JSFoo Coimbatore 2019

On building faster, performant and secure web applications

About JSFoo Coimbatore

JSFoo Coimbatore is a single-day conference with talks, Birds of a Feather (BOF) sessions and speaker connect sessions. The conference will be held on Friday, 5 July, at Dr. G.R. Damodaran College of Science, Coimbatore.

JSFoo Coimbatore features talks on:

  1. How to secure your web applications by identifying vulnerabilities.
  2. Leveraging Web Application Vulnerabilities for Resourceful Intelligence Gathering.
  3. Case studies of performance improvements and using the modular approach to building front-ends.
  4. Node.js and good engineering practices such as logging, debugging and integrating security into your applications.
  5. WebSDK: switching between service providers on the fly.

Speakers from Hotstar, Uber, HackerRank, Chained Ventures, Tezify, Appsecco, Gramener, and Centre for Internet and Society (CIS) will present case studies and experiential talks which will help JavaScript, full stack and front-end engineers among participants to build faster, secure and performant web applications.

JSFoo Coimbatore 2019 sponsors:

Gold Sponsor

MockFlow

Bronze Sponsor

Hasura ThoughtWorks

Community Sponsor

PSG Software Technologies

Venue Partner

Dr GR Damodaran College of Science

For inquiries on tickets and sponsorships, call the JSFoo Coimbatore team on 7676332020 or write to us on info@hasgeek.com

Hosted by

JSFoo is a forum for discussing UI engineering; fullstack development; web applications engineering, performance, security and design; accessibility; and latest developments in #JavaScript. Follow JSFoo on Twitter.

Riyaz Walikar

@riyazw

Captain Marvellous JavaScript - A look at how hackers use JS

Submitted Apr 21, 2019

The modern web would be grossly incomplete without JavaScript. While the dev world is using JS to build more user-friendly, experience-rich, responsive and fast web applications, hackers have been using JavaScript on a parallel trail, using the same programming principles as the devs to break implementations and attack users and servers alike.

In this very “informally fun” (TM) talk, filled with examples and demos, we will see how hackers (mis)use the constructs available within JavaScript/ECMAScript to go beyond XSS and automate vulnerability discovery, attack seemingly secure endpoints, exploit weaknesses in implementation and break user trust for profit and for fun.

The key takeaways for attendees from this talk would be:
- Understanding how attackers see and use JavaScript
- Introduction to attacks and techniques/usage of JS beyond the standard XSS
- How JavaScript can be used as a powerful weapon in discovery and exploitation of vulnerabilities

Outline

  • Introduction to the talk
  • JavaScript and XSS: Is that it?
  • Why is XSS bad anyways?
  • I’ve Got No BeEF With You
    • Demo of a real world account and browser compromise
  • Going beyond its supposed application
  • Using JavaScript to Fuzz browsers
  • JS fuzzing engines
  • Browser crashes and the $$$
  • Server Side JS attacks
  • The perils of insecure templating
  • Server Side JS injection
    • Remote Code Execution
  • Client Side JS Attacks
  • What’s that in my DOM?
  • Mixing Desktop Clients and JavaScript (WCGW)
    • Case Study of
    • Code Execution using JavaScript in a Desktop Client
    • Data Theft via an insecure Express app on a Desktop Client
    • Windows Privilege Escalation using JavaScript in a Desktop Client
  • Breaking filters and Web Application Firewalls
  • JS weirdness
  • Twisted XSS payloads
  • Malware writers, JavaScript and obfuscation
  • Case Study 1
  • Case Study 2
  • Session Hijacking using ActionScript and Flash
  • Weaponising ActionScript for account takeovers
  • Mutation XSS
  • Abusing browsers’ code normalisation against them
  • JavaScript Steganography
  • Stega whaa?
    • Working with Alpha Channels in images
    • Hidden in PlainSight
  • IoT, JavaScript and a friendly home router
  • Attacking NodeJS servers on exposed IoT devices
  • What could go wrong you say!
  • Closing notes
  • The End / Q&A

Requirements

  • Projector
  • Enthusiastic Audience

Speaker bio

Riyaz Walikar currently heads the Offensive Security Team at Appsecco and is responsible for the assessment and delivery of Web and Mobile Application Security Testing engagements. He is an OSCP certified Web Application Pentester, security evangelist and researcher. He has been active in the security community for the better part of the last 10 years. He has been actively involved with the Bangalore OWASP and null chapters for the last 7 years and is one of the OWASP Bangalore chapter leads.

He is actively involved with vulnerability research in popular web applications and network-aware services and has disclosed several security issues in popular software like Apache Archiva, Openfire, Joomla! and ejabberd. He has also had luck finding vulnerabilities in popular web applications like Facebook, Twitter, Google, Cisco, Symantec, Mozilla, PayPal, eBay, Apigee, Yahoo, Adobe, Tumblr, Pinterest etc., and is on the Hall of Fame for most of these services. He has also been a speaker and trainer at several security conferences.

Ramakrishnan Kandasamy

Is your Serverless Application Secure?

Serverless is one of the most rapidly growing technologies in this cloud world. This gives a lot of advantages to developers and adopters while managing our applications and code. It also gives a lot of abstractions, including in the security space. This makes developers think that their application is secure from all threats and vulnerabilities.

21 Apr 2019