Website Impersonation Attacks: Who is REALLY Behind That Mask?

Jason Mortensen

Fri, 1st August 2014


Speaker Bio 1:
Jason Mortensen has been practicing information security for over a decade, solving real world business problems in a global, corporate environment. He has demonstrated technical leadership in numerous areas in information security, including web application security, risk assessment and management, user authentication, identity and access management, and security standards development.

Learning Objectives:

Jason will explain:

  • How web applications are one of the most common ways that business-critical data is made available to users, and, as a result, one of the most popular targets for security attacks.
  • How authentication weaknesses in web sites can be particularly disastrous, essentially allowing attackers to walk through your virtual front door and steal your critical information.
  • Key techniques that are used for attacking web site authentication, and countermeasures to protect against such attacks.

Questions and answers

Max, Concise Courses:
Are you familiar with the firefox addon “HTTPS Everywhere”? Should I get my team to install it on their browsers?

Jason Mortensen:
Yes, HTTPS Everywhere is a really good idea. What the [Firefox add-on] does is it [acts] like a plug-in: it takes your Firefox, and when you try going to a website, for example Facebook, and go to the regular HTTP Facebook, this browser extension will intercept that and force your browser to try to go to the HTTPS website. I think it’s a good idea to force HTTPS wherever you can, and this is certainly a tool that will help you do that. Just in case you do go to a website that is not encrypted, this will attempt to force you to use the encrypted part of the website, to make sure that any passwords or session tokens are protected.
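The upgrade step described in this answer works from a ruleset: a rule matches a plain-HTTP URL for a target host and rewrites it to HTTPS, with exclusions for paths that have no working HTTPS version. The Python below is an added illustration of that mechanism, not code from the talk or from the HTTPS Everywhere project; the hosts in the ruleset (example.com, example.net) and the rules themselves are constructed for the example.

```python
"""Ruleset-driven HTTP-to-HTTPS rewriting, in the style of HTTPS Everywhere.

Added example, not the project's own code. The RULESET below is constructed
for illustration; the hostnames and the exclusion path are assumptions.
"""
import re
from urllib.parse import urlsplit

# Each entry: host patterns it applies to, (from-regex, to-template) rewrite
# rules, and exclusion regexes whose matches stay on plain HTTP (the usual
# escape hatch for a path that is broken over HTTPS).
RULESET = [
    {
        "targets": [r"^(www\.)?example\.com$"],
        "rules": [(r"^http://(www\.)?example\.com/", "https://www.example.com/")],
        "exclusions": [r"^http://www\.example\.com/legacy/"],
    },
    {
        "targets": [r"^.+\.example\.net$"],
        "rules": [(r"^http:", "https:")],
        "exclusions": [],
    },
]


def upgrade_url(url: str, ruleset=RULESET) -> str:
    """Return the HTTPS form of url when a rule covers it, else url unchanged."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url  # already https (or not a web URL): nothing to do
    host = parts.hostname or ""
    for entry in ruleset:
        if not any(re.match(t, host) for t in entry["targets"]):
            continue  # this entry is for other hosts
        if any(re.match(x, url) for x in entry["exclusions"]):
            return url  # explicitly left on HTTP by the ruleset
        for pattern, repl in entry["rules"]:
            new_url, count = re.subn(pattern, repl, url, count=1)
            if count:
                return new_url
    return url  # no rule matched: the browser would proceed over HTTP


def upgrade_all(urls, ruleset=RULESET):
    """Apply upgrade_url to a list of URLs, returning (original, result) pairs."""
    return [(u, upgrade_url(u, ruleset)) for u in urls]


if __name__ == "__main__":
    # Constructed sample navigation targets.
    for before, after in upgrade_all([
        "http://example.com/login",
        "http://www.example.com/legacy/report",
        "http://cdn.example.net/app.js",
        "http://other.invalid/",
    ]):
        print(f"{before} -> {after}")
```

The security point of the exclusion list is worth noticing: any URL that stays on HTTP is exactly where a login form or a session cookie without the Secure flag would still travel in the clear, so an exclusion on a site you own is a finding, not a convenience.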


Max, Concise Courses:
What do you think of WebGoat, is it worth learning, and what is your favorite resource for this subject?

Jason Mortensen:
There are a number of different tools that help people to learn web application security. I think that WebGoat is a good resource; there are a number out there. I know that Foundstone has a number of vulnerable websites that you can use to practice hacking techniques for web hacking. Typically you want to make sure that you are testing a website that you have access to, so some of the websites that are vulnerable on purpose – that’s a great way to test out these things without getting into trouble.

There are a number of tools. You ought to use a local proxy tool that will allow you to intercept the HTTP traffic and manipulate it before you send it back. OWASP has the ZAP tool, and I know Burp Proxy is a very common and very well done tool. WebGoat is fine though.
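What an intercepting proxy such as ZAP or Burp lets you do by hand is hold a captured request, edit a form field or a header, fix up the framing so the server still accepts it, and forward it. The Python below is an added example of that manipulation step on a raw request, not code from the talk or from either tool; the captured login request, its host (app.example.com) and its field names are constructed for the example.

```python
"""Edit a captured HTTP request before replaying it, the manual step an
intercepting proxy (ZAP, Burp) gives you.

Added example, not code from either tool. CAPTURED_REQUEST is constructed;
the host, cookie value and form field names are assumptions.
"""
from urllib.parse import parse_qsl, urlencode

# Constructed sample: a login POST exactly as a proxy would display it.
# Content-Length (40) matches the body on the last line.
CAPTURED_REQUEST = (
    b"POST /account/login HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
    b"username=alice&password=secret&role=user"
)


def parse_request(raw: bytes):
    """Split a raw request into (request line, [(header, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = []
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers.append((name.strip(), value.strip()))
    return request_line, headers, body


def build_request(request_line: str, headers, body: bytes) -> bytes:
    """Reassemble a request from the parts returned by parse_request."""
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in headers])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def set_header(raw: bytes, name: str, value: str) -> bytes:
    """Replace (or add) one header, e.g. to swap the session cookie."""
    request_line, headers, body = parse_request(raw)
    lowered = [n.lower() for n, _ in headers]
    if name.lower() in lowered:
        headers = [(n, value if n.lower() == name.lower() else v) for n, v in headers]
    else:
        headers.append((name, value))
    return build_request(request_line, headers, body)


def set_form_field(raw: bytes, name: str, value: str) -> bytes:
    """Change one urlencoded form field and correct Content-Length to match.

    A stale Content-Length is the usual reason a hand-edited request fails:
    the server reads too few or too many bytes and rejects or truncates it.
    """
    request_line, headers, body = parse_request(raw)
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    fields = [(k, value if k == name else v) for k, v in fields]
    if name not in dict(fields):
        fields.append((name, value))  # field absent: add it
    new_body = urlencode(fields).encode("latin-1")
    headers = [
        (n, str(len(new_body)) if n.lower() == "content-length" else v)
        for n, v in headers
    ]
    return build_request(request_line, headers, new_body)


def header_value(raw: bytes, name: str) -> str:
    """Look up a header value (case-insensitive) for inspection."""
    _, headers, _ = parse_request(raw)
    return {n.lower(): v for n, v in headers}.get(name.lower(), "")


if __name__ == "__main__":
    tampered = set_form_field(CAPTURED_REQUEST, "role", "admin")
    tampered = set_header(tampered, "Cookie", "session=someone-elses-token")
    print(tampered.decode("latin-1"))
```

Two things to check in your own applications after trying this against a practice target: that a client-supplied field like `role` is never trusted server-side, and that swapping the session cookie for another valid token is all it takes to become that user, which is why the session token deserves the same protection as the password.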