It seems that everything is a web application nowadays. Whether the application is cloud-based, mobile, or even fat client they all seem to be using web protocols to communicate. Adding to the traditional landscape there is rise in the use of application programming interfaces, integration hooks, and next generation web technologies. What this means for someone testing web applications is that flexibility is the key to success. The Python programming language is just as flexible as today's web application platforms. The language is appealing to security professionals because it is easy to read and write, has a wide variety of modules, and has plenty of resources for help. This additional flexibility affords the tester greater depth than many of the canned tests that come with common tools they use on a daily basis. Greater familiarity plus flexible language equals tester win!
In this presentation we introduce methods with which to create your own clients, tools, and test cases using the Python programming language. We want to put testers closer to the conditions in which they are testing for and arm them with the necessary resources to be successful. We also discuss interfacing with current tools that people commonly use for web application testing. This allows for pinpoint identification of specific vulnerabilities and conditions that are difficult for other tools to identify.
Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. Nathan is an Information Assurance faculty member that is part of the university's Center of Academic Excellence sponsored by the NSA and DHS. He spends most of his time focusing in the areas of application, Web 2.0, and enterprise security. Throughout his career Nathan has provided security guidance to everyone from Fortune 100 companies to government agencies. Nathan has been a speaker at security events around the world including: Black Hat, Def con, ShmooCon, ToorCon, SecTor, and many others. Recently his talks have covered attacking everything from user-generated content to application programming interfaces.
Marcin Wielgoszewski is a security engineer and consultant at Gotham Digital Science. He is a committee member for the OWASP NYNJMetro chapter and has previously spoken at ShmooCon and other OWASP events. His research primarily focuses on software security and assurance.