Have you ever thought of hacking web applications for fun and profit? How about playing with authentic, award-winning security bugs identified in some of the greatest companies? If that sounds interesting, join this unique 100% hands-on training!

I will discuss security bugs found in a number of bug bounty programs (including Google, Yahoo, Mozilla, Twitter and others). You will learn how bug hunters think and how to hunt for security bugs effectively.

To be successful in bug hunting, you need to go beyond automated scanners. If you are not afraid of going into detail and diving into full-stack exploitation, then this 100% hands-on training is for you. There is a lab exercise for each attack presented in this training + students can take the complete lab environment home after the training session.

Watch 3 exclusive videos (~1 hour) to feel the taste of this training:
- Exploiting Race Conditions: https://www.youtube.com/watch?v=lLd9Y1r2dhM
- Token Hijacking via PDF File: https://www.youtube.com/watch?v=AWplef1CyQs
- Bypassing Content Security Policy: https://www.youtube.com/watch?v=tTK4SZXB734

Key Learning Objectives

After completing this training, you will have learned about:

• REST API hacking
• AngularJS-based application hacking
• DOM-based exploitation
• bypassing Content Security Policy
• server-side request forgery
• browser-dependent exploitation
• DB truncation attack
• NoSQL injection
• type confusion vulnerability
• exploiting race conditions
• path-relative stylesheet import vulnerability
• reflected file download vulnerability
• hacking with wrappers
• subdomain takeover
• remote cookie tampering
• non-standard XSS attacks
• hijacking tokens via PDF
• XML attacks
• deserialization attacks
• HTTP parameter pollution
• bypassing XSS protection
• hacking with polyglot
• clickjacking attack
• window.opener tabnabbing attack
• RCE attacks
• and more…

What Students Will Receive

Students will be handed in a VMware image with a specially prepared testing environment to play with all bugs presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to Dawid Czagan's newsletter.


Special Bonus

The ticket price includes FREE access to Dawid Czagan's 6 online courses:

• Start Hacking and Making Money Today at HackerOne
• Keep Hacking and Making Money at HackerOne
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• DOUBLE Your Web Hacking Rewards with Fuzzing
• How Web Hackers Make BIG MONEY: Remote Code Execution

What Students Say About This Training

This training has been very well-received by students around the world. References are attached to Dawid Czagan's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions - training participants from companies such as Oracle, Adobe, ESET, ING, …


What Students Should Know

To get the most of this training intermediate knowledge of web application security is needed. Students should be familiar with common web application vulnerabilities and have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.


What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed). Please also make sure that you have Internet Explorer 11 installed on your machine or bring an up-and-running VM with Internet Explorer 11.

Modern IT systems are complex and it’s all about full-stack nowadays. To become a pentesting expert, you need to dive into full-stack exploitation and gain a lot of practical skills. That’s why I created the Full-Stack Pentesting Laboratory.

For each attack, vulnerability and technique presented in this training there is a lab exercise to help you master full-stack pentesting step by step. What’s more, when the training is over, you can take the complete lab environment home to hack again at your own pace.

I found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this training I’ll share my experience with you. The content of this training has been carefully selected to cover the topics most frequently requested by professional penetration testers.


Key Learning Objectives

After completing this training, you will have learned about:

• Hacking cloud applications
• API hacking tips & tricks
• Data exfiltration techniques
• OSINT asset discovery tools
• Tricky user impersonation
• Bypassing protection mechanisms
• CLI hacking scripts
• Interesting XSS attacks
• Server-side template injection
• Hacking with Google & GitHub search engines
• Automated SQL injection detection and exploitation
• File read & file upload attacks
• Password cracking in a smart way
• Hacking Git repos
• XML attacks
• NoSQL injection
• HTTP parameter pollution
• Web cache deception attack
• Hacking with wrappers
• Finding metadata with sensitive information
• Hijacking NTLM hashes
• Automated detection of JavaScript libraries with known vulnerabilities
• Extracting passwords
• Hacking Electron applications
• Establishing reverse shell connections
• RCE attacks
• XSS polyglot
• and more …

What Students Will Receive

Students will be handed a VMware image with a specially prepared lab environment to play with all attacks, vulnerabilities and techniques presented in this training (*). When the training is over, students can take the complete lab environment home to hack again at their own pace.

(*) The download link will be sent after signing a non-disclosure agreement and subscribing to my newsletter.


Special Bonus

The ticket price includes FREE access to my 6 online courses:

• Fuzzing with Burp Suite Intruder
• Exploiting Race Conditions with OWASP ZAP
• Case Studies of Award-Winning XSS Attacks: Part 1
• Case Studies of Award-Winning XSS Attacks: Part 2
• How Hackers Find SQL Injections in Minutes with Sqlmap
• Web Application Security Testing with Google Hacking

What Students Say About My Trainings

References are attached to my LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions – training participants from companies such as Oracle, Adobe, ESET, ING, …


What Students Should Know

To get the most of this training intermediate knowledge of pentesting and web application security is needed. Students should have experience in using a proxy, such as Burp Suite Proxy, or similar, to analyze or modify the traffic.


What Students Should Bring

Students will need a laptop with 64-bit operating system, at least 8 GB RAM, 35 GB free hard drive space, administrative access, ability to turn off AV/firewall and VMware Player/Fusion installed (64-bit version). Prior to the training, make sure there are no problems with running 64-bit VMs (BIOS settings changes may be needed).

The training will be offered as a hybrid event - you can join us on site or watch the stream online.

This course teaches you how to analyse Android and iOS apps for security vulnerabilities, by going through the different phases of testing, including dynamic testing, static analysis and reverse engineering. Sven will share his experience and many small tips and tricks to attack mobile apps that he collected throughout his career and bug hunting adventures.

