One Click Ownage

The presentation
A simple plug-in based open source framework for Automation of detection and exploitation vulnerabilities such as SQL Injection, Arbitrary File Upload and Remote Code Execution. Talks demonstrates how to gain a remote shell in an SQL Injection just by one request. Also it shows that it's possible to get a reverse shell out of SQL Injection by mounting a CSRF attack which wasn't possible before this. WebRaider is written in .NET, open-source and allows users to write new attack plug-ins. It's a similar design to CORE Impact just for web applications and vulnerabilites which causes remote code execution. It's planned to be an OWASP Project, and will be publicly released in the conference among with "One Click Ownage" whitepaper which explains one request remote code execution in SQL Server. This will be an updated and more detailed version of the talk that I've presented in ITUnderground 2009. However the whitepaper, WebRaider tool and details of the talk hasn't been published yet.

The speaker
Ferruh Mavituna worked as Security Consultant for Turkish Army and Police Forces. Released several research papers such as "SQL Injection Wildcard Attacks" and "XSS Tunnelling" also contributed to OWASP Testing Guide v3. Released several open source projects in web applications area such as "BSQL Hacker" and "XSS Shell". Was OWASP Turkey Chapter Leader for 3 years. He's currently working for Mavituna Security Ltd.