AppSec California 2015

Applications have changed, but your test apps havent!
Its about time for a test app that’s a little more current than circa 2002. Enter Hackazon.

Hackazon, is a modern vulnerable web application. It looks like an online storefront with a modern AJAX interface, strict workflows and RESTful API's used by a companion mobile app. And, its here to replace the old Web 1.0 test apps (WebGoat, DVWA, Hackme Bank and Hackme Casino) that no longer mirror the applications we see in the wild. Will your application security scanner successfully test this site? Doubt it! Even manual pen testers will have their hands full testing their skills against it.

There are vulnerabilities scattered throughout Hackazon, and each vulnerable area is configurable so that users can change the vulnerability landscape to prevent “known vuln testing” or any other form of cheating. To find all the vulnerabilities in Hackazon it will require proper handling of not only classic web security, but will require testing RESTful interface formats that power AJAX functionality and mobile clients (JSON, XML, GwT, and AMF). It will also require tedious testing of strict workflows common in todays business applications.

Hackazon is an open source application that will ultimately be contributed to OWASP to be included with the other vulnerable test applications.

Join Dan for this talk where he will demonstrate Hackazon and the techniques required to find the vulnerabilities in the different interfaces and formats.