abraham focused more on the offensive side of security, with a special focus on web app security. In his spare time Abraham is the lead developer/architect of <a href="http://owtf.org">OWTF</a>, an independent security consultant, a GIAC exam question writer and a <a href="http://7-a.org">security blogger</a>. Abraham also holds a number of information security certifications: CISSP, OSCP, GWEB, OSWP, CPTS, CEH, MCSE:Security, MCSA:Security, Security+.

Twitter: <a href="https://twitter.com/#!/7a_" target="_blank">@7a_</a> Blog: <a href="http://blog.7-a.org/" target="_blank">blog.7-a.org</a>