AppSec Europe 2018 has ended
Hacker track
Thursday, July 5

10:15am BST

Mr Sandman: Time Lock Puzzles for Good and Evil

Delayed execution is a concept of significant interest to attackers, who seek to use it so that their malware is able to bypass the analysis period of sandboxes and antivirus emulators. Historically, techniques used to delay execution have included Windows API calls, and short, simple loops involving assembly, counters, or loading libraries. However, security tools are increasingly able to detect and prevent these techniques, using methods such as accelerating time, returning false tick counts, intercepting API calls, and performing multipath execution. As a result, attackers are constantly striving to find new and creative ways to delay execution. Delayed execution is also of some interest to defenders, who try to implement it, in either manual or automated solutions, in order to frustrate the attack models of bots, botnets, and spammers.

Enter the timelock puzzle - a relatively unknown cryptographic construct whereby a puzzle is presented, the solution to which requires a certain amount of time or computational effort. Historically, timelock puzzles were proposed for benign applications, such as sealed auction bids, escrow, and the timed release of confidential information. However, they provide an interesting method of delayed execution which to date has been underexplored in security research, particularly as an offensive methodology. Specifically, they may present a significant challenge in malware detection and analysis, particularly for automated solutions such as sandboxes.

In this talk, I cover the history of timelock puzzles and their proposed applications for offence and defence, and examine some case studies. I then demonstrate several timelock puzzles which I have developed, including some novel constructions, and show through demonstrations how they can be weaponised - including both process hollowing within executables, and within VBA macros. For each construction, I explore the advantages and disadvantages for both attackers and defenders, and explain how they work, and why. I then turn to prevention and detection, presenting a heuristic model for generic detection of timelock puzzles, and cover the defender's perspective in the form of attacks against timelock puzzles, including parallelisation, predictability, and enhanced computational processing.

I then cover the challenges and feasibility of using timelock puzzles for good, discussing some of the models presented in previous work and a real-world case study where timelock puzzles could have been used to significant effect, break down a proof-of-concept defensive timelock puzzle I created, and discuss some of the issues identified with it from an attacker's perspective.

Finally, I assess the practicality of timelock puzzles for both attack and defence, share some lessons learned from this research, and outline suggestions for future research in this area. 

Matt Wixey

Vulnerability Research, PwC
Matt leads on vulnerability R&D for the PwC Cyber Security practice in the UK, working closely with the Ethical Hacking team, and is a PhD candidate at UCL, in the Department of Security and Crime Science and the Department of Computer Science. Prior to joining PwC, Matt led a technical...

Thursday July 5, 2018 10:15am - 11:00am BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

Passive Fingerprinting of HTTP/2 Clients

HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2 means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in turn, might be used to passively fingerprint web clients.

Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.

In the presentation, I intend to provide the following:

• HTTP/2 Overview
  - Introduction to the basic elements of the protocol
  - A review of the different components chosen for the fingerprint format (alongside a discussion of those left out)
  - Potential use cases of the proposed fingerprint
  - Usage statistics: prevalence of HTTP/2 usage on Akamai’s platform

• Examples of common HTTP/2 implementations and client fingerprints collected during the research

• HTTP/2 support (or the lack of it) among common web security tools (Burp Suite, sqlmap, etc.)

• Review of attacks over HTTP/2 observed on Akamai’s platform

http://akamai.me/2qWIqON - whitepaper published by Akamai’s Threat Research Team.

Elad Shuster

Security Data Analyst, Akamai
Leading a team of security researchers at Akamai's Threat Research group. With over 10 years of data analysis experience across different industries, I am currently exploring new trends in web security and bot detection, while helping maintain the defensive protections of Akamai's...

Thursday July 5, 2018 11:00am - 11:45am BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

Secure Messengers and Man in The Contacts: The Ultimate Spear Phishing Weapon

In 2016, the Man in the Contacts attack (MitC, https://www.securingapps.com/blog/ManInTheContacts_CYBSEC16.pdf) was published, which consists of taking control of a smartphone's contacts with a legitimate application, then altering contact data to either
- impersonate a specific contact
- attempt to intercept communications by relaying messages through an additional device.
Despite sandboxing on most mobile platforms, contacts are shared between all applications and can be modified by any of them with sufficient permissions.

Building up from what was presented, we built and deployed a fully functional implementation.

