Breaking Yourselves, But In The Best Way Possible


Details
Hello & Welcome
In this session we'll be discussing various ways to improve your offensive security testing.
Using these offensive security techniques, your teams will find new ways to break applications, and test your defenses.
Due to a corporate policy from the venue sponsor, to get into the venue & up to the event, you will need to register with your full name AND show photo ID when checking in to the event.
Please note this event will be recorded so we can put these talks on our YouTube channel afterwards. We will also be trying out our live streaming capabilities.
6:00 - Open doors & networking & drinks
6:30 - Dr Katie Paxton-Fear: Go Hack Yourself: API hacking for beginners
Over the past few years, we've really seen API hacking take off as a field of its own, diverging from typical web app security, yet parallel to it. Often we point to the amorphous blob that is web security and say: "here you go, now you can be a hacker too", with top 10 lists, write-ups, conference talks and whitepapers, smiling as we do. This creates a major challenge for developers who want to test their APIs for security, or for people who just want to get into API hacking: how on earth do you wade through all the general web security to get to the meat of API hacking, and what do you even need to know? This talