One Click Ownage

From OWASP
[[Category:OWASP_AppSec_DC_09]] [[Category:OWASP_Conference_Presentations]]

Revision as of 19:34, 27 August 2009

The presentation

WebRaider is a simple plug-in based open source framework for automating the detection and exploitation of vulnerabilities such as SQL Injection, Arbitrary File Upload and Remote Code Execution. The talk demonstrates how to gain a remote shell through an SQL Injection with just one request. It also shows that it is possible to get a reverse shell out of an SQL Injection by mounting a CSRF attack, which was not possible before. WebRaider is written in .NET, is open source and allows users to write new attack plug-ins. Its design is similar to CORE Impact, but aimed at web applications and at vulnerabilities that lead to remote code execution.

It is planned to become an OWASP Project and will be publicly released at the conference along with the "One Click Ownage" whitepaper, which explains one-request remote code execution in SQL Server. This will be an updated and more detailed version of the talk I presented at ITUnderground 2009. However, the whitepaper, the WebRaider tool and the details of the talk have not been published yet.

The speaker

Ferruh Mavituna worked as a Security Consultant for the Turkish Army and Police Forces. He has released several research papers, such as "SQL Injection Wildcard Attacks" and "XSS Tunnelling", and contributed to the OWASP Testing Guide v3. He has also released several open source projects in the web application area, such as "BSQL Hacker" and "XSS Shell". He was OWASP Turkey Chapter Leader for 3 years and is currently working for Mavituna Security Ltd.