SlideShare a Scribd company logo

A new look into web application reconnaissance

SensePost
SensePost

Presentation by Jurgens van der Merwe at ZaCon 2 in 2010. This presentation is about Selenium, a browser automation framework and its applications in web reconnaissance. Examples of using Selenium with facebook are discussed.

Technology
1 of 19
Download to read offline
  Jurgens  van  der  Merwe  (jurgens@sensepost.com)     Junior  analyst  with  SensePost     Interests:     Information  Security       Innovative  Technologies     Music     Skateboarding     etc  
         Purpose            Interface                          Speed              Value                          Attack  surface                      Complexity  
           Purpose              Interface                          Speed            Value                                Attack  surface                      Complexity  
  Browser  Automation  Framework     for  Testing  Web  Applications     Consists  of  3  parts  :     Selenium  IDE     Selenium  Remote  Control     Selenium  Grid     For  this  talk  we  will  focus  on     the  core  library  and  functionality   of  Selenium  Framework    
  Automation     The  ability  to  trigger  sequential  events  without  the  need  of   manual  interaction     Harvesting     The  ability  to  gather  large  datasets  of  common  objects   over  a  period  of  time     Extraction     The  ability  to  extract  key  elements  from  an  entity  in  order   to  obtain  valuable    information  regarding  a  specific  target  
Over  700  billion  minutes  a  month  =    19865  lifetimes  
  Behind  the  ‘Sannie’  experiment     Purpose     Showing  that  bots  can  act  like  humans  too.     Goal     Following  logical  pathways  to  mimic  human  interaction.     Demo  
  The  mass  friendship  harvest     Purpose     Harvest  user  relationships       Goal     Determining  the  theory  behind:      {  friends  of  a  friend,  of  a  friend,  of  a  friend,  of  a  friend,  of  a   friend,  of  a  friend,  of  a  friend,  of  a  friend,  of  a  friend….  }  
  The  Facebook  Profiler     Purpose     Creating  my  own  personal  address  book     Goal     Extracting  user  information  from  facebook  profiles     Demo  
  Web  Simulator     Supports  various  browsers  like     Mozilla  Firefox       Google  Chrome     Opera     Safari     Internet  Explorer     Interacts  with  the  Document  Object  Model  (DOM)  
  Latency!!!       Super  fast  ZA  internet.     Having  to  wait  for  the  web  element  to  be  completely   constructed  within  the  DOM.     Complexity  of  the  application     Understanding  the  logic  behind  the  application.  
  Selenium  is  a  cool  technology  for  interacting  with  any   Web  2.0  application.     Impersonates  human-­‐like  interaction  with  a  web   application  by  following  logical  paths.       Ability  to  rely  on  the  browser’s  DOM  rather  than  the   source  of  a  web  page  when  extracting  information.      Allow  you  to  actually  see  the  browser  execute  your  code   and  navigate  through  the  targeted  application.     The  ability  to  test  the  functionality  of  the  web   application  through  various  browsers.  
???????????????????????????????????????????????????????   Questions   ???????????????????????????????????????????????????????  

Recommended

A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEM
A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEMA SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEM
A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEMNexgen Technology
 
Shoulder surfing resistant graphical and image based login system
Shoulder surfing resistant graphical and image based login systemShoulder surfing resistant graphical and image based login system
Shoulder surfing resistant graphical and image based login systemAkshay Surve
 
Shoulder Surfing as future technology
Shoulder Surfing as future technologyShoulder Surfing as future technology
Shoulder Surfing as future technologySatish Govindappa
 
Resume
ResumeResume
ResumeAbhishek Bhakat
 
Ml Malware Network Analytics
Ml Malware Network AnalyticsMl Malware Network Analytics
Ml Malware Network Analyticsmadhucharis
 
Mental Models, Microinteractions & More
Mental Models, Microinteractions & MoreMental Models, Microinteractions & More
Mental Models, Microinteractions & MoreAndrew Croce
 