At the beginning of the first day we start by giving an overview of the Android Platform and its Security Architecture. It is no longer mandatory for students to bring their own Android device, instead a cloud-based virtualized Android device will be provided for each student, by using Corellium.

These are some of the topics that will be covered during the course:

● Frida crash course to kick-start with dynamic instrumentation on Android apps
● Intercepting network traffic of apps written in mobile app frameworks such as Google Flutter
● Identifying and exploiting a real word Deep-link vulnerability
● Explore the differences and effectiveness of Reverse Engineering Android Apps through patching Smali, Xposed and Dynamic Instrumentation with Frida
● Analyze Local Storage of an Android App
● Using Brida to bypass End2End Encryption in an Android app
● Usage of dynamic Instrumentation with Frida to:
○ bypass Frida detection mechanisms
○ bypass multiple root detection mechanisms

On day 2 we are focusing on iOS and will begin with an overview of the iOS Platform and Security Architecture (Hardware Security, Code Signing, Sandbox, Secure Boot, Security Enclave etc.). After explaining what an IPA container is and the iOS file system structure, we start creating an iOS testing environment with Corellium and deep dive into various topics and techniques, including:
● Analyzing iOS applications that use non-HTTP traffic including ways of intercepting the traffic
● Frida crash course to kick-start with dynamic instrumentation for iOS apps
● Bypassing SSL Pinning with SSL Kill Switch and Objection
● Evaluate different implementations of Touch ID / Face ID and ways to bypass them
● Testing methodology with a non-jailbroken device by repackaging an IPA with the Frida Gadget
● Testing stateless authentication mechanisms such as JWT in an iOS Application
● Using Frida for Runtime Instrumentation of iOS Apps to bypass:
○ Anti-Jailbreaking mechanisms
○ Frida detection mechanism
○ and other client-side security controls

The course consists of many different labs developed by us and the course is roughly 50% hands-on and 50% lecture.

At the end of each day a small CTF will be played to investigate an app with the newly learned skills and there will be prizes :-)

After successful completion of this course, students will have a better understanding of how to test for vulnerabilities in mobile apps, how to mitigate them and how to execute tests consistently. The course is based on the OWASP Mobile Security Testing Guide (MSTG) and is conducted by one of the authors himself. The OWASP MSTG is a comprehensive and open source guide about mobile security testing for both iOS and Android.

.WHAT DOES "THREAT HUNTING" MEAN?
- Threat Hunting technics on network level
- Threat Hunting on Microsoft Windows Active Directory
- Threat Hunting on Linux Systems / Memory Forensics
- Incident Response process


WHO SHOULD TAKE THIS TRAINING?
- IT-Security Administrators
- IT-Administrators with knowledge of protocols and basic LINUX skills
- Security analysts looking to hone their threat hunting skills
- Junior analysts looking to forward their security career
- Environments needing to quickly identify compromised systems
- IT Security Management and Leadership
- Active Directory / Windows Engineers


AUDIENCE SKILL LEVEL
Students should have a working understanding of IP communications. They should also have a basic understanding of network threat hunting.


STUDENT REQUIREMENTS
- Bring your own Notebook with local admin rights
- Min. 8 GB RAM and 100GB free disk space
- VMWare Player installed
- The ability to connect to the Ubuntu system via SSH


KEY TAKEAWAYS
- Acquiring and analyzing Linux memory
- Understand security risks and defensive mitigations
- Hardening Active Directory
- Identify tools and processes for network threat hunting
- How to set up a threat hunting environment
- Threat score system to prioritize artifacts
- Leveraging network findings to pivot into a forensic analysis

Social engineering attacks remain at the top of the threat landscape and data breach reports. But although those reports tend to simplify many breaches as the result of a successful phishing attack, the reality we get from current threat research is evidently more complex. Social engineering attacks have been evolving. Today, the pathway that leads to that successful phishing email is often the result of a larger attack kill chain based on research and good open-source intelligence that helps attackers identify organizational vulnerabilities. But it doesn't stop there. Weaponized psychology is still a strong component of social engineering attacks.

In this threat landscape, it is paramount for security professionals and penetration testers/red teamers to better understand how social engineering works, and how to proactively identify and disrupt attack verticals.

This class aims to provide participants with the necessary knowledge on open-source intelligence and social engineering, to help security teams build better protective measures (proactive & reactive) and to inform their security strategy. It also aims to help penetration testers improve their recommendations and provide better and more realistic insights to their clients.

Attendees will leave this class having acquired the psychological knowledge along with the technical capability to tackle this challenge, whether they want to simulate social engineering attacks or prevent them.

Course overview:

Each module is designed to support the next one. We start by learning what social engineering is, and the types of successful attacks that we have been observing. Real-life case studies are presented and analyzed. We move on to more practical parts: How did these attacks come to life? What was the background information that they were built upon, and what elements made them successful? Most often, good social engineering is based on excellent intelligence, most of which is collected from open sources. During the open-source intelligence (OSINT) modules, participants get to see where and how attackers collect business information, what tools they use, and how to combine and analyze those information into intelligence that produces useful insights. We focus on two main areas: OSINT for businesses and for persons. During the last parts of the class, we will explore and analyze what security professionals can do to improve their security posture against social engineering attacks on a strategic and tactical level. We will discuss reducing risk, becoming a less attractive target, informing the security strategy, and responding to social engineering attacks. Practical exercises are included throughout the class.



