Overview
Explore the limitations of automated web vulnerability scanners in this 41-minute conference talk from Louisville Infosec 2014. The talk covers common vulnerabilities that scanners routinely miss: logic flaws, insecure authentication practices, and access control and privilege escalation issues. It walks through weak password policies, user enumeration, lack of account lockout, and password reset flaws, and discusses defenses against account harvesting and insecure CAPTCHA implementations. It also examines client-side concerns and the risk of treating obscurity as a security control. The takeaways are aimed at testers and developers who want web security coverage beyond what automated scanning provides.
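To make the "user enumeration" and "account harvesting defense" items concrete, here is an added illustration that is not from the talk or its slides: a login handler whose error messages reveal whether an account exists, the hardened version that returns one uniform response and always does the password hash comparison, and the response-difference check a tester would run by hand. The user store, password, and message strings are constructed for this example.

```python
"""User enumeration through login error messages, with the hardened form.

A scanner that looks for injection or known signatures will not flag a
login form whose failure text differs for "no such user" and "wrong
password", but that difference lets an attacker harvest valid usernames.
All users, passwords, salts and messages here are constructed for the example.
"""
import hashlib
import hmac
from typing import Callable, Dict, Tuple

LoginFn = Callable[[str, str], Tuple[bool, str]]


def _hash(salt: bytes, password: str) -> bytes:
    # Constructed toy hash; a real system would use a slow KDF (bcrypt, scrypt, Argon2).
    return hashlib.sha256(salt + password.encode()).digest()


_SALT = b"example-salt"
# Constructed user store: username -> (salt, digest).
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": (_SALT, _hash(_SALT, "correct horse battery staple")),
}
# Dummy record compared against when the username does not exist, so the
# hardened handler does the same work on both paths.
_DUMMY = (_SALT, b"\x00" * 32)


def login_vulnerable(username: str, password: str) -> Tuple[bool, str]:
    """Leaks account existence: the message says which check failed, and the
    missing-user path returns before any hashing is done."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, digest = record
    if not hmac.compare_digest(_hash(salt, password), digest):
        return False, "Incorrect password"
    return True, "Welcome"


def login_hardened(username: str, password: str) -> Tuple[bool, str]:
    """One failure message for both cases; the hash is computed either way so
    response timing does not reveal the branch either."""
    salt, digest = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(salt, password), digest)
    if ok:
        return True, "Welcome"
    return False, "Invalid username or password"


def enumeration_oracle(login: LoginFn, known_user: str, probe_user: str,
                       bad_password: str = "definitely-not-the-password") -> bool:
    """The manual check a tester runs: submit a wrong password for an account
    known to exist and for one that does not, and compare the responses.
    Returns True when the responses differ, i.e. usernames can be enumerated."""
    _, msg_known = login(known_user, bad_password)
    _, msg_probe = login(probe_user, bad_password)
    return msg_known != msg_probe


if __name__ == "__main__":
    print("vulnerable handler enumerable:", enumeration_oracle(login_vulnerable, "alice", "mallory"))
    print("hardened handler enumerable:  ", enumeration_oracle(login_hardened, "alice", "mallory"))
```

The same comparison applies to registration ("username already taken") and password reset ("no account with that email") pages, which usually leak existence even when the login form does not; the defense is the same uniform response on every path.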
Syllabus
Intro
Introductions
Background & Observations
Automated Web Vulnerability Scanners
Common Vulns Scanners Miss
Logic flaws
Logic flaw defense
Insecure Authentication: Weak Password Policy
Insecure Authentication: User Enumeration
Insecure Authentication: Lack of Account Lockout
Insecure Authentication: Password Reset Flaws
Account Harvesting Defense
Insecure CAPTCHA
Access Control & Privilege Escalation
Client-side concerns
Assumption of web obscurity
Takeaways
Reach Out