{"id":206,"date":"2009-03-23T16:00:50","date_gmt":"2009-03-23T21:00:50","guid":{"rendered":"http:\/\/www.webadminblog.com\/?p=206"},"modified":"2009-04-01T10:33:29","modified_gmt":"2009-04-01T15:33:29","slug":"assessing-your-web-app-manually-without-hacking-it","status":"publish","type":"post","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/","title":{"rendered":"Assessing Your Web App Manually Without Hacking It"},"content":{"rendered":"<p>After giving my presentation on &#8220;Using Proxies to Secure Applications and More&#8221; at the TRISC 2009 conference, I decided to attend the presentation by Robert &#8220;RSnake&#8221; Hansen and Rob MacDougal entitled &#8220;Assessing Your Web App Manually Without Hacking It&#8221;.\u00a0 The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript, you web browser) you can spend about an hour looking at the characteristics of a web application in order to determine what types and how many vulnerabilities it may have.\u00a0 My notes on the presentation are below:<\/p>\n<p><!--more--><!--[if gte mso 9]><xml> <w :WordDocument> <\/w><w :View>Normal<\/w> <w :Zoom>0<\/w> <w :TrackMoves \/> <w :TrackFormatting \/> <w :PunctuationKerning \/> <w :ValidateAgainstSchemas \/> <w :SaveIfXMLInvalid>false<\/w> <w :IgnoreMixedContent>false<\/w> <w :AlwaysShowPlaceholderText>false<\/w> <w :DoNotPromoteQF \/> <w :LidThemeOther>EN-US<\/w> <w :LidThemeAsian>X-NONE<\/w> <w :LidThemeComplexScript>X-NONE<\/w> <w :Compatibility> <w :BreakWrappedTables \/> <w :SnapToGridInCell \/> <w :WrapTextWithPunct \/> <w :UseAsianBreakRules \/> <w :DontGrowAutofit \/> <w :SplitPgBreakAndParaMark \/> <w :DontVertAlignCellWithSp \/> <w :DontBreakConstrainedForcedTables \/> <w :DontVertAlignInTxbx \/> <w :Word11KerningPairs \/> <w :CachedColBalance \/> <\/w> <m :mathPr> <m :mathFont m:val=\"Cambria Math\" \/> <m :brkBin m:val=\"before\" \/> <m :brkBinSub m:val=\"&#45;-\" \/> <m :smallFrac m:val=\"off\" \/> <m :dispDef \/> <m :lMargin m:val=\"0\" \/> <m :rMargin m:val=\"0\" \/> <m :defJc m:val=\"centerGroup\" \/> <m :wrapIndent m:val=\"1440\" \/> <m :intLim m:val=\"subSup\" \/> <m :naryLim m:val=\"undOvr\" \/> <\/m> <\/xml>< ![endif]--><!--[if gte mso 9]><xml> <w :LatentStyles DefLockedState=\"false\" DefUnhideWhenUsed=\"true\"   DefSemiHidden=\"true\" DefQFormat=\"false\" DefPriority=\"99\"   LatentStyleCount=\"267\"> <w :LsdException Locked=\"false\" Priority=\"0\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Normal\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"heading 1\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 2\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 3\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 4\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 5\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 6\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 7\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 8\" \/> <w :LsdException Locked=\"false\" Priority=\"9\" QFormat=\"true\" Name=\"heading 9\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 1\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 2\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 3\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 4\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 5\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 6\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 7\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 8\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" Name=\"toc 9\" \/> <w :LsdException Locked=\"false\" Priority=\"35\" QFormat=\"true\" Name=\"caption\" \/> <w :LsdException Locked=\"false\" Priority=\"10\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Title\" \/> <w :LsdException Locked=\"false\" Priority=\"1\" Name=\"Default Paragraph Font\" \/> <w :LsdException Locked=\"false\" Priority=\"11\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Subtitle\" \/> <w :LsdException Locked=\"false\" Priority=\"22\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Strong\" \/> <w :LsdException Locked=\"false\" Priority=\"20\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Emphasis\" \/> <w :LsdException Locked=\"false\" Priority=\"59\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Table Grid\" \/> <w :LsdException