Course Outline


Introduction

- Attacking the human – good social skills and the right technology

- The psychology of social engineering attacks

- Case study

-  Open-source intelligence (OSINT) –vulnerabilities hidden in plain sight

-  Ethics

 

Social Engineering Kill-Chain

-  Case study

-  Target reconnaissance & OSINT

-  Pretexting -crafting the cover story

-  Approaching a target

-  Exploitation

- Tailored, sophisticated social engineering attacks

-  Exercise based on case study

 

Social Engineering Attacks

-  Frequent (& successful) social engineering pretexts / cases from real life attacks

-  Phishing, vishing, and impersonations (very briefly – most people know them)

-  Hybrid social engineering attacks – blending methodologies

-  Elaborate, targeted attacks

-  Weaponizing psychology

-  Influence & manipulation techniques



Open-source Intelligence

-  OSINT as a risk identification & mitigation tool

-  Creating social engineering attacks based on good OSINT

-  Setting up your workspace & tools

-  Operational security (OPSEC)

-  Methodologies for Intelligence collection

-  Tools

- Using tools wisely



Business OSINT

-  Finding physical security vulnerabilities

-  Collecting business information

-  Creating an organizational chart

-   Identifying the internal hierarchical dynamics

-   Internal culture & relationships

-   Incorporating the intelligence collected within a social engineering kill chain

-   Exercise

 

People OSINT

-  Finding contact details (email addresses & phone numbers)

-  Identifying key people

-  Social media intelligence (SOCMINT)

-  Who makes a good target?

- How to identify overwhelmed employees/departments

- Tailored attacks: Profiling people

-  Case study

-  Exercise

 

Psychological Exploits of Social Engineering Attacks

-  Engineering trust

-  Rapport building

-  Elicitation techniques

-  Interactive case study – which social engineering techniques do you observe?



Disrupting Social Engineering Attacks & Creating a Defense Strategy

-  Thinking & acting strategically

-  OSINT: identifying, managing, and eliminating risks

-  Minimizing or disrupting social engineering attack verticals

-  Counterintelligence techniques

-  Organizational best practices

-  Employee awareness; benefits & limitations



Closing Remarks

 


This workshop will focus on ways to abuse the use of Terraform to elevate privileges, expose data, and gain further footholds in environments from a developer’s perspective. We’ll cover the common uses of Terraform and how a malicious actor could abuse Terraform. This talk will include multiple demos.

Trailer: https://drive.google.com/file/d/1K7nLy6a9n9DP_-Fj6iSdpP5Yib7C8-nV/view

Modern web applications are complex and it’s all about full-stack nowadays. That’s why you need to dive into full-stack exploitation if you want to master web attacks. Say ‘No’ to classical web application hacking, join this unique video training, and take your professional pentesting career to the next level.

Dawid Czagan has found security bugs in many companies including Google, Yahoo, Mozilla, Twitter and in this video training he will share his experience with you. You will dive deep into full-stack exploitation of modern web applications and you will learn how to hunt for security bugs effectively.


Almost 5 hours of high-quality video courses with lots of recorded demos

You will get lifetime access to these 5 video courses:


1. Bypassing Content Security Policy in Modern Web Applications
- Introduction
- Bypassing CSP via ajax.googleapis.com (FREE VIDEO)
- Bypassing CSP via Flash File
- Bypassing CSP via Polyglot File
- Bypassing CSP via AngularJS

2. Hacking Web Applications via PDFs, Images, and Links
- Introduction
- Token Hijacking via PDF (FREE VIDEO)
- XSS via Image
- User Redirection via window.opener Tabnabbing

3. Hacking AngularJS Applications
- Introduction
- AngularJS: Template Injection and $scope Hacking (FREE VIDEO)
- AngularJS: Going Beyond the $scope
- AngularJS: Hacking a Static Template
- Summary

4. Exploiting Race Conditions in Web Applications
- Introduction
- Exploiting Race Conditions – Case 1 (FREE VIDEO)
- Exploiting Race Conditions – Case 2
- Case Studies of Award-Winning Race Condition Attacks

5. Full-Stack Attacks on Modern Web Applications
- Introduction
- HTTP Parameter Pollution (FREE VIDEO)
- Subdomain Takeover
- Account Takeover via Clickjacking


What students should know

• Common web application vulnerabilities

What students will learn

• Become a web hacking expert
• Dive into full-stack exploitation of modern web applications
• Learn how hackers can bypass Content Security Policy (CSP)
• Discover how web applications can be hacked via PDFs, images, and links
• Explore how hackers can steal secrets from AngularJS applications
• Check if your web applications are vulnerable to race condition attacks
• Learn about HTTP parameter pollution, subdomain takeover, and clickjacking
• Discover step by step how all these attacks work in practice (DEMOS)
• Take your professional pentesting career to the next level
• Learn from one of the top hackers at HackerOne

What students will receive
Students will receive lifetime access to almost 5 hours of high-quality video courses with lots of recorded demos (hosted on the 3rd party platform Grinfer; subject to terms of use and privacy policy). The access link will be sent after subscribing to Dawid's newsletter.


What students say about Dawid's trainings

References are attached to Dawid's LinkedIn profile (https://www.linkedin.com/in/dawid-czagan-85ba3666/). They can also be found here: https://silesiasecuritylab.com/services/training/#opinions - training participants from companies such as Oracle, Adobe, ESET, ING, …

Since Russia’s invasion of Ukraine, the European Union has rightfully sought to reduce its dependence on Russian oil with the ultimate aim of completely eliminating it. In this quest for trustworthy oil suppliers, Brussels has turned to countries such as Azerbaijan who, although wealthy in oil, have dubious human rights records and who, in many ways, are at the forefront of cyber surveillance and cyberwarfare. This quest has come at a cost, with the EU keeping mum on Azerbaijan’s armed invasion of the Nagorno-Karabakh territories southwards of Armenia - a scenario otherwise eerily similar to Russia’s armed invasion. As it cracks down on spyware within the EU, the European Commission buys Azeri President Aliyev’s oil, apparently unaware of hackers from Baku rolling out spyware and remote access trojans. Not only do Armenian officials find themselves victims of this campaign, but also EU and UN observers in the Nagorno Karabakh region.
Doing so, the European Union may get its oil; whether it will successfully curb cyberwarfare by tacitly approving it is unlikely.

Staying under the radar and remaining undetected is one of our priorities during Red Teaming assessments. After all, we’re simulating real threat actors and want to reach our objectives without raising any suspicion. This becomes a more and more challenging task as new defences are implemented, requiring us to add new tools and techniques to our tool belt. Occasionally, though, there is a new technique that brings a broad set of features and doesn’t leave countless traces. This talk is about one such technique: beacon object files (BOFs)!

BOFs aren’t exactly the new hot stuff, as a matter of fact, they’ve been around for more than two years now. In those two years, a de-facto BOF standard has been adapted by many C2 frameworks out there. But what happens when your C2 doesn’t support it? Will you need to fall back to other, potentially less safe, alternative techniques?

That’s a problem we faced and decided to solve when we worked with Brute Ratel C4, which doesn’t support Cobalt Strike’s de-facto BOF standard API. In this talk, we’ll dig deep into the COFF format, show how the Cobalt-Strike de-facto standard is incompatible with Brute Ratel’s and how we established full compatibility between the two. A tool that automates this task and a blog post series about it will be released, accompanying the talk.

“The security of our system is critical to our operation and to the confidence of the campaigns and state parties we work with,” said Rep. Debbie Wasserman Schultz, Florida congresswoman and Democratic National Committee chairwoman, on June 12, 2016. “When we discovered the intrusion, we treated this like the serious incident it is and reached out to CrowdStrike immediately. Our team moved as quickly as possible to kick out the intruders and secure our network.”

Well, not really. The FBI first contacted the DNC about Russian network intrusions in September 2015 and were expelled ten months later—hardly “as quick as possible.” Even when CrowdStrike had confirmed on May 8, that not just one, but two Russian intelligence groups were into their networks, the DNC only directed CrowdStrike to expel them on the weekend of June 10. For another month, Russian hackers were eavesdropping on the secret communications of the Democratic Party.

Why did it take so long for the FBI, and then DNC, to respond to such an urgent matter? The simple answer—incompetence—is tempting. It is also wrong. As I will describe in this talk, each actor in this story acted more or less rationally, following the rules that applied to them.

Recent advancements in quantum computing research have made significant progress. If we achieve a functional quantum computer, it has the potential to undermine the security of current public key cryptosystems, which are widely integrated into commercial products. Although there have been proposed solutions to counter quantum attacks, these solutions currently grapple with security and efficiency concerns in everyday use.

This talk focuses on exploring hash-based digital signature techniques, particularly those rooted in Merkle tree structures. The research deeply investigates the viability of Verkle trees and vector commitments, introducing pioneering concepts within this field.

At DeepSec I will present a novel post-quantum digital signature, using modern technologies, such as Verkle tree. I will talk about the working methology of making the signature post-quantum secure. I will describe the attack on post-quantum digital signatures using machine learning. I will also talk about the opportunities to use machine learning to make post-quantum cryptography more efficient.

Lectures on SAP security have a lot in common with gin: They are quite dry and you quickly get dizzy from them. And afterwards, you have trouble remembering the last hour (or was it longer?). That's because SAP security is seen as pretty meaningless by 99 percent of the information security community. What those 99 percent don't know, however: If I break into their SAP system, I'm potentially not after their SAP data, but after the rest of their network.

This presentation will highlight the potential for a hacked SAP installation to attack your corporate network, based on the experiences with the DY-MON malware. Learn how common defenses are bypassed and fail. And maybe have a gin afterwards.

BPF allows us to do great things – from hooking practically any kernel function, to blocking actions and killing processes – but it can be quite difficult to use! Wouldn't it be amazing if you could just write some YAML and a pre-existing, mature, open source, BPF engine did all the hard work? And sent events to your logs? And your email? And maybe even to your phone as a SMS text message, and to your Slack channel? With OSS Tetragon you can! In this talk I will show you how to monitor and block actions with BPF, without actually writing any BPF.

Tetragon is an open source BPF tool that can be configured with YAML to hook almost any kernel function, and any syscall and any tracepoint; interpret the input arguments, make pre-defined decisions based on them, as well as the process instigating them; and then log, trigger or block as a result.

BPF is a revolutionary technology that can be used to run portable code in the kernel, safely, and with great reach. BPF programs can communicate with each other, and with user space, via maps – arrays, hashes, ring buffers, and various other data structures that can be used to store, check and pass data around. As a technology, it has existed for a number of years, and still underpins libpcap today, but it can be quite tricky to use. BPF implements its own virtual architecture, that is portable between different versions of kernel, and even different underlying processors.

The difficulties of programming BPF come partly from the language, but mostly from the verifier. BPF itself is an assembly language with a minimal library of helper functions – you can't just call any kernel function! It can be compiled from C and rust, and probably other mid-to-low-level languages, and this can be a barrier to those who prefer the higher-level python and .Net. That said, BPF programs tend to be simple, and it is possible to learn enough C (and the special LLVM/Clang incantations) to get a BPF program compiled.

But then in steps the verifier – the gatekeeper that many novice (and even experienced) BPF programmers dread. In order to ensure safety, the verifier checks every BPF program as it is loaded into the kernel, and rejects those that it can't vouch for. It checks for length and complexity, to ensure programs will always exit; it checks that memory access is bounded and restricted to that allowed; and it checks that only permitted helpers are used, which vary from program type to program type, and attachment point to attachment point.

Satisfying the verifier is the problem that many find the most troubling. To overcome this, the open source Tetragon can be used to abstract all the BPF into YAML, making it much easier to use. All the programming and verifier issues are hidden, and the user just has to specify where they want to hook, what they want to inspect at that point, and what action they want to take if their criteria is met. By default Tetragon can log events to user space, but it can also track file descriptors between programs, it can kill processes directly from the kernel, and it can also trigger web hooks, such as those provided by canary tokens and Thinkst Canaries.

