The topic of web application security is definitely a new topic, if we compare it for example to network security or something like cryptography, but in all of these fields it’s important to give newcomers the basics, because if they don’t have them, they’ll never become good at what they’re going to do. Let’s have a look at network security, or better said at man-in-the-middle (MITM) attacks. I would say that all security professionals today, even if they’re not specialized in network technologies, know about this kind of attack. But now have a look at web application security. Take the example of Cross-Site Scripting (XSS). In the webappsec scene everyone will know about XSS and what you can do with it, but are you sure that every network infrastructure pentester will know about it? Now I’d like to point you to a small experiment, if we can call it that. About two weeks ago, I gave a presentation at 0sec, a small security conference in Switzerland. Of course I spoke about web application security, but I asked myself: “Most of the guys (and girls) there are low-level hackers, does it really make sense to talk about my newest research and the latest attack vectors?” The answer for me was clear: the newest stuff will be the most exciting, and if less than 50% of the audience knows what you’ve talked about after your presentation, it was really cool and crazy stuff, but from my point of view it’s much more important to show people the basic possibilities we’ve got so far in hacking web technologies. Because of this, I decided to talk about the big picture of web application security instead of the latest and greatest webapp hacking stuff, and below you’ll find the short abstract for my talk:
Most of the actual vulnerabilities which security researchers and also bad guys (don’t) report every day are related to web applications. Even if this is the case, the security community hasn’t got the big picture of the security-related problems we’ve got through web applications. In this demonstration, Sven Vetsch (aka Disenchant) will show you an overview of the most important web vulnerabilities like SQLi, XSS, CSRF, Path Traversal, Session Fixation and much more. The focus of this demonstration is not to show you the latest research results in webappsec; it’s to show the big picture of this topic to the attendees.
As I already wrote before, it was some kind of an experiment, because I didn’t know if the attending security people really wanted to hear old stuff, but from my point of view it was really a success. I only got positive feedback and, as I expected, most of the attendees were low-level hackers. Unfortunately I was not allowed to disclose the source code of my demo application, which is a vulnerable social networking platform where I can simulate most of the web application related security problems we have today, and I’d also like to implement XML and AJAX security stuff. Because of this, it wasn’t that easy to show everything in a clear way, but I think the attending people got from the demonstration what I expected: the big picture of web application security.
This small story showed me that many people in the security community know about some web application security stuff but not even the basics, and at least from my point of view it makes much more sense to start with basic stuff instead of presenting state-of-the-art hacking that only a few people will understand.
PS: I would really like to create a web application security 101 video training, but I have to check some licensing stuff first, and in the worst case I’ll have to rewrite my whole demo application.