BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.ctbk.de//UKVQLJ
BEGIN:VTIMEZONE
TZID:Europe/Berlin
BEGIN:STANDARD
DTSTART:20001029T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T020000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-fsck-2023-UKVQLJ@cfp.ctbk.de
DTSTART;TZID=Europe/Berlin:20230603T160000
DTEND;TZID=Europe/Berlin:20230603T165000
DESCRIPTION:## Abstract\nRaider is a novel\, LISP-based framework for web a
 pplication security\ntesting that abstracts the client-server information 
 exchange as a\nfinite state machine. Each step comprises one request with 
 inputs\, one\nresponse with outputs\, arbitrary actions to do on the respo
 nse\, and\nconditional links to other stages\, creating a graph-like\nstru
 cture. This architecture works not only for authentication\npurposes but c
 an be used for any HTTP process that needs to keep track\nof states. In th
 is presentation\, we'll cover the motivation behind\nRaider\, the key conc
 epts of the framework\, and demonstrate how it can\nautomate complex HTTP 
 processes. We'll show how Raider's flexibility\nenables easy customizatio
 n of attacks and how its clear text\nconfiguration makes reproducing\, sha
 ring\, and modifying attacks easy.\n## Outline\n\n1. Introduction\n   - Pr
 esent myself\n   - Origins of Raider and the problem it was created to sol
 ve\n   - The gap in current web app security testing tools\n   - The chall
 enges of testing authentication processes\n   - Limitations with static co
 nfiguration files like JSON\n   - How can LISP be used to solve those limi
 tations\n   - Why hylang was used\n\n2. Methodology\n   - Understanding an
 d reverse engineering complex HTTP processes\, like the Authentication\n  
  - Abstracting the client-server information exchange as a Finite State Ma
 chine\n   - Explain the core concepts in Raider: Flows\, FlowGraphs\, Requ
 est\, Plugins\, Operations\n\n3. Demo\n   - Automating registration and lo
 gin processes in OWASP juiceshop\n   - Automating SQL injection testing wi
 th Raider\n   - Chaining together multiple vulnerabilities to exploit a mo
 re complex attack\n\n4. Conclusions\n   - What's next for Raider\n   - Rai
 der's limitations\n   - Q/A session\n\n## Links to the project:\n- Website
 : https://raiderauth.com/\n- Source: https://github.com/OWASP/raider\n- Do
 cumentation: https://docs.raiderauth.com/en/latest/\n- Twitter: @raideraut
 h\n- Mastodon: @raiderauth@infosec.exchange
DTSTAMP:20240713T181113Z
LOCATION:Cinema 5
SUMMARY:Automating and attacking complex HTTP processes with OWASP Raider -
  Daniel Neagaru
URL:https://cfp.ctbk.de/fsck-2023/talk/UKVQLJ/
END:VEVENT
END:VCALENDAR
