This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou"

From OWASP
Jump to: navigation, search
Line 6: Line 6:
  
 
== JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web ==
 
== JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web ==
 +
[[Image:JBroFuzz-SplashScreen.jpg|thumb|500px|left|JBroFuzz Splash Screen]]
  
 
The process of creating a stable and functional fuzzing tool for web applications, when examined in greater detail holds a number of caveats. With the ever-growing need for reliable penetration testing tools, [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz] in its short history, has been designed with the key objective of being able to fuzz the web.
 
The process of creating a stable and functional fuzzing tool for web applications, when examined in greater detail holds a number of caveats. With the ever-growing need for reliable penetration testing tools, [http://www.owasp.org/index.php/Category:OWASP_JBroFuzz JBroFuzz] in its short history, has been designed with the key objective of being able to fuzz the web.
  
 
This talk aims to cover the evolution of development of this application, starting from the architectural design criteria, to the definition of fuzzers and generators, encompassing also the graphical user interface. Key areas covered will include:
 
This talk aims to cover the evolution of development of this application, starting from the architectural design criteria, to the definition of fuzzers and generators, encompassing also the graphical user interface. Key areas covered will include:
 +
 +
== Overview ==
  
 
* Designing fuzz categories (OWASP Testing Guide v2)
 
* Designing fuzz categories (OWASP Testing Guide v2)

Revision as of 20:45, 11 May 2008

Yiannis Pavlosoglou - short bio

There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is focusing on research relating to coding standards, practices and ways of exploiting development code. This focus entails the breaking and making of client-side standalone, as well as server-side web applications.

As such things need doing for a living and can take their toll, he holds the position of Senior Director in EMEA for Ounce Labs, based in London. His area of expertise is in source code audits, bytecode interpretations and reverse engineering. He has performed a number of source code audits and application security assessments on an international level.

JBroFuzz 0.1 - 1.1: Building a Java Fuzzer for the Web

JBroFuzz Splash Screen

The process of creating a stable and functional fuzzing tool for web applications, when examined in greater detail holds a number of caveats. With the ever-growing need for reliable penetration testing tools, JBroFuzz in its short history, has been designed with the key objective of being able to fuzz the web.

This talk aims to cover the evolution of development of this application, starting from the architectural design criteria, to the definition of fuzzers and generators, encompassing also the graphical user interface. Key areas covered will include:

Overview

  • Designing fuzz categories (OWASP Testing Guide v2)
    • Recursive fuzzing
    • Replasive fuzzing
  • How to build a core java fuzzing framework
    • The need for BigInteger
    • Fuzzers are iterators
  • Limitations in implementing default HTTP/S connections
    • Why not use a HTTP Commons implementation
    • Calculating POST length re-writes
  • GUI Design
    • Sticking to Swing and AWT
    • Building a standalone application
  • Expanding JBroFuzz
    • What is inside the jar file
    • Implement your own fuzzer by extending JBroFuzz

This presentation will be interactive, with a number of demonstrations, relating to JBroFuzz's functionality and operation.