OWASP NYC AppSec 2008 Conference-SPEAKER-Yiannis Pavlosoglou

Yiannis Pavlosoglou - short bio
There is a world of numbers, hiding behind letters, inside computers that stimulates the brain of Yiannis. Currently, he is focusing on research relating to coding standards, practices and ways of exploiting development code. This focus entails the breaking and making of client-side standalone, as well as server-side web applications.

As such things need doing for a living and can take their toll, he holds the position of Senior Director in EMEA for Ounce Labs, based in London. His area of expertise is in source code audits, bytecode interpretations and reverse engineering. He has performed a number of source code audits and application security assessments on an international level.

JBroFuzz 0.1 - 1.1: The History of Building a Java Fuzzer for Web Applications
The process of creating a stable and functional fuzzing tool for web applications, when examined in greater detail, holds a number of caveats. With the ever-growing need for reliable penetration testing tools, JBroFuzz, in its short history, has been designed with the key objective of being able to fuzz the web.

This talk aims to cover the evolution of development of this application, starting from the architectural design criteria, to the definition of fuzzers and generators, encompassing also the graphical user interface. Key areas covered will include:


 * Designing fuzz categories (OWASP Testing Guide v2)
 * Recursive fuzzing
 * Replacive fuzzing
 * How to build a core Java fuzzing framework
 * The need for BigInteger
 * Fuzzers are iterators
 * Limitations in implementing default HTTP/S connections
 * Why not use a HTTP Commons implementation
 * Calculating POST length re-writes
 * GUI Design
 * Sticking to Swing and AWT
 * Building a standalone application
 * Expanding JBroFuzz
 * What is inside the jar file
 * Implement your own fuzzer by extending JBroFuzz

This presentation will be interactive, with a number of demonstrations relating to JBroFuzz's functionality and operation.