
2023-02-13 ~ 2023-02-16

Presentations (with video): 44 (33)

Designed for private and public sector infosec professionals, the two-day OWASP conference equips developers, defenders, and advocates to build a more secure web. We are offering educational 2-day training courses on February 13-14 followed by the conference and exhibition days February 15-16.


Authors: Dr. Magda Chelly
2023-02-16

tldr - powered by Generative AI

The presentation discusses the potential risks and benefits of using AI-generated code in software development, with a focus on cybersecurity and DevOps. The speaker emphasizes the importance of balancing speed and efficiency with quality and security, and highlights the need for clear contracts and due diligence when working with third-party AI tools and data sets.
  • AI-generated code can increase productivity and reduce errors, but may also pose significant risks to businesses and users if not properly regulated and tested.
  • Clear contracts and due diligence are necessary when working with third-party AI tools and data sets to ensure quality and security.
  • The use of AI in software development requires a balance between speed and efficiency and quality and security.
  • The speaker suggests that AI-assisted coding may be a more effective approach than relying solely on AI-generated code.
  • The presentation also touches on the broader issues of data privacy and intellectual property rights in the context of AI and big data.
Authors: Dan Murphy, Frank Catucci
2023-02-16

tldr - powered by Generative AI

The presentation discusses a vulnerability in OpenSSL 3.0 that requires a specific set of circumstances to exploit, limiting its impact. The speaker emphasizes the importance of exploring and testing vulnerabilities to determine their actual risk.
  • The vulnerability requires a valid client certificate and occurs during the certificate handshake process
  • The affected code is a narrow window in OpenSSL 3.0, limiting the number of potential targets
  • The exploit requires a specific alignment of memory, making it difficult to execute
  • The speaker encourages a spirit of exploration and experimentation to determine the actual risk of vulnerabilities
Authors: Meghan Jacquot
2023-02-16

tldr - powered by Generative AI

The speaker discusses the problem of wearing too many hats in cybersecurity and offers solutions through finding patterns and categorization.
  • Wearing too many hats is a common problem in cybersecurity
  • Finding patterns and categorization can help consolidate roles and reduce noise
  • The speaker provides examples of the OWASP Top 10 vulnerabilities
  • The speaker is working on a book about cybersecurity and is gathering stories from people in the field
Authors: Gil Cohen, Omri Inbar
2023-02-16

Two websites that were found to be vulnerable to CRLF injection caused Google Chrome to behave differently. This triggered an exciting research journey that ended in finding weaknesses in reverse proxies, Chrome and other browsers, as well as a new hacking technique named Frontend server hijacking, or Frontjacking in short. Frontjacking combines CRLF injection, poorly configured servers and shared hosting, and enables attackers to execute any reflected XSS and phishing related payloads while bypassing any defensive mechanisms, including CSP (Content Security Policy), HttpOnly cookie attributes, WAFs (Web Application Firewalls), CORS (Cross Origin Resource Sharing) and HTTPS certificate validation.
Authors: Syue Siang Su
2023-02-16

tldr - powered by Generative AI

The presentation discusses the importance of smart contract security in blockchain technology and the need for reverse engineering and control flow graph construction to ensure that a contract's execution logic is correct.
  • Blockchain technology allows developers to define rules and create applications with automatic verification through smart contracts.
  • Front-end security issues in web3 can affect back-end security.
  • Reverse engineering and control flow graph construction are necessary for smart contract security.
  • Tools such as the Third Eye, Truffle, and ConsenSys can aid in auditing smart contract code.
  • Constructing a control flow graph helps to understand program flow and verify that the execution logic is correct.
Authors: Tanya Janca
2023-02-16

tldr - powered by Generative AI

The presentation discusses resources and strategies for maintaining secure legacy applications in DevOps.
  • Encourages joining the Open Web Application Security Project and local chapters
  • Provides a PDF summary of the presentation
  • Offers free online community called We Hack Purple with training courses and podcasts
  • Suggests regular communication with software developers and security champions through lunch and learns and presentations
  • Emphasizes the importance of feedback and addressing issues promptly
Authors: Sam Stepanyan
2023-02-16

tldr - powered by Generative AI

Nettacker: An Automated Penetration Testing Framework
  • Nettacker is a free and open-source automated reconnaissance and penetration testing tool
  • It can scan networks for vulnerabilities, discover expired SSL certificates, and find subdomains hosting vulnerable versions of content management systems
  • Nettacker can be used by both attackers and defenders, and has been helpful for bug bounty research
  • The tool uses YAML modules and is written in Python
  • Nettacker can be automated using GitHub actions and Docker containers
  • Automated scans can be scheduled to run regularly and generate reports as artifacts
Authors: Dr. Luca Compagna
2023-02-16

tldr - powered by Generative AI

The presentation discusses the challenges of using commercial and open source tools for static analysis of code vulnerabilities and proposes a framework for improving the effectiveness of such tools.
  • Commercial and open source tools for static analysis of code vulnerabilities have limitations in detecting all vulnerabilities
  • The presented framework involves using patterns and discovery rules to improve the effectiveness of static analysis tools
  • Transformation experiments were conducted to improve the testability of patterns
  • The framework can be improved by adding custom rules and integrating other open source tools
  • The community is invited to contribute to the project and help improve the framework
Authors: Mehmet Önder Key
2023-02-16

In my research, besides the use of a new technique as compressed file (hpi, deb, jar etc.) manipulation in the field of remote code execution, this includes implementing this on popular web apps and publishing this 0day at the time of presentation. In most web applications, uploading harmful files is allowed with the precautions taken in the file upload section. One of these protection methods is file hash, extension, head, type etc. control mechanisms. However, in this presentation, you will see how we can add a file to the system that we can run the code remotely with compressed file manipulation, how we can become an authorized user in the system, and how to increase the privileges of the seized application user on popular applications. You will be able to see both a new method and 0Day in the presentation.
Authors: Marine du Mesnil
2023-02-16

In 2019, users of Ameli, the French welfare website, could read other users' messages and attachments containing confidential information by trivially changing a parameter in the URL. Unfortunately, this flaw is much more common than we think, and access control has been listed as the Top 1 flaw by OWASP. Historically, developers manage permissions directly in code and the product team is not always well aware of the conditions, which leads to flaws in access control. It is also one of the most complex vulnerabilities to manage, and it is easy for a developer to forget a condition in their API and open up access to sensitive data to anyone. On a fund management site using django-admin, we needed very fine-grained management of vertical (permission levels) and horizontal (compartmentalisation between users) permissions, with a need for some administrators to manage their own teams independently. We were able to implement an extremely easy-to-use and manageable system using both Django's internal permissions management and a SaaS: Okta. During this talk, I will cover the following topics:
  • Vertical and Horizontal Permissions using a django-admin example
  • Adding a SaaS for login and permissions
  • The pros and cons of Okta
At the end of this talk, you will know the best practices for implementing and using permissions with a django-admin example. You will also understand the pros and cons of using a SaaS to outsource permissions management and simplify it for your administrators.