3D PASSWORD
3D PASSWORD 3D PASSWORD
3D PASSWORD Rajashree Swain
 
3D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 13D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 1Swagato Dey
 

Recommended

A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEM
A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEMA SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEM
A SHOULDER SURFING RESISTANT GRAPHICAL AUTHENTICATION SYSTEMNexgen Technology
 
Shoulder surfing resistant graphical and image based login system
Shoulder surfing resistant graphical and image based login systemShoulder surfing resistant graphical and image based login system
Shoulder surfing resistant graphical and image based login systemAkshay Surve
 
Shoulder Surfing as future technology
Shoulder Surfing as future technologyShoulder Surfing as future technology
Shoulder Surfing as future technologySatish Govindappa
 
Resume
ResumeResume
ResumeAbhishek Bhakat
 
Ml Malware Network Analytics
Ml Malware Network AnalyticsMl Malware Network Analytics
Ml Malware Network Analyticsmadhucharis
 
Mental Models, Microinteractions & More
Mental Models, Microinteractions & MoreMental Models, Microinteractions & More
Mental Models, Microinteractions & MoreAndrew Croce
 
3D PASSWORD
3D PASSWORD 3D PASSWORD
3D PASSWORD Rajashree Swain
 
3D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 13D Password M Sc BHU Sem 1
3D Password M Sc BHU Sem 1Swagato Dey
 
3d password
3d password3d password
3d passwordAbinaya Sathya
 
3D-PASSWORD SEMI
3D-PASSWORD SEMI3D-PASSWORD SEMI
3D-PASSWORD SEMINeeraj Kumar Tiwari
 
3D PASSWORD SEMINAR
3D PASSWORD SEMINAR3D PASSWORD SEMINAR
3D PASSWORD SEMINARKarishma Khan
 
Defenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksDefenses against large scale online password guessing attacks
Defenses against large scale online password guessing attackserneelkamal
 
Graphical Based Authentication (S3PAS)
Graphical Based Authentication (S3PAS)Graphical Based Authentication (S3PAS)
Graphical Based Authentication (S3PAS)Ketan Patil
 
3D Password
3D Password3D Password
3D PasswordShubham Rungta
 
3d password
3d password3d password
3d passwordAbhirami P S
 
Defence against large scale online guessing attacks using persuasive cued cli...
Defence against large scale online guessing attacks using persuasive cued cli...Defence against large scale online guessing attacks using persuasive cued cli...
Defence against large scale online guessing attacks using persuasive cued cli...Ayisha M Kalburgi
 
3D-Password
3D-Password 3D-Password
3D-Password Devyani Vaidya
 
Authentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorAuthentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorNitesh Kumar
 
3DPassword_AakashTakale
3DPassword_AakashTakale3DPassword_AakashTakale
3DPassword_AakashTakaleAakash Takale
 
Defenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksDefenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksdhanyashree11
 
Defenses against large scale online password guessing attacks by using persu...
Defenses against large scale online password guessing attacks by using persu...Defenses against large scale online password guessing attacks by using persu...
Defenses against large scale online password guessing attacks by using persu...AbhilashPasupula
 
Graphical password
Graphical passwordGraphical password
Graphical passwordswapnilbirdawade
 
Securing online password guessing attack
Securing online password guessing attackSecuring online password guessing attack
Securing online password guessing attackSaurav Sinha
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password AuthenticationAbha nandan
 
3D password
3D password3D password
3D passwordanuradha srivastava
 
SEMINAR REPORT ON 3D PASSWORD
SEMINAR REPORT ON 3D PASSWORDSEMINAR REPORT ON 3D PASSWORD
SEMINAR REPORT ON 3D PASSWORDKarishma Khan
 
Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine cloudsSensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorismSensePost
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threatSensePost
 

More Related Content

What's hot

Defenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksDefenses against large scale online password guessing attacks
Defenses against large scale online password guessing attackserneelkamal
 
Graphical Based Authentication (S3PAS)
Graphical Based Authentication (S3PAS)Graphical Based Authentication (S3PAS)
Graphical Based Authentication (S3PAS)Ketan Patil
 
