Conference:  Defcon 31

Authors: James Kettle Director of Research, PortSwigger

2023-08-01

For too long, web race-condition attacks have focused on a tiny handful of scenarios. Their true potential has been masked thanks to tricky workflows, missing tooling, and simple network jitter hiding all but the most trivial, obvious examples. In this session, I'll introduce multiple new classes of race condition that go far beyond the limit-overrun exploits you're probably already familiar with. Inside every website lurks a state machine: a delicately balanced system of states and transitions that each user, session, and object can flow through. I'll show how to fire salvos of conflicting inputs at high-profile websites to make state machines collapse, enabling you to forge trusted data, misroute tokens, and mask backdoors. To handle this explosion of attack surface, I'll share a polished methodology designed to help you eke out subtle tell-tale clues and scent blood long before sacrificing anything to the RNG gods. I've also taken lore amassed over years of research into HTTP Desync Attacks and developed a strategy that can squeeze 30 requests sent from Melbourne to Dublin into a sub-1ms execution window. Alongside the open source tool, we'll also release free online labs so you can try out your new skillset immediately.

Conference:  OWASP 20th Anniversary Event

Authors: Kim Carter

2021-09-24

The presentation discusses the Purple Team approach to cybersecurity and DevOps, which involves collaboration between red and blue teams to improve security testing and remediation.

• Purple Team approach involves collaboration between red and blue teams
• Uses automated testing tools and continuous integration to improve security testing and remediation
• Involves setting up web applications and deploying them using infrastructure as code
• Provides detailed reports on defects and how to remediate them
• Offers opportunities for contributors with various skill levels to participate in building the Purple Team framework

Conference:  OWASP 20th Anniversary Event

Authors: Jasvir Nagra, Pedro Fortuna

2021-09-24

The presentation discusses the need for a holistic approach to client-side web isolation to improve web application security.

• Current browser-based security features lack full isolation for browser-based apps
• A holistic approach to client-side web isolation is needed to cover all angles of web application security
• Reducing the size of the compartment, making the units stronger, and more developer-friendly is key to achieving this
• Web Page Integrity is a sandboxing solution that can be seamlessly integrated into any web app