Locked=\"false\" UnhideWhenUsed=\"false\" Name=\"Placeholder Text\" \/> <w :LsdException Locked=\"false\" Priority=\"1\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"No Spacing\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1 Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2 Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1 Accent 1\" \/> <w :LsdException Locked=\"false\" UnhideWhenUsed=\"false\" Name=\"Revision\" \/> <w :LsdException Locked=\"false\" Priority=\"34\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"List Paragraph\" \/> <w :LsdException Locked=\"false\" Priority=\"29\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Quote\" \/> <w :LsdException Locked=\"false\" Priority=\"30\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Intense Quote\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2 Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1 Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2 Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3 Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid Accent 1\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3 Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid Accent 2\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3 Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid Accent 3\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3 Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid Accent 4\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3 Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid Accent 5\" \/> <w :LsdException Locked=\"false\" Priority=\"60\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Shading Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"61\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light List Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"62\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Light Grid Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"63\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 1 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"64\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Shading 2 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"65\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 1 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"66\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium List 2 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"67\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 1 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"68\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 2 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"69\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Medium Grid 3 Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"70\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Dark List Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"71\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Shading Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"72\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful List Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"73\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" Name=\"Colorful Grid Accent 6\" \/> <w :LsdException Locked=\"false\" Priority=\"19\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Subtle Emphasis\" \/> <w :LsdException Locked=\"false\" Priority=\"21\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Intense Emphasis\" \/> <w :LsdException Locked=\"false\" Priority=\"31\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Subtle Reference\" \/> <w :LsdException Locked=\"false\" Priority=\"32\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Intense Reference\" \/> <w :LsdException Locked=\"false\" Priority=\"33\" SemiHidden=\"false\"    UnhideWhenUsed=\"false\" QFormat=\"true\" Name=\"Book Title\" \/> <w :LsdException Locked=\"false\" Priority=\"37\" Name=\"Bibliography\" \/> <w :LsdException Locked=\"false\" Priority=\"39\" QFormat=\"true\" Name=\"TOC Heading\" \/> <\/w> <\/xml>< ![endif]--><br \/>\nStep 1: Exploit Overachievers<\/p>\n<ul>\n<li>Maximize value by using free tools<\/li>\n<li>OWASP (Open Web Application Security Project)<\/li>\n<li>WASC (Web Application Security Consortium)<\/li>\n<\/ul>\n<p>Step 2: Learn<\/p>\n<ul>\n<li>Security is not an arcane art reserved for people with a special gift.