Authors: Omar Minawi
2022-11-18

Can’t seem to shake off those XSS bug bounty reports? Interested in exploring a novel XSS attack chain? This session is for you. Tune in to explore a real-life example of a multi-step XSS attack chain that targeted and exploited multiple trust domains. You will get an insight into defense in depth and an exciting walkthrough of exploit research and investigation. Lastly, we will tie it all together by evaluating and diving into multiple web security defense-in-depth tactics that could thwart this novel chained attack.
Authors: David Klein
2022-11-17

Hand sanitizers have been an important tool to prevent the Covid pandemic from spreading even further. However, not everything related to hand sanitization is as positive. Hand-written sanitizing functions, frequently found on the web, are a grave security risk. Input sanitization is the main technique to defend against injection attacks such as Cross-Site Scripting (XSS). With more and more functionality being offered in the form of web applications, the importance of correct sanitizing functions increases. While evidence of broken sanitizers exists, no comprehensive study of real-world JavaScript sanitizing functions existed. To close this gap we leveraged a taint-tracking enabled web browser to detect JavaScript code performing input sanitization. We built an analysis framework to evaluate the collected functions for both generality and security. We found 10% of the analyzed sanitizers to be blatantly insecure, with our framework being able to automatically generate a modified payload that passes through the sanitizer. However, most of the remaining sanitizers were only secure for the exact piece of code surrounding them, running the danger that a simple modification, such as changing from single to double quotes, opens the door to injection vulnerabilities. By attending this session you will learn about the intricacies of input sanitization on the web, how to protect your website and what to avoid when doing so. You will also get a glimpse of upcoming mitigations against Client-Side XSS, which might help to finally rid the web of this vulnerability class.
Authors: Malcolm Heath, Raymond Pompon
2021-09-24

tldr - powered by Generative AI

The presentation discusses the analysis of 8.5 million web honeypot events collected over 52 months to identify specific CVEs being targeted in large global attack campaigns and to understand attacker tactics and trends. The data-driven defense approach is emphasized.
  • Partnership with Deflexio to collect data from web sensors in hundreds of honeypots worldwide
  • 8.5 million events analyzed using Python, Pandas, NumPy, Jupyter Notebooks, and Elasticsearch
  • Identification of specific CVEs targeted in global attack campaigns and understanding of attacker tactics and trends
  • Data-driven defense approach emphasized
Authors: Philippe De Ryck
2021-09-24

tldr - powered by Generative AI

The presentation discusses the challenges of building secure applications and proposes solutions to improve the situation. The speaker uses examples of security issues with JSON Web Tokens and unsafe HTML components to illustrate the problem.
  • Developers want to build secure applications but still fail despite their best efforts
  • JSON Web Tokens have security issues that need to be addressed
  • Unsafe HTML components can lead to security vulnerabilities
  • Encapsulating security behavior in code can make it easier to apply security best practices at scale
  • Usable security for developers is necessary to improve the situation