Loading…

Log in to bookmark your favorites and sync them to your phone or calendar.

Workshop [clear filter]
Wednesday, October 18
 

10:15

CtF Workshop #1 - Breaking Clouds

With over half of the fortune 500 on board, Cloud Foundry is considered to be the world's leading cloud platform. In this session, we will show some very interesting vulnerabilities that we identified and responsibly disclosed over this year to the platform's maintainers. We will discuss issues in working with zip files, using parameters in ruby-rack as well as various cases of time-of-check vs time-of-use and expand on each issue with a barrage of real world examples. 

In the second part of the session we will work out how migrating applications to a cloud environment might open them up to new and exciting vectors that are otherwise considered unexploitable.

We will see how with new technologies come new vulnerabilities and sometimes, it's just the old vulnerabilities that are making a comeback. 

Attendees could perform the learnt attacks on a pre-configured environment during the workshop.


Workshoppers
ES

Eran Shmuely

Sr Staff Cyber Security Researcher, GE Digital
VS

Vladi Sandler

Security Researcher, GE


Wednesday October 18, 2017 10:15 - 11:45
Room 37 - CS and Communications Building

11:00

12:15

CtF Workshop #2 - Exploiting Authentication Issues For 25,000$

Authentication mechanisms are considered to be the most sensitive part of any application and yet they seem to be some of the most prone for implementation errors. In this session, the security researcher will discuss how he broke the authentication mechanisms for some of the biggest applications in the world (Uber, Yahoo, Twitter, etc.). He will present advanced practical ways of exploiting SSO mechanisms such as SAML and OAuth, as well as user invitations and password reset mechanisms. 

In the second part of this session we will examine how CSP(Content Security Policy) helped fixing one of the vulnerabilities and we will elaborate about the various security-related HTTP security headers described by The Internet Engineering Task Force (IETF).

A security researcher from GE Digital will discuss what each one of these headers does to help augment web application security and under what circumstances they could be bypassed by a clever adversary. 

Attendees could perform the learnt attacks on a pre-configured environment during the workshop.


Workshoppers
avatar for Michael Reizelman

Michael Reizelman

Security Researcher, GE Digital


Wednesday October 18, 2017 12:15 - 13:45
Room 37 - CS and Communications Building

14:15

CtF Workshop #3 - Cache me if you can

Hash functions are all around us, being used for a variety of applications such as data integrity verification, de-duplication algorithms and as pointer generators in hash-tables. In this session a security researcher from GE Digital will discuss and demonstrate the differences between cryptographic and none-cryptographic hashes, generating collisions and performing cache poisoning and timing attacks against applications that use hashing naively. 


Attendees could perform the learnt attacks on a pre-configured environment during the workshop.


Workshoppers
avatar for Amit Kaplan

Amit Kaplan

Cyber Security Researcher, GE Digital
BSc in Communication systems engineering from Ben Gurion University of the Negev. Currently work as Cyber Security Resercher. My main fields of interest are Cryptography and Side-Channel Attacks. And Whisky........


Wednesday October 18, 2017 14:15 - 15:15
Room 37 - CS and Communications Building