This morning I attended a workshop hosted by Michael Sutton of SPI Dynamics. Michael is the Security Evangelist (kinda like a mix between a trainer and a sales engineer, I think…does that not sound like a cushy role?) for SPI Dynamics, and he talked about hacking web applications. I just need to mention that the blogs and labs on the SPI Dynamics site are both nice resources. The talk had about 35-40 people in attendance, about 1/3 QA, 1/3 developers, and 1/3 security people, with a couple managers and a couple of us sysadmins in attendance.
Michael opened up by talking about why web application security is important now, and then delved into describing and demoing 4 different attacks against web apps: XSS, SQL Injection, CSRF, and Ajax attacks. While this isn’t new to me, personally, I don’t think I’ve seen live demos of these attacks before, so that was a step up for me (come on, we don’t get this kind of thing in Iowa every month!). He talked about reflected and persistent XSS issues, with a demonstration of persistent XSS. Then both verbose and blind SQL injections. After a break we saw CSRF and Ajax demonstrations.
I do want to mention the tools used or mentioned. Oh wait, gosh, almost everything is done using just a browser. Of course, this means almost anyone can start picking this up and learning how to find these holes (increased risk!). Michael did mention Absinthe as a blind SQL injection automater, Live HTTP Headers (Firefox addon), FireBug (Firefox addon), and SPI Proxy (part of the commercial product WebInspect). The latter was used to intercept and change browser-server requests in Ajax pages, very cool!
He then closed out with brief looks at SPI commercial tools WebInspect and DevInspect, which really both look nice for dev and security teams to automate and standardize their testing. My only brief nitpick on the presentation was the use of AJAX as an acronym in the slides, but he did mention that it is no longer really intended as an acronym, and has been used to simply describe new web behaviors. Kudos for hating on “Web 2.0” as a term, since I hate it as well.
Nitpick aside, the workshop was well done, a decent way to spend a morning away from work, and provided good information. I’d recommend it for anyone who is not already a web application security guru who knows the above attacks and tools inside and out. And no, it had no marketing spiel or slant to it.