Security B-Sides Kansas City Presentation

Security B-Sides Kansas City is happening Wednesday, October 26, 2011.  I will be presenting there at 10AM.  The topic is using Watir-WebDriver (a browser automation framework/driver) and Ruby to perform web application security unit testing.  While doing the research, I also got a chance to use another framework, Capybara, so I included examples from it as well.  The presentation will mostly consist of demos.  I will discuss what Watir-WebDriver is, alternate frameworks and languages to use, and how to apply them to web application security unit testing.  Then, I will walk through specific examples/demos showing how to use the frameworks to exploit/unit test vulnerabilities in the OWASP Broken Web Applications Project/VMware image.  The unit testing framework I chose is RSpec. I have demos ready for the following issues:

• SQL Injection
• error message based
• matching contents of a union select over the application usernames/passwords
• Cross-site Scripting
• Reflected - URL Based
• Reflected - Using a custom POST request
• Stored
• Autocomplete
• Session Fixation
• Open Redirect
• Enumerating authorization/access controls
• Information Disclosure through HTTP headers

After the presentation, I can provide anyone that asks with completed unit tests for all of the vulnerabilities listed above for both Ruby/Watir-WebDriver and Ruby/Capybara, using RSpec as the unit testing framework.  To run these demos at home, simply download and run the OWASP Broken Web Application VMware image using VMware Player.