Toshinari Kureha: Make My Day - Just Run a Web Scanner: Countering The Faults of Typical Web Scanners Through Byte-code Injection

"Today, other than doing a full static analysis of the code, the most common practice tfind vulnerabilities in your web application is tget off-the-shelf automated web scanner, point ta URL, and hope that itos doing the right thing.

But is it? How dyou know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way tfind all vulnerabilities in an application? What if there was a way tlook at whatos happening inside the application while these web scanners were hitting the application?

In this talk, weoll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ tinject security monitors directly inside a pre-compiled Java / .NET web application. We will alsgthrough a proof of concept and dem- turning a typical blackbox test inta owhiteboxtest using the techniques discussed in this talk, gaining a more complete picture: gaining coverage insight, finding more vulnerabilities, weeding out false positives reported by the scanners, and gaining root cause source information.
"