Defence against large scale online guessing attacks using persuasive cued cli...
Defence against large scale online guessing attacks using persuasive cued cli...Defence against large scale online guessing attacks using persuasive cued cli...
Defence against large scale online guessing attacks using persuasive cued cli...Ayisha M Kalburgi
 
Authentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorAuthentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorNitesh Kumar
 
3DPassword_AakashTakale
3DPassword_AakashTakale3DPassword_AakashTakale
3DPassword_AakashTakaleAakash Takale
 
Defenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksDefenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksdhanyashree11
 
Defenses against large scale online password guessing attacks by using persu...
Defenses against large scale online password guessing attacks by using persu...Defenses against large scale online password guessing attacks by using persu...
Defenses against large scale online password guessing attacks by using persu...AbhilashPasupula
 
Securing online password guessing attack
Securing online password guessing attackSecuring online password guessing attack
Securing online password guessing attackSaurav Sinha
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password AuthenticationAbha nandan
 
SEMINAR REPORT ON 3D PASSWORD
SEMINAR REPORT ON 3D PASSWORDSEMINAR REPORT ON 3D PASSWORD
SEMINAR REPORT ON 3D PASSWORDKarishma Khan
 

What's hot (18)

3d password
3d password3d password
3d password
 
3D-PASSWORD SEMI
3D-PASSWORD SEMI3D-PASSWORD SEMI
3D-PASSWORD SEMI
 
3D PASSWORD SEMINAR
3D PASSWORD SEMINAR3D PASSWORD SEMINAR
3D PASSWORD SEMINAR
 
Defenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksDefenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacks
 
Graphical Based Authentication (S3PAS)
Graphical Based Authentication (S3PAS)Graphical Based Authentication (S3PAS)
Graphical Based Authentication (S3PAS)
 
3D Password
3D Password3D Password
3D Password
 
3d password
3d password3d password
3d password
 
Defence against large scale online guessing attacks using persuasive cued cli...
Defence against large scale online guessing attacks using persuasive cued cli...Defence against large scale online guessing attacks using persuasive cued cli...
Defence against large scale online guessing attacks using persuasive cued cli...
 
3D-Password
3D-Password 3D-Password
3D-Password
 
Authentication scheme for session password using Images and color
Authentication scheme for session password using Images and colorAuthentication scheme for session password using Images and color
Authentication scheme for session password using Images and color
 
3DPassword_AakashTakale
3DPassword_AakashTakale3DPassword_AakashTakale
3DPassword_AakashTakale
 
Defenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacksDefenses against large scale online password guessing attacks
Defenses against large scale online password guessing attacks
 
Defenses against large scale online password guessing attacks by using persu...
Defenses against large scale online password guessing attacks by using persu...Defenses against large scale online password guessing attacks by using persu...
Defenses against large scale online password guessing attacks by using persu...
 
Graphical password
Graphical passwordGraphical password
Graphical password
 
Securing online password guessing attack
Securing online password guessing attackSecuring online password guessing attack
Securing online password guessing attack
 
Graphical Password Authentication
Graphical Password AuthenticationGraphical Password Authentication
Graphical Password Authentication
 
3D password
3D password3D password
3D password
 
SEMINAR REPORT ON 3D PASSWORD
SEMINAR REPORT ON 3D PASSWORDSEMINAR REPORT ON 3D PASSWORD
SEMINAR REPORT ON 3D PASSWORD
 

Viewers also liked

Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine cloudsSensePost
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorismSensePost
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automationSensePost
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threatSensePost
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woesSensePost
 
It's all about the timing
It's all about the timingIt's all about the timing
It's all about the timingSensePost
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and DefencesSensePost
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New WorldSensePost
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nationSensePost
 

Viewers also liked (9)

Threats to machine clouds
Threats to machine cloudsThreats to machine clouds
Threats to machine clouds
 
