Saturday, 31 December 2011

Silent web app testing by example slides and experience

UPDATE: Just realised that Slideshare made the fonts look funny; use the "Download" option at the top to see the presentation properly as a PDF.

If you are interested you can now view and download the slides for "Silent web app testing by example" here.

I would like to take this opportunity to thank the awesome BerlinSides audience for all the kind words and support. I felt really overwhelmed by the good feedback, I almost hugged a guy when he told me something like: "I really liked your talk, it is amazing: The entry to BerlinSides is free and I am getting better talks here than in CCC". I think this was an exaggeration but thank you!!! That is motivation for the whole new year right there :).

I would also like to thank my buddy Gavin (who gave the excellent SE talk at BerlinSides) for letting me use his remote control which I believe made the presentation more natural.

Thanks also go to Aluc for having the patience to answer all my questions before and during BerlinSides :) and for paying many of the costs out of his own pocket.

The 16 owtf demos and slides will follow shortly, as will the source code release next week.

Happy new year everyone!

Friday, 2 December 2011

BruCon 2011 Lightning Talk winner slides, experience and some pics

I would like to use this opportunity to thank everybody that voted my lightning talk "Web app testing without attack traffic" as the "BruCon 2011 Lightning Talk winner".

I only had 5 minutes, so I had to take out many things I wanted to cover. For this reason, I have significantly expanded this talk (106 slides, plus good feedback from reviewers so far) and submitted it to BerlinSides.

The slides I used for BruCon are now posted here (I only changed the website URL to the new one).

I did not even know the Lightning Talks part of the conference was also a contest and was surprised you chose mine over internationally well-known speakers and many great projects and ideas that were also presented (and which I really liked myself!):

- "Metasploit shellbag information gathering module" by Jason Haddix
- "Impersonating SSL" - SSL interception tool via "plausible invalid cert" by Chris John Riley.
- "Do not fear crypto" (TYPO3 vuln walk-through) by Chris John Riley
- "Digital death - a very quick version" by Robin Wood
- "Honeymail project" to track spam by Tomasz Miklas: http://www.honeymail.net/
- "Last year it was remote, now it's local!" by Wicked Clown (on a Windows privilege escalation vuln)
- "Ostinato" (a packet capture / crafting tool) by Joke: http://code.google.com/p/ostinato/
- Joke gave another talk the following day too! (Chris John Riley and she were the only ones, I think, to give 2 talks, you rock!)
- "How (not) to pick up chicks at the BruCON Party" by Melisande
- "How to suck less at ...SQUIRRELS" by Matt Erasmus
- biosshadow presented too but I forgot the talk name, I think it was about password profiling
- "Bypassing endpoint protection" by Matt Summers
(Sorry if I forgot someone, it's been a while since September!)

From the BruCon 2011 security conference itself, I was waiting for the pictures and video to do one of my "all out, pictures or it did not happen" security conference blog posts, but unfortunately no conference pictures were published and most of the video was lost.

I will briefly say that for me, personally, the best talk/workshop of the conference was undoubtedly:
"The Web Application Hacking Toolchain" by Jason Haddix

In my opinion, many (but not all) of the other talks were too "high level"; Jason Haddix provided something practical that we can apply directly and explained his reasoning along the way. This is the kind of information sharing we need to do more of in the infosec community.

Thanks for the pic, bioshadow!

Despite what I just said, the following non-technical talk was highly inspirational to me:
"You and your research" by Haroon Meer

From the rest, one of the best was obviously Dan Kaminsky with "Black Ops of TCP/IP 2011", and also Alex Hutton with "Why Information Risk Management Is Failing, Why That Matters to Security & What You Can Do About It". You can see a picture of them enjoying a Mojito here:
Thank you to the person that tweeted this :). Was it you, Marisa?

Jimmy had an awesome T-shirt every day:
Thanks for the pic, Tomasz!

And I found everybody very approachable and nice during the 1st but also the 2nd day after-party:
Thanks for the pic, Marc!

Edit:
I was also impressed by the mobile phones talk: "Smart Phones – The Weak Link in the Security Chain" by Nick Walker and Werner Nel. This was really good research and definitely a lot of work.

There were many other great talks and I also specially liked Chris Gates and Joe McCray with "Pentesting High Security Environments" and "Abusing Locality in Shared Web Hosting" by Nick Nikiforakis.

As usual I could not physically attend everything, but from what I attended, that was the best in my opinion.

A full list of what each talk was about can be found here: http://2011.brucon.org/index.php/Content