\u00a0 It\u2019s campfire knowledge.\n<ul>\n<li>Assess your security posture regularly<\/li>\n<li>Do not neglect any aspect of your security; bad guys don\u2019t (Social Engineering, Internal Network, Firewall, Web Apps, etc)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>Step 3: Chase Your Tail<\/p>\n<ul>\n<li>Remember where you started\n<ul>\n<li>Free tools can provide extreme amounts of value\n<ul>\n<li>OWASP (Eg: OWASP Testing Guide)<\/li>\n<li>WASC<\/li>\n<\/ul>\n<\/li>\n<li>There is no magic to security<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Tools Needed<\/strong><\/span><\/p>\n<ul>\n<li>Web Developer Toolbar\n<ul>\n<li>POST to GET<\/li>\n<li>Response headers<\/li>\n<\/ul>\n<\/li>\n<li>NoScript or QuickJava<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Estimating Vulnerabilities<\/strong><\/span><\/p>\n<ul>\n<li>Site Age \u2013 Care &amp; Feeding\n<ul>\n<li>\u201cCopyright 2003\u201d<\/li>\n<li>Alexa<\/li>\n<li>Archive.org<\/li>\n<li>Whois<\/li>\n<li>Last modified date<\/li>\n<li>Old server + modules version #\u2019s<\/li>\n<\/ul>\n<\/li>\n<li>2-3 years (2), 3-5 years (3), 5-10 years (4), 10+ (5)<\/li>\n<li>Programming Language\n<ul>\n<li>.cfm (1)<\/li>\n<li>AJAX (1)<\/li>\n<li>.do\/.jsp (1)<\/li>\n<li>.cgi\/.pl\/.shtml (2)<\/li>\n<li>.asp (2)<\/li>\n<li>.php (2)<\/li>\n<li>.aspx\/.jspx\/.html (0)<\/li>\n<li>Languages + Demographics theory<\/li>\n<\/ul>\n<\/li>\n<li>Size of the Site Logic Complexity\n<ul>\n<li>Surf around manually\n<ul>\n<li>Sitemap<\/li>\n<\/ul>\n<\/li>\n<li>Google inurl: search<\/li>\n<li>Spider (added download + added time)<\/li>\n<li>Small (0), Medium \u2013 typical retailer (1), Large \u2013 Yahoo (3)<\/li>\n<\/ul>\n<\/li>\n<li>Search\n<ul>\n<li>XSS tests (1)\n<ul>\n<li>\u201cCompany\u201d<\/li>\n<li>I &lt;3 U<\/li>\n<\/ul>\n<\/li>\n<li>SQL injection (1)\n<ul>\n<li>O\u2019Malley<\/li>\n<\/ul>\n<\/li>\n<li>DoS (.5)\n<ul>\n<li>a AND b AND c \u2026<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<li>Registration\n<ul>\n<li>Does it exist?\u00a0 Yes (1)<\/li>\n<li>Email validation and\/or CAPTCHA (1-2)<\/li>\n<li>Password complexity? (1)<\/li>\n<li>Can you choose \u201cadmin\u201d as a username? (1)<\/li>\n<\/ul>\n<\/li>\n<li>Security Functions\n<ul>\n<li>Does change password enforce password complexity rules<\/li>\n<li>Does change password require the existing password<\/li>\n<li>Can you change email address without a password<\/li>\n<li>Can emails be changed without validating them<\/li>\n<li>Are secret questions \u201cstrong\u201d<\/li>\n<\/ul>\n<\/li>\n<li>Contact forms\n<ul>\n<li>Do they have an email address in a hidden field (1)<\/li>\n<li>Submit a blank contact\n<ul>\n<li>Does it work without an error (1)<\/li>\n<\/ul>\n<\/li>\n<li>With and without JavaScript\n<ul>\n<li>Does it say \u201cThanks\u201d without JS but errors when JS is turned on (1)<\/li>\n<\/ul>\n<\/li>\n<li>Can users contact other users on the site (Eg: Private message) (2)<\/li>\n<\/ul>\n<\/li>\n<li>Login\n<ul>\n<li>Does it use SSL (1)<\/li>\n<li>Does it allow auto complete (1)<\/li>\n<li>Does it stop me from being able to type failed logins (3)\n<ul>\n<li>Horizontal, Vertical, &amp; Diagonal Brute Force attacks<\/li>\n<\/ul>\n<\/li>\n<li>Can you switch POST to GET (1)\n<ul>\n<li>Session fixation<\/li>\n<li>CSRF (1 per major site function, EG: change password, change secret question, change email address, etc)<\/li>\n<\/ul>\n<\/li>\n<li>Does it auto-logout (1)<\/li>\n<li>javascript:alert(document.cookie) (1)<\/li>\n<\/ul>\n<\/li>\n<li>Forgot password flow\n<ul>\n<li>Does it send the plaintext password (1)<\/li>\n<li>Does it send a \u201csmall\u201d key (1) \u2013 20 bits or less<\/li>\n<li>Does it tell you if your username is valid or not (.5)<\/li>\n<\/ul>\n<\/li>\n<li>File Upload\n<ul>\n<li>Does it check file extensions (.5)<\/li>\n<li>Does it check file types (.5)<\/li>\n<li>Does it allow re-displaying of the file (1)<\/li>\n<\/ul>\n<\/li>\n<li>HTML\/JS\/CSS Comments\n<ul>\n<li>Intranet IPs\/addresses (.5)<\/li>\n<li>Passwords (1)<\/li>\n<li>Functionality comments (.5)<\/li>\n<\/ul>\n<\/li>\n<li>URL Structure\n<ul>\n<li>function?path=\/files\/file.asp (1)<\/li>\n<li>something?id=104 (1)<\/li>\n<li>search?q=bob&amp;charset=UTF-8 (1)\n<ul>\n<li>alternate charset<\/li>\n<li>header