If you want to detect and block on Linux, then you really need to do this from inside the kernel. BPF, and Tetragon, provide the tools to do just that. I will demonstrate typical use cases with simple YAML files that audience members can take away and try for themselves.

You work hard to defend against internet-based threats but how prepared are you when the attacker is on your literal doorstep? This session will provide a better understanding of the onsite attack surface and some of the more common, practical attack techniques that can result in a difficult to detect network compromise. Attendees will gain a stronger understanding of the role of Information Security as it pertains to Physical Security and be better equipped to identify gaps in their defenses before they are exploited.

What happens when a large group of more or less connected individuals need to deal with a cyber incident, together? In this interactive hands-on session, we will try to experience - first-hand - just how challenging it can be to keep information flowing, make the right decisions and protect our assets while dealing with a simulated crisis.

One of the main premises of any IT installation, is to protect the entire infrastructure against possible failures. In addition to firewalls and other network elements, one of the vital points is the electrical system.

Thanks to uninterruptible power supplies (UPS), it is possible to cover and manage these issues economically. The main problem is that many of these systems inherit the same bugs as other IoT devices, which makes them vulnerable to all kinds of attacks.

In this presentation, we will explain how it has been possible to develop different zero-day vulnerabilities thanks to social engineering, some investment and a bit of common sense. Among other things, these flaws would make it possible to compromise the electrical system of an office or even that of a Data Center.

Since these devices share common components, it would be possible to obtain remote code execution (with the highest possible privileges) and/or denial of service on more than 100 different manufacturers. Moreover, all of this has been automated in a single framework, making it possible to detect and exploit these vulnerabilities easily, simply and fully automatically.

The Dutch police has been trying to collaborate with ‘private partners’, including the Dutch hacker community in the Netherlands, for years now (the great Public Private Partnership or PPP), with mild succes. So when they asked what they could organise to get to know us, we replied with “invite us to hack police stuff and eat pizza”. We thought we would never hear of them again. Surprise surprise, they eventually invited us in. So we created a team consisting of brilliant hard- and software hackers from the Dutch hacking community and went to the Amsterdam police station to try and hack some of their bodycams. Did we succeed? Come and find out and prepare to laugh until you cry!

Cloud communication platforms like Zoom have become a fundamental aspect of modern communication and are widely used in daily work. However, in certain scenarios, traditional endpoints such as desk phones or analog gateways are still required. Today, these devices can be integrated with most major cloud communication providers through the use of their provisioning services, which centralize configurations and firmware.

This session is about a security analysis of the Zoom "Zero Touch Provisioning" method in conjunction with certified hardware. It will reveal several vulnerabilities that, when combined, allow an attacker to remotely compromise arbitrary devices, enable massive eavesdropping on conversations or rooms, remote control of devices, or using them as a pivot point to attack the adjacent corporate network.

Be curious about the details of hard-coded cryptographic material, improper authentication, lack of immutable root of trust, exposure of sensitive information and unverified ownership.

This is a break-out session and a follow-up to the presentation. You can take part and simulate your way through unexpected situations. This is an interactive session.

With the globalization and the complexification of threats, cooperation and collaboration between cybersecurity experts worldwide is crucial nowadays. Therefore, there is a need to share a common basis, languages, and protocols. This requires sharing elements of training, notably within the programs of higher education institutions. However, training national workforces in cybersecurity is a challenging task, as it requires balancing the need for openness – so that useful knowledge and practice can be shared – and the need for secrecy – so that defense strategies remain efficient. This presentation will explore some elements to nurture the debates on this question, by introducing and discussing several challenges that education in cybersecurity is facing, including the relations between the academia and the (cyber)security world and the questions of transparency and trust, the challenges related to international students and online courses, as well as the challenges of training the general population in order to raise cybersecurity awareness. Finally, we will discuss how AI complexifies the situation further, and whether it might or not become a game changer.

References in public available literature pertaining to a completely serverless connection method between two peers behind routers implementing NAT are scarce. In this talk we are describing a more generic method for NAT traversal that requires no intermediate server and relies on a multiple port testing method which resembles a brute force attack. A proof of concept has been created for verifying and demonstrating our results.

This talk relates to p2p communication without the need of a third party (intermediate server or other) for initiating the communication.

This is a break-out session and a follow-up to the presentation. You can take part and simulate your way through unexpected situations. This is an interactive session.

Ransomware's explosion has been sustained for years. As tech changes, so too do the actor TTPs. It's imperative to explore the 2023 mindset of ransomware actors: they are going after "target rich, cyber poor" industries that will make them money by selling data, exploiting the victims they hit as well as the partners and third party services linked to the victims. While double-, triple-, and quadruple- extortion practices are still around, actors are also adapting/changing their encryption processes to better emulate protective services such as anti-virus and file scanning software to blend in and provide no red flags to technical and cyber practitioners. This allows for a long-term, stealth presence in networks which facilitates lateral movement to collect as much information as possible.

Exposed secrets like API keys and other credentials are the crown jewels of organizations but continue to be a persistent vulnerability within security. The majority of security breaches leverage secrets at some point during the attack path. This presentation sheds light on the various methods used by attackers to discover and exploit these secrets in different technologies. This guide will include how to:
- Abuse public and private code repositories
- Decompile containers
- Decompile mobile applications from the App and Play Stores
We combine novel research, real-life attack paths, and live demos to prove exactly the steps attackers take, revealing their playbook.

