OWASP Bay chapter SF May Meetup
Details
Finally we are able to get a space in SF city and host our in-person meet in SF city. Thank you Noisebridge for hosting the event and Avatao for sponsoring the Food/Drinks
Please join us for 2 awesome talks:
Talk #1 :
Building a TV That Steals All of Your Private YouTube Videos
Abstract:
Back in 2019, I was at a friend’s place and we were flying tiny FPV drones. After draining all of our batteries, I wanted to show them an old personal video from my YouTube account. They had a Smart TV. I opened the YouTube app on my phone, selected my private video, and it gave me the option to play it on the nearby TV. After just one click, the TV was already playing my private video. This planted an idea in my head that stayed there for years. My question was very simple: "How on earth did the TV gain access to my private video?". Later on, this led me down a road of reverse-engineering the YouTube TV application and finding a vulnerability that allowed me to steal anyone's private/unlisted videos if they opened my malicious website.
Speaker:
David Schütz (@xdavidhu)
Speaker bio:
I am a 20-year-old CS student working at Avatao as a full-stack engineer. I have been around the IT security field for as long as I can remember, sort of. I wrote my first hacking tools six years ago, and stumbled upon bug bounties in 2018. Most recently I have been exclusively hacking on Google VRP, Google’s bug bounty program, where every product of the company is in scope, from the thermostat on your wall to the production Google applications serving billions of users. I found quite a few bugs, and moved up on the leaderboard, currently being one of the top 50 Google VRP hackers worldwide. You might know me as @xdavidhu.
Talk#2 Malicious kubernetes webhooks
Abstract: Admission Controllers are an integral part of Kubernetes Security. Specifically, Access Control. These take the form of mutating and validating web-hooks. Kubernetes clusters use these webhooks to enforce/mutate security policy checks. Everything from security context to memory limits can be enforced through the use of these webhooks. However, attackers can leverage custom-built webhooks as a way of maintaining persistence in an exploited Kubernetes cluster. In this talk, I will detail the admission controller implementation in Kubernetes. I will build and deploy both mutating and validating, malicious webhooks to a cluster to demonstrate a bevy of post-exploit persistence approaches that one can leverage, entirely using Kubernetes webhooks.
Speaker: Abhay Bhargav, Founder and Chief Research Officer at AppSecEngineer/We45. He’s a renowned application security expert and a leader in the domain of DevSecOps. Abhay brings with him, a rich experience with working on complex security engagements, from penetration testing to security architecture reviews to compliance consulting. He’s the author of “Secure Java: For Web Application Development” and “PCI Compliance: A Definitive Guide” from CRC Press. He’s also the author of, and lead trainer for we45’s highly recognized workshops on DevSecOps, Threat Modeling, Web Application Security, to name a few.