injection<\/li>\n<\/ul>\n<\/li>\n<li>redir?url=http:\/\/www.cnn.com\/ (.5)<\/li>\n<li>chngpasswd?usr=bob&amp;pass=1234 (2)<\/li>\n<li>\/images\/ If it shows a directory (1)<\/li>\n<\/ul>\n<\/li>\n<li>Obvious admin interfaces (2)\n<ul>\n<li>\/admin\/<\/li>\n<li>\/blog\/wp-admin\/<\/li>\n<li>\/administrator\/<\/li>\n<li>\/adm\/<\/li>\n<li>admin.url.com<\/li>\n<\/ul>\n<\/li>\n<li>Outdated Open Source or Commercial Programs\n<ul>\n<li>PHP nuke<\/li>\n<li>WordPress<\/li>\n<li>Drupal<\/li>\n<li>3\/instance<\/li>\n<li>+1 for every major revision out of date<\/li>\n<\/ul>\n<\/li>\n<li>Other questions\n<ul>\n<li>Does it allow rich HTML user comments (1)<\/li>\n<li>Does it have a send-to-friend function (1)<\/li>\n<li>Virtual host? (MSN IP search) (1)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><span style=\"text-decoration: underline;\"><strong>Things this doesn\u2019t cover<\/strong><\/span><\/p>\n<ul>\n<li>Timing attacks, buffer overflows, etc<\/li>\n<li>Network infrastructure flaws (including DNS)<\/li>\n<li>Predictable file locations (VCS trees, etc)<\/li>\n<li>Logic flaws<\/li>\n<li>Backup files\/folders\/CVS trees, etc<\/li>\n<li>Alternate paths of exploitation (email, FTP, APIs, etc)<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>After giving my presentation on &#8220;Using Proxies to Secure Applications and More&#8221; at the TRISC 2009 conference, I decided to attend the presentation by Robert &#8220;RSnake&#8221; Hansen and Rob MacDougal entitled &#8220;Assessing Your Web App Manually Without Hacking It&#8221;.\u00a0 The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript, [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[222],"tags":[229,76,230,228,158,159,102],"class_list":["post-206","post","type-post","status-publish","format-standard","hentry","category-texas-regional-infrastructure-security-conference-2009","tag-app","tag-application","tag-assessment","tag-manual","tag-penetration","tag-testing","tag-web"],"aioseo_notices":[],"aioseo_head":"\n\t\t<!-- All in One SEO 4.9.10 - aioseo.com -->\n\t<meta name=\"description\" content=\"After giving my presentation on &quot;Using Proxies to Secure Applications and More&quot; at the TRISC 2009 conference, I decided to attend the presentation by Robert &quot;RSnake&quot; Hansen and Rob MacDougal entitled &quot;Assessing Your Web App Manually Without Hacking It&quot;. The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,\" \/>\n\t<meta name=\"robots\" content=\"max-image-preview:large\" \/>\n\t<meta name=\"author\" content=\"Josh\"\/>\n\t<link rel=\"canonical\" href=\"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/\" \/>\n\t<meta name=\"generator\" content=\"All in One SEO (AIOSEO) 4.9.10\" \/>\n\t\t<meta property=\"og:locale\" content=\"en_US\" \/>\n\t\t<meta property=\"og:site_name\" content=\"Web Admin Blog | Real Web Admins.  Real World Experience.\" \/>\n\t\t<meta property=\"og:type\" content=\"article\" \/>\n\t\t<meta property=\"og:title\" content=\"Assessing Your Web App Manually Without Hacking It | Web Admin Blog\" \/>\n\t\t<meta property=\"og:description\" content=\"After giving my presentation on &quot;Using Proxies to Secure Applications and More&quot; at the TRISC 2009 conference, I decided to attend the presentation by Robert &quot;RSnake&quot; Hansen and Rob MacDougal entitled &quot;Assessing Your Web App Manually Without Hacking It&quot;. The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,\" \/>\n\t\t<meta property=\"og:url\" content=\"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/\" \/>\n\t\t<meta property=\"article:published_time\" content=\"2009-03-23T21:00:50+00:00\" \/>\n\t\t<meta property=\"article:modified_time\" content=\"2009-04-01T15:33:29+00:00\" \/>\n\t\t<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n\t\t<meta name=\"twitter:title\" content=\"Assessing Your Web App Manually Without Hacking It | Web Admin Blog\" \/>\n\t\t<meta name=\"twitter:description\" content=\"After giving my presentation on &quot;Using Proxies to Secure Applications and More&quot; at the TRISC 2009 conference, I decided to attend the presentation by Robert &quot;RSnake&quot; Hansen and Rob MacDougal entitled &quot;Assessing Your Web App Manually Without Hacking It&quot;. The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,\" \/>\n\t\t<script