CERN Computing Seminar

Application security: Not so obvious vulnerabilities

by Nicolas Grégoire (Agarri)

Europe/Zurich
6/R-012 - conference room (CERN)

Description

This talk will present several little-known but interesting situations where security vulnerabilities may arise. Basic XSS and SQL injection vulnerabilities will not be covered, but the bypass of strict defensive filters (either server-side or via a WAF) will be studied. The weird behaviors of PHP when using lax operators ("==" instead of "===") will be shown. We'll also get into XML technologies like Web Services, digital signatures, SVG documents and the like, covering attacks like denial of service, XML External Entities, Server-Side Request Forgery or remote code execution via XSLT. Regarding fuzzing, one of my recent campaigns will be discussed. Most of the examples and demonstrations are based on real-world code. I promise a lot of acronyms, some really nifty bugs and maybe a few good laughs.

About the speaker

Nicolas Grégoire has more than 12 years of experience in penetration testing and auditing of networks and (mostly Web) applications. He founded Agarri, a small company where he finds security bugs for customers and for fun. His research has been presented at numerous conferences around the world (Hack in the Box, HackInParis, ZeroNights, ...) and he has been publicly thanked by some well-known vendors (Microsoft, Adobe, Mozilla, Google, Apple, VMware, ...) for responsibly disclosing vulnerabilities in their products.


Organised by: Sebastian Lopienski and Miguel Angel Marquina
Computing Seminars / IT Department