Packaged within a game published on Google's Play Store without any validation issues, our MitC implementation allows us to fully control the contacts of the users by listening to our Command and Control server.

Since most modern messaging applications implicitly trust contact data, our implementation becomes a very efficient spear phishing weapon: the user receives a message from someone he (thinks he) knows within an end-to-end encrypted (E2E) channel, so he is really confident. E2E also blinds messaging servers, which can no longer do content filtering, making it easy to transfer malicious links.

Presentation Outline:
* Wrap up of Man In The Contacts attack
* Feedback from WhatsApp, Telegram and Signal: won't fix
* Implementing Man In The Contacts in practice
- Android game: social version of Rock, Paper, Scissors
- Command And Control server
- Web interface
* The spear phishing use case
* Live demonstration with volunteers from the audience
* Open sourcing the tool
* Possible mitigations 

Laureline David

Freelance consultant, Self-Employed
Freelance Consultant, HEIG-VD Graduate (Security Engineering)

Jeremy Matos

Software Security Expert, Securing Apps
Jeremy Matos has been working in building secure software for more than 12 years. With an initial academic background as a developer, he designed and helped implement a breakthrough mobile two-factor authentication solution. He led code reviews and security validation activities...

Thursday July 5, 2018 11:45am - 12:30pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

The Last XSS Defense Talk: Why XSS Defense has radically changed in the past 7 years

Why are we still talking about Cross Site Scripting in 2018? Because it's painfully difficult to defend against XSS even to this day. This talk is a fundamental update to the 2011 AppSec USA talk "The Past Present and Future of XSS Defense". We'll address new defensive strategies such as modern JavaScript framework defense in Angular, React and other frameworks. We'll also look at how CSP deployment has changed in the past 7 years illustrating the progressive use of content security which supports CSP v1, v2 and v3 concurrently. We will then look at advances in HTML sanitization on both the client and server and focus on sanitizers and defensive libraries that have stood the test of time in terms of maintenance and security. We'll also look at interesting design topics such as how HTML injection is still critical even in the face of rigorous XSS defense and how HTTPOnly cookies are largely ineffective. This talk should help developers and security professionals alike build a focused and modern strategy to defend against XSS in modern applications.

Jim Manico

Founder, Manicode Security
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for BitDiscovery, Nucleus Security, Secure Circle and Signal Sciences. Jim is a frequent speaker on secure software practices...

Thursday July 5, 2018 1:30pm - 2:15pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

Testing iOS Apps without Jailbreak in 2018

Penetration tests of iOS applications usually require a jailbreak. On the other hand, software developers often require a new version of iOS to run the application. Unfortunately, as history shows, with the release of subsequent versions of the iOS system, pentesters have to wait longer and longer for a stable jailbreak. Finally, when testing iDevices, we become participants in Russian roulette: remain on an out-of-date iOS with the hope that there won’t be an application requiring a newer version, or take the risk of updating and maybe never get the new jailbreak version? During my presentation, I will show you that it is not necessary to put the iRevolver to your head, and I will present techniques for conducting penetration tests without the need for a jailbreak. The presentation will also include a live demo presenting the solution to the problem of access to protected application resources on the latest version of iOS.

Wojciech Reguła

The speaker is IT Senior Security Specialist employed at SecuRing. Professionally responsible for web and mobile security testing with particular emphasis on iOS. He is a creator of secure Ruby code examples for OWASP Security Knowledge Framework and founder of infosec student research...

Thursday July 5, 2018 2:15pm - 3:00pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Attacking Modern Web Technologies

In this talk, top ranked white-hat hacker Frans Rosén will focus on methodologies and results of attacking modern web technologies. He will explain how he accessed private Slack tokens by using postMessage and WebSocket-reconnect, and how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.

