A new look into web application reconnaissance

•

1 like•989 views

Presentation by Jurgens van der Merwe at ZaCon 2 in 2010. This presentation is about Selenium, a browser automation framework and its applications in web reconnaissance. Examples of using Selenium with facebook are discussed.

Technology

  Jurgens
van
der
Merwe
(jurgens@sensepost.com)

  Junior
analyst
with
SensePost

  Interests:

  Information
Security

  Innovative
Technologies

  Music

  Skateboarding

  etc

Purpose

Interface

Speed

Value

Attack
surface

Complexity

  Browser
Automation
Framework

for
Testing
Web
Applications

  Consists
of
3
parts
:

  Selenium
IDE

  Selenium
Remote
Control

  Selenium
Grid

  For
this
talk
we
will
focus
on

the
core
library
and
functionality

of
Selenium
Framework

  Automation

  The
ability
to
trigger
sequential
events
without
the
need
of

manual
interaction

  Harvesting

  The
ability
to
gather
large
datasets
of
common
objects

over
a
period
of
time

  Extraction

  The
ability
to
extract
key
elements
from
an
entity
in
order

to
obtain
valuable

information
regarding
a
speciﬁc
target

Over
700
billion
minutes
a
month
=

19865
lifetimes

  Behind
the
‘Sannie’
experiment

  Purpose

  Showing
that
bots
can
act
like
humans
too.

  Goal

  Following
logical
pathways
to
mimic
human
interaction.

  Demo

  The
mass
friendship
harvest

  Purpose

  Harvest
user
relationships

  Goal

  Determining
the
theory
behind:

 
{
friends
of
a
friend,
of
a
friend,
of
a
friend,
of
a
friend,
of
a

friend,
of
a
friend,
of
a
friend,
of
a
friend,
of
a
friend….
}

  The
Facebook
Proﬁler

  Purpose

  Creating
my
own
personal
address
book

  Goal

  Extracting
user
information
from
facebook
proﬁles

  Demo

  Web
Simulator

  Supports
various
browsers
like

  Mozilla
Firefox

  Google
Chrome

  Opera

  Safari

  Internet
Explorer

  Interacts
with
the
Document
Object
Model
(DOM)

  Latency!!!

  Super
fast
ZA
internet.

  Having
to
wait
for
the
web
element
to
be
completely

constructed
within
the
DOM.

  Complexity
of
the
application

  Understanding
the
logic
behind
the
application.

  Selenium
is
a
cool
technology
for
interacting
with
any

Web
2.0
application.

  Impersonates
human-‐like
interaction
with
a
web

application
by
following
logical
paths.

  Ability
to
rely
on
the
browser’s
DOM
rather
than
the

source
of
a
web
page
when
extracting
information.

 
Allow
you
to
actually
see
the
browser
execute
your
code

and
navigate
through
the
targeted
application.

  The
ability
to
test
the
functionality
of
the
web

application
through
various
browsers.

???????????????????????????????????????????????????????

Questions

???????????????????????????????????????????????????????

What's hot

3d passwordAbinaya Sathya

3D-PASSWORD SEMINeeraj Kumar Tiwari

3D PASSWORD SEMINARKarishma Khan

Defenses against large scale online password guessing attackserneelkamal

Graphical Based Authentication (S3PAS)Ketan Patil

3D PasswordShubham Rungta

3d passwordAbhirami P S

Defence against large scale online guessing attacks using persuasive cued cli...Ayisha M Kalburgi

3D-Password Devyani Vaidya

Authentication scheme for session password using Images and colorNitesh Kumar

3DPassword_AakashTakaleAakash Takale

Defenses against large scale online password guessing attacksdhanyashree11

Defenses against large scale online password guessing attacks by using persu...AbhilashPasupula

Graphical passwordswapnilbirdawade

Securing online password guessing attackSaurav Sinha

Graphical Password AuthenticationAbha nandan

3D passwordanuradha srivastava

SEMINAR REPORT ON 3D PASSWORDKarishma Khan

What's hot (18)

3d password

3D-PASSWORD SEMI

3D PASSWORD SEMINAR

Defenses against large scale online password guessing attacks

Graphical Based Authentication (S3PAS)

3D Password

3d password

Defence against large scale online guessing attacks using persuasive cued cli...

3D-Password

Authentication scheme for session password using Images and color

3DPassword_AakashTakale

Defenses against large scale online password guessing attacks

Defenses against large scale online password guessing attacks by using persu...

Graphical password

Securing online password guessing attack

Graphical Password Authentication

3D password

SEMINAR REPORT ON 3D PASSWORD

Viewers also liked

Threats to machine cloudsSensePost

Putting the tea back into cyber terrorismSensePost

Sensepost assessment automationSensePost

Denial of services : limiting the threatSensePost

Web 2.0 security woesSensePost

It's all about the timingSensePost

Attacks and DefencesSensePost

A Brave New WorldSensePost

State of the information security nationSensePost

Viewers also liked (9)

Threats to machine clouds

Putting the tea back into cyber terrorism

Sensepost assessment automation

Denial of services : limiting the threat

Web 2.0 security woes

It's all about the timing

Attacks and Defences

A Brave New World

State of the information security nation

Similar to A new look into web application reconnaissance

2010 za con_jurgens_van_der_merweJohan Klerk

Computer science department - a four page presentationmohamedsamyali

Manoj_cvManoj Mariappan

Data Visualizations in Cyber Security: Still Home of the WOPR?Matthew Park

The Impact of Emerging Technology on Digital TransformationRichard Esplin

Invited Talk - Cyber Security and Open Sourcehack33

Intro2 malwareanalysisshortVincent Ohprecio

Stuxnet redux. malware attribution & lessons learnedYury Chemerkin

Ask me anything:A Conversational Interface to Augment Information Security w...Matthew Park

