I like webapps, don’t you? Webapps have got to be the best way to learn about security. Why? Because they’re self-contained and so very transparent.
You don’t need a big ol’ lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. And so long as you’re attacking your own stuff, it’s easy to stay out of trouble. You’re up and running in the time it takes for a single download.
And the transparent part? Ever since “view source” in the earliest web browsers, it’s been easy to see exactly what’s going on in a webapp and in the browser. Every webapp you ever use has no choice but to give you the (client-side) source code! It’s almost like there’s no such thing as a “black box” webapp pentest if you think about it…
Anyhow – the Developer Tools in Firefox (and Chrome) are what happens when you take “view source” and add 25 years or so of creativity and power.
We’ll look at the Developer Tools in the latest Firefox with a pentester’s eye. Inspect and change the DOM (Document Object Model), take screenshots, find and extract key bits of data, use the console to run Javascript in the site’s origin context, and even pause script execution in the debugger if things go too fast…
Maybe we’ll convince you that you can realistically do a big chunk of a webapp pentest without ever leaving the browser.
Join the BHIS Discord channel — https://discord.gg/aHHh3u5
Slides for this webcast can be found here: https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_HowToDeveloperToolsWebappPentesting.pdf
0:00 – A Shady-White Slideshow with “FREE TOOLS!” On the Sign
0:38 – The Way Back Machine
11:00 – Always Be Learning
18:01 – The Path to the Developer Tools
24:37 – Console Separately From a Window
30:40 – The Network Tab
36:23 – Storage Tab
38:20 – All The Cookies
