Professional Documents
Culture Documents
Current workarounds
Proposed solutions
Introduction to RAFT
Friday, August 5, 2011
We Arent...
Raise awareness
Current request
Previous requests
User-Agent
GET /viaf/75785466/ HTTP/1.1
Host: viaf.org
Accept: application/rdf+xml
!=
GET /viaf/75785466/ HTTP/1.1
Host: viaf.org
Friday, August 5, 2011
And again
Difficult cases
In-session detection
Request time
Authorization checks
Request/response diffs
No cross-tool analysis
Test manually
DirBuster!
Friday, August 5, 2011
A Word on Word Lists
aspnet_client
_notes
_vti_cnf
_vti_log
_vti_pvt
App_Code
App_Data
pkginfo
_vti_bin
Friday, August 5, 2011
DirBuster WTF?
Session Management
Multi-stepped operations
Content discovery
Intelligent spidering
HTML5
RIA
Friday, August 5, 2011
Web Smart Fuzzer Components
Randomization handling
CSRF tokens
DOM data
Payload choices
Introducing RAFT
Friday, August 5, 2011
What is RAFT?
RAFT is different
Focus on workflow
Technical Components
Mac OS X
10.5 / 10.6
Linux
Windows
Windows XP / Windows 7
Friday, August 5, 2011
Dependencies
PyQT4
QtWebKit
QScintilla
lxml
pyamf
pydns
Friday, August 5, 2011
RAFT Download
http://code.google.com/p/raft
RAFT Browser
Webscarab
Paros
Friday, August 5, 2011
Interface Walkthrough
Demo
Friday, August 5, 2011
Analysis
Analysis Anywhere!
Modular analyzers
Timing analysis
Image analysis
Demo
Friday, August 5, 2011
Smart Testing Components
Templatized components
Requester
Fuzzer
Sequence running
Browser object
Templating approach
Demo
Friday, August 5, 2011
Sequence Fuzzer
Demo
Friday, August 5, 2011
DOM Fuzzer Demo
Demo
Friday, August 5, 2011
Deeper?
Friday, August 5, 2011
Pop!
Friday, August 5, 2011
Documentation
Really?
Example
Friday, August 5, 2011
RAFT Weaknesses
Webkit dependence
SQLite
Hardcoded payloads
Reporting output
An Inspection Proxy
Friday, August 5, 2011
Call to Action
We need help
Future features
Questions?
Friday, August 5, 2011
Contact
Nathan Hamiel
http://twitter.com/nathanhamiel
nhamiel@gmail.com
Justin Engler
http://twitter.com/justinengler
Gregory Fleisher
gfleischer@gmail.com
twitter.com/%00<script>alert(0xLOL)
Seth Law
http://twitter.com/sethlaw
seth.w.law@gmail.com
RAFT Dev Team
http://twitter.com/RAFTDevTeam
Friday, August 5, 2011
Feedback Forms