Adam Doupé

Associate Professor, Arizona State University
Director, Center for Cybersecurity and Trusted Foundations

OWASP Phoenix Talk on Black-Box Web Vulnerability Scanners


On Wednesday, June 29th, 2016, I was privileged to give a talk at OWASP Phoenix titled “Everything You’ve Ever Wanted to Know About Black-Box Web Vulnerability Scanners (But Were Afraid to Ask)”.

This was an exciting talk for me, as it was my first ever OWASP meeting. I am a big fan of OWASP, and they have been instrumental in helping shape my knowledge of security. I’m happy to start giving back to the OWASP community.

In this talk I covered parts of the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners, along with the intentionally vulnerable web application WackoPicko, which is contained in the great OWASP Broken Web Applications Project.

I then covered parts of the paper Enemy of the State: A State-Aware Black-Box Web Vulnerability Scanner, whose state-aware crawler source code is available on GitHub.

I also discussed some preliminary work in this area and where I see the field of black-box vulnerability analysis research heading in the future.

There’s also a fantastic Q&A session at the end, with great questions from the audience.

Here is the video of the talk: