Thursday, October 25 • 3:00pm - 3:45pm
The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension)



Information disclosure has always been a boon to hackers.
 
The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
 
Since vulnerabilities that disclose source code are not always available, we were led to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.
 
Divination Attacks, a new breed of information gathering attacks, provide the means to identify the memory structure and source code of application components, using black box techniques with unparalleled accuracy.
 
What is that useful for?  
 
Consider the methods that are required to detect the following complex exposures:
 
SQL Injection attacks that affect different pages in the application indirectly, via stored database values or session attributes, and require the vulnerable page to be accessed through abnormal combinations of authentication, deliberate exceptions, and missing information.
 
Sounds confusing?
 
Talented or lucky testers might be able to detect these complex exposures in a limited scope, but have you ever heard of an automated vulnerability scanner, a passive security scanner, or any other black-box tool that can detect these "indirect" attacks with minimal user intervention?
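The "indirect" SQL injection described above is what is usually called a second-order injection: the payload is stored safely by one page and only becomes a query fragment when a different page reuses the stored value. The following is an added example to illustrate that class of bug; it is not code from the talk or from the Diviner extension, and the two-page application, the in-memory SQLite schema and the sample rows are all constructed here for the demonstration.

```python
"""Second-order (indirect) SQL injection, demonstrated on a constructed two-page app.

Page 1 (register) is parameterized, so a scanner testing it in isolation finds nothing.
Page 2 (my_notes_vulnerable) trusts the value it reads back from the database and
concatenates it into a query, which is where the stored payload fires.
"""
import sqlite3

# Constructed attacker input: harmless on insertion, a WHERE-clause tautology on reuse.
PAYLOAD_USERNAME = "x' OR '1'='1"


def setup_db():
    """Constructed in-memory schema standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        INSERT INTO users (username, is_admin) VALUES ('alice', 1), ('bob', 0);
        INSERT INTO notes (owner, body) VALUES ('alice', 'alice secret'), ('bob', 'bob note');
        """
    )
    return db


def register(db, username):
    """Page 1: registration. Correctly parameterized; the hostile string is stored
    verbatim, so nothing observable happens at this step. Returns the new user id."""
    cur = db.execute("INSERT INTO users (username, is_admin) VALUES (?, 0)", (username,))
    db.commit()
    return cur.lastrowid


def stored_username(db, user_id):
    """Both versions of page 2 start by reading the username back from the database
    (in a real app this could equally be a session attribute populated at login)."""
    (username,) = db.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
    return username


def my_notes_vulnerable(db, user_id):
    """Page 2, vulnerable: the value came from our own database, so the developer
    treated it as trusted and built the query by string formatting."""
    username = stored_username(db, user_id)
    query = f"SELECT body FROM notes WHERE owner = '{username}' ORDER BY id"
    return [row[0] for row in db.execute(query)]


def my_notes_safe(db, user_id):
    """Page 2, hardened: the same lookup, but the stored value is bound as a parameter
    regardless of where it came from."""
    username = stored_username(db, user_id)
    return [row[0] for row in db.execute(
        "SELECT body FROM notes WHERE owner = ? ORDER BY id", (username,)
    )]


def demo():
    """Run the two-step attack against both versions of page 2.

    Returns (vulnerable_result, safe_result) for the attacker's account."""
    db = setup_db()
    attacker_id = register(db, PAYLOAD_USERNAME)  # step 1: store the payload
    leaked = my_notes_vulnerable(db, attacker_id)  # step 2: every user's notes come back
    contained = my_notes_safe(db, attacker_id)     # hardened page: attacker owns no notes
    return leaked, contained


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable page returned:", vulnerable)
    print("hardened page returned:  ", safe)
```

The point for a tester is that neither request looks injectable on its own: the registration request is parameterized, and the notes page takes no attacker-controlled parameter at all beyond the session. Only the combination (register with the payload, then log in as that user and view the notes page) exposes the fault, which is why single-request scanners miss it and why the talk argues for tools that track how values flow between pages.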
 
"Diviner" - a new OWASP ZAP extension, can be used to locate leads for direct and indirect attack scenarios on a consistent basis, and can also enable testers to fingerprint server-side source code fragments and visualize the structure of the server memory and inter-page processes, thus enhancing the tester's decision making process and enabling them to properly invest their time and efforts.


Speakers

Shay Chen

CEO, Effective Security
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC.

He has over twelve years in information technology and security, a strong background in software development, and a stream of previously published vulnerabilities, attack vectors, benchmarks and hacking methodologies.

Shay is...


Thursday October 25, 2012 3:00pm - 3:45pm
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704
