
Abstract


Sergey Gordeychik is a director and scriptwriter of the Positive Hack Days forum, and captain of the SCADAStrangeLove.org team. He is also a member of the Web Application Security Consortium (WASC). Alexey is a coauthor of the research and will join us via Skype to provide some mathematical hardcore.

[Abstract] There is no silver bullet for automating application security testing. Attempts to combine SAST and DAST in one tool, or to correlate their results through "hybrid analysis", may expand dynamic coverage but do not reduce false positive rates. To provide easy-to-understand results and a low level of false positives, a method of automatic exploit generation for source code analysis was developed. By using state-of-the-art mathematical methods, this approach can use the power of SAST to create ready-to-use exploits (e.g. input data to trigger an attack via a detected vulnerability) for the most common application flaws, such as SQL Injection, XML External Entity, Cross-Site Scripting, Remote and Local File Inclusion and so on. During practical testing of the method, the ability to highlight backdoors or application-specific flaws, such as hardcoded passwords or "hidden" execution paths, was observed.
To prove the efficiency of the method, several vulnerabilities in widely deployed applications will be disclosed.
