Tracy: Because Tracing User Input Through JavaScript is for Tools

Presented at ShellCon 2018, Sept. 22, 2018, 2 p.m. (30 minutes).

Being able to comprehend causal relationships between sources of user input and their corresponding output is a distinguishing characteristic that separates the master web hacker from the novice script kiddie. The better a tester can grasp these relationships, the faster they can abuse lapses in input sanitization, identify dangerous programming patterns, and understand the overall attack surface of the application.

However, enumerating these relationships is difficult and time-intensive to do by hand, especially with JavaScript-heavy apps. Security scanning tools have tried to automate this procedure, but they face several problems in modern web applications:

To solve these problems, we need a tool that augments, not automates, a manual penetration tester by helping them understand all of the inputs and outputs of a web application. To this end, we present Tracy, a tool for assisting penetration testers with enumerating every sink of output for all user input sources.


Presenters:

  • Jake Heath
    Jake Heath is a penetration tester with NCC Group. Jake performs web application and network penetration tests as well as various types of hardware engagements, including hardware teardowns, physical threat modeling, and secure boot implementation. Jake holds a Master of Science in Computer Engineering from the University of Cincinnati, where he performed research in their embedded medical device lab. Twitter: @JacobRHeath
  • Michael Roberts
    Michael Roberts is a penetration tester with NCC Group. Michael performs web, mobile application and network penetration tests, and has a passion for virtual reality and machine learning outside of work life. Michael holds a bachelor's degree in computer and information technology from Purdue University.
