Attacking Applications

Curious about the tools and techniques involved in testing or attacking web applications? This blog entry and short video give a brief introduction to just one of the tools with an easy to follow demonstration!
I’ve been teaching for The SANS Institute for just about ten years now. In that time I’ve seen dramatic changes in the information security industry, some of which have been the direct result of the diligent efforts of SANS and the associated power of the GIAC certification.

Just as the state of information security practice has improved we’ve also seen a tremendous leap in sophistication on the apart of attackers. Techniques that used to require you to be “in the know” and that were only understood by an elite few have been embedded into easy to use point and click tools today! For instance, just a few years ago it would have required a significant level of sophistication to effectively perform a blind SQL exploit against a vulnerable application. Today there are easy to use tools with graphical interfaces that will both find the vulnerabilities and exploit them without the user really needing to know what’s happening!

One of the things that security practitioners absolutely must be able to do these days is effectively asses the security of a web application. You probably noticed, but the number of new vulnerabilities in web applications discovered daily or weekly is astounding, far outstripping the number of problems found in the more traditional places (like operating systems and services!)

To give you a quick idea of what’s involved we’ve prepared a short demonstration video on the use of WebScarab, a fantastic tool available at no cost from OWASP. In the video we briefly discuss how to configure the proxy, how the proxy operates, how to do some very basic injection testing and finally a quick demonstration of how to use the Session ID Analysis module. If you need more information, please feel free to contact us or SANS to investigate the training that your people need to perform effective testing using this and other tools.

You can see the rest of the demonstration by heading over to YouTube.