Tuesday, January 26 • 11:30am - 12:30pm
AuthMatrix: Simplified Authorization Testing for Web Applications


While many threats to web applications, such as SQLi and XSS, can be mitigated through generic framework-level solutions, enforcing authorization remains a complex task for developers. Proper enforcement of access controls requires design decisions unique to each application and is difficult to get right. Detecting authorization vulnerabilities is just as challenging, because these issues are hard to map and hard to test for systematically. Given the complexity of an application's architecture, pen-testers frequently have to spend their limited time and resources building custom tooling that fits a single application's authorization model and cannot be reused on the next target.


In this presentation we walk through the process of designing a tool that simplifies this testing methodology and reduces the redundant work of testing one unique target after another. We will discuss common authorization insecurity patterns seen in web applications and services, consider the challenges pen-testers typically face when testing for these issues, and present effective methods for mapping the intricacies of these models. Additionally, we will introduce AuthMatrix, a new extension for the Burp Suite testing utility, designed to express authorization test cases in a clear and reproducible manner.
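The core idea behind matrix-style authorization testing is simple: define the roles, define the requests, state which roles are expected to be allowed for each request, then replay every request as every role and flag any cell where the observed outcome disagrees with the expectation. The following is an added illustration of that approach, not code from AuthMatrix or the presenter; the target application is a constructed in-process stub (stub_app) standing in for the HTTP server a real test would hit, and its roles, paths and deliberately broken DELETE check are all hypothetical.

```python
"""Authorization matrix test: replay each request as every role and
compare the observed outcome with the expected allow/deny decision.

Constructed example, not AuthMatrix's own code. stub_app stands in for
a real application; a real test would send the request over HTTP with
each role's session cookie and evaluate the response the same way.
"""
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Roles under test (hypothetical). "anon" carries no session.
ROLES = {
    "anon":  {"session": None,    "uid": None, "is_admin": False},
    "alice": {"session": "s-a",   "uid": 1,    "is_admin": False},
    "bob":   {"session": "s-b",   "uid": 2,    "is_admin": False},
    "admin": {"session": "s-adm", "uid": 9,    "is_admin": True},
}

SESSIONS = {r["session"]: r for r in ROLES.values() if r["session"]}


@dataclass(frozen=True)
class Request:
    method: str
    path: str


def stub_app(req: Request, session: Optional[str], enforce_delete_owner: bool = False) -> int:
    """Return the HTTP status the constructed target app answers with.

    The intentional bug: DELETE /users/<id> only checks that *some*
    session exists, not that the caller owns the account or is an admin
    (horizontal privilege escalation). enforce_delete_owner=True is the
    hardened behaviour, kept side by side for comparison.
    """
    user = SESSIONS.get(session)
    parts = req.path.strip("/").split("/")
    if parts[0] == "public":
        return 200
    if user is None:
        return 401
    if parts[0] == "admin":
        return 200 if user["is_admin"] else 403
    if parts[0] == "users" and len(parts) == 2:
        target = int(parts[1])
        owner_or_admin = target == user["uid"] or user["is_admin"]
        if req.method == "GET":
            return 200 if owner_or_admin else 403
        if req.method == "DELETE":
            if enforce_delete_owner and not owner_or_admin:
                return 403
            return 200  # BUG when enforce_delete_owner is False
    return 404


def expected_matrix():
    """Requests under test and, per request, the set of roles that
    should be allowed. Everything not listed is expected to be denied."""
    allow = {
        Request("GET", "/public/status"): {"anon", "alice", "bob", "admin"},
        Request("GET", "/admin/config"): {"admin"},
        Request("GET", "/users/1"): {"alice", "admin"},
        Request("DELETE", "/users/1"): {"alice", "admin"},
    }
    return list(allow), allow


def run_matrix(app=stub_app):
    """Replay every request as every role; return the mismatching cells
    as (role, method, path, observed_status, expected_allowed)."""
    reqs, allow = expected_matrix()
    failures = []
    for role, req in product(ROLES, reqs):
        status = app(req, ROLES[role]["session"])
        observed_allowed = status < 400      # 2xx/3xx counted as access granted
        expected_allowed = role in allow[req]
        if observed_allowed != expected_allowed:
            failures.append((role, req.method, req.path, status, expected_allowed))
    return failures


if __name__ == "__main__":
    for cell in run_matrix():
        print("AUTHZ MISMATCH:", cell)
    print("hardened app failures:", run_matrix(lambda r, s: stub_app(r, s, True)))
```

Against the buggy stub the only mismatch is bob deleting alice's account with a 200; with enforce_delete_owner=True the matrix comes back clean. One caveat for real targets: many applications return 200 for everything and signal denial only in the body, so a status-code comparison like the one above must usually be replaced by a per-request success pattern (a string or regex matched against the response) to decide whether access was actually granted.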


Mick Ayzenberg

Security Engineer, Security Innovation
Mick’s years of security industry experience have included consulting on dozens of mid-to-long term projects for well-known technology companies. He has done extensive work in network protocol analysis, reversing, and fuzzing of both software applications and network communications...

Tuesday January 26, 2016 11:30am - 12:30pm PST
Annenberg Community Beach House