Frans Rosen

Security Advisor, Detectify
Dev/Security/Founder at @youngskilled/@detectify/@shipwallet

Thursday July 5, 2018 3:30pm - 4:15pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

Friday, July 6

10:15am BST

Outsmarting Smart Contracts - An Essential Walkthrough of Blockchain Security Minefields

The most common blockchain-based application is Bitcoin, a cryptocurrency worth a couple of thousand dollars per BTC. But Bitcoin is built on Blockchain 1.0. The second generation of blockchain opened a much broader field of application and is described as a mechanism allowing programmable transactions. Smart Contracts, as they are called, are scripts that are executed and stored in the blockchain. Their code, storage and execution calls are all publicly available and verifiable. The execution and verification processes are carried out by miners, which makes the decentralized ecosystem slow, but secure. Smart contracts have many applications, from ICOs, through digital identity management, non-digital asset (diamond, real estate, IoT device, etc.) ownership management and tracing, to almost anything you can think of.
An example of a second-generation blockchain platform that supports smart contracts is Ethereum. The miners, who execute contracts and secure the platform, are paid with Ether, which is the Ethereum cryptocurrency (worth about $1k) and an incentive for hackers. Ethereum’s smart contracts are written in the Solidity language, which is similar to well-known high-level languages, and compiled to Ethereum Virtual Machine bytecode stored in the blockchain. It is complex software implementing a new technology that is often difficult to follow in every detail. Thus it makes an explosive mix with a high potential for developer mistakes. The problem is that even a very small coding mistake can lead to losses of millions of dollars.
The goal of this presentation is to shed light on the security of smart contracts, their potential vulnerabilities, and popular design and implementation security flaws. I will investigate flaws of Ethereum smart contracts, both Ethereum-specific and known from other languages, that led to spectacular thefts. I am sure you have heard of these spectacular hacks, like the $30M (now worth $130M) Parity theft, or another $150M blocked in smart contracts. Thanks to this presentation you will know how millions were stolen and how to avoid such mistakes.
I will also share my personal experience regarding responsible disclosure of such vulnerabilities. It is way harder than submitting a bug in a traditional application, and involves non-obvious complications. First, the transparency principle leads to a real-time race between whitehat and blackhat hackers. Sometimes a whitehat even has to actually steal from potential victims in order to prevent malicious theft. Moreover, in most cases there is no possibility to contact (especially urgently and securely) the smart contract owner and report the problem. In my case, after finding a critical vulnerability that allowed me to empty an exchange's whole Ethereum token wallet, it required a solid investigation to find the right people to talk to, and took an unnecessarily long time. To address this issue I propose a mechanism to notify a contract’s owner. The message is securely kept on the blockchain and only the owner of the contract can read it.
The audience will leave with a fair understanding of a pack of attack vectors and vulnerabilities specific to the concept of decentralized execution of publicly visible smart contracts. What’s more, they will know how to find and avoid these vulnerabilities.

Damian Rusinek

Sr. Security Specialist, SecuRing
Senior IT Security Specialist, since 2016 in SecuRing. Professionally responsible for blockchain, web and mobile application audits and source code analysis. Software developer and analyst with over a decade of experience. Engaged in many projects, such as projects from energy industry...

Friday July 6, 2018 10:15am - 11:00am BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:00am BST

Prepare(): Introducing Novel Exploitation Techniques in WordPress

WordPress is used by 30% of all websites. Due to its wide adoption it is a popular target for attackers. Security vulnerabilities are actively exploited in outdated cores and plugins in order to compromise large numbers of installations. Although the WordPress core is audited and reviewed daily by bug bounty hunters and its great community, security vulnerabilities still pop up due to the intrinsic features of the PHP language. Further, the wide adoption and extension of the WordPress core prevents switching to modern best practices and enforces the maintenance of legacy code.
In this talk we will look at a fundamental design flaw of the WordPress core which led to a series of severe security issues. We will examine how a custom design of prepared statements not only led to SQL injection vulnerabilities but also to a new type of PHP object injection. We will analyze the characteristics of this specific occurrence and how to spot it in other PHP projects. The goal of this talk is to introduce a new and generic exploitation technique as well as guidance for WordPress and other developers on how to prevent the presented issues.

Robin Peraglie

Security Research, RIPS Technologies
Robin is a passionate bug hunter and security researcher at RIPS Technologies. Since he was young he experimented with web security, cryptography and lockpicking. He received a degree in IT Security at the Ruhr-University Bochum and collected industrial experience in penetration tests...

