0x02 Break It Till You Make It

Hosted By
Paulo A. S. and Rui S.
Details

Break It Till You Make It is the first OWASP Beja meetup of 2025, taking place on March 21st at 15:00 and sponsored by Dashlane. This edition dives into the challenges of vulnerability research, exploring the fine line between breaking and securing systems. Join us for insightful talks on turning theoretical knowledge into real-world exploits.

Schedule

15:00 - Welcome Notes by OWASP Beja chapter leadership team
15:10 - From Theory to Practice: Navigating the Challenges of Vulnerability Research by Raphael Silva
16:10 - Speed Bumps and Speed Hacks: Adventures in Car Manufacturers Security by Paulo Silva
17:00 - Snacks & Drinks sponsored by Dashlane

Talks

From Theory to Practice: Navigating the Challenges of Vulnerability Research
by Raphael Silva, Security Research Lead @ Checkmarx

Transitioning from theoretical knowledge to the practical aspect in web security often presents some extra challenges. Real-world scenarios introduce complexities such as bad character filters and Web Application Firewalls (WAFs), requiring the researcher to investigate ways to bypass these restrictions. Here are some of our learnings:

  1. Drawing from collaborative efforts and senior industry research becomes pivotal, offering insights that streamline exploits.
  2. Embracing failure as a learning experience is fundamental. Despite unsuccessful attempts to escalate Cross-Site Scripting (XSS) vulnerabilities, this still proves useful as it makes you investigate topics you wouldn’t otherwise.

Also learn a bit about how ethical security research faces legal hurdles in countries like Portugal, hindering progress and discouraging potential researchers.

Navigating this bridge from theory to practice in web security requires both technical prowess and resilience, and I hope to share some of my learnings from this journey with you in this talk.

About the Speaker
Raphael Silva is a Security Research Lead at Checkmarx, specializing in security research, SAST methodologies, and Supply Chain Security. Over the course of his career, he has presented at various conferences, as well as conducted a workshop at DEFCON. In addition, he is experienced in vulnerability analysis, research, and disclosure, having reported multiple bugs to companies and open-source projects.

---

Speed Bumps and Speed Hacks: Adventures in Car Manufacturers Security
by Paulo A. Silva, Principal Security Researcher @ Char49

In the age of AI, when choosing a new ride, we could have just asked ChatGPT or Bard for a quick recommendation. But nope, we're not taking the easy route. We put our hacking skills at service to check how seriously car manufacturers take their security game.

We're here to spill the tea on some of the security hiccups we've uncovered in the online realms of various car manufacturers. This is a presentation that's as street legal as your grandma's Sunday drive, respecting all those speed limits. We're not just here to bore you with technical jargon; we're here to make you dream of owning a Ferrari, give you a taste of a wild Porsche experience, and spill the beans on how to overtake a Mercedes with the utmost style. And hey, if you're rolling in a different brand, don't worry - we've got your back.

So buckle up, folks! This talk is going to be a wild ride, but fear not, a driving license is not required. We promise not to crash your expectations – just the insecure parts of those online car assets. See you at the intersection of laughs and cybersecurity!

About the Speaker
Paulo is a security practitioner with a solid background in software development, who has spent the last decade focused on identifying critical vulnerabilities and breaking software. He is a long-time OWASP volunteer and co-leader of the OWASP API Security Project, where he advocates for secure API practices and contributes significantly to mitigating security risks in the API landscape.

OWASP Beja Chapter
Instituto Politécnico de Beja (IPBeja)
R. Francisco Miguel Duarte · Beja