Hackers of India

Pentesting a website with million lines of Javascript

 Lavakumar Kuppan   Ahamed Nafeez 



Web Application security testing used to be very straightforward. You configure your browser to use an intercepting proxy. Capture the traffic from the browser and then fuzz this captured traffic for vulnerabilities. That was back when all the logic and therefore all the vulnerabilities were on the server-side. But things are very different today, complex business logic is being increasingly transferred over to the client-side giving rise to a new breed of vulnerabilities.

You might already know about all the DOM and HTML5 security problems, you might already understand their impact well. But can you effectively test for these issues during a pentest? Do you favourite security tools allow you to test for these new breed of vulnerabilities? In this talk we will show you techniques that are part science and part magic that can get the job done.