How To Break Web Software

Google TechTalks, April 13, 2006. Mike Andrews is a senior consultant who specializes in software security and leads the web application security assessments and Ultimate Web Hacking classes for Foundstone. ABSTRACT It all started out as a place to share physics documents, but has grown into potentially mankind's largest and most complex creation. The World Wide Web is a lot of things - a soapbox for everyone, a giant shopping mall, an application platform, and unfortunately a hacker's playground. As more applications get "web-ified" moving from the desktop or legacy systems onto the web, attackers follow the vulnerabilities. Without sophisticated tools or "1337 5x1llz", web applications are now the most attacked technology, with the majority of attacks categorized as "easily exploitable". So, before your application is placed out into one of the most hostile environments, how do you stop your software from being "0wn3d" by the 14 year old in their blacked-out bedroom, or being used by a Russian crime cartel? In this TechTalk, Mike Andrews will look at how web applications are attacked, walk through a testing framework for evaluating the security of an application and take some deep-dives into a few interesting and common vulnerabilities and how they can be exploited.