MatriXay - When Web App & Database Security Pen-Test/Audit Is a Joy

Presented at DEF CON 14 (2006)

This talk presents a new web-application/database pen-test tool. The tool supports both a proxy (passive) mode and direct URL targeting. It combines systematic web-application SQL injection pen-testing with a web-app/database scanner and auditing-style tool, and it supports the databases most commonly used behind web applications: Oracle, SQL Server, Access and DB2. Its features range from automatic detection of the web application's backend database, to browsing database objects (without needing to ask for passwords, of course), to locating and searching for sensitive content inside the database, to finding further vulnerability points from source and paths to privilege escalation.

Presenters:

  • Xiao Rong
  • Yuan Fan - Founder
    Yuan Fan, GCIH, GCIA, CISSP, is the founder of DBAppSecurity Inc, which provides consulting services on enterprise security management, especially database and application security. His expertise spans from network-layer to application/database-layer security. Before that he worked for more than five years at ArcSight on connectors for a variety of security devices, and for many years in the network management area. He holds a Master of Computer Engineering degree from San Jose State University. Last year he presented on abnormality detection between the web-application layer and the database layer. This time he is showing a brand-new tool for the first time. The tool, MatriXay, was designed and developed by him and his partner Xiao Rong in their spare (night) time, and it is considered promising in several respects, including its deep pen-test framework and cross-database support (it currently supports Oracle, SQL Server, DB2 and Access).