Defeating the Intercepting Web Proxy

We were very privileged to present yet again on the annual HITB (Hack In The Box) information security conference but this time in Amsterdam. The topic was on how to move away from the arcane intercepting web proxies used during web penetration tests and embrace what is currently possible to achieve with standard browser technologies, i.e. the stuff we do with the Suite. Without further ado, here is the video.

<iframe width="100%" height="420" src="//" frameborder="0" allowfullscreen></iframe>

Presentation Abstract

This presentation will give information security professionals and enthusiasts an opportunity to explore new tricks and techniques for performing web application security assessments and penetration tests without using any intercepting proxies or any other standard tools. We will explore the weird and wonderful world of web browsers, the modern web application stack and rich web APIs to create a powerful web application security testing environment.

Attendees will get first hand exposure to brand new tools and techniques. The talk is not only educational but also provides a glimpse into the next generation web security technologies and will include the following topics and much more:

  • New developments in the HTTP proxy world.
  • Replacement tools for standard HTTP proxies using browser technologies.
  • Performing large-scale security assessments with Nodejs – i.e. scanning the web in 30 minutes.
  • Exploitation demos of various web technologies using nothing but web browsers.