The 3 Top Techniques For Web Security Testing Using A Proxy

Paco Hope

Cigital

If you’re a web application functional tester, you’ve almost certainly used a proxy to test a few features. (If not, you should!) In this webinar, Paco will briefly show how to set up your environment to use a proxy, and then show you 3 fundamental techniques for performing exploratory testing of web application security. Using Burp Suite, a popular web proxy for security testing, we’ll start with the straightforward technique of tampering with the body of the request. This bypasses all the client-side security checks and lets you focus on the server-side security checks. The second technique covers how to tamper with cookies, headers, and other HTTP-level data. The third technique shows how and why it is sometimes useful to use a proxy to tamper with the HTTP response. While this only scratches the surface of what a proxy can do for your security testing, it’s a great way to get started and get comfortable. With this as a starting point for web security testing, you can get off the ground and create much more complex and interesting tests.

About Me!

Author of two security books and frequent conference speaker, Paco Hope is a Principal Consultant with Cigital Ltd and has been working in the field of software security for nearly 15 years. Paco helps clients in the financial, retail, and online gaming industries build secure software by performing source code review and architectural risk analysis. He is also a member of an advisory council with (ISC)² and serves as a subject matter expert for the CISSP and CSSLP security certifications.
