defeating the intercepting web proxy

Defeating The Intercepting Web Proxy A Glimpse Into the Next Generation of Web Security Tools

Wednesday, 10 April 13

Who is this talk for?


Why web proxies?


•Proxies are basic tools.

•They are general purpose.

•Provide visibility of the comms.


Written in Java!Wednesday, 10 April 13

Buffering!Wednesday, 10 April 13

Large files are no fun!Wednesday, 10 April 13

No pipelining!Wednesday, 10 April 13

WebSocket are no go!Wednesday, 10 April 13

Plain auth is pain!Wednesday, 10 April 13

SSL auth is pain!Wednesday, 10 April 13

Custom auth is no!Wednesday, 10 April 13

It takes time to setup!Wednesday, 10 April 13

Everything is just a request and a response.

No understandings of the app purpose and function.


Does it pass grandma’s test for Ease of Use?


Charles Darwin

It is not the strongest of the species that survives, nor the most intelligent,

but the one most responsive to change.


http://www.goodreads.com/author/show/12793.Charles_Darwin




Innovation ended with Achilles!


This is how web apps will look like in 2 years.


Unreal3 engine is ported to asm.js.


The most powerful client ever built.


HTML5Wednesday, 10 April 13

JavaScriptWednesday, 10 April 13

NECKO, XPCOMWednesday, 10 April 13

Chrome APIsWednesday, 10 April 13

To Da RescueWednesday, 10 April 13

Web Security Testing Reinvented


•AttackAPI 2005/2006

•Technika 2006/2007

•Weaponry 2008/2009

•Websecurify Suite 2011/-


Suite


Runs In The Browser Runs In The Cloud

Instant Queued

Proactive Reactive

Online/Offline Online

SAASWEBSECURIFY


See what they do.


Compiler

Code

Code


Browser

Ext.

Code


Code TargetExt.


Code TargetExt.

Worker


•Ability to send requests.

•Ability to intercept transactions.

•Ability to access low level APIs.


DEMOSWednesday, 10 April 13

Building It UpWednesday, 10 April 13

BadAssProxyWednesday, 10 April 13

What is next?


Q&A


defeating the intercepting web proxy

Software