Back to the presentations…
Ezequiel David Gutesman from Core Security Technologies presented a web application fuzzer. Why? Because web applications are very common (used everywhere) and the consequences of attacks can be dramatic for companies (loss of data, data theft, …). Countermeasures are WAFs (Web Application Firewalls) coupled with IDS/IPS, code analysis (static or dynamic) and audits. Ezequiel gave information about CORE GRASP, a tool to protect against web injections. Basically, all SQL requests are analyzed using dynamic character-grained taint analysis and grammar-based analysis. All queries are classified as harmless, warning or critical (successful attack). Vulnerability reports are generated and are understandable not only by security experts but also by developers! This is very important in the scope of safe development (remember: security aspects must be taken into account as early as possible in the development process).
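To make the idea of character-grained taint analysis concrete, here is a toy implementation added for this post (it is not CORE GRASP's code; GRASP's real grammar and classification rules are not described here). Every character of the assembled query carries a taint bit, a simplified SQL tokenizer checks which tokens the tainted characters end up in, and the three-level verdict (harmless / warning / critical) is an assumed scheme chosen for the example.

```python
import re

# Simplified SQL tokenizer written for this example; not CORE GRASP's grammar.
TOKEN_RE = re.compile(
    r"(?P<ws>\s+)|(?P<str>'(?:[^']|'')*')|(?P<num>\d+(?:\.\d+)?)"
    r"|(?P<comment>--[^\n]*|/\*[\s\S]*?\*/)|(?P<word>[A-Za-z_][A-Za-z0-9_]*)"
    r"|(?P<op>[^\sA-Za-z0-9_'])"
)
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "NOT", "UNION", "ORDER",
            "BY", "INSERT", "UPDATE", "DELETE", "DROP", "TABLE", "INTO",
            "VALUES", "LIKE", "NULL", "LIMIT", "GROUP", "HAVING", "JOIN"}

def build_query(parts):
    """parts: list of (text, tainted). Concatenate them the way an application
    would, keeping one taint bit per character of the resulting query."""
    query = "".join(text for text, _ in parts)
    taint = [tainted for text, tainted in parts for _ in text]
    return query, taint

def classify(query, taint):
    """Assumed three-level scheme: 'harmless' when tainted characters only
    supply literal values, 'warning' when they pick an identifier, 'critical'
    when they touch keywords, operators, comments or a literal's boundary."""
    verdict, pos = "harmless", 0
    for m in TOKEN_RE.finditer(query):
        if m.start() != pos:          # tokenizer gap: unparseable query
            return "critical"
        pos = m.end()
        kind, span = m.lastgroup, taint[m.start():m.end()]
        if not any(span) or kind == "ws":
            continue
        if kind == "str":
            if span[0] or span[-1]:   # user data opened or closed the quotes
                return "critical"
        elif kind == "num":
            continue                  # numeric literal: value only
        elif kind == "word":
            if m.group().upper() in KEYWORDS:
                return "critical"
            verdict = "warning"       # user-chosen identifier (column/table)
        else:                         # operator, punctuation or comment
            return "critical"
    return verdict if pos == len(query) else "critical"

def check(parts):
    """Constructed convenience wrapper: build the query, then classify it."""
    return classify(*build_query(parts))
```

A properly escaped value such as `O''Brien` stays inside one string token and is harmless, while an input whose quote character closes the literal is flagged critical because the literal's boundary is tainted.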
Let’s have a lunch break now!