Presentation Details
Recent research has shown that git repositories are treasure troves full of secrets. A year-long study showed that 10 million secrets were pushed into public repositories in 2022 alone. We will show exactly how adversaries abuse the public GitHub API to exploit secrets. First by leaking secrets in code publicly and watching malicious actors abuse them and second by walking through breaches like T-Connect where public secrets were discovered. Public source code, however, is only the tip of the iceberg as private code repositories have proven to be much more valuable targets. We will show how to gain unauthorized access to private git repositories and discover secrets deep in their history. This will include supply chain poisoning, developer phishing, and configuration exploitation among other techniques, and explore breaches like Uber to show the steps attackers took. Finally, this talk will dive into decompiling containers, packages, and mobile applications to be able to uncover the huge amount of secrets buried within. Not only will we review famous examples like the Codecov breach, but we will use research and live demos to show how shockingly simple it is to find secrets in these applications.

Knowing how attackers operate is essential in building effective defenses, understanding the attacker's playbook allows you to understand their next moves. This presentation is perfect for anyone wanting to know how to prevent attackers from getting hold of your crown jewels.

This talk will explore methods to detect malicious URLs at scale with various techniques I've used throughout many years as a researcher, as well as some new ideas. We'll talk about using URL reputation services, text analysis to find typos and patterns, domain and hosting infrastructure investigation, and the application of machine learning techniques to quickly make an educated decision at scale. All processes will use openly available tools and methods that will be made available at the time of the presentation.

In the ever-evolving cybersecurity landscape, the identification and acknowledgment of vulnerabilities through the Common Vulnerabilities and Exposures (CVE) system play a crucial role. However, vendor discretion in determining whether a security issue warrants a CVE assignment often results in overlooked vulnerabilities that pose significant risks. This presentation introduces the !CVE initiative, a groundbreaking platform that addresses this critical gap by identifying, tracking, and sharing unacknowledged cybersecurity vulnerabilities.

Our presentation begins with an overview of the CVE system and the challenges security researchers face in dealing with unacknowledged vulnerabilities. We discuss real-world examples of security issues ignored by vendors and explore the potential consequences of these hidden threats. We then delve into the !CVE platform, detailing its mission, features, and collaborative approach to empower the security community.

Through case studies, we demonstrate the value of the !CVE initiative in strengthening the cybersecurity ecosystem, highlighting the significance of addressing vulnerabilities not recognized by vendors. We also showcase the reporting process, expert panel, and public availability of !CVE reports, fostering a transparent and inclusive environment for vulnerability tracking and sharing.

Join us in exploring the world of unacknowledged cybersecurity vulnerabilities and learn how the !CVE initiative is bridging the gap between vendor discretion and community-driven security efforts. By raising awareness and fostering collaboration, we can create a more secure and resilient digital landscape for all.

We techies love solving problems with cool technology, to the point where we attempt to implement the economy in code. Although important in general, we know, that for example blockchain, cryptography and SSDLC are irrelevant when the user enters their credentials on a phishing site. From an attacker's point of view, though, we see that modern technologies such as artificial intelligence are immensely beneficial to attack one of the weakest links in security - humans. We will explore how modern technologies, for instance DeepFakes, DNNs and Transformers, can be misused by bad actors. We will explore some interesting ideas for attacks, discuss their practical feasibility and demonstrate implementations of some of these attacks. We will also look at approaches to detect and defend against AI-powered attacks.

The vast majority of organizations on our planet are SMEs who do not have the capability to leverage professional Threat Intelligence Tools or even have Threat Intelligence Teams. They continuously struggle to prioritize their efforts fixing security problems but are typically not focusing on the right stuff. Not all threat actors are equally likely to penetrate your organization. Therefore, not all TTPs are equally likely to be leveraged against you. MITRE ATT&CK is the de-facto standard in researching current TTPs and figuring out how to detect and prevent them from happening.

We created a small but powerful tool based on MITRE ATT&CK to easily figuring out connections between Threat Actors, malware, TTPs and their relevance to your industry to help you figure out what to focus on. The tool is specifically built for organizations without the capabilities to use a professional Threat Intelligence platform or TI team in general but still want to have some insights into their most relevant threats.

In this talk, we want to shift the focus from our large global enterprise customers towards the 90% of SMEs and their issues in defending against professional threats. We will demonstrate our tool, talk about presenting the added value to management as well as some interesting findings and connections we identified using it.

Artificial intelligence is developing at a breathtaking pace, already surpassing humans in some areas. But with opportunity comes potential for abuse: generative models are getting better at creating deceptively real deepfakes - audio or video recordings of people that are not real, but entirely digitally created. While the technology can be used legitimately for film and television, it has great potential for abuse. This lecture illustrates this problem using audio deepfakes, i.e. fake voice recordings. The technical background of synthesis will be highlighted, and current research on countermeasures will be presented: Can we use AI to expose deepfakes? Can we learn to recognise deepfakes, and if so, how?

In this talk, we will revisit some of the scariest stories we faced during more than 50 penetration testing and security research projects, with a twist. In the ever-emerging industry of automotive, with old and new OEMs trying to get a share of the pie, many things are at stake, with many things getting overlooked, forgotten, or even deliberately covered. We will go through a journey of critical findings in different targets and the constant battle between penetration testers, developers, and mid to upper management. This will help the audience get an understanding of how the industry behaves right now, what they (and what we) are doing wrong, and how the future of automotive security should be shaped, not only for the sake of security, but also for the sake of safety and reliability.

This talk will try to raise awareness on the current state of automotive security, how does the industry behave in the whole spectrum of it (100-year-old OEMs to 2-year-old OEMs and Tier 1 suppliers) and ultimately try to propose a way forward for both the automotive and security industries, with the goal being a safer and more reliable future for everyone, in and out of the streets.

The Adversaries leverage the attack surface complexity to their advantage. They look for the shortest and easiest attack path to access high value targets quickly, before they are detected. It is a race of time between the attacker and the defender, during this talk, we gonna explain how the permission default used in many integrations can give advantages to the attackers mainly in Cloud, and how the attacker can use true permission, to escalate privilege in the cloud, explaining differences between Attack Vector vs Attack Path and what would be the shortest path used by the attacker that probably focuses to have the success!.

