Blackhat Europe, Day 1: The Waag, the Bulldog, and web application hacking

Considering my previous posts on my experiences at Black Hat Federal received pretty good reviews, I thought it would make sense to again highlight a Black Hat trip. This time it was all the way out to Amsterdam, where Rob Carter and I will be speaking about URI Use and Abuse.

For reference, I've created a gallery of photos of the trip that I'll be updating as the conference goes on. The conference is at the Movenpick hotel, just a short walk from the train station, the red-light district, and all that is the heart of Amsterdam. Rob and I spent most of our first day trying to find this place that Jeff Moss (founder of Black Hat) had mentioned for lunch, the Waag (pronounced more like a V instead of a W and ending with a G and K combination sound that I could never properly make, which sounds more like Vwaghk (I think)). After explaining several times to the receptionist at the hotel that I was looking for the Wagg and not the "Vwaghk", I accepted that she must know what she's talking about and that I'm the fool, so I took her directions. Of course we got lost, which seems to be easy to do since the streets meander between waterways and there's so much to see along the way.

The architecture in Amsterdam is amazing! I kept looking for the Waag and getting side-tracked by the number of interesting buildings, shops, and characters to look at. In an effort to enjoy the culture to the fullest extent, Rob and I stopped at a coffee shop called the Bulldog, which served outstanding coffee. Seriously, they did. Eventually, after heading in completely the wrong direction, a native was kind enough to turn us around and put us on the proper road to the Waag. It was an impressive structure and looked like a nice place for a meal, but I had to get back in time to conduct an interview with Marcus Pinto and Dafydd Stuttard (PortSwigger) on the training session they are providing for Black Hat Europe attendees.

Getting back just in time, I caught up with Marcus and Dafydd for a round of Q&A:

Nate: Hey guys, thanks a lot for meeting with me today to discuss your "Web Application (In)Security" training class. Could you tell me a bit about the class and what the attendees are going to learn?

Dafydd: It's a two-day course on hacking web applications that mixes theory, the techniques used, and practical lab exercises that involve hacking a demo web application. There are a number of demo applications used, and there's a Capture the Flag challenge at the end of the class where we give out prizes. We even gave out a job at NGSSoftware to one of the winners in a previous year, as we were impressed with his skills.

Marcus: The talk is very attack-focused and we teach to those techniques, but attendees will also pick up some knowledge on how to defend themselves from these types of attacks as well. We've taught similar courses numerous times to our clients and at other conferences, including other Black Hats, and it has been well received.

Nate: Most of the guys I work with and a number of others I know in industry use your (speaking to Dafydd) Burp Suite tool extensively; it's really a great tool for web application testing. What are your thoughts on the state of application security testing tools, specifically those that are more automated in their approach?

Dafydd: Well, we tend to have a very manual approach at NGSSoftware. We've of course evaluated, and from time to time use, tools like WebInspect or AppScan, but they really are only good at finding the machine-repeatable type of findings, like SQL Injection, Cross-site Scripting, and other signature-based findings.

Marcus: We've even had numerous cases where those tools don't find SQL Injection, or have bugs with how they report SQL Injection issues, such as providing the last attack vector that "worked" for SQL Injection, which may cause some exception, but isn't a true SQL Injection attack vector. The high false-positive rate can make the tools a bit cumbersome to use for an experienced tester. Not to mention these tools will completely miss whole classes of vulnerabilities, such as authentication/authorization issues...

Dafydd: Flawed business logic issues, like the modify your price prior to posting the purchase attacks, etc.

Nate: I couldn't agree more. Sounds like the same thing we've noticed where I work. You two have recently co-authored "The Web Application Hacker's Handbook" (which can be bought from the PortSwigger site that Dafydd runs), which I've recently picked up and have not quite got to read through yet, but early indications are that it looks quite good. Could you talk a bit about the book?

Marcus: It's really quite similar to the training session we gave here in terms of content.

Dafydd: We cover a ton of content both in the book and in the training course. We've even got a section on thick-client hacking that focuses on Java applets and ActiveX controls.

Nate: Very interesting, thanks a lot for your time!
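The two scanner blind spots Marcus and Dafydd raise above, an authorization flaw and the "modify your price prior to posting the purchase" business-logic flaw, are easy to see in code. The following is an added example written for this write-up; it is not code from the interviewees, from the training course, or from the book. The catalogue, order table, product ids and user names are constructed sample data, and the `Request` type stands in for whatever the real framework hands a handler. Each vulnerable handler sits beside a hardened version so the difference is visible in one place:

```python
"""Added example (not the interviewees' code): two flaws that return a normal
200 response on both the honest and the tampered request, which is why a
signature-driven scanner has no error string or reflection to key on."""
from dataclasses import dataclass, field

# Constructed server-side data (assumed): prices in cents, and who owns what.
CATALOGUE = {"sku-100": 4999, "sku-200": 12500}
ORDERS = {"order-1": {"owner": "alice", "sku": "sku-200"}}


@dataclass
class Request:
    user: str                       # authenticated principal, assumed to come from the session
    form: dict = field(default_factory=dict)   # POST body: entirely attacker-controlled


class Rejected(Exception):
    """Raised by the hardened handlers; the app would map this to a 4xx."""


def charge_vulnerable(req: Request) -> dict:
    """Business-logic flaw: the cart page echoed the price back through a hidden
    field and the server bills whatever came back. Setting price=1 pays one cent."""
    sku = req.form["sku"]
    price = int(req.form["price"])
    return {"sku": sku, "charged": price}


def charge_fixed(req: Request) -> dict:
    """Hardened: the price is re-derived from the catalogue on the server and any
    client-supplied 'price' field is ignored entirely."""
    sku = req.form["sku"]
    if sku not in CATALOGUE:
        raise Rejected("unknown sku")
    return {"sku": sku, "charged": CATALOGUE[sku]}


def view_order_vulnerable(req: Request) -> dict:
    """Authorization flaw: being logged in is treated as sufficient, so any user
    can read any order by guessing or incrementing the id."""
    return ORDERS[req.form["order_id"]]


def view_order_fixed(req: Request) -> dict:
    """Hardened: the order must exist and belong to the caller. Missing and
    foreign orders get the same rejection so ids cannot be enumerated."""
    order = ORDERS.get(req.form["order_id"])
    if order is None or order["owner"] != req.user:
        raise Rejected("no such order")
    return order


def tampered_checkout_difference() -> int:
    """How much the attacker underpays with the vulnerable handler versus the fixed
    one for the same tampered request (sku-200 with price forced to 1)."""
    tampered = Request("mallory", {"sku": "sku-200", "price": "1"})
    return charge_fixed(tampered)["charged"] - charge_vulnerable(tampered)["charged"]


if __name__ == "__main__":
    print("underpaid by (cents):", tampered_checkout_difference())
    try:
        view_order_fixed(Request("mallory", {"order_id": "order-1"}))
    except Rejected as e:
        print("hardened order view rejected mallory:", e)
```

Note that neither the tampered checkout nor the foreign order read produces anything a signature-based tool can match on: both return well-formed success responses. Finding them requires a tester who knows what the application is supposed to do, which is the point both interviewees make.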

After the talk I got a chance to meet Sir Litchfield Sr. and chat with him. I highly recommend it if you get the chance yourself as he is highly entertaining, especially when telling Royal Marine stories... unfortunately, however, we were off the record at this point.