Talkin' Bout [Infosec] News

I like webapps, don’t you? Webapps have got to be the best way to learn about security. Why? Because they’re self-contained and so very transparent.

You don’t need a big ol’ lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you’re attacking your own stuff, it’s easy to stay out of trouble. You’re up and running in the time it takes for a single download.

And the transparent part? Ever since “view source” in the earliest web browsers, it’s been easy to see exactly what’s going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It’s almost like there’s no such thing as a “black box” webapp pentest if you think about it…

Anyhow – the Developer Tools in Firefox (and Chrome) are what happens when you take “view source” and add 25 years or so of creativity and power.

We’ll look at the Developer Tools in the latest Firefox with a pentester’s eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run JavaScript in the site’s origin context, and even pause script execution in the debugger if things go too fast…

Maybe we’ll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser.

Join the BHIS Discord channel — https://discord.gg/aHHh3u5

Download the slides: https://www.activecountermeasures.com/presentations/ (BHIS_Webcasts)

0:00 – A Shady-White Slideshow with “FREE TOOLS!” On the Sign

0:38 – The Way Back Machine

11:00 – Always Be Learning

18:01 – The Path to the Developer Tools

24:37 – Console Separately From a Window

30:40 – The Network Tab

36:23 – Storage Tab

Show Notes

  • (00:00) - A Shady-White Slideshow with "FREE TOOLS!" On the Sign
  • (00:35) - The Way Back Machine
  • (10:16) - Always Be Learning
  • (16:55) - The Path to the Developer Tools
  • (23:14) - Console Separately From a Window
  • (28:44) - The Network Tab
  • (33:57) - Storage Tab
  • (35:45) - All The Cookies
  • (37:42) - The Inspector Gadget Thingy
  • (41:46) - Debugger
  • (42:08) - Customize the Tools
  • (42:18) - Console Tricks

What is Talkin' Bout [Infosec] News?

A weekly podcast with BHIS and friends. We discuss notable infosec and infosec-adjacent news stories gathered by our community news team.
Join us live on YouTube, Mondays at 4:30 PM ET.