For those of you that attended the webcast yesterday (and those who didn’t) I’ve uploaded my slides to my SlideShare page. Thanks to my co-presenters Richard Stiennon and Kevin Henry for presenting some great content with me! If you’re interested Richard has posted his slides to SlideShare as well.
Tag Archives: pentesting
On Tuesday April 10th at 12pm EST, 9am PST, 5pm GMT I’ll be presenting “5 Lessons Learned From Breaking In: Confessions of a Pentester & Other Stories” during a free webinar. I’ll be talking about the five most common ways my team and I break into companies that you would think are highly secured such as energy companies and casinos. I’ll be joined by Richard Stiennon and Kevin Henry who will be discussing business process hacking and APTs. When you register you will get entered to win a full version of Netsparker Web Application Scanner (retail value of $5,950). Register for free here.
Share and Enjoy
This week I co-presented “Smart Bombs: Mobile Vulnerability and Exploitation” with John Sawyer and Kevin Johnson at OWASP AppSec DC. We talked about the some of the current problems facing mobile applications such as flaws found in the OWASP Mobile Top 10 and various privacy issues. We also talked about how you go about testing mobile applications from the application layer (HTTP) down to the transport layer (TCP) and file system. I highly recommend you take a look at John’s file system testing methodology as he takes more of a forensic approach which works really well. The takeaway from the talk is that you need to look at all these areas when testing mobile apps and mobile apps are growing area of concern from a security and privacy perspective.
One update we forgot to mention in the talk is that you should use Mallory, which is a transparent TCP and UDP proxy for testing mobile applications. This is an excellent tool created by the guys at Intrepidus Group. We’ve found that some apps will bypass proxy settings and lots of apps are sending data over binary protocols and more. Mallory is the tool you need for testing any mobile app fully!
Sorry for the long delay on posting the slides from the presentation that myself, Josh Abraham and Kevin Johnson did at Black Hat USA and DEF CON 19. I’ve uploaded the slides from DEF CON to SlideShare (you can also download a copy there as well) and below are the links to the tools and white paper. I’m currently in the process of working with OWASP to get the testing methodology put into the next version of the OWASP testing guide (v4). If you have any comments or bug reports for the tools and vulnerable web services please let Josh and Kevin know, they would appreciate it!