Technologies such as the Internet Low Bitrate Codec (iLBC) and the Opus Codec led to WebRTC, which in turn enabled the rise of global Voice-Over-IP Applications such as Skype.

More than 10 years later, the IETF published another novel standard, Messaging Layer Security. RfC 9420 has officially been presented this summer, and is the first global open standard for end-to-end encrypted real-time communication.

Messaging Layer Security will likely have a similar impact as the aforementioned technologies because it solves multiple problems of today's telecommunications environment:

- Isolated Messaging environments without any interoperability

- Lack of cryptographic accountability in large group settings

- Poor performance in large groups

- Future-proofing against quantum-based attacks

This talk will examine the process and architecture behind Messaging Layer Security and will provide a deeper understanding of the principles behind it, with a focus on cryptography enabling communication in large groups with thousands of people.

It will also provide an overview of the current adoption of MLS and potential developments for the future, such as end-to-end identity and post-quantum resistance.

Furthermore, we will shed light on the regulatory context of the European Union’s drive for more interoperability with the Digital Markets Act (DMA), particularly Article 7. MLS will be a major piece of this interoperability puzzle – together with the work currently being done in the MIMI working group in the IETF.

Memory corruption, a vulnerability that emerged in the 1980s and gained prominence with the discovery of the first buffer overflow in the fingerd Unix application exploited by the Morris worm in 1988, has since become a significant concern in the field of security. Its prevalence was further underscored by the influential Phrack edition 49 titled "Smashing the Stack for Fun and Profit" in 1996.
Today, memory corruption remains one of the most pressing security challenges, compelling the entire defensive security industry to develop robust countermeasures. This session aims to delve into the progress made by the security industry in mitigating and protecting against different types of memory corruption, as well as the current state of these efforts.

During the talk, I will explore various techniques that have been introduced worldwide to safeguard against and mitigate memory corruptions and their bypasses found over years. Moreover, I will present insightful metrics to gauge the effectiveness of these techniques.

This discussion will be valuable for security researchers and exploit developers seeking to familiarize themselves with existing measures designed to impede the execution of exploits and malicious code in both process and kernel memory. By attending this talk, participants will gain a comprehensive understanding of the advancements made in memory corruption mitigation, equipping them with the knowledge necessary to enhance security practices and proactively address this critical aspect of the cybersecurity landscape.

The COVID-19 pandemic has led to the development and deployment of various contact tracing apps worldwide, including the Hong Kong government's LeaveHomeSafe app. In this talk, we will present the findings of our comprehensive security assessment of LeaveHomeSafe, which uncovered a range of vulnerabilities from minor to critical.

We will discuss the overall app design and functionality, the uncovered issues related to data privacy and security, as well as interesting edge-case scenarios. We will delve into the technical details of the vulnerabilities we found, demonstrating the tools and techniques used to identify and exploit them.

Our talk will also cover the disclosure process, as well as the subsequent press and official Hong Kong government reactions, which garnered international attention.

The talk will break down the good, the bad and the ugly of this security audit journey, from security audit to disclosure, public release, meetings with journalists and various attempts to further prove a number of security findings.

Attendees will gain valuable insights into the unique challenges of securing contact tracing apps, as well as the importance of conducting thorough security assessments before deploying such apps at scale. We will provide actionable recommendations to improve the security of LeaveHomeSafe and other similar apps, emphasizing the need for ongoing security testing and continuous improvement. Join us for an engaging and thought-provoking discussion on the security implications of contact tracing apps in the context of the COVID-19 pandemic.

For some preliminary talk background, please see:
https://7asecurity.com/blog/2022/07/leavehomesafe-android-ios-apps/

In the ever-evolving realm of cybersecurity, the cat-and-mouse game between attackers and defenders continues to intensify. To safeguard critical systems against malicious exploitation, the hardening of binary files has emerged as a fundamental security measure. However, no security measure remains impervious to threats, and binary hardening techniques face ongoing challenges.

This talk aims to shed light on the significance of binary hardening as a countermeasure against evolving vulnerabilities. Through a comprehensive examination, we explore both traditional and contemporary binary exploitation techniques, providing real-world insights into modern exploiting methodologies that bypass protective mechanisms implemented through binary hardening.

Our research addresses the lack of accurate and complete sources of information on binary hardening, emphasizing the importance of understanding ELF file structure and attacker avoidance strategies. By encouraging vigilance among developers and defenders, we aim to raise awareness about common binary files that lack proper hardening.

Throughout the presentation, we emphasize the significance of staying updated with the latest advancements in binary hardening techniques and exploit development. With an insightful outline covering ELF overview, outdated exploitation techniques, binary hardening, implementation, exploit bypassing, and real-world case studies, this talk offers an innovative perspective on the dynamic cybersecurity landscape. Attendees will gain valuable knowledge and tools to fortify their systems against digital threats and enhance their security practices.

Additionally, we will introduce our new tool called HardenMeter. HardenMeter is an open-source Python tool carefully designed to comprehensively assess the security hardening of binaries and systems. Its robust capabilities include thorough checks of various binary exploitation protection mechanisms, including Stack Canary, RELRO, randomizations (ASLR, PIC, PIE), None Exec Stack, Fortify, ASAN, NX bit.

HardenMeter was developed after conducting extensive Binary Exploitation research, addressing the need for an accurate and precise tool that assesses binary hardening and recommends binary files that require heightened attention and monitoring.

Occasionally we come across the expression “attacker mindset”, yet without properly understanding what it means in practice. What does it REALLY mean? Is it a different way of thinking? Planning? Improvising? Or execution? Or maybe all of the above? We’ll dive into some practical examples & hands-on demos to understand what this term actually means, from an engagement perspective.

