Web Application Security is still a hot topic in the security industry, especially with the recent Payment Card Industry (PCI) requirement coming into full effect requiring code review of web applications or a web application firewall. Despite all this attention, developers are not always familiar with the basic attacks against web applications and the abundance of tools available to assist malicious individuals in automating attacks. This talk will demonstrate some basic attacks against web applications including SQL Injection, Cross-Site Scripting, and Privilege Escalation. In addition, common tools that automate these attacks with merely the click of a button will be demonstrated. Finally, options for securing web services without diving into code will be discussed to assist administrators in making a more secure network.

—–

Damon Cortesi has worked in network and application security for nearly a decade, beginning his work as a Systems and Security Administrator, where he was responsible for the security of several NT systems exposed to the internet without a firewall. Most recently he was on a long-term engagement overseas helping a large retail company secure their web applications and is now back in Seattle full-time doing freelance security consulting and developing tools to ease security management.