Smartfuzzing The Web: Carpe Vestra Foramina

Presented at DEF CON 19 (2011), Aug. 6, 2011, 11 a.m. (50 minutes)

It can be scary to think about how little of the modern attack surface many tools cover. There is no one best tool for the job and on top of that some tools don't do a great job at anything. Often in the hands of general users the capabilities and limitations are not even thought of during testing. Point, click, done. The attack surface of modern web environments as well as their protection mechanisms have become more complicated and yet many tools have not adapted. Hey, Y2K called and it wants some applications tested. There is certainly no shortage of vulnerabilities in modern web environments but we should be looking beyond low hanging fruit at this point. In between fully automated scanners and manual testing lies a sweet spot for the identification of vulnerabilities. Some of the juiciest pieces of information are not found by vulnerability scanners but are found by humans creating custom tests. This is why semi-automated testing space is so important. All of this complicated blending of protection mechanisms, services, and RIA technologies means that moving in to the area of semi-automated testing can be fraught with failure. We detail how these failures can be avoided as well as provide a tool that solves some of these problems as well as provides analysis for your own tools and scripts. Your web applications have moved on, don't you think it's time your tools to do the same?


  • Seth Law - Principal Consultant, FishNet Security
    Seth Law Seth Law is a Principal Consultant for FishNet Security in Application Security. He spends the majority of his time breaking web and mobile applications, but has been known to code when the need arises. Seth is currently involved in multiple open source projects, including RAFT. Twitter: @sethlaw
  • Justin Engler - Security Consultant, FishNet Security
    Justin Engler is a Security Consultant for FishNet Security's Application Security practice. His focus is on the security of web applications, web-backed thick clients (desktop and mobile), databases, and industrial control systems. Justin is currently working on the open source RAFT project.
  • Gregory Fleischer - Senior Security Consultant, FishNet Security
    Gregory Fleischer is a Senior Security Consultant in the Application Security practice at FishNet Security. In his spare time, he likes to find and exploit vulnerabilities in web browsers and client-side technologies such as Java and Flash. He has an interest in privacy and anonymity and has worked with The Tor Project to identify potential issues.
  • Nathan Hamiel - Principal Consultant, FishNet Security
    Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. He spends most of his time focusing in the areas of application, Web 2.0, and enterprise security. Nathan has been a speaker at security events around the world including: Black Hat, DefCon, ShmooCon, ToorCon, SecTor, OWASP and many others. He is also a developer of several open source security projects including the pywebfuzz and RAFT.
  • Panel