type=\"application\/ld+json\" class=\"aioseo-schema\">\n\t\t\t{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#article\",\"name\":\"Assessing Your Web App Manually Without Hacking It | Web Admin Blog\",\"headline\":\"Assessing Your Web App Manually Without Hacking It\",\"author\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"publisher\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\"},\"datePublished\":\"2009-03-23T16:00:50-05:00\",\"dateModified\":\"2009-04-01T10:33:29-05:00\",\"inLanguage\":\"en-US\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#webpage\"},\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#webpage\"},\"articleSection\":\"TRISC 2009, app, application, assessment, manual, penetration, testing, web\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#breadcrumblist\",\"itemListElement\":[{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com#listItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.webadminblog.com\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/#listItem\",\"name\":\"Conferences\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/#listItem\",\"position\":2,\"name\":\"Conferences\",\"item\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/texas-regional-infrastructure-security-conference-2009\\\/#listItem\",\"name\":\"TRISC 2009\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com#listItem\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/texas-regional-infrastructure-security-conference-2009\\\/#listItem\",\"position\":3,\"name\":\"TRISC 2009\",\"item\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/texas-regional-infrastructure-security-conference-2009\\\/\",\"nextItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#listItem\",\"name\":\"Assessing Your Web App Manually Without Hacking It\"},\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/#listItem\",\"name\":\"Conferences\"}},{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#listItem\",\"position\":4,\"name\":\"Assessing Your Web App Manually Without Hacking It\",\"previousItem\":{\"@type\":\"ListItem\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/category\\\/conferences\\\/texas-regional-infrastructure-security-conference-2009\\\/#listItem\",\"name\":\"TRISC 2009\"}}]},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\",\"name\":\"Web Admin Blog\",\"description\":\"Real Web Admins.  Real World Experience.\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/\",\"name\":\"Josh\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#authorImage\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/17951f69795527f90a4e9cb75ad6c9b3?s=96&d=identicon&r=pg\",\"width\":96,\"height\":96,\"caption\":\"Josh\"}},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#webpage\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/\",\"name\":\"Assessing Your Web App Manually Without Hacking It | Web Admin Blog\",\"description\":\"After giving my presentation on \\\"Using Proxies to Secure Applications and More\\\" at the TRISC 2009 conference, I decided to attend the presentation by Robert \\\"RSnake\\\" Hansen and Rob MacDougal entitled \\\"Assessing Your Web App Manually Without Hacking It\\\". The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,\",\"inLanguage\":\"en-US\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#website\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/2009\\\/03\\\/23\\\/assessing-your-web-app-manually-without-hacking-it\\\/#breadcrumblist\"},\"author\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"creator\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/index.php\\\/author\\\/jsokol\\\/#author\"},\"datePublished\":\"2009-03-23T16:00:50-05:00\",\"dateModified\":\"2009-04-01T10:33:29-05:00\"},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#website\",\"url\":\"https:\\\/\\\/www.webadminblog.com\\\/\",\"name\":\"Web Admin Blog\",\"description\":\"Real Web Admins.  Real World Experience.\",\"inLanguage\":\"en-US\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.webadminblog.com\\\/#organization\"}}]}\n\t\t<\/script>\n\t\t<!