Authors: Dr. Luca Compagna
2023-02-16

tldr - powered by Generative AI

The presentation discusses the challenges of using commercial and open source tools for static analysis of code vulnerabilities and proposes a framework for improving the effectiveness of such tools.
  • Commercial and open source tools for static analysis of code vulnerabilities have limitations in detecting all vulnerabilities
  • The presented framework involves using patterns and discovery rules to improve the effectiveness of static analysis tools
  • Transformation experiments were conducted to improve the testability of patterns
  • The framework can be improved by adding custom rules and integrating other open source tools
  • The community is invited to contribute to the project and help improve the framework
Authors: Javan Rasokat
2022-11-18

This talk deals with race conditions in web applications. From 2021 to 2022 we have seen an increase in race condition reports with huge bug bounty payouts affecting MS, AWS, Instagram and others, for example leading to MFA bypass. According to MITRE it is still a big "research gap", and given how easily race conditions are introduced into code and how difficult they are to detect, there are probably still a lot of vulnerable applications out there. This type of vulnerability allows an attacker to create unforeseen states as a result of overlapping and parallel program code sequences. By cleverly exploiting these conditions, advantages can be gained, such as bypassing anti-brute-force mechanisms, overriding limits, overvoting, and other attack scenarios. As part of this talk, a purpose-built penetration testing tool with a distributed approach and a demo web application that is vulnerable to this type of attack are presented. With the help of the demo application and the race condition testing tool, real-world attack scenarios will be demonstrated. Results from tested SAST/DAST tools will also be given to show how difficult it is to prevent and to test for race condition vulnerabilities.

The learning objectives are:
1. Introduction to race condition and TOCTOU vulnerabilities: how they work, why exploiting them can be attractive to an attacker, how little is known about them, and how they are perhaps too often overlooked in penetration testing.
2. How easily the vulnerability arises in various web programming languages, and in which frameworks the vulnerabilities exist by default (example of a vulnerable PHP code snippet with a race condition: "would you find it in a code review?").
3. Why our existing toolset consisting of DAST/SAST/RASP/WAF etc. has difficulty preventing or detecting these vulnerabilities, and why it is necessary to look for race condition vulnerabilities as part of a penetration test.
4. Actual and impressive attack scenarios from bug bounty reports have been implemented in a vulnerable demo application and will be attacked during a live demo. The audience, with the mindset of a breaker, will learn how to test for race conditions during penetration testing.
Authors: Phu H. Phung
2021-09-24

Abstract: Although technical solutions and legislation exist, online user privacy is still an open issue and an unsolved crisis. Indeed, there is no formal assurance mechanism to guarantee that a web application will not violate the privacy of its users as stated in the user agreement. In this presentation, we introduce a new method to protect web users' privacy by monitoring JavaScript code based on the source of the code, i.e., its code origin. Our code-origin policy enforcement approach advances the conventional same-origin policy standard and allows users to customize their protection. We demonstrate that our privacy policies can be certified at the development phase and verified at runtime to provide formal assurance of the enforcement.
Authors: Florian Stahl
2021-09-24

tldr - powered by Generative AI

The speaker presents the top 10 risks to web application security and privacy, and discusses the challenges faced in creating version 2.0 of the list.
  • The speaker presents the top 10 risks to web application security and privacy, including injection, broken authentication and session management, cross-site scripting, and security misconfiguration.
  • Insufficient data quality is also a privacy concern, as incorrect data can lead to issues such as incorrect credit ratings or package delivery.
  • Missing or insufficient session expiration is a commonly overlooked risk that can allow providers to collect data from devices without user knowledge.
  • Creating version 2.0 of the list was challenging due to finding volunteers, deciding on which risks to include, and determining the appropriate level of abstraction.
  • Translations and countermeasures for version 2.0 are still being worked on, and the speaker encourages spreading awareness and implementing the list in practice.