Tracy: Because Tracing User Input Through JavaScript is for Tools

Being able to comprehend causal relationships between sources of user input and their corresponding output is a distinguishing characteristic that separates the master web hacker from the novice script kiddy. The better a tester can grasp these relationships, the faster they can abuse lapses in input sanitization, identify dangerous programming patterns, and understand the overall attack surface of the application.

However, enumerating these relationships is difficult and time intensive to do by hand, especially with JavaScript-heavy apps. Security scanning tools have tried to automate this procedure, but they face several problems in modern web applications:

To solve these problems, we need a tool that augments, not automates, a manual penetration tester by helping them understand all of the inputs and outputs of a web application. To this end, we present Tracy, a tool for assisting penetration testers with enumerating every sink of output for all user input sources.

Jake Heath is a penetration tester with NCC Group. Jake performs web application and network penetration tests as well as various types of hardware engagements, including hardware teardowns, physical threat...

Michael Roberts is a penetration tester with NCC Group. Michael performs web, mobile application and network penetration tests, and has a passion for virtual reality and machine learning outside of...

Back to talks..