-- All in One SEO -->\n\n","aioseo_head_json":{"title":"Assessing Your Web App Manually Without Hacking It | Web Admin Blog","description":"After giving my presentation on \"Using Proxies to Secure Applications and More\" at the TRISC 2009 conference, I decided to attend the presentation by Robert \"RSnake\" Hansen and Rob MacDougal entitled \"Assessing Your Web App Manually Without Hacking It\". The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,","canonical_url":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/","robots":"max-image-preview:large","keywords":"","webmasterTools":{"miscellaneous":""},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#article","name":"Assessing Your Web App Manually Without Hacking It | Web Admin Blog","headline":"Assessing Your Web App Manually Without Hacking It","author":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"publisher":{"@id":"https:\/\/www.webadminblog.com\/#organization"},"datePublished":"2009-03-23T16:00:50-05:00","dateModified":"2009-04-01T10:33:29-05:00","inLanguage":"en-US","mainEntityOfPage":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#webpage"},"isPartOf":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#webpage"},"articleSection":"TRISC 2009, app, application, assessment, manual, penetration, testing, web"},{"@type":"BreadcrumbList","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#breadcrumblist","itemListElement":[{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com#listItem","position":1,"name":"Home","item":"https:\/\/www.webadminblog.com","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/#listItem","name":"Conferences"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/#listItem","position":2,"name":"Conferences","item":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/texas-regional-infrastructure-security-conference-2009\/#listItem","name":"TRISC 2009"},"previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com#listItem","name":"Home"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/texas-regional-infrastructure-security-conference-2009\/#listItem","position":3,"name":"TRISC 2009","item":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/texas-regional-infrastructure-security-conference-2009\/","nextItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#listItem","name":"Assessing Your Web App Manually Without Hacking It"},"previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/#listItem","name":"Conferences"}},{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#listItem","position":4,"name":"Assessing Your Web App Manually Without Hacking It","previousItem":{"@type":"ListItem","@id":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/texas-regional-infrastructure-security-conference-2009\/#listItem","name":"TRISC 2009"}}]},{"@type":"Organization","@id":"https:\/\/www.webadminblog.com\/#organization","name":"Web Admin Blog","description":"Real Web Admins.  Real World Experience.","url":"https:\/\/www.webadminblog.com\/"},{"@type":"Person","@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author","url":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/","name":"Josh","image":{"@type":"ImageObject","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#authorImage","url":"https:\/\/secure.gravatar.com\/avatar\/17951f69795527f90a4e9cb75ad6c9b3?s=96&d=identicon&r=pg","width":96,"height":96,"caption":"Josh"}},{"@type":"WebPage","@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#webpage","url":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/","name":"Assessing Your Web App Manually Without Hacking It | Web Admin Blog","description":"After giving my presentation on \"Using Proxies to Secure Applications and More\" at the TRISC 2009 conference, I decided to attend the presentation by Robert \"RSnake\" Hansen and Rob MacDougal entitled \"Assessing Your Web App Manually Without Hacking It\". The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,","inLanguage":"en-US","isPartOf":{"@id":"https:\/\/www.webadminblog.com\/#website"},"breadcrumb":{"@id":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/#breadcrumblist"},"author":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"creator":{"@id":"https:\/\/www.webadminblog.com\/index.php\/author\/jsokol\/#author"},"datePublished":"2009-03-23T16:00:50-05:00","dateModified":"2009-04-01T10:33:29-05:00"},{"@type":"WebSite","@id":"https:\/\/www.webadminblog.com\/#website","url":"https:\/\/www.webadminblog.com\/","name":"Web Admin Blog","description":"Real Web Admins.  