OWASP's biggest show is just around the corner! This year's OWASP AppSec USA will be held in Minneapolis and Rapid7 is all in. We're sponsoring the show and I'm going to be participating as a speaker and will be showing w3af tips and tricks at the Open Source Showcase arena.

If you haven't heard about Web Application Security Payloads yet, this will be your chance to learn about this new technique that has been implemented as part of the w3af framework. Web Application Payloads are the evolution of old school system call payloads which are used in memory corruption exploits since the 70's. The basic problem solved by any payload is pretty simple: "I have access, what now?". In memory corruption exploits it's pretty easy to perform any specific task because after successful exploitation the attacker is able to control the CPU/ memory and execute arbitrary system calls in order to create a new user or run an arbitrary command; but in the Web Application field, the attacker is restricted to the "system calls" that the vulnerable Web Application exposes:

  • Local File Read - read()
  • OS Commanding - exec()
  • SQL Injection - read(), write() and possibly exec()

Web Application Payloads are small pieces of code that are run in the attackers box, and then translated by the Web application exploit to a combination of GET and POST requests to be sent to the remote web-server.

Finally, I'll be representing the Rapid7 Athletics Department by running the 5K/10K for charity on September 21 (the day before the conference, so if I don't show up for my talk on Sep 22nd, please try to find me at the end of the first kilometer). If everyone attending the conference joins, we can help the Bakken Museum partner with three Minneapolis schools to impact 360 students a year through integration of arts and science into the classroom. More information about the charity run can be found here.

See you all there!