Today's web apps are developed using a mashup of client- and server-side technologies. Everything from sophisticated Javascript libraries to third-party web services are thrown into the mix. Over the years, we've been asked to test these web apps with security tools that haven't evolved at the same pace. A common short-coming in most of these tools is their inability to perform dynamic analysis to identify vulnerabilities such as dynamically rendered XSS or DOM-based XSS. This is where BurpKit comes in - a BurpSuite plugin that integrates the power of WebKit with that of BurpSuite. In this presentation we'll go over how one can leverage WebKit to write their own web pen-testing tools and introduce BurpKit. We'll show you how BurpKit is able to perform a variety of powerful tasks including dynamic analysis, BurpSuite scripting, and more! Best of all, the plugin will be free and open source so you can extended it to your heart's desire!
Nadeem Douba is the founding principal of Red Canari, an information security consulting firm that specializes in the areas of technical security assessments. With over 15 years experience, Nadeem provides consulting and training services for organizations within the public and private sector. He has also presented at some of the world's largest security conferences and is the author of many well-known open source security tools, including PyMiProxy (used by the Internet Archive), Sploitego, and the Canari Framework (previously presented at DEF CON 20). His primary research interests include open source intelligence, application and operating system security, and big data. Twitter: @ndouba