Putting the tea back into cyber terrorism
Putting the tea back into cyber terrorismPutting the tea back into cyber terrorism
Putting the tea back into cyber terrorism
 
Sensepost assessment automation
Sensepost assessment automationSensepost assessment automation
Sensepost assessment automation
 
Denial of services : limiting the threat
Denial of services : limiting the threatDenial of services : limiting the threat
Denial of services : limiting the threat
 
Web 2.0 security woes
Web 2.0 security woesWeb 2.0 security woes
Web 2.0 security woes
 
It's all about the timing
It's all about the timingIt's all about the timing
It's all about the timing
 
Attacks and Defences
Attacks and DefencesAttacks and Defences
Attacks and Defences
 
A Brave New World
A Brave New WorldA Brave New World
A Brave New World
 
State of the information security nation
State of the information security nationState of the information security nation
State of the information security nation
 

Similar to A new look into web application reconnaissance

2010 za con_jurgens_van_der_merwe
2010 za con_jurgens_van_der_merwe2010 za con_jurgens_van_der_merwe
2010 za con_jurgens_van_der_merweJohan Klerk
 
Computer science department - a four page presentation
Computer science department - a four page presentationComputer science department - a four page presentation
Computer science department - a four page presentationmohamedsamyali
 
Data Visualizations in Cyber Security: Still Home of the WOPR?
Data Visualizations in Cyber Security: Still Home of the WOPR?Data Visualizations in Cyber Security: Still Home of the WOPR?
Data Visualizations in Cyber Security: Still Home of the WOPR?Matthew Park
 
The Impact of Emerging Technology on Digital Transformation
The Impact of Emerging Technology on Digital TransformationThe Impact of Emerging Technology on Digital Transformation
The Impact of Emerging Technology on Digital TransformationRichard Esplin
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Sourcehack33
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshortVincent Ohprecio
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Matthew Park
 
Web 3.0: The Upcoming Revolution
Web 3.0: The Upcoming RevolutionWeb 3.0: The Upcoming Revolution
Web 3.0: The Upcoming RevolutionNitin Godawat
 
The Semantic Knowledge Graph
The Semantic Knowledge GraphThe Semantic Knowledge Graph
The Semantic Knowledge GraphTrey Grainger
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackAlistair Gillespie
 
Ett 590 - Virtual Worlds
Ett 590 - Virtual WorldsEtt 590 - Virtual Worlds
Ett 590 - Virtual WorldsAline Click
 
.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...
.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш....NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...
.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...NETFest
 
Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...
Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...
Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...Fwdays
 
2019 04-13 ai for .net developers (fwdays)
2019 04-13 ai for .net developers (fwdays)2019 04-13 ai for .net developers (fwdays)
2019 04-13 ai for .net developers (fwdays)Oleksandr Krakovetskyi
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 
Artificial intelligence and its application
Artificial intelligence and its applicationArtificial intelligence and its application
Artificial intelligence and its applicationMohammed Abdel Razek
 
Security in the age of Artificial Intelligence
Security in the age of Artificial IntelligenceSecurity in the age of Artificial Intelligence
Security in the age of Artificial IntelligenceFaction XYZ
 

Similar to A new look into web application reconnaissance (20)

2010 za con_jurgens_van_der_merwe
2010 za con_jurgens_van_der_merwe2010 za con_jurgens_van_der_merwe
2010 za con_jurgens_van_der_merwe
 
Computer science department - a four page presentation
Computer science department - a four page presentationComputer science department - a four page presentation
Computer science department - a four page presentation
 
Manoj_cv
Manoj_cvManoj_cv
Manoj_cv
 
Data Visualizations in Cyber Security: Still Home of the WOPR?
Data Visualizations in Cyber Security: Still Home of the WOPR?Data Visualizations in Cyber Security: Still Home of the WOPR?
Data Visualizations in Cyber Security: Still Home of the WOPR?
 
