Defeating The Intercepting Web Proxy

Presented at HITB Amsterdam 2013, this presentation goes into detail on why an intercepting web proxy is not always the best tool for web application security testing, and argues for moving the testing logic into the browser itself.


Defeating The Intercepting Web Proxy

  1. Defeating The Intercepting Web Proxy: A Glimpse Into the Next Generation of Web Security Tools. Wednesday, 10 April 13
  2. Who is this talk for?
  3. Why web proxies?
  4. • Proxies are basic tools. • They are general purpose. • They provide visibility of the comms.
  5. Written in Java!
  6. Buffering!
  7. Large files are no fun!
  8. No pipelining!
  9. WebSockets are a no go!
  10. Plain auth is a pain!
  11. SSL auth is a pain!
  12. Custom auth is a no!
  13. It takes time to set up!
  14. Everything is just a request and a response. No understanding of the app's purpose and function.
  15. Does it pass grandma's test for ease of use?
  16. Charles Darwin: "It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change."
  17. Innovation ended with Achilles!
  18. This is what web apps will look like in 2 years.
  19. Unreal Engine 3 is ported to asm.js.
  20. The most powerful client ever built.
  21. HTML5
  22. JavaScript
  23. NECKO, XPCOM
  24. Chrome APIs
  25. To Da Rescue
  26. Web Security Testing Reinvented
  27. • AttackAPI 2005/2006 • Technika 2006/2007 • Weaponry 2008/2009 • Websecurify Suite 2011/-
  28. Suite
  29. Websecurify vs. SaaS:
      WEBSECURIFY          | SAAS
      Runs in the browser  | Runs in the cloud
      Instant              | Queued
      Proactive            | Reactive
      Online/Offline       | Online
  30. See what they do.
  31. [Diagram: Compiler -> Code -> Code]
  32. [Diagram: Browser -> Ext. -> Code]
  33. [Diagram: Code <-> Ext. <-> Target]
  34. [Diagram: Code <-> Ext. <-> Target, with a Worker]
  35. • Ability to send requests. • Ability to intercept transactions. • Ability to access low level APIs.
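The three abilities on slide 35 are what a browser extension needs in order to take over the intercepting proxy's job. The following is an added example, not code from the talk or from the Websecurify Suite: a Manifest V2 background script that uses the Chrome `webRequest` API to tag outgoing requests, rewrite a query parameter with a probe value, and keep a transaction log that ties each response to its request. The host pattern `target.example`, the `X-Scan-Id` header, the `q` parameter and the probe string are assumptions for illustration. The header and URL logic is kept in plain functions so it can be exercised outside a browser.

```javascript
// Added example (not the talk's or Websecurify's code): intercepting HTTP
// transactions from inside the browser with chrome.webRequest instead of
// routing traffic through an external proxy.

const TAG_HEADER = 'X-Scan-Id';        // assumed tracing header, not a standard one
const TARGET = '*://target.example/*'; // assumed in-scope host pattern

// Add (or replace) a tracing header so every request the tool touches can be
// correlated with the transaction log below. Header names are case-insensitive.
function tagRequestHeaders(headers, scanId) {
  const kept = headers.filter(h => h.name.toLowerCase() !== TAG_HEADER.toLowerCase());
  kept.push({ name: TAG_HEADER, value: scanId });
  return kept;
}

// Rewrite one query parameter, e.g. to swap a value for a probe payload.
// URL/URLSearchParams handle the encoding, so quotes and brackets are safe.
function setQueryParam(url, name, value) {
  const u = new URL(url);
  u.searchParams.set(name, value);
  return u.toString();
}

// Transaction log keyed by Chrome's requestId, so request and response are
// seen as one transaction rather than two unrelated events.
const transactions = new Map();

function recordRequest(details) {
  const entry = { url: details.url, method: details.method, type: details.type, statusCode: null };
  transactions.set(details.requestId, entry);
  return entry;
}

function recordResponse(details) {
  const entry = transactions.get(details.requestId);
  if (!entry) return null; // response for a request we never saw
  entry.statusCode = details.statusCode;
  return entry;
}

// Only wire up the listeners when running as an extension; under Node this is skipped.
if (typeof chrome !== 'undefined' && chrome.webRequest) {
  const filter = { urls: [TARGET] };

  // 'blocking' lets the listener cancel or redirect before the request leaves the browser.
  chrome.webRequest.onBeforeRequest.addListener(details => {
    recordRequest(details);
    if (details.method === 'GET' && details.type === 'xmlhttprequest') {
      const probed = setQueryParam(details.url, 'q', "'\"><probe>"); // assumed parameter and payload
      if (probed !== details.url) return { redirectUrl: probed };     // guard against a redirect loop
    }
  }, filter, ['blocking']);

  chrome.webRequest.onBeforeSendHeaders.addListener(details => ({
    requestHeaders: tagRequestHeaders(details.requestHeaders, 'scan-1')
  }), filter, ['blocking', 'requestHeaders']);

  chrome.webRequest.onCompleted.addListener(recordResponse, filter);
}
```

To load this, the extension's manifest needs `"manifest_version": 2` with `"webRequest"`, `"webRequestBlocking"` and the host pattern in `"permissions"`, and the script listed under `"background"`. Because the browser has already negotiated TLS and any client certificate or HTTP auth before these listeners run, none of the SSL, plain auth or buffering problems listed for proxies on slides 6 to 12 apply here. The caveat a practitioner should know: Manifest V3 removed blocking `webRequest` for ordinary extensions in favour of `declarativeNetRequest`, which can cancel, redirect and edit headers from static rules but cannot run arbitrary code per request, so a tool built this way is tied to MV2 or to enterprise-installed extensions.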
  36. DEMOS
  37. Building It Up
  38. BadAssProxy
  39. What is next?
  40. Q&A
