Lavakumar Kuppan & Nafeez Ahmed

Paper Title

Pentesting a website with million lines of Javascript

Abstract

Web application security testing used to be very straightforward: you configured your browser to use an intercepting proxy, captured the traffic from the browser and then fuzzed this captured traffic for vulnerabilities. That was back when all the logic, and therefore all the vulnerabilities, lived on the server side. Things are very different today: complex business logic is increasingly being moved to the client side, giving rise to a new breed of vulnerabilities.

You might already know about all the DOM and HTML5 security problems, and you might already understand their impact well. But can you effectively test for these issues during a pentest? Do your favourite security tools allow you to test for this new breed of vulnerabilities? In this talk we will show you techniques, part science and part magic, that can get the job done.

Speaker Bio

Lavakumar Kuppan

Lavakumar Kuppan is the CTO of Ironwasp Information Security Solutions Pvt Ltd and founder of the open source IronWASP Project. IronWASP is one of the world's best web security scanners and is Asia's largest open source security project.

He is a well-known security researcher who has discovered new attacks and vulnerabilities in HTML5 and other browser technologies. He is also a frequent speaker at security conferences and has authored several security tools.

The web security scanning technology developed by him won an innovation award from the Indian Department of Science & Technology and Lockheed Martin. He was also awarded the Black Shield Luminaire award for his work in the field of security.

Nafeez Ahmed

Nafeez is a Security Engineer whose work ranges from end-to-end penetration testing to researching exotic security topics and creating threat models. He has an above-average interest in client-side security and network security.

In the past, he contributed to Facebook's white hat program in its early days and to various other bug bounty programs. He has spoken at Nullcon and CoC0n in previous years. He blogs sporadically at blog.skepticfx.com and tweets now and then as @skeptic_fx.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved