Presented at AppSec USA 2014
Sept. 19, 2014, 9:30 a.m.
Get your favorite dynamic application security scanner ready to try out Hackazon! Hackazon is a modern vulnerable web application. It looks like an online storefront with a modern AJAX interface, strict workflows and RESTful APIs used by a companion mobile app. Hackazon is here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it! Even manual pen testers will have their hands full testing their skills against it.
Vulnerabilities are scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent "known vuln testing" or any other form of cheating. Finding all the vulnerabilities in Hackazon requires not only proper handling of classic web security issues, but also testing of the RESTful interface formats that power the AJAX functionality and mobile clients (JSON, XML, GWT and AMF), as well as tedious testing of the strict workflows common in today's business applications.
Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications.
During this workshop, Dan will give you a sneak preview of Hackazon, and seek your input as to what you're seeing in applications and would like to see in Hackazon.
- co-CEO and CTO - NT OBJECTives
Dan has been with NTO for more than 10 years and is responsible for the strategic direction and development of products and services. He also works closely with technology partners to make sure our integrations are both deep and valuable. As a result of Dan's dedication to security, technology innovation and software development, NTO application security scanning software is often recognized as the most accurate because of its sophisticated automation techniques.
Dan joined NTO from Foundstone, where he was a key developer of FoundScan's scan management and remediation capabilities. Before Foundstone, Dan founded the Information Security team in the United States branches of Fortis.
When Dan's not working on NTO products or screen sharing with our customers to help them solve their application security challenges, you'll find him blogging, co-hosting An Information Security Place Podcast and speaking at conferences like B-Sides, OWASP AppSecUSA, HouSecCon, ToorCon and more. He also works with industry groups and contributes to many open source development projects. Little-known fact about Dan: he was a founder of the phpGroupWare project and the creator of podPress.