Path X: Explosive Security Testing Tools Using XPath presented at ShmooCon 2008

by Andre Gironda, Marcin Wielgoszewski, Tom Stracener

Tags: Security Testing

Summary: This talk will cover what XPath is, how it is used to parse XML in web applications in order to aid security testing tools, and why XPath expressions are good locators in comparison to other methods such as DOM or CSS selectors. The presenters will attempt to demonstrate how XPath can be used for good instead of being targeted with injection or blind XPath injection attacks.
The TS/SCI Security team members Andre Gironda and Marcin Wielgoszewski bring you current and highly relevant information on attacking and defending modern applications with only the best security tools. Andre has worked for a number of companies in security roles, including labs deep within Cisco Systems and many years at a major online auction site. Marcin is a recent graduate in Network Security entering the world of application assessments.
Bio - Andre Gironda
Andre is a prominent member of the TS/SCI Security team. His recent contributions include the OWASP Evaluation And Certification Criteria and speaking engagements on topics ranging from security in the SDLC to problems with trusting the same-origin policy. Andre has worked for a number of companies in security-qa-developer or network testing roles, including labs deep within Cisco Systems and many years in an operations role at a major online auction site.
Bio - Marcin Wielgoszewski
Marcin founded back in 2006, a team of researchers interested in web application security, trusted systems, software security and information security assurance. Team TSSCI applies Orange and Red book (TCSEC) concepts to modern day computer security problems. Marcin participated in ShmooCon Labs last year and in the past has worked for Fortune 50 companies and defense contractors. He is currently working as a security consultant in the New England area.
Bio - Tom Stracener
Tom has been involved in security for 10 years, and is the co-founder of nCircle Network Security. In an industry dominated by vanity and hype he tries to do real research that benefits the community. Tom has spoken at Defcon/Blackhat and over 200 major security conferences and events in the last 3 years, including RSA and CSI, you name it. His hat is white. He is also the co-founder of the ORB Group. Tom is currently working for Cenzic Inc. as the Sr. Security Analyst.