October 19 @ 3:00 pm – 3:50 pm MDT
Presented by: Drew Kirkpatrick
Payload development is simpler for pen testers because application assessments typically come with authenticated access: by the time testers write a payload, they already know which sequence of requests and responses achieves a given goal.
JS-Tap captures sensitive data as users interact with the application, including screenshots of the pages visited and the inputs the user enters, such as login credentials. Cookies and local storage are scraped, potentially disclosing session data. The page HTML is also captured, giving the insight into the application needed to develop targeted XSS payloads for later attacks.
Critically, the payload makes no requests to the application server itself: captured data leaves only toward the tester's JS-Tap collection server, so the application's own server-side logs record nothing of the payload's activity.
Drew has 20 years of experience designing and building complex systems, including application security, network policy management, machine learning, and transit and aerospace systems. These days he works to improve information security by applying penetration testing and computer science to assess the security posture of TrustedSec clients. Before joining TrustedSec, he was a Security Researcher at NopSec and Secure Decisions, as well as a Senior Computer Scientist for the U.S. Navy.
EDUCATION & CERTIFICATIONS
Offensive Security Certified Professional (OSCP)
GIAC Web Application Penetration Tester (GWAPT)
GIAC Mobile Device Security Analyst (GMOB)
M.S. Computer Science – Florida Institute of Technology
M.S. Computer Information Systems – Florida Institute of Technology
B.A. Psychology/Economics – St. Mary’s College of Maryland
Drew has developed and contributed to several open source projects, including OWASP Attack Surface Detector and various machine learning and penetration testing tool projects.
PASSION FOR SECURITY
Drew’s love for building complex systems led to the discovery that he found tremendous joy in breaking complex systems—in a good way.