CHCon 2023

LOLWAP: Living Off the Land for Web App Pentesters
2023-11-25, Ngaio Marsh Theatre

Imagine you’re a web application penetration tester and you’re on-site at a client’s office, testing a web application before it goes live. Problem is, the app lives in their Special Devops Lab environment and is only accessible from an internal network jump box…which doesn't have Burp Suite installed, of course. You protest but the client tells you, “Sorry, we don’t allow hacking tools in the Special Devops Lab.” If I had a dollar for every time this happened to me, I’d have $3, which isn't a lot, but it's weird that it happened three times. This talk will show you how to use built-in web browser Developer Tools to replicate Burp Suite’s intercepting proxy and Repeater functionality, so that if this ever happens to you, you’ll be able to tell the client “No worries, mate!” and proceed to tear that app apart with your bare web browser.

Ben is a web application penetration tester who has been living in Aotearoa for a couple of years now. When he’s not hacking he’s probably running tabletop RPGs, getting motion sick in VR, walking his cat, or tramping through the Waitakeres.