Post on 06-May-2015
Defeating The Intercepting Web Proxy A Glimpse Into the Next Generation of Web Security Tools
Wednesday, 10 April 13
Who is this talk for?
Why web proxies?
•Proxies are basic tools.
•They are general purpose.
•They provide visibility of the comms.
Written in Java!
Buffering!
Large files are no fun!
No pipelining!
WebSockets are a no-go!
Plain auth is a pain!
SSL auth is a pain!
Custom auth is a no!
It takes time to set up!
Everything is just a request and a response.
No understanding of the app's purpose and function.
Does it pass grandma’s test for Ease of Use?
Charles Darwin
It is not the strongest of the species that survives, nor the most intelligent,
but the one most responsive to change.
Innovation ended with Achilles!
This is what web apps will look like in 2 years.
The Unreal 3 engine is ported to asm.js.
The most powerful client ever built.
HTML5
JavaScript
NECKO, XPCOM
Chrome APIs
To Da Rescue
Web Security Testing Reinvented
•AttackAPI 2005/2006
•Technika 2006/2007
•Weaponry 2008/2009
•Websecurify Suite 2011/-
Suite
WEBSECURIFY              SAAS
Runs In The Browser      Runs In The Cloud
Instant                  Queued
Proactive                Reactive
Online/Offline           Online
See what they do.
(Diagram: Compiler, Code, Code)
(Diagram: Browser, Ext., Code)
(Diagram: Code, Target, Ext.)
(Diagram: Code, Target, Ext., Worker)
•Ability to send requests.
•Ability to intercept transactions.
•Ability to access low level APIs.
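The three abilities above are what an in-browser tool needs to replace the proxy's visibility. The following is an added example, not code from the talk or from the Websecurify project, of the second ability: a Chrome extension background script that observes every HTTP transaction through the real chrome.webRequest.onHeadersReceived API and audits the response headers a defender expects, without buffering bodies or terminating TLS. The audit function, the auditor wrapper, the expected-header list and the sample transactions are this example's own constructions; the chrome.webRequest registration is skipped when the script runs outside an extension (for instance under Node).

```javascript
// Added example (not from the talk or the Websecurify project): how a browser
// extension can observe HTTP transactions in place of an intercepting proxy.
// Inside an extension background script it uses the real
// chrome.webRequest.onHeadersReceived API; the audit logic is plain JavaScript
// so it can also be exercised outside the browser.

// Response headers a defender expects on an application page (our own list).
const EXPECTED_HEADERS = [
  "strict-transport-security",
  "content-security-policy",
  "x-content-type-options",
];

// Audit one transaction in the shape onHeadersReceived delivers it:
// `details.url` and `details.responseHeaders` as [{name, value}, ...].
// Returns a list of finding strings (empty when nothing is wrong).
function auditTransaction(details) {
  const findings = [];
  const url = new URL(details.url);
  const headers = details.responseHeaders || [];
  const names = new Set(headers.map((h) => h.name.toLowerCase()));

  if (url.protocol === "http:") {
    findings.push(`plaintext transport: ${details.url}`);
  }
  for (const h of EXPECTED_HEADERS) {
    // HSTS only has meaning over TLS, so do not flag it on plaintext responses.
    if (h === "strict-transport-security" && url.protocol !== "https:") continue;
    if (!names.has(h)) findings.push(`missing header ${h}: ${details.url}`);
  }
  const ct = headers.find((h) => h.name.toLowerCase() === "content-type");
  if (ct && /text\/html/i.test(ct.value) && !/charset=/i.test(ct.value)) {
    findings.push(`html without charset: ${details.url}`);
  }
  return findings;
}

// Collects findings across transactions for later review, much like a
// proxy's history tab, but the response itself passes through untouched.
function makeAuditor() {
  const log = [];
  return {
    onHeadersReceived(details) {
      const findings = auditTransaction(details);
      if (findings.length) log.push({ url: details.url, findings });
      return undefined; // no BlockingResponse: observe only
    },
    report() {
      return log.slice();
    },
  };
}

// Inside an extension background script this wires the auditor to Chrome.
// `chrome` is undefined under Node, so the registration is skipped there.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  const auditor = makeAuditor();
  chrome.webRequest.onHeadersReceived.addListener(
    auditor.onHeadersReceived,
    { urls: ["<all_urls>"] },
    ["responseHeaders"]
  );
}

// Constructed sample transactions (not captured traffic) for a stand-alone run.
const SAMPLE_TRANSACTIONS = [
  {
    url: "https://app.example/login",
    responseHeaders: [
      { name: "Content-Type", value: "text/html" },
      { name: "Content-Security-Policy", value: "default-src 'self'" },
    ],
  },
  {
    url: "http://app.example/api/v1/me",
    responseHeaders: [
      { name: "Content-Type", value: "application/json; charset=utf-8" },
      { name: "X-Content-Type-Options", value: "nosniff" },
    ],
  },
];

// Runs the auditor over the samples and returns the collected findings.
function runSample() {
  const auditor = makeAuditor();
  for (const t of SAMPLE_TRANSACTIONS) auditor.onHeadersReceived(t);
  return auditor.report();
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSample(), null, 2));
}
```

The extension needs the webRequest permission and host permissions for the URLs it observes in its manifest; with those in place the listener sees the same headers a proxy would, including on origins where a proxy would first have to break TLS.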
DEMOS
Building It Up
BadAssProxy
What is next?
Q&A