The Diviner Digital Clairvoyance Breakthrough Gaining Access to the Source Code & Server Side Memory Structure of ANY Application presented at ZeroNights 2012

by Shay Chen,

Tags: Reverse Engineering Web Security Blackbox Testing

Summary : "The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
Since vulnerabilities that disclose source code are not always available, we were lead to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be but not anymore.
Divination Attacks, a new breed of information gathering attacks, provide the means to predict the structure of the memory and source code of application components, using black box techniques with unparalleled accuracy.
These techniques were implemented in Diviner a new OWASP ZAP extension, which can be used to locate leads for direct and indirect vulnerabilities, and can also enable testers to fingerprint fragments of the server-side source code and visualize the structure of the server memory, thus, enhancing the tester's decision making process and enabling him to properly invest his time and efforts."