At Oredev 2014 I presented two track sessions:
CONFESSIONS OF AN ACCIDENTAL SECURITY TESTER - "I DIDN'T BREAK IN, YOU LEFT THE DOOR OPEN"
"Alan Richardson has stumbled across security issues on a number of live web sites and applications. He didn't mean to, he was just observing the system at a lower level of detail than other users, and then asked questions about what he saw. In this session he will describe: tools he used, the thought processes he went through, the bugs he found, the processes he went through to raise and pressure the companies to fix, and the extreme lack of rewards and gratitude that he received in the process"
In this presentation at Oredev 2014 I describe the 'habits' that I adopt as part of my test approach which help me observe and stumble across "Security Issues", even though I don't do the same things as Security Testers.
The talk was recorded, so you can watch the video:
The full blurb is below:
"Alan Richardson does not describe himself as a security tester. He's read the books so he knows enough to know he doesn't know or do that stuff properly. But he has found security issues, on projects, and on live sites that he depends on for his business.
You want to know user details? Yup, found those. You want to download the paid-for assets from the site without paying for them? Yup, can do. You want to see the payment details for other people? OK, here they are. All of this, and more, as Alan stumbled, shocked, from one security issue to the next.
In this session Alan describes examples of security issues, and how he found them: the tools he used, why he used them, what he observed and what that triggered in his thought processes.
Perhaps most shocking is not that the issues were live and relatively easy to find and exploit, but that the companies were so uninterested in them. So this talk also covers how to 'advocate' for these issues. It also warns you not to expect rewards and gratitude. Companies with these types of issues typically do not have bug bounty schemes.
Nowadays, many of the tools you need to find and exploit these issues are built into the browser. Anyone could find them. But testers have a head start. So in this session Alan shows how you can build on the knowledge and thought processes you already have to find these types of issues.
This is a talk about pushing your functional testing further, deeper, and with more technical observation, so you too can 'accidentally' discover security issues."
I presented "Automation Abstractions: Page Objects and Beyond" as a conference talk at Oredev 2014.
I have uploaded the slides to slideshare.
And the source code is in this repo.
The talk was filmed and recorded by Oredev; unfortunately, the audio does not appear to have recorded properly and is very, very quiet in the original video.
I managed to edit the video and have processed the audio to make it louder. It is a little clipped, but at least you can hear it in the video below.