OWASP meet


I spent a pleasant evening at the quarterly meet of the Leeds and North Chapter of OWASP. I've been on the mailing list for a while, but this was the first meet I've been to.

Two talks were put on; the first was a run-through of Context App Tester (CAT). In the past I've used Burp Suite for testing web apps, but I've always found it not particularly user friendly: it's got the job done, but it's been a struggle to do anything more automated. This is totally down to me wanting to get on and actually do stuff rather than reading documents or tutorials (and the one time I tried to find tutorials, they too weren't user friendly. Again, probably my fault). CAT seems to be much more intuitive: click, highlight, set as $thing_you_want_to_change, go. Some nice fuzzing features, brute force, chaining of requests (e.g. grabbing a new valid token for each request), standard SQLi. It would seem to keep state information about every request, which at any point you can send to a new tab and keep working from there. By the end of the session the CAT app seemed a little cluttered, but I might chalk this up to us being shown _everything_ during the course of the demo with no housekeeping done on the way. It is still in beta, so I might suggest some tab management as a feature request when I get round to using it in anger. The crowning glory of it though, for me, is the notepad. It's just a scratchpad, but it does all sorts of en/decoding, which will be an absolutely fantastic tool for any puzzling I do in the future, and means I can throw away the piece of shit I knocked together in Java a while back.

Big surprise at the end when we were told it's free (as in beer), and they're looking at opening some sort of API in the future so you can build your own modules to drop into it.

So I'm going to give it a bigger look over when I get time; I'll also go back and look at Burp a bit closer too :)

Second on the bill was Samy Kamkar doing his "How I met your girlfriend" talk from this year's Black Hat. Samy's talk was about four attacks, nicely chained together to pull off one big one. Some of them were very theoretical, but not nearly as hard to pull off as some other theoretical attacks I've seen; they were definitely within reach, but only if Saturn and Jupiter are aligned and unpatched. Others were stupidly easy. Samy was an entertaining speaker, and is a very good security researcher, getting to the crux of the problem quickly via a joke. The breakdown of his talk can be found here (WARNING: maths ahead!), along with the accompanying slide deck (unfortunately edited: no Britney doing maths or trolling of other InfoSec folks :sadface:, and from a quick check also missing two of the attacks... I'll see if I can find a more comprehensive set somewhere).

The next meet is in December, and in Manchester, so I don't know if I'll be able to make it. We'll see, eh?
