Web application security

1 Web application security

2 Web security tools that are on the web
- Goals
  - Save time
  - Build a clean interface (based on jQuery)
  - Accessible anywhere
  - Help other pen-testers
- Limitations
  - Optimized for IE for now (personal project)

5 CSRF POC Helper
- What does it do? Automates a cross-domain POST via a link: the linked page auto-submits a form that makes the cross-domain POST.
- Why? Demonstrates that CSRF via POST is just as dangerous as via GET.

6 Web Text Converter
- What does it do? Generates encoded payloads.
- Why? Save time! Accessible!
- Supported encoders:
  - Entity encoding in various bases
  - URL encoding
  - Script encoding in various bases
  - Base64 encoding
  - Obfuscated ASCII encoding
  - Regular UTF-7
  - Comprehensive UTF-7

7 Heap Spray Wizard
- What does it do? Sprays the heap with a default payload that runs calc.exe, or with shellcode you provide.
- Why? Meant to be used with AX tools. Configure how much heap memory you want to spray. Makes spraying with a working payload a one-click process.

8 Html Test Tool
- What does it do? Renders arbitrary content in the browser under an arbitrary content-type.
- Why? Different browsers treat different MIME types differently, and whether a browser sniffs the content depends on the declared content-type. See the "Flirting with MIME Types" paper by Blake Frantz (great paper). Use this to sanity-check MIME-type behavior.

9 Web Bug Tool
- What does it do? Creates a temporary web bug and records hits to the page.
- Why? Save time by reusing a web bug.

10 Online Strings
- What does it do? Extracts Unicode and ASCII strings from binary files.
- Why? Quick and accessible. Thought it was cool :-P

11
- Makes mapping a one-click operation.
- Again, it's available anywhere with web access.
- Nothing surprising, but a fun tool.
- Lesson: don't share photos taken with your phone! j/k

12 View State Decoder
- What does it do? Lets you peek inside ViewState data.
- Why? Demystifies the content of ViewState. Shows a tree view of all the property values in ViewState. Any server-side sensitive info inside? Any questionable property being stored?

13 Feel free to use it for authorized pen-testing.
- Over 20 tools (including bookmarklets)
- If you have tools you'd like to see online, please shoot me a mail.
- Thanks!