GET /api/events/fsck-2023/talks/UKVQLJ/?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"code": "UKVQLJ",
"speakers": [
{
"code": "YA9PEF",
"name": "Daniel Neagaru",
"biography": "Daniel is a seasoned pentester with over 5 years of experience in\r\nsecurity, 5 more as a sysadmin, and a passion for building tools that\r\nsolve real-world problems. His experience helping developers build\r\nOAuth directly from RFCs highlighted the limitations of existing\r\ntools, motivating him to build a more flexible and customizable\r\nsolution. 2 years ago, he started building Raider, and later the same\r\nyear it became a part of OWASP, and he's been actively developing and\r\nimproving Raider ever since.",
"avatar": null
}
],
"title": "Automating and attacking complex HTTP processes with OWASP Raider",
"submission_type": {
"de": "Talk (40 Min) + Fragen",
"en": "Talk (40 Min) + Questions"
},
"track": {
"de": "Talks",
"en": "Talks"
},
"state": "confirmed",
"abstract": "## Abstract\r\nRaider is a novel, LISP-based framework for web application security\r\ntesting that abstracts the client-server information exchange as a\r\nfinite state machine. Each step comprises one request with inputs, one\r\nresponse with outputs, arbitrary actions to do on the response, and\r\nconditional links to other stages, creating a graph-like\r\nstructure. This architecture works not only for authentication\r\npurposes but can be used for any HTTP process that needs to keep track\r\nof states. In this presentation, we'll cover the motivation behind\r\nRaider, the key concepts of the framework, and demonstrate how it can\r\nautomate complex HTTP processes. We'll show how Raider's flexibility\r\nenables easy customization of attacks and how its clear text\r\nconfiguration makes reproducing, sharing, and modifying attacks easy.\r\n## Outline\r\n\r\n1. Introduction\r\n - Present myself\r\n - Origins of Raider and the problem it was created to solve\r\n - The gap in current web app security testing tools\r\n - The challenges of testing authentication processes\r\n - Limitations with static configuration files like JSON\r\n - How can LISP be used to solve those limitations\r\n - Why hylang was used\r\n\r\n2. Methodology\r\n - Understanding and reverse engineering complex HTTP processes, like the Authentication\r\n - Abstracting the client-server information exchange as a Finite State Machine\r\n - Explain the core concepts in Raider: Flows, FlowGraphs, Request, Plugins, Operations\r\n\r\n3. Demo\r\n - Automating registration and login processes in OWASP juiceshop\r\n - Automating SQL injection testing with Raider\r\n - Chaining together multiple vulnerabilities to exploit a more complex attack\r\n\r\n4. Conclusions\r\n - What's next for Raider\r\n - Raider's limitations\r\n - Q/A session\r\n\r\n## Links to the project:\r\n- Website: https://raiderauth.com/\r\n- Source: https://github.com/OWASP/raider\r\n- Documentation: https://docs.raiderauth.com/en/latest/\r\n- Twitter: @raiderauth\r\n- Mastodon: @raiderauth@infosec.exchange",
"description": null,
"duration": 50,
"slot_count": 1,
"do_not_record": false,
"is_featured": false,
"content_locale": "en",
"slot": {
"room": {
"de": "Kino 5",
"en": "Cinema 5"
},
"start": "2023-06-03T16:00:00+02:00",
"end": "2023-06-03T16:50:00+02:00"
},
"image": null,
"resources": []
}