December 13, 2009

Assessing and Exploiting Web Applications with the open-source Samurai Web Testing Framework

This week, on December 10, I participated in the first OWASP international conference celebrated in Spain and, more specifically, in Iberia. IBWAS'09, the Iberian Web Application Security Conference, organized by the Spanish and Portuguese OWASP chapters, promoted the need for (web) application security controls, and I predict it will become the reference conference in the region in upcoming years. It was interesting to start by listening to Bruce Schneier talking about the present and future of the information security industry.

As an active member of the Samurai-WTF project, my presentation described the main purpose of Samurai-WTF plus its recent additions, available from the official SVN repository. I ended up with a hacking demo to demonstrate the power of integrating multiple attack tools in a single platform for web-app pen-testing exercises:

The Samurai Web Testing Framework (WTF) is an open-source LiveCD focused on web application security testing. It includes an extensive collection of pre-installed and pre-configured top penetration testing and security analysis tools, making it the perfect environment for assessing and exploiting web applications. The tool categorization guides the analyst through the web-app penetration testing methodology, from reconnaissance to mapping, discovery and exploitation.
This talk describes the actively developed Samurai WTF distribution and its tool set, including the recently created Samurai WTF Firefox add-ons collection (to turn the browser into the ultimate pentesting tool), the advanced features provided by the integration of multiple attack tools, plus the new tool update capabilities.

If you are interested in the project, start by checking the "Assessing and Exploiting Web Applications with the open-source Samurai Web Testing Framework" presentation, and join the project on sourceforge.net (and the mailing list).

Become a Samurai!


December 12, 2009

Hacking Challenges: Have Fun Improving Your Skills!

Last week, December 3, I was presenting an @Night event during the SANS London 2009 conference, focused on hacking challenges and how they can be used to improve your skills and knowledge while having fun:

Hacking and security challenges are a great and effective training tool. They provide a platform to improve everyone's skills by forcing all candidates to devise an offensive or defensive tactic, apply different techniques, and squeeze the available tools to succeed. The acquired knowledge can be later on applied to real-world ventures.

This interactive session will guide the audience through some scenarios associated with penetration testing and hacking challenges published over 2009. Apply your technical skills and knowledge to solve these challenges while having fun!


The interactive session was great fun, and people actively participated, and performed really well, to solve a compact version of the "Prison Break" challenge in one hour. This was the first event where we announced the birth of a new security company, called Taddong, focused on advanced security services. More details about it in the upcoming weeks...


The presentation is available here: "Hacking Challenges: Have Fun Improving Your Skills!".

During the session, on purpose, the last portion of the challenge remained unsolved, that is... what is the input required to generate the Scylla validation code (you already know it is a hash)?

6189db841f01413a05a53b7135137a17

For those who attended the session in London, I recommend that you open the presentation, review the challenge details, and try to figure out how to generate the code without using Google ;), and before reading the official solution.

Have fun! Taddong is coming...