The Impact of Emerging Technology on Digital Transformation
The Impact of Emerging Technology on Digital TransformationThe Impact of Emerging Technology on Digital Transformation
The Impact of Emerging Technology on Digital Transformation
 
Invited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open SourceInvited Talk - Cyber Security and Open Source
Invited Talk - Cyber Security and Open Source
 
Intro2 malwareanalysisshort
Intro2 malwareanalysisshortIntro2 malwareanalysisshort
Intro2 malwareanalysisshort
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...Ask me anything: A Conversational Interface to Augment Information Security w...
Ask me anything: A Conversational Interface to Augment Information Security w...
 
Web 3.0: The Upcoming Revolution
Web 3.0: The Upcoming RevolutionWeb 3.0: The Upcoming Revolution
Web 3.0: The Upcoming Revolution
 
The Semantic Knowledge Graph
The Semantic Knowledge GraphThe Semantic Knowledge Graph
The Semantic Knowledge Graph
 
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the HaystackMachine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
Machine Learning & Cyber Security: Detecting Malicious URLs in the Haystack
 
Ett 590 - Virtual Worlds
Ett 590 - Virtual WorldsEtt 590 - Virtual Worlds
Ett 590 - Virtual Worlds
 
.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...
.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш....NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...
.NET Fest 2018. Олександр Краковецький. Microsoft AI: створюємо програмні ріш...
 
Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...
Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...
Oleksander Krakovetskyi "Artificial Intelligence and Machine Learning for .NE...
 
2019 04-13 ai for .net developers (fwdays)
2019 04-13 ai for .net developers (fwdays)2019 04-13 ai for .net developers (fwdays)
2019 04-13 ai for .net developers (fwdays)
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision Security
 
Infinitytech New
Infinitytech NewInfinitytech New
Infinitytech New
 
Artificial intelligence and its application
Artificial intelligence and its applicationArtificial intelligence and its application
Artificial intelligence and its application
 
Security in the age of Artificial Intelligence
Security in the age of Artificial IntelligenceSecurity in the age of Artificial Intelligence
Security in the age of Artificial Intelligence
 

More from SensePost

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile explorationSensePost
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationSensePost
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17SensePost
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitSensePost
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksSensePost
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed OverviewSensePost
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionSensePost
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tatSensePost
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsSensePost
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented DefenceSensePost
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemSensePost
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSensePost
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get HackedSensePost
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application HackingSensePost
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summarySensePost
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2SensePost
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?SensePost
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessessSensePost
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerceSensePost
 

More from SensePost (20)

objection - runtime mobile exploration
objection - runtime mobile explorationobjection - runtime mobile exploration
objection - runtime mobile exploration
 
Vulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based ApplicationVulnerabilities in TN3270 based Application
Vulnerabilities in TN3270 based Application
 
Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17Ruler and Liniaal @ Troopers 17
Ruler and Liniaal @ Troopers 17
 
Introducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration ToolkitIntroducing (DET) the Data Exfiltration Toolkit
Introducing (DET) the Data Exfiltration Toolkit
 
ZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana AttacksZaCon 2015 - Zombie Mana Attacks
ZaCon 2015 - Zombie Mana Attacks
 
Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22Improvement in Rogue Access Points - SensePost Defcon 22
Improvement in Rogue Access Points - SensePost Defcon 22
 
Heartbleed Overview
Heartbleed OverviewHeartbleed Overview
Heartbleed Overview
 
Botconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server DetectionBotconf 2013 - DNS-based Botnet C2 Server Detection
Botconf 2013 - DNS-based Botnet C2 Server Detection
 
Rat a-tat-tat
Rat a-tat-tatRat a-tat-tat
Rat a-tat-tat
 
Hacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation SystemsHacking Z-Wave Home Automation Systems
Hacking Z-Wave Home Automation Systems
 
Offence oriented Defence
Offence oriented DefenceOffence oriented Defence
Offence oriented Defence
 
Inside .NET Smart Card Operating System
Inside .NET Smart Card Operating SystemInside .NET Smart Card Operating System
Inside .NET Smart Card Operating System
 
SNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) PwnageSNMP : Simple Network Mediated (Cisco) Pwnage
SNMP : Simple Network Mediated (Cisco) Pwnage
 
Its Ok To Get Hacked
Its Ok To Get HackedIts Ok To Get Hacked
Its Ok To Get Hacked
 
Web Application Hacking
Web Application HackingWeb Application Hacking
Web Application Hacking
 
Major global information security trends - a summary
Major global information security trends - a summaryMajor global information security trends - a summary
Major global information security trends - a summary
 
Corporate Threat Modeling v2
Corporate Threat Modeling v2Corporate Threat Modeling v2
Corporate Threat Modeling v2
 
OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?OK I'm here, so what's in it for me?
OK I'm here, so what's in it for me?
 
Security threats facing SA businessess
Security threats facing SA businessessSecurity threats facing SA businessess
Security threats facing SA businessess
 
Security in e-commerce
Security in e-commerceSecurity in e-commerce
Security in e-commerce
 

Recently uploaded

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 

Recently uploaded (20)

SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 

A new look into web application reconnaissance

  • 1.
  • 2.   Jurgens  van  der  Merwe  (jurgens@sensepost.com)     Junior  analyst  with  SensePost     Interests:     Information  Security       Innovative  Technologies     Music     Skateboarding     etc  
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.          Purpose            Interface                          Speed              Value                          Attack  surface                      Complexity  
  • 8.            Purpose              Interface                          Speed            Value                                Attack  surface                      Complexity  
  • 9.   Browser  Automation  Framework     for  Testing  Web  Applications     Consists  of  3  parts  :     Selenium  IDE     Selenium  Remote  Control     Selenium  Grid     For  this  talk  we  will  focus  on     the  core  library  and  functionality   of  Selenium  Framework    
  • 10.   Automation     The  ability  to  trigger  sequential  events  without  the  need  of   manual  interaction     Harvesting     The  ability  to  gather  large  datasets  of  common  objects   over  a  period  of  time     Extraction     The  ability  to  extract  key  elements  from  an  entity  in  order   to  obtain  valuable    information  regarding  a  specific  target  
  • 11. Over  700  billion  minutes  a  month  =    19865  lifetimes  
  • 12.
  • 13.   Behind  the  ‘Sannie’  experiment     Purpose     Showing  that  bots  can  act  like  humans  too.     Goal     Following  logical  pathways  to  mimic  human  interaction.     Demo  
  • 14.   The  mass  friendship  harvest     Purpose     Harvest  user  relationships       Goal     Determining  the  theory  behind:      {  friends  of  a  friend,  of  a  friend,  of  a  friend,  of  a  friend,  of  a   friend,  of  a  friend,  of  a  friend,  of  a  friend,  of  a  friend….  }  
  • 15.   The  Facebook  Profiler     Purpose     Creating  my  own  personal  address  book     Goal     Extracting  user  information  from  facebook  profiles     Demo  
  • 16.   Web  Simulator     Supports  various  browsers  like     Mozilla  Firefox       Google  Chrome     Opera     Safari     Internet  Explorer     Interacts  with  the  Document  Object  Model  (DOM)  
  • 17.   Latency!!!       Super  fast  ZA  internet.     Having  to  wait  for  the  web  element  to  be  completely   constructed  within  the  DOM.     Complexity  of  the  application     Understanding  the  logic  behind  the  application.  
  • 18.   Selenium  is  a  cool  technology  for  interacting  with  any   Web  2.0  application.     Impersonates  human-­‐like  interaction  with  a  web   application  by  following  logical  paths.       Ability  to  rely  on  the  browser’s  DOM  rather  than  the   source  of  a  web  page  when  extracting  information.      Allow  you  to  actually  see  the  browser  execute  your  code   and  navigate  through  the  targeted  application.     The  ability  to  test  the  functionality  of  the  web   application  through  various  browsers.  
  • 19. ???????????????????????????????????????????????????????   Questions   ???????????????????????????????????????????????????????