0x03 Assumption: Failed

Assumption: Failed is the fourth OWASP Beja meetup, happening on June 27th at 15:00, sponsored by Char49. Join us as we explore what happens when assumptions meet reality, featuring hands-on hardware tinkering and a deep dive into a critical vulnerability that aged far too well.

Schedule

15:00 - Welcome Notes by OWASP Beja chapter leadership team
15:10 - The Parking Chronicles - A DIY Guide to Controller Detection by David Sopas
16:10 - Aged Like a Fine Port: Old Yet Impactful by Paulo Silva
17:00 - Snacks & Drinks sponsored by Char49

Talks

The Parking Chronicles - A DIY Guide to Controller Detection
by David Sopas, Co-Founder & COO @ Char49

What started as a casual curiosity about a local parking system evolved into a hardware exploration into how controllers communicate, hide and sometimes expose more than they should. In this talk, we'll walk through the journey of identifying, locating, and analyzing parking controllers using DIY tools and techniques.

We'll explore a classic Bluetooth and BLE highlighting how accessible methods can uncover vulnerabilities in seemingly innocuous infrastructure. The goal isn't just to break things but to understand them and show how anyone with a soldering iron, a few scripts and a lot of persistence can demystify some systems.

This session will give you practical insights, real-world examples and a few laughs along the way.

About the Speaker
David Sopas is an experienced security researcher with a wide range of expertise. As COO of Char49, he has played a key role in driving the company’s success. David is also a sought-after speaker, having presented at numerous conferences including Def Con, BSides, and RSA, sharing his ideas and knowledge with audiences around the world. His exceptional work includes being the creator of MindAPI - an open-source API security methodology, which has gained recognition within the industry.

---

Aged Like a Fine Port: Old Yet Impactful
by Paulo A. Silva, Principal Security Researcher @ Char49

In this talk, we will delve into a critical XML Signature Wrapping (XSW) vulnerability (CVE-2023-34923) in a service management platform that remained undetected for over a decade despite regular penetration testing. The vulnerability was found in a Microsoft Azure AD integration, which many assumed to be "safe by default" due to the software giant's reputation for adhering to security best practices. However, the responsibility for validating the SAML response remained with the receiving party, and this crucial step had been overlooked. This session will explore the technical details, possible human factors behind the oversight, and the broader lessons for the security community.

This session will provide a comprehensive look at how seemingly minor assumptions can lead to long-term security blind spots. While XML Signature Wrapping is a well-known and well-documented vulnerability, this illustrates how even established weaknesses can persist when certain assumptions go unchallenged. Attendees will learn about the technical mechanisms of the vulnerability, the psychological factors that might have contributed to its prolonged existence, and practical strategies for identifying similar weaknesses in their own systems. The talk will emphasize the importance of questioning assumptions, thoroughly validating third-party integrations, and giving proper attention to complex, resource-intensive features.

Join this talk to gain insights into the technical specifics of XML Signature Wrapping and its exploitation, the psychological and operational biases that might have kept it hidden for so long, and practical recommendations to avoid similar pitfalls in your own environments.

About the Speaker
Paulo is a security practitioner with a solid background in software development, who has spent the last decade focused on identifying critical vulnerabilities and breaking software. He is a long-time OWASP volunteer and co-leader of the OWASP API Security Project, where he advocates for secure API practices and contributes significantly to mitigating security risks in the API landscape.