Explore the fundamentals of source-assisted web application penetration testing in this 45-minute conference talk from AppSecEU 2016 in Rome. Learn why utilizing source code is crucial, understand the concept of Hybrid Analysis Mapping, and discover the differences between Dynamic and Static Application Security Testing. Delve into vulnerability taxonomy, static and dynamic locations, and endpoint databases. Gain insights into plugin installation, attack surface enumeration, and handling false positives. Examine practical examples, including Android applications, debug parameters, and MVC configurations. Conclude with an overview of data flow analysis to enhance your web application security testing skills.
The ABCs of Source-Assisted Web Application Penetration Testing
Overview
Syllabus
Introduction
Agenda
Why use source code
Hybrid Analysis Mapping
Initial Goal
Dynamic Application Security Testing
Static Application Security Testing
Vulnerability Taxonomy
Static and Dynamic Locations
Endpoint Database
Dynamic Results
Plugin Overview
Plugin Installation
Attack Surface Enumeration
False Positives
Example
Supported Technologies
Android Applications
Debug Parameters
MVC Model Configuration
MVC Example
Questions
Data Flow Analysis
Taught by
OWASP Foundation
Related Courses
-
Application Security for Developers
-
Application Security for Developers and DevOps Professionals
-
Complete Web Application Hacking & Penetration Testing
-
Improving Dynamic Vulnerability Scanners with Static Code Analysis
-
Improving Penetration Testing Efficiency with OWASP Code Pulse and Attack Surface Detector
-
Bugs Ruin Everything - Keynote on Vulnerability Analysis and Exploitation
