Presented at
DEF CON 14 (2006),
Unknown date/time
(Unknown duration).
This topic will present a new web-app/DB pen-test tool. This tool supports both proxy (passive) mode as well as direct URL targeting. It is a mixed Web App SQL Injection systematic pen-test and WebApp/Database scanner/auditing-style tool and supports most popular databases used by web applications such as Oracle, SQL Server, Access and DB2. It has many unique features from web app backend Database automatic detection to the ability to browse database objects (without the need to ask for a passwords, of course), to the ability to locate/search for any sensitive content inside the DB and find more vulnerability points from source as well as privilege escalation.
Presenters:
-
Yuan Fan
- Founder
Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc with consulting service on enterprise security management especially on database and application security. His expertise spans from network layer to application/database layer Security. Before that he worked 5+ years for ArcSight for a variety of security device‚s connectors, and many years in network management area. He holds a Master of Computer engineering degree from San Jose State University. Last year, he presented the abnormal detection between webApp layer and DB layer. This time he is going to show the brand new sword out for the first time. The tool˜MatriXray˜was designed and developed by him and his partner XiaoRong in their spare (night) time is deemed to be promising from several aspects including the deep pen-test ability framework and cross database support (currently supports Oracle, SQL Server, DB2,Access).
-
Xiao Rong
Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc with consulting service on enterprise security management especially on database and application security. His expertise spans from network layer to application/database layer Security. Before that he worked 5+ years for ArcSight for a variety of security device‚s connectors, and many years in network management area. He holds a Master of Computer engineering degree from San Jose State University. Last year, he presented the abnormal detection between webApp layer and DB layer. This time he is going to show the brand new sword out for the first time. The tool˜MatriXray˜was designed and developed by him and his partner XiaoRong in their spare (night) time is deemed to be promising from several aspects including the deep pen-test ability framework and cross database support (currently supports Oracle, SQL Server, DB2,Access).
Links:
Similar Presentations: