Tuesday, January 24 • 3:30pm - 4:20pm
A Hybrid Approach for Web App Penetration Testing


According to the Symantec Internet Security Threat Report 2016, 78% of scanned websites have vulnerabilities, of which one in seven is deemed critical. After years of working as a web app penetration tester across both the private and public sector, it quickly became apparent to us that relying exclusively on automated scanning tools was not sufficient. In order to accurately demonstrate what an adversary would be capable of, we needed to develop a new way of assessing web applications, one that combines automated tools with, more importantly, manual testing.

In the cyber security world, one may be inclined to believe that automated scanners are superior at vulnerability discovery; however, humans are actually much better at accurately identifying vulnerabilities. It has been our observation that nearly half of the vulnerabilities identified in our security assessments were not detected by vulnerability scanners, but were instead found through manual testing. As many organizations rely heavily on vulnerability scanners to discover vulnerabilities, it is important not to gain a false sense of security from scanner results alone, as scanners often overlook logic errors.

This presentation will present a new methodology that takes a hybrid approach to web app penetration testing by integrating automated and manual testing. We will cover the use of interception proxies for manual testing as well as IDS/IPS evasion techniques. Lastly, we will close the talk with a live demo that demonstrates the necessity of a hybrid approach to web app penetration testing.

Speakers
David Caissy

Penetration Tester, Bank of Canada
David Caissy is a web application penetration tester with an in-depth developer and IT security background spanning over 17 years. He has extensive experience in conducting vulnerability assessments and penetration tests as well as providing training globally, amongst numerous other...

Tuesday January 24, 2017 3:30pm - 4:20pm PST
Marion Davies Guest House