Loading…
AppSecUSA 2012 has ended
Back To Schedule
Thursday, October 25 • 3:00pm - 3:45pm
The Diviner - Digital Clairvoyance Breakthrough - Gaining Access to the Source Code & Server Side Memory Structure of ANY Application (OWASP ZAP extension)

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!


Information disclosure has always been a boon to hackers.
 
The Crown Jewel of information disclosure, source code disclosure, is arguably the most significant information an attacker can obtain, and can be used to expose potential code-level vulnerabilities, logic, and hard coded information.
 
Since vulnerabilities that disclose source code are not always available, we were lead to believe that the concept of security by obscurity can provide some level of protection, as fragile as it may be… but not anymore.
 
Divination Attacks, a new breed of information gathering attacks, provide the means to identify the memory structure and source code of application components, using black box techniques with unparalleled accuracy.
 
What is that useful for?  
 
Consider the methods that are required to detect the following complex exposures:
 
SQL Injection attacks that affects different pages in the application via database values or session attributes, and require the vulnerable page to be accessed through abnormal combinations of authentication, deliberate exceptions, and missing information.
 
Sounds confusing?
 
Talented or lucky testers might be able to detect these complex exposures in a limited scope, but have you ever heard of an automated vulnerability scanner, a passive security scanner, or any other black-box tool that can detect these "indirect" attacks with minimal user interference?
 
"Diviner" - a new OWASP ZAP extension, can be used to locate leads for direct and indirect attacks scenarios on a consistent basis, and can also enable testers to fingerprint server-side source code fragments and visualize the structure of the server memory and inter-page processes, thus, enhancing the tester's decision making process and enabling him to properly invest his time and efforts.


Speakers
avatar for Shay Chen

Shay Chen

CEO, Effective Security
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. He has over twelve years in information technology and security, a strong... Read More →


Thursday October 25, 2012 3:00pm - 3:45pm CDT
Adobe Room - Texas Ballroom I Hyatt Regency Austin, 208 Barton Springs Road, Austin, TX, 78704

Attendees (0)