Legal and Efficient Web App Testing Without Permission presented at TROOPERS 2012

by Abraham Aranguren

Tags: Security

Summary: This talk will be a highly practical walk-through of the items in the OWASP Testing Guide that can be at least partially tested for security without permission, and of how those tests have been incorporated into the Offensive (Web and more) Testing Framework (owtf) for efficient testing and verification. A before-and-after comparison will be shown so that the audience can see the difference between silent testing using traditional means and testing the same items with owtf. The talk will include an owtf demo focused on silent testing.
The purpose of this talk is to show how to partially test a website for security, legally and responsibly, before permission is even given. This may be useful in a number of situations, such as when short timeframes are given to test a web application, or when the pentester is willing to go the extra mile and do as much work as possible in advance in order to have the best chance of getting in, reserving the test window for active testing and exploitation only (i.e. the part for which permission is really needed). The techniques described will be mapped to well-defined OWASP Testing Guide items. This talk will be highly practical, and real examples from the field will be shown for most if not all techniques. The purpose of this talk is to show just how much can be done while barely touching a website, in the hope of increasing awareness and perhaps providing some pen testers with new ideas or perspectives on how a web app pen test can be carried out in practice.
Although the talk will be mostly focused on web app testing, there will be a brief practical discussion of the often disregarded overlap between web app security and network security.