Speaking at VERIFY 2006

I’ll be speaking at VERIFY 2006, which presents “real world testing solutions — presented by practitioners with edge of technology hands-on testing experience.”

I’m presenting: **Hands-on with Free Web Security Testing Tools**. Read on for my agenda.

The agenda should go something like this:

Anatomy of HTTP

  • Requests
  • Responses
  • Encodings, etc.
  • Methods: GET/POST, etc.
  • Proxying (e.g. how it works)

Testing Methods

  • Spidering
  • Probing for likely defaults (e.g., /admin/)
  • Bypassing client-side checks (e.g., JavaScript)

Anatomy of Weaknesses

  • JavaScript Injection
      • Why it’s bad
      • How to test for it
      • How to automate tests for it
  • SQL Injection
      • Why it’s bad
      • How to test for it
      • How to automate tests for it

Tools

  • Nikto
      • Spidering
      • Probing systems that require authentication, SSL, etc.
      • Sorting out false positives
      • Interpreting true positives
  • TamperData (Firefox Plugin)
  • Curl
      • GETting a page
      • GETting just the headers
      • POSTing a form automatically
  • Scripting
      • Perl’s Libwww
          • Making basic requests
          • Automating tests
  • OpenSSL s_client
      • Testing supported SSL algorithms

The Hacker Instinct

  • Spotting things that “smell” bad
  • Common mistakes that can be exploited
  • 5 tests that get you the most bang for your buck