Hi dear readers! This year I attended my first OWASP AppSec EU, both as an attendee and as a speaker. I really enjoyed the conference, the community-driven presentations, and the 3 tracks (DevOps, Developer, CISO, Hacker). Because of my interests, I decided to follow the Hacker track.
Man in contacts
The first presentation that I attended at AppSec was Man in contacts by Jeremy Matos and Laureline David. The main idea was to create a malicious app that has access to your contacts (you actually grant the permission), and then all your contacts are drained to the malicious C&C. After that, the attacker knows exactly whom you have saved, and using the malicious app is able to create a duplicate contact with another phone number (the contacts permission allows both reading and writing). Then, the attacker can send you a message via, for instance, Signal (from the number that belongs to the duplicated contact), and you will probably be social engineered ;-). The researchers reported this, and they received the following responses:
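The tell-tale artifact of the attack described above is a second contact entry with a known name but an unfamiliar number. As an added example (not code from the talk or from this post), here is a small Python check that compares a baseline contact export against the current one and flags such collisions; it assumes contacts are available as (name, number) pairs, and the sample entries below are constructed.

```python
import re
from collections import defaultdict


def normalize_number(raw: str) -> str:
    """Strip spaces, dashes and brackets; map a '00' prefix to '+' so
    '0044 ...' and '+44 ...' compare equal."""
    digits = re.sub(r"[^\d+]", "", raw)
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits


def normalize_name(raw: str) -> str:
    """Collapse whitespace and case so 'alice  smith' matches 'Alice Smith'."""
    return " ".join(raw.split()).casefold()


def find_injected_duplicates(baseline, current):
    """Return (name, number) entries present in `current` whose name already
    existed in `baseline` but whose number did not. A brand-new name is not
    reported; only a name collision with a different number is."""
    known = defaultdict(set)
    for name, number in baseline:
        known[normalize_name(name)].add(normalize_number(number))
    findings = []
    for name, number in current:
        key, num = normalize_name(name), normalize_number(number)
        if key in known and num not in known[key]:
            findings.append((name, number))
    return sorted(findings)


# Constructed sample data: a trusted snapshot and a later export.
BASELINE = [
    ("Alice Smith", "+44 20 7946 0000"),
    ("Bob Jones", "0044 161 496 0000"),
]
CURRENT = BASELINE + [
    ("alice smith", "+44 7700 900123"),   # same person, new number: suspicious
    ("Bob Jones", "+44 161 496 0000"),    # same number, different formatting
    ("Carol", "+1 555 0100"),             # genuinely new contact, not a collision
]

if __name__ == "__main__":
    for name, number in find_injected_duplicates(BASELINE, CURRENT):
        print(f"possible injected duplicate: {name!r} -> {number}")
```

Taking the baseline snapshot before installing a contacts-permitted app and diffing afterwards is what makes the check useful; run against a single export it can only tell you that two entries share a name.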
The last XSS talk
The next presentation I attended was The last XSS defense talk by Jim Manico. Like every one of Jim's talks: very dynamic, interesting, and funny. Jim has amazing energy and loves to spread knowledge. For pentesters I think the content was nothing new, but for people who are not aware of how to deal with XSS it is a must see! Jim, as part of the super cool OWASP community, is going to share the slides under a CC license!
Testing iOS apps without Jailbreak in 2018
After Jim, it was time for me to give my talk. I don't want to be a judge in my own case, so here you can download the slides and just see 😉 Credits to Wojciech Dworakowski for the photo 😃
Attacking modern web technologies
After my talk, I went to Attacking modern web technologies by Frans Rosen. A lot of interesting examples that had a real impact on business models (for example, how Dropbox was forced to delete users' personal directories). Over 3.6 slides per minute, a pretty dynamic presentation, haha. 🔥🔥🔥
Winning - the future perspective in the next 20 years!
After the fire, it was time for a keynote, Winning - the future perspective in the next 20 years! by Andrew van der Stock. I enjoyed the historical part of his presentation. Did you know that, let's say, the ancestor of the OWASP Top 10 was created in 1976 and then classified?!
Imperial War Museum - Networking Event
Would it be inappropriate to start this section with the following sentence: Free beer for #speakers? 😉 I like historical places, so the Imperial War Museum was amazing for me. A few photos below: a real Enigma, and '#food'
2nd day
XSS is dead
The second day started with Mario Heiderich's talk about XSS. He touched on an interesting problem: the glorification of vulnerabilities instead of fixes. He also asked who wants XSS to be permanently fixed, the king of every bug bounty program, haha. 😅
Outsmarting smart contracts
Presentation by my colleague Damian Rusinek; yes, SecuRing had 2 talks at AppSec this year. 😉 That was the first time I saw this presentation, and I enjoyed it. It was one big PoC of things that can go wrong in smart contracts. Btw, cool example of using blockchain for eVoting: imagine that every citizen would be able to verify the voting results… Link to the presentation here
Prepare(): Introducing Novel Exploitation Techniques in Wordpress
Talk given by Robin Peraglie. I liked the PoCs; it is always hard to do a live demo. I knew about all the presented techniques, but for those who haven't heard about the double preparing problem in WordPress (and about custom prepared statements…) I can recommend this presentation!
Bye bye AppSec
That was the end of my journey. I hope I will be at the next AppSec too! 👍🏻