OWASP NYC AppSec 2008 Conference-SPEAKER-Andres Riancho

Jump to: navigation, search

Andres Riancho - Bio

Andrés Riancho is an information security researcher and founder of Bonsai, where he is mainly involved in Penetration Testing and Vulnerability Research. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS; and contributed with SAP research performed at his former employer.

His main focus has always been the Web Application Security field, in which he developed w3af a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like OWASP World C0n (USA), CanSecWest (Canada), T2 (Finland) and ekoparty (Buenos Aires).

Andrés founded Bonsai in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.

Talk abstract

Web application auditing and exploiting is an art, but even art needs help of tools to make the process faster and more accurate. Right now open source tools like nikto, wapiti, pantera and others try to find vulnerabilities in web applications but lack many features and configuration options. Comercial tools have the features, at the expense of high product costs, and aren't as dynamic as open source projects.

w3af ( Web Application Attack and Audit Framework ) is an open source project that aims to automate the detection and explotation of all web application vulnerabilities. The project objective is to become an open platform where anyone can contribute with code and new technics. w3af is extended using plugins that are fully written in python, right now the project has more than 80 plugins and 30K lines of code!

The framework is divided into three phases: discovery, audit and attack. All plugins smoothly communicate with each other and work together to achieve the objective; w3af replaces standalone tools and makes web penetration testing as easy as possible; any wierd characteristic can be added as a plugin and consume all the features of the framework.

w3af implements many exploit plugins and features to aid this process, not less important are the discovery and audit plugins that will find those vulnerabilities for you to exploit! w3af one tool to rule them all.

My talk will introduce this tool to new users, while showing it's features and the new GUI.