UPDATE: I will update this blog post with links to the video when available
NOTE: Remember there is a Download option in slideshare :).
“That was the best description of why cross domain policy is bad I’ve ever heard” – Full props to Robin Wood for those kind words re this talk!
There are three versions of “Legal and efficient web app testing without permission”:
1) Troopers12 – Heidelberg (Germany) – 1h talk – 129 slides, no demos, video here soon
2) HackPra – Ruhr University, Bochum (Germany) – 1h talk – 129 slides (same) + 1h of live demos, video here!
This was the only talk where I showed demos of the aux plugins (for spear phishing, etc). This was possibly the best talk because of the extra time, live demos with audience interaction and many great questions.
I truly believe the HackPra talk publishing format is even better than the one in the BlackHat Briefings. UPDATE: Except in the link above :). I meant this format!
3) BSides London – London (UK) – 1h talk using 125 slides (4 removed for time) + 3 demos here (subset from HackPra), video here!
4) CONFidence – Kraków (Poland) – 1h talk using 125 slides (4 removed for time) + 3 demos here (subset from HackPra), video here soon
NOTE: At BSides London, right after me was Sandro Gauci presenting “Escalating privileges on common webapps”. This was the perfect continuation to my talk to “finish the job off” ;). Sandro published the source code here and the video and slides here. Please send him pull requests, this is an awesome project!
“Legal and efficient web app testing without permission” tried to:
– Draw attention to the HTML filter challenge so that you hack it and let me know 🙂
– Improve Silent web app testing by example, increasing coverage and focus on the 100% legitimate stuff
– Cover the basics of OWTF in the same talk
– Briefly cover almost 50% of the OWASP Testing guide + Clickjacking + CORS
– Allow the audience to get something out of the talk regardless of skill level: by using real-world examples I hope I made this accessible not only to pen testers but also to developers, etc.
– Provide something practical and useful that is easy to apply
– Explain the disadvantage security testers have and how to get around it without breaking the law
– Briefly explain the powerful concepts of “analysis in parallel”, “chess-like priority analysis” and using the OWASP Testing guide as a checklist
– Increase awareness: Your site can be tested without you seeing anything and this talk can be used as evidence of that 🙂
If you attended or watched any of the talks I would really appreciate it if you could take the time to provide feedback, including negative feedback :).
Thanks for the kind words, great conferences and support!