Black Hat Briefings, Europe 2007 [audio] Presentations From The Security Conference.

"Today, other than doing a full static analysis of the code, the most common practice tfind vulnerabilities in your web application is tget off-the-shelf automated web scanner, point ta URL, and hope that it's doing the right thing. But is it? How dyou know that the scanner exercised all the vital areas of your application? How accurate and complete are the results? Is relying on HTTP response the best way tfind all vulnerabilities in an application? What if there was a way tlook at what's happening inside the application while these web scanners were hitting the application? In this talk, we'll explore that "looking inside the application as the security test runs" possibility - through byte-code instrumentation. We will see how we can use aspect oriented technologies such as AspectJ tinject security monitors directly inside a pre-compiled Java / .NET web application. We will alsgthrough a proof of concept and dem- turning a typical blackbox test inta "whitebox" test using the techniques discussed in t