Gray, the New Black: Gray-Box Web Vulnerability Testing

No ratings

Presented at CS040SecConFab 2013 by

Brian Chess

Penetration testers who use only black-box tools are destined to lose to attackers who are willing to spend more time or effort looking for vulnerabilities. Defenders need to make use of one of the few natural advantages at their disposal: ready access to the system they’re trying to protect. In this talk, Brian will discuss gray-box vulnerability testing techniques that expose web application internals so that testers understand what an application is doing and can spot vulnerabilities faster. The tool for this kind of testing observes the program while it executes. It reveals attack surface, points out vulnerable program behavior, and opens up a code-level view of the application.