Web 3.0: The Upcoming RevolutionNitin Godawat

The Semantic Knowledge GraphTrey Grainger

Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackAlistair Gillespie

Ett 590 - Virtual WorldsAline Click

.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...NETFest

Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...Fwdays

2019 04-13 ai for .net developers (fwdays)Oleksandr Krakovetskyi

AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan

Infinitytech NewShashwat Shriparv

Artificial intelligence and its applicationMohammed Abdel Razek

Security in the age of Artificial IntelligenceFaction XYZ

Similar to A new look into web application reconnaissance (20)

2010 za con_jurgens_van_der_merwe

Computer science department - a four page presentation

Manoj_cv

Data Visualizations in Cyber Security: Still Home of the WOPR?

The Impact of Emerging Technology on Digital Transformation

Invited Talk - Cyber Security and Open Source

Intro2 malwareanalysisshort

Stuxnet redux. malware attribution & lessons learned

Ask me anything:A Conversational Interface to Augment Information Security w...

Web 3.0: The Upcoming Revolution

The Semantic Knowledge Graph

Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack

Ett 590 - Virtual Worlds

.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...

Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...

2019 04-13 ai for .net developers (fwdays)

AI Security : Machine Learning, Deep Learning and Computer Vision Security

Infinitytech New

Artificial intelligence and its application

Security in the age of Artificial Intelligence

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brandgvaughan

Bluetooth Controlled Car with Arduino.pdfngoud9212

My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer

Install Stable Diffusion in windows machinePadma Pradeep

SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero

Vulnerability_Management_GRC_by Sohang Sengupta.pptxnull - The Open Security Community

Artificial intelligence in the post-deep learning eraDeakin University

Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren

SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren

"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski

Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK

Pigging Solutions in Pet Food ManufacturingPigging Solutions

Build your next Gen AI Breakthrough - April 2024Neo4j

Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies

costume and set research powerpoint presentationphoebematthew05

DMCC Future of Trade Web3 - Special EditionDubai Multi Commodity Centre

Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand

Bluetooth Controlled Car with Arduino.pdf

My INSURER PTE LTD - Insurtech Innovation Award 2024

Install Stable Diffusion in windows machine

SIP trunking in Janus @ Kamailio World 2024

Vulnerability_Management_GRC_by Sohang Sengupta.pptx

Artificial intelligence in the post-deep learning era

Advanced Test Driven-Development @ php[tek] 2024

SQL Database Design For Developers at php[tek] 2024

"Debugging python applications inside k8s environment", Andrii Soldatenko

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...

Unblocking The Main Thread Solving ANRs and Frozen Frames

Pigging Solutions in Pet Food Manufacturing

Build your next Gen AI Breakthrough - April 2024

Benefits Of Flutter Compared To Other Frameworks

costume and set research powerpoint presentation

DMCC Future of Trade Web3 - Special Edition

Connect Wave/ connectwave Pitch Deck Presentation

Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024

A new look into web application reconnaissance

2.   Jurgens van der Merwe (jurgens@sensepost.com)   Junior analyst with SensePost   Interests:   Information Security   Innovative Technologies   Music   Skateboarding   etc

7. Purpose Interface Speed Value Attack surface Complexity

8. Purpose Interface Speed Value Attack surface Complexity

9.   Browser Automation Framework for Testing Web Applications   Consists of 3 parts :   Selenium IDE   Selenium Remote Control   Selenium Grid   For this talk we will focus on the core library and functionality of Selenium Framework

10.   Automation   The ability to trigger sequential events without the need of manual interaction   Harvesting   The ability to gather large datasets of common objects over a period of time   Extraction   The ability to extract key elements from an entity in order to obtain valuable information regarding a speciﬁc target

11. Over 700 billion minutes a month = 19865 lifetimes

12.

13.   Behind the ‘Sannie’ experiment   Purpose   Showing that bots can act like humans too.   Goal   Following logical pathways to mimic human interaction.   Demo

14.   The mass friendship harvest   Purpose   Harvest user relationships   Goal   Determining the theory behind:   { friends of a friend, of a friend, of a friend, of a friend, of a friend, of a friend, of a friend, of a friend, of a friend…. }

15.   The Facebook Proﬁler   Purpose   Creating my own personal address book   Goal   Extracting user information from facebook proﬁles   Demo

16.   Web Simulator   Supports various browsers like   Mozilla Firefox   Google Chrome   Opera   Safari   Internet Explorer   Interacts with the Document Object Model (DOM)

17.   Latency!!!   Super fast ZA internet.   Having to wait for the web element to be completely constructed within the DOM.   Complexity of the application   Understanding the logic behind the application.

18.   Selenium is a cool technology for interacting with any Web 2.0 application.   Impersonates human-‐like interaction with a web application by following logical paths.   Ability to rely on the browser’s DOM rather than the source of a web page when extracting information.   Allow you to actually see the browser execute your code and navigate through the targeted application.   The ability to test the functionality of the web application through various browsers.

19. ??????????????????????????????????????????????????????? Questions ???????????????????????????????????????????????????????

A new look into web application reconnaissance

Recommended

Recommended

More Related Content

What's hot

What's hot (18)

Viewers also liked

Viewers also liked (9)

Similar to A new look into web application reconnaissance

Similar to A new look into web application reconnaissance (20)

More from SensePost

More from SensePost (20)

Recently uploaded

Recently uploaded (20)

A new look into web application reconnaissance