OWASP 2022 Global AppSec San Francisco has ended
Global AppSec San Francisco returns November 14-18.

Designed for private and public sector infosec professionals, the two-day OWASP conferences equip developers, defenders, and advocates to build a more secure web. We are offering educational 1-day, 2-day, and 3-day training courses on November 14-16.

Join us for leading application security technologies, speakers, prospects, and the community, in a unique event that will build on everything you already know to expect from an OWASP Global Conference.
Friday, November 18 • 3:30pm - 4:30pm
Krampus - Building a custom DAST that actually works


When doing application security for an API-centric enterprise spanning thousands of microservices, Dynamic Application Security Testing (DAST) is almost a must-have. However, DAST products often fail to execute even the most rudimentary tests on internal endpoints that require a complex user flow. If an API call requires an ID that was obtained from the response body five HTTP calls earlier, the chances that a traditional DAST will be able to test your API are slim.

In this talk we'll present our approach to solving this issue: leveraging the existing headless Chrome test suites (built by the engineers as part of the R&D flow) as the attack surface for our custom DAST solution, Krampus. By using Chromium request interceptors, we were able to introduce appsec payloads into the HTTP requests issued during the execution of normal 'user flow' test scenarios (and pick up the results), giving us an effective DAST for internal APIs and endpoints.

It wasn't smooth sailing, though, with many challenges along the way. In particular, we realized that replicating each API call and parameter with a separate test would mean that the number of test calls grows exponentially, pushing up both cost and overhead. As many of our APIs also include dynamic parameters as part of the path, we had to build an API asset DB to understand if and when a specific URL had already been tested (code which we plan to release as open source).

By the end of the talk, participants will have the tools to leverage similar test suites in their own organizations to drastically improve the quality and coverage of the automated security testing in their environment.
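The two building blocks the abstract describes, a request-interception hook that marks one untested parameter per request and an "API asset DB" that collapses dynamic path segments so the same endpoint is not re-tested once per ID, sketched as an added example (this is not Krampus code; the override object mirrors the shape accepted by Puppeteer's request.continue(), but the request objects here are plain constructed values so it runs offline; the canary string and hostnames are made up):

```javascript
// Normalise a URL into an endpoint template: numeric and UUID path segments become {id},
// so /users/123/posts and /users/456/posts map to the same asset.
function endpointTemplate(url) {
  const u = new URL(url);
  const uuid = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
  const parts = u.pathname.split('/').map(seg =>
    /^\d+$/.test(seg) || uuid.test(seg) ? '{id}' : seg);
  return `${u.host}${parts.join('/')}`;
}

// Minimal "API asset DB": remembers which (method, endpoint template, parameter) triples
// have already been probed, so repeated test runs do not grow the probe count per ID.
class ApiAssetDb {
  constructor() { this.seen = new Set(); }
  claim(method, template, param) {
    const key = `${method} ${template} ${param}`;
    if (this.seen.has(key)) return false;
    this.seen.add(key);
    return true;
  }
}

// Interceptor logic: given a captured request {method, url, postData}, return the overrides
// to hand to request.continue() with exactly one not-yet-tested query or JSON body parameter
// replaced by the canary. Returns null when every parameter of this endpoint was already
// covered, so the test's request should proceed unmodified.
function buildProbe(req, db, canary) {
  const template = endpointTemplate(req.url);
  const u = new URL(req.url);
  for (const [name] of u.searchParams) {
    if (db.claim(req.method, template, `query:${name}`)) {
      u.searchParams.set(name, canary);
      return { url: u.toString(), param: `query:${name}`, template };
    }
  }
  if (req.postData) {
    let body;
    try { body = JSON.parse(req.postData); } catch { return null; } // non-JSON bodies skipped
    for (const name of Object.keys(body)) {
      if (db.claim(req.method, template, `body:${name}`)) {
        body[name] = canary;
        return { postData: JSON.stringify(body), param: `body:${name}`, template };
      }
    }
  }
  return null;
}
```

Inside a real Puppeteer run the hook would be wired as `page.on('request', r => { const o = buildProbe(...); o ? r.continue(o) : r.continue(); })`, with the matching responses checked for the canary to record a finding against `o.template` and `o.param`.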


Zohar Shchar

Application Security, Wix
After years focusing on offensive penetration tests and leading red team simulations, for the last ~2.5 years I have been leading the application security team at Wix. You can check out some of my past research here: www.ehpus.com

Dmitry Ryskin

Application Security Engineer, Wix
For the past 2 years I have been leading Application Security Engineering at Wix, creating solutions for AppSec at an enterprise scale. During my 10 years of web development experience I've been working on production stability and developer experience tools.

Friday November 18, 2022 3:30pm - 4:30pm PST
Seacliff AB