Contributor/Package reputation is the main criterion used by developers when choosing what open-source package to ingrate into their application.

The widespread use of open source sparked a new wave of attackers on ways to spoof the Contributor/Package reputation. In this talk, we will share some of the TTP we have seen and researched that can easily be used to fool developers into choosing malicious packages; we will do a live demo of some of that techniques and share some best practices to detect and avoid those techniques.

In a world where trust is a currency, and information is power, meet Jim, the innocent accountant with access to many financial secrets. When his dream promotion slips through his fingers, Jim crosses the line from hero to rogue, unleashing a hidden fury fueled by betrayal.

Lacking any technical skills but armed with insider knowledge, he becomes the ultimate insider threat. He can steal data without a trace, eluding the watchful eyes of the very firm that underestimated him. As colleagues celebrate their achievements, Jim orchestrates a daring heist of classified information, and security tools can't detect him, he is the insider threat. Can he be caught as he employs ChatGPT knowledge and just google searches to grab and exfiltrate data from his company?

In a thrilling tale of vengeance and deception, witness how a master of numbers becomes a master of mayhem. This autumn, Jim unveils the dark side of insider knowledge. Prepare for his story as told at Deepsec Conference.

The story started as a hobby project: I was about to retrieve the current temperature of a non-smart water heater in my apartment. To not void the warranty, I was looking for a non-intrusive solution that purely relies on off-the-shelf smart home gadgets only.

Understanding the undocumented APIs of these IoT devices required reverse engineering the corresponding official mobile applications and eavesdropping on the network communication between them and the cloud management services. Researching this uncovered design flaws in the pairing protocol and vulnerabilities in the implementation that allowed attackers to steal victim sessions and to impersonate these devices for a life-time.

As security incidents become increasingly complex, it's crucial for SOC and incident response teams to focus on actual malicious investigations. However, their ability to do so is often limited by time-consuming human interactions with stakeholders.

In this talk, we'll explore different levels of automation approaches for incident response, culminating in the latest additions of conversational AI tools. These tools enable full investigations with human stakeholders to be performed automatically, with an analyst only as a silent observer/supervisor.

We'll discuss the benefits and limitations of using conversational AI tools in incident response, as well as real-world examples of how these tools have been used effectively. By the end of the talk, attendees will have a better understanding of how to leverage this technology to streamline their incident response processes and improve their overall security posture.

Have you ever taken a moment to contemplate the extensive repertoire of applications that you engage with on a daily basis? Consider, if you will, the myriad applications that necessitate the utilization of your esteemed Microsoft credentials for seamless authentication. The symbiotic relationship between users and applications has reached a level of unparalleled automation. Regrettably, users often traverse this landscape of applications with a sense of obliviousness, blissfully unaware of the vast volumes of data that these applications access or the permissions that are inadvertently granted in the process. It is with a sense of deep concern that I address the escalating prevalence of OAuth app-based attacks, a pernicious breed of cyber threats encompassing the realms of consent phishing and OAuth app abuse.

In this talk, I aim to navigate the evolutionary trajectory of attackers as they traverse a treacherous path, progressing from the methodology of Password Spray attacks to the more sophisticated realm of Credential Stuffing, ultimately culminating in the alarming arena of Oauth app abuse. Furthermore, it is imperative that we clarify the grave risks that organizations face in light of these evolving attack vectors, thereby compelling them to adopt robust security solutions capable of fortifying their defenses against the multifaceted challenges inherent in the expansive landscape of Software-as-a-Service (SaaS) offerings.

Cyber threat intelligence has become a critical security area for organisations trying to defend against threat actors. It is slowly making a shift from a buzzword to an actionable true program.

But how confident are you as a security professional that you are moving into the correct direction? Should a CTI program heavily focus on the APTs and ransomware groups or the focus could be elsewhere?

The following presentation will have a walkthrough of an APT case, present some key prioritizations on what is relevant at a specific time for a CTI program and evolve as time goes on.

Reference case: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf

I was diagnosed with AD(H)D almost three years ago, aged 44. Getting the diagnosis and being able to get proper medicine meant the world to me; suddenly I understood all those symptoms and I was able to function remarkably better. Better understanding also meant that I got more insight to why it was becoming increasingly harder for me to get and keep a job. So something had to happen.

I’ve been an infosec professional for almost 20 years but after my diagnosis I moved to community marketing which basically meant doing the sparetime thing I love as a living. In December 2022 I was fired again and by then I knew I had to make yet another career change and make a career for myself that works better for me. Keep getting fired is obviously not sustainable. My (wise) wife said “You can’t talk about having ADHD and the challenges you have without acting upon them”. So I decided to go freelance in Infosec probably after realizing that would probably work best for me.

So this is what this talk is about: Regardless of mental diagnoses or not you should always go for what makes you happy. And especially when being mentally challenged it’s extremely important to know what the challenges are so you can mitigate them. It’s also about ADHD, what it’s really about, what the symptoms are and that you only have one life so it’s important to make the best of it.

By doing this talk I hope to spread knowledge about ADHD and break down taboos about it so more people can be helped and help themselves as this obviously is a very important subject. I am sure there is an over representation of mental diagnoses in Infosec (and IT in general) so the knowledge is definitely needed so we can talk openly about this, ensuring more companies understand how to handle diversity in every way and more people in the industry live happy lives.



On the clearweb, hundreds of shell corporations operate in the open which have been used to fuel the spread of Fentanyl and it’s precursors. These operators have stepped out of the shadows of the darkweb to increase the accessibility to their highly addictive drugs.

Sit down for this talk and discover how to identify a seller, track them down across the web, and find the links back to shell corporations based out of the United States. I will demonstrate all of this using real world examples; by following this guide you too will be able to use these OSINT tactics to take down a drug network.