Hi dear readers!
This year I attended my first OWASP AppSec EU both as an attendee and speaker.
I really enjoyed the conference, the community-driven presentations and 3 tracks (DevOps, Developer, CISO, Hacker). Because of my interests I decided to follow the Hacker track.
Man in contacts
The first presentation that I attended on AppSec was Man in contacts by Jeremy Matos and Laureline David. The main idea was to create malicious app that has access to your contacts (you actually give the permissions) and then all your contacts are drained to the malicious C&C. After that, the attacker knows exactly who do you have saved and using the malicious app is able to create a duplicate but with other phone number (the permission to contacts allows both to read and write to the contacts). Then, the attacker is able to send you a message via for instance Signal (from number that belongs to the duplicated contact) and you will be probably social engineered ;-). The researchers reported this and they received following responses:
The last XSS talk
Next presentation that I came, was The last defense XSS talk by Jim Manico. Like every Jim's talk - very dynamic, interesting and funny. Jim has amazing energy and loves to spread the knowledge. To pentesters I think the content was nothing new, but for people who are not aware how to deal with XSS' - must to see! Jim, as a part of super cool OWASP community, is going to share the slides on CC license!
Testing iOS apps without Jailbreak in 2018
Attacking modern web technologies
After my talk I went on Attacking modern web technologies by Frans Rosen. A lot of interesting examples that had a real impact on business models (for example how Dropbox was forced to delete users' personal directories). Over 3,6 slides per minute - pretty dynamic presentation, haha. 🔥🔥🔥
Winning - the future perspective in the next 20 years!
After the fire it was time for a Keynote - Winning - the future perspective in the next 20 years! by Andrew van der Stock. I really enjoyed the historical part of his presentation - did you know that, let's say, the ancestor of OWASP top 10 has been created in 1976 and then classified?!
Imperial War Museum - Networking Event
Would it be inappropriate to start this section with the following sentence: Free beer for #speakers? 😉 I like historical places, so the Imperial War Museum was amazing for me. Few photos below:
XSS is dead
The second day has started with Mario Heiderich's talk about XSS. He touched the interesting problem - glorification of vulnerabilities instead of fixes. He also asked a question who really wants the XSS to be permanently fixed - the king of every bug bounty program, haha. 😅
Outsmarting smart contracts
Presentation by my colleague Damian Rusinek - yes, SecuRing had 2 talks on AppSec this year. 😉 That was the first time I saw this presentation and I really enjoyed it. It was one big PoC of things that can go wrong in smart contracts. Btw - really cool example with using blockchain to eVoting - imagine that every citizen will be able to verify voting results... Link to the presentation here
Prepare(): Introducing Novel Exploitation Techniques in Wordpress
Talk gave by Robin Peraglie. I liked PoCes and always hard to do live demo. I knew about all presented techniques but for those who haven't heard about double preparing problem in WordPress (and about custom prepared statements...) I can recommend this presentation!
Bye bye AppSec
That was the end of my journey. I hope I will be on the next AppSec too! 👍🏻