Friday July 6, 2018 11:00am - 11:45am BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

11:45am BST

FIESTA: an HTTPS side-channel party

In the past few years, several attacks exploiting side-channel issues in TLS traffic have been launched with the aim of extracting information protected by HTTPS. CRIME, BREACH, and TIME are all good examples of such attacks. But they are known, and most Internet sites have introduced countermeasures to protect against them. Unfortunately, this is not enough to protect sensitive online information. HTTPS traffic has other side-channels that could be exploited in a similar way, exposing private information. In this paper, we present a new tool, called FIESTA, that will help us test this kind of issue. In addition, we release a new side-channel not used before, affecting the most important technology companies on the Internet.

Jose Selvi

Principal Penetration Tester, Prosegur Cybersecurity
Jose Selvi is a Principal Penetration Tester & Security Researcher at Prosegur Cybersecurity. His 13 years of expertise performing advanced security services and solutions in various industries include mainly penetration tests and information security research in new technologies. He...

Friday July 6, 2018 11:45am - 12:30pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

1:30pm BST

Exploiting Unknown Browsers and Objects

Browsers are embedded everywhere, from popular applications like Steam and Spotify to headless crawlers, IoT devices and games consoles. They execute JavaScript but you don't have a dev console and some don't even allow you to interact with them. Many add custom JavaScript objects and functions but how can you discover all this hidden treasure without any dev tools? My talk introduces a new tool for your arsenal that allows you to inspect and exploit these unknown entities. The Hackability inspector is the missing offensive dev toolkit for security researchers.

Gareth Heyes

Researcher, PortSwigger
Gareth works as a researcher at PortSwigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS, a free JavaScript sandbox that provides a safe DOM environment for sandboxed...

Friday July 6, 2018 1:30pm - 2:15pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

2:15pm BST

WAF Bypass Techniques Using HTTP Standard and Web Servers’ Behavior

Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.

Soroush Dalili

Principal Security Consultant, NCC Group
Soroush is a Web Application Security expert and his field of expertise includes finding vulnerabilities in web applications, security source code review, and penetration testing. He has 10+ years of experience in this area and has submitted many security advisories. Some of his...

Friday July 6, 2018 2:15pm - 3:00pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE

3:30pm BST

Serverless Infections - Malware Just Found a New Home

With Lambda by Amazon, Cloud Functions by Google, and Azure Functions by Microsoft, we are seeing more and more organizations leveraging the advantages introduced by serverless computing. But what does serverless computing entail when it comes to security? With no dedicated server, is the security risk higher or lower? Can malware live inside the code? These are critical questions every organization shifting to a serverless environment should be asking.
We challenged our Checkmarx Research Team to implement the first-ever RCE (Remote Code Execution) attack in a serverless environment that is both stored and viral. Using Amazon’s Lambda as our first test subject, we were able to build a PoC where we showed how information extraction and exfiltration is done. We also demonstrated how the payload persists and can be injected into other non-vulnerable functions. We then went ahead and tested to see if the same would work on Azure and Google Cloud. Curious to know the outcome?
In this talk, we will present our findings along with some best practices and tips for ensuring security prevails in a serverless environment. The presentation will start by explaining serverless computing and its advantages. We will then start digging into the details of serverless computing and how the architecture is built by the different vendors.
Our next step will be to discuss how serverless computing impacts security and how functions can be leveraged to expose the platform to infections and data exfiltration.
The presentation details the research we conducted and shows a step-by-step process of a completely new attack vector allowing attackers to exploit command injection to:
· Gather sensitive information from the ephemeral machine
· Persist a payload in a non-persistent environment (by leveraging S3 write permissions)
· Infect co-located functions to get a viral effect of all-or-nothing in remediation efforts
We will demonstrate the attack steps on one or more platforms using a live web application.
People who join this talk will:
· Understand the architecture and advantages of a serverless computing environment
· Learn the security challenges entailed in working in a serverless environment
· View a live demo on how data is infiltrated, infected, and exfiltrated in a serverless environment
· See how we built self-duplicating attacks that survive persistently within the code
· Watch as the attack is executed on platforms running on serverless environments

Amit Ashbel

Cyber Security Evangelist
Amit has been with the security community for more than a decade where he has taken on multiple tasks and responsibilities, including technical and Senior Product lead positions. Amit adds valuable product knowledge including experience with a wide range of security platforms and...

Shimi Eshkenazi

Research Team, Checkmarx

Friday July 6, 2018 3:30pm - 4:15pm BST
Fleming - 3rd Floor QEII Centre Broad Sanctuary, Westminster, London. SW1P 3EE