Submitted by Riyaz Walikar (@riyazw) via Zainab Bawa (@zainabbawa) on Thursday, 16 January 2020
Duration of the session: 30 mins full talk Status: Confirmed & Scheduled
The key takeways for attendees from this talk would be:
- Introduction to attacks and techniques/usage of JS beyond the standard XSS
- Introduction to the talk
- Why is XSS bad anyways?
- I’ve Got No BeEF With You
- Demo of a real world account and browser compromise
- Mutation XSS
- Abusing browsers’ code normalisation against them
- Server Side JS attacks
- The perils of insecure templating
- Server Side JS injection
- Remote Code Execution
- JS and Desktop Applications
- Case Study of
- HTML/JS Injection in a popular messaging client
- Breaking filters and Web Application Firewalls
- JS weirdness
- Twisted XSS payloads
- Case Study 1
- Case Study 2
- JS fuzzing engines
- Browser crashes and the $$$
- Session Hijacking using ActionScript and Flash
- Weaponising ActionScript for account takeovers
- Taking over the DNS of a local home router from the Internet
- Closing notes
- The End / Q&A
- Enthusiastic Audience
Riyaz Walikar currently heads the Security Research Team at Appsecco. His team primarily works on identifying vulnerabilities in cloud solutions, container technologies, web app frameworks, maritime systems and anything else that can be reused by the larger security community. In the past, he has led multiple security testing teams, include the one at Appsecco which is responsible for the assessment and delivery of Web, Mobile Application and Cloud Security Testing engagements. He is a OSCP and CREST certified Web Application Pentester, security evangelist and researcher. He has been active in the security community for the better part of the last 12 years. He has been actively involved with the Bangalore OWASP and null chapter for the last 9 years and is one of the OWASP Bangalore chapter leads.
In his time in the security industry, Riyaz has penned two books, has trained and spoken at numerous security conferences and helped many Fortune 500 companies become secure by training their teams, testing their apps and responsibly disclosing security weaknesses in enterprise software.
When not dabbling in security research or testing, Riyaz likes to spend his time reading, travelling and stargazing.