Real World Experience.","inLanguage":"en-US","publisher":{"@id":"https:\/\/www.webadminblog.com\/#organization"}}]},"og:locale":"en_US","og:site_name":"Web Admin Blog | Real Web Admins.  Real World Experience.","og:type":"article","og:title":"Assessing Your Web App Manually Without Hacking It | Web Admin Blog","og:description":"After giving my presentation on &quot;Using Proxies to Secure Applications and More&quot; at the TRISC 2009 conference, I decided to attend the presentation by Robert &quot;RSnake&quot; Hansen and Rob MacDougal entitled &quot;Assessing Your Web App Manually Without Hacking It&quot;. The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,","og:url":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/","article:published_time":"2009-03-23T21:00:50+00:00","article:modified_time":"2009-04-01T15:33:29+00:00","twitter:card":"summary_large_image","twitter:title":"Assessing Your Web App Manually Without Hacking It | Web Admin Blog","twitter:description":"After giving my presentation on &quot;Using Proxies to Secure Applications and More&quot; at the TRISC 2009 conference, I decided to attend the presentation by Robert &quot;RSnake&quot; Hansen and Rob MacDougal entitled &quot;Assessing Your Web App Manually Without Hacking It&quot;. The gist of this presentation was that with a few simple tools (Web Developer Toolbar, NoScript,"},"aioseo_meta_data":{"post_id":"206","title":null,"description":null,"keywords":null,"keyphrases":null,"primary_term":null,"canonical_url":null,"og_title":null,"og_description":null,"og_object_type":"default","og_image_type":"default","og_image_url":null,"og_image_width":null,"og_image_height":null,"og_image_custom_url":null,"og_image_custom_fields":null,"og_video":null,"og_custom_url":null,"og_article_section":null,"og_article_tags":null,"twitter_use_og":false,"twitter_card":"default","twitter_image_type":"default","twitter_image_url":null,"twitter_image_custom_url":null,"twitter_image_custom_fields":null,"twitter_title":null,"twitter_description":null,"schema":{"blockGraphs":[],"customGraphs":[],"default":{"data":{"Article":[],"Course":[],"Dataset":[],"FAQPage":[],"Movie":[],"Person":[],"Product":[],"ProductReview":[],"Car":[],"Recipe":[],"Service":[],"SoftwareApplication":[],"WebPage":[]},"graphName":"","isEnabled":true},"graphs":[]},"schema_type":"default","schema_type_options":null,"pillar_content":false,"robots_default":true,"robots_noindex":false,"robots_noarchive":false,"robots_nosnippet":false,"robots_nofollow":false,"robots_noimageindex":false,"robots_noodp":false,"robots_notranslate":false,"robots_max_snippet":null,"robots_max_videopreview":null,"robots_max_imagepreview":"large","priority":null,"frequency":null,"local_seo":null,"breadcrumb_settings":null,"limit_modified_date":false,"ai":null,"created":"2025-01-03 22:52:40","updated":"2025-07-17 07:12:36","seo_analyzer_scan_date":null},"aioseo_breadcrumb":"<div class=\"aioseo-breadcrumbs\"><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\" title=\"Home\">Home<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/\" title=\"Conferences\">Conferences<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\t<a href=\"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/texas-regional-infrastructure-security-conference-2009\/\" title=\"TRISC 2009\">TRISC 2009<\/a>\n\t\t<\/span><span class=\"aioseo-breadcrumb-separator\">&raquo;<\/span><span class=\"aioseo-breadcrumb\">\n\t\t\tAssessing Your Web App Manually Without Hacking It\n\t\t<\/span><\/div>","aioseo_breadcrumb_json":[{"label":"Home","link":"https:\/\/www.webadminblog.com"},{"label":"Conferences","link":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/"},{"label":"TRISC 2009","link":"https:\/\/www.webadminblog.com\/index.php\/category\/conferences\/texas-regional-infrastructure-security-conference-2009\/"},{"label":"Assessing Your Web App Manually Without Hacking It","link":"https:\/\/www.webadminblog.com\/index.php\/2009\/03\/23\/assessing-your-web-app-manually-without-hacking-it\/"}],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-3k","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=206"}],"version-history":[{"count":3,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/206\/revisions"}],"predecessor-version":[{"id":208,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/206\/revisions\/208"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}