Complexity of Automated Web App Scanning

Due to their large and complex attack surface and the difficulty in ensuring they are secure, web applications continue to be a prime target in attacks. All it takes is a flaw in the application itself, its framework, the web server or proxy server configuration, or even some third-party component (e.g. a JavaScript library that is embedded on each web
page) to lead to a full compromise of a host or network.

In this session, we will talk both generally about the trends in web application security and look at specific examples of how key vulnerabilities arise (e.g. discussing how, without adequate sanitisation, tainted user input can reach dangerous functions within some layer of the system), paying particular attention to those more subtle cases that
usually go under the radar.

We will build up a solid understanding, working from the most basic ideas to more intricate scenarios, sparing no detail whilst remaining accessible to non-technical audiences.

Key Takeaways:

• Gain an appreciation of the attack surface complexity of modern web applications.
• An insight into how vulnerabilities manifest, whatever their particular form, and their detection through means of inference and signatures.
• An insight into more subtle detection, such as side-channel and out-of-band detection.