Abstract: Blacklists are all too commonly seen as a defense against all kinds of attacks. I’ll be discussing the perils of using blacklists and how easily they can be bypassed for attacks such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and File Uploads. I’ll share some of the techniques I’ve used to bypass clients’ blacklists. I will also cover why whitelists should be favored over blacklists and some techniques for proper implementation.

Author Bio: Damian Profancik is a Principal Security Consultant in the Application Security Group of Trustwave’s SpiderLabs. He has worked as a server/network infrastructure and security consultant for over 12 years with the last 4 years solely focused on information security. His main focus has been on application security and vulnerability research. He has worked in this capacity both independently and for a number of companies ranging from small businesses to fortune 100 enterprises. His work has included network penetration testing, application penetration testing, reverse engineering, exploit development, architectural design analysis, code review, and forensics. He is actively involved in the Information Security community through speaking engagements at events DerbyCon, ShmooCon, OWASP, and ISSA, and he is a co-leader for the local OWASP chapter.

Back to Circle City Con 2014 Videos list