Yokoso! is a project focused on creating fingerprinting code that is deliverable through some form of client attack. This can be used during penetration tests that combine network and web applications. One of the most common questions we hear is "so what can you do with XSS?" and we hope that Yokoso! answers that question.

We will be creating JavaScript and Flash objects that can be delivered via XSS attacks. These code payloads will contain the fingerprinting information used to map out a network and the devices and software it contains.

Call for Fingerprints and Volunteers

The Yokoso! project team is interested in growing the number of fingerprints offered through Yokoso! We are asking for volunteers, both to help build the application and to fingerprint their infrastructure. Please contact us at if you are interested in helping with this.

To provide us with fingerprint URIs, please send us the URI for any unique items within the application. Some examples of this would be logo graphics or application files. We are specifically interested in knowing URIs from after authentication. Please send the URI along with the name and version of the software/hardware.

The Ultimate Pen Test: Combining Network and Web App Techniques for World Domination

Monday, September 29 * 7:00pm - 9:00pm
Ed Skoudis and Kevin Johnson
SANS Network Security 2008 Keynotes

Most penetration tests are focused on either network attacks or web application attacks. Given this separation, many pen testers themselves have understandably followed suit, specializing in one type of test or the other. While such specialization is a sign of a vibrant, healthy penetration testing industry, tests focused on only one of these aspects of a target environment often miss the real business risks of vulnerabilities discovered and exploited by determined and skilled attackers. By combining web app attacks such as SQL injection, Cross-Site Scripting, and Remote File Includes with network attacks such as port scanning, service compromise, and client-side exploitation, the bad guys are significantly more lethal. Penetration testers and the enterprises who use their services need to understand these blended attacks and how to measure whether they are vulnerable to them. This session provides practical examples of penetration tests that combine such attack vectors, and real-world advice for conducting such tests against your own organization.

Project Team

Project Leads

  Kevin Johnson

Kevin Johnson is a Senior Security Analyst with Intelguardians. Kevin came to security from a development and system administration background. He has many years of experience performing security services for Fortune 100 companies, and in his spare time contributes to a large number of open source security projects. Kevin founded and leads development of the B.A.S.E. (Basic Analysis and Security Engine) project. The BASE project is the most popular web interface for the Snort intrusion detection system. Kevin is an instructor for SANS, authoring and teaching Security 542, Web Application Pen-Testing In-Depth, and teaching other SANS classes such as the Incident Handling and Hacker Techniques class. He has presented to many organizations, including Infragard, ISACA, ISSA and the University of Florida.

  Justin Searle

Justin Searle is a Senior Security Analyst with Intelguardians. He specializes in network security architecture, penetration testing, and PCI compliance. Prior to Intelguardians, Justin served as the IT Security Architect for JetBlue Airways. Justin helped secure their telecommuters' virtual call center and re-design the airline's infrastructure to help towards PCI compliance. He has also provided top-tier support for some of the largest supercomputers in the world. Justin has taught courses in hacking techniques, intrusion detection, forensics and Cisco networking at both ITT Technical Institute and New Horizons. Justin has presented at a number of security conferences, including ToorCon and the SANS Institute Pentesters Summit. Justin has an MBA in International Technology, as well as both the CISSP and SANS GCIH certifications.