Category Archives: Application Security

Speaking at the SANS Mobile Device Security Summit

Filed under Apple, Application Security, Mobile Security, Penetration Testing

I’ll be presenting “Attacking and Defending Apple iOS Devices in the Enterprise” Monday, March 12 @ 10am. I’ve got a bunch of new content about iOS 5, iCloud and the latest attacks on these devices. This is the inaugural event for SANS and I’m proud to be part of it! More information can be found here at the SANS website.

Don’t Drop the SOAP: Real World Web Service Testing for Web Hackers Presentation

Filed under Application Security, Penetration Testing, Web Services

Sorry for the long delay in posting the slides from the presentation that Josh Abraham, Kevin Johnson and I did at Black Hat USA and DEF CON 19. I’ve uploaded the slides from DEF CON to SlideShare (you can also download a copy there) and below are the links to the tools and white paper. I’m currently in the process of working with OWASP to get the testing methodology put into the next version of the OWASP testing guide (v4). If you have any comments or bug reports for the tools and vulnerable web services, please let Josh and Kevin know; they would appreciate it!

Download the white paper.  Download Josh’s Metasploit modules.  Download Kevin’s vulnerable web services.

More Firefox application testing plugins: ExploitMe

Filed under Application Security

I recently wrote about some other Firefox plugins which allow you to manipulate and hack web pages. Looks like there is another set of tools called “ExploitMe” which allows for SQL injection, XSS (cross-site scripting) and web service testing. From the article:

“The ExploitMe tools — which are currently in beta form — include SQL Inject-Me, which lets you right-click on an HTML field in your Firefox browser and inject it with SQL injection payloads, and XSS-Me, which works the same way, but with XSS. The tools’ developers also plan to release Web services exploit tools as well…”

Looks like this is becoming a new trend in application testing tools. Good to see that things are using a good framework like Firefox extensions to add useful tools for testing. Note that I just did a quick search for the ExploitMe set of tools in the Firefox extensions database and it has not been released yet, as the creators will be launching these tools at the SecTor conference later this month.