Sniffing Out Security Flaws in Your Web App

A skilled attacker is probably not going to throw a sheer volume of different attacks at your app to see what sticks. Much like a skilled coder learns to recognize "code smells" (certain symptoms that suggest a problem), a skilled attacker recognizes specific things that may indicate a vulnerability. A simple example would be a query string argument containing a URL. It may be an open HTTP redirect, an API call that can be hijacked, a cross-site scripting flaw, or perhaps nothing at all. One of the best tools developers and application owners can use to secure their own apps is the ability to spot potential vulnerabilities the same way an attacker would.
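
The query string smell mentioned above can be looked for in your own traffic. This is an added example, not code from the original page: it scans request targets for parameters whose values are absolute or scheme-relative URLs, so each one can be reviewed. The sample requests and the function names `classify` and `find_url_params` are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed request targets, standing in for lines from your own access log.
SAMPLE_REQUESTS = [
    "/login?next=https://example.org/welcome",
    "/search?q=security+smells&page=2",
    "/fetch?src=%2F%2Fcdn.example.net%2Fimg.png",
    "/out?u=https%253A%252F%252Fexample.com%252F",
    "/profile?return=/account/settings",
]

def classify(value, max_decodes=3):
    """Return 'absolute', 'scheme-relative', or None for a parameter value."""
    v = value.strip()
    for _ in range(max_decodes):      # peel extra layers of percent-encoding
        decoded = unquote(v)
        if decoded == v:
            break
        v = decoded
    # Browsers treat backslashes like slashes in URLs, so normalise first.
    v = v.replace("\\", "/")
    if v.startswith("//"):
        return "scheme-relative"
    try:
        parts = urlsplit(v)
    except ValueError:                # malformed input, e.g. a broken IPv6 literal
        return None
    if parts.scheme in ("http", "https") and parts.netloc:
        return "absolute"
    return None                       # plain text or a local path

def find_url_params(request_targets):
    """Map (path, parameter) -> kind for every parameter that carries a URL."""
    findings = {}
    for target in request_targets:
        parts = urlsplit(target)
        # parse_qsl already removes one layer of percent-encoding.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                findings[(parts.path, name)] = kind
    return findings

if __name__ == "__main__":
    for (path, name), kind in sorted(find_url_params(SAMPLE_REQUESTS).items()):
        print(f"{path}  param={name}  carries {kind} URL: review how it is used")
```

A flagged parameter is only a lead: whether it is a redirect target, a server-side fetch, reflected output, or harmless depends on how the handler uses the value.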