Web App Security Testing for Everyone

A session at O'Reilly Fluent Conference 2015

Wednesday 22nd April, 2015

4:30pm to 5:00pm (PST)

Web applications are under constant attack, and intrusions and data breaches are on the rise. Though some attacks are complex and sophisticated, many of the most common vulnerabilities are straightforward to observe and exploit.

In this presentation, Tony Porterfield will describe ways for users without extensive security experience to test for common vulnerabilities in web applications using only a browser and free software tools. These techniques will be illustrated with examples of actual vulnerabilities that he has observed while testing educational web applications. He will present a test plan that can be used to survey a site’s security in a short amount of time, and describe how it relates to the OWASP ASVS and Top 10 list.

Participants will learn how to test for and discover vulnerabilities including:

* Improper session management and cookie settings
* Username enumeration
* Direct object references
* Caching of sensitive data
* Improper password storage
* Information leakage
* Exposed APIs
* Error messages and excessive headers
* Email sent without TLS
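Several of the items above (cookie settings, caching of sensitive data, excessive headers) can be observed directly in a raw HTTP response, which is what a browser's network panel or an intercepting proxy shows. The script below is an added example written for this page, not the speaker's test plan or any tool from the session: it parses a raw response and reports the same classes of weakness, and the two sample responses it checks are constructed for illustration, not captured from a real site. The `over_https` and `sensitive` parameters are assumptions about the page being tested, since a Secure flag or HSTS header only makes sense on an HTTPS site and `no-store` only matters for pages that carry private data.

```python
"""Quick survey of one raw HTTP response for cookie, caching and
information-disclosure weaknesses. Added example for this page; the
sample responses below are constructed, not real captures."""
from typing import List, Tuple

# Constructed sample: a weak response of the kind seen on an unhardened
# ASP.NET deployment (session cookie without flags, cacheable page,
# platform version headers, no HSTS). Not a real capture.
WEAK_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Set-Cookie: ASP.NET_SessionId=abc123; path=/
Set-Cookie: prefs=theme%3Ddark; path=/; Secure; HttpOnly; SameSite=Lax
Cache-Control: private, max-age=3600
Content-Type: text/html

<html>...</html>
"""

# Constructed sample: the same page with the corrected settings.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict
Cache-Control: no-store
Strict-Transport-Security: max-age=31536000
Content-Type: text/html

<html>...</html>
"""

# Headers that disclose the server platform or version; their presence is
# reported regardless of value, since they are unnecessary for the browser.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def parse_response(raw: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a raw HTTP response into its status line and a list of
    (lowercased name, value) pairs. A list is used rather than a dict so
    repeated headers such as Set-Cookie are all kept."""
    lines = raw.strip().splitlines()
    status = lines[0]
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def survey(raw: str, over_https: bool = True, sensitive: bool = True) -> List[str]:
    """Return a list of human-readable findings for one response.
    over_https: the page was served over HTTPS (Secure flag and HSTS apply).
    sensitive: the page carries private data (caching must be disabled)."""
    _, headers = parse_response(raw)
    findings: List[str] = []

    def get(name: str) -> List[str]:
        return [v for n, v in headers if n == name]

    # Cookie settings: each Set-Cookie should carry Secure, HttpOnly and SameSite.
    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if over_https and "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "samesite" not in attrs:
            findings.append(f"cookie {name}: missing SameSite")

    # Caching of sensitive data: private pages need Cache-Control: no-store,
    # otherwise the browser (or a shared proxy) may keep a copy on disk.
    if sensitive and "no-store" not in " ".join(get("cache-control")).lower():
        findings.append("sensitive response cacheable: Cache-Control lacks no-store")

    # Excessive headers: platform and version disclosure.
    for name in DISCLOSURE_HEADERS:
        for value in get(name):
            findings.append(f"{name} discloses platform: {value}")

    # HTTPS sites should pin the browser to TLS with HSTS.
    if over_https and not get("strict-transport-security"):
        findings.append("missing Strict-Transport-Security")
    return findings


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"== {label} ==")
        for finding in survey(raw) or ["no findings"]:
            print(" -", finding)
```

Run against the weak sample it reports eight findings (three missing flags on the session cookie, the cacheable page, three disclosure headers and the absent HSTS header); the hardened sample produces none. Paste in the header block copied from a proxy such as ZAP or Burp to check a real page.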

Participants will learn about free software and websites that can be used to evaluate security, including:

* Browser add-ons
* Security-checking proxies such as OWASP ZAP and Burp Proxy
* SSL Checker
* TLS Checker
* ASAFAWEB ASP.net security checker
* Google transparency reports

About the speaker

Tony Porterfield

Security researcher and advocate

Tony Porterfield is a software engineer with 20 years of experience in the computer and networking industries. A parent of two, he advocates for improving the security and privacy of web applications used by children and students.

His web app security findings have been published in the New York Times and Mother Jones, and he was a panelist at the 2014 Common Sense Media School Privacy Zone Summit in Washington DC.

He writes about security on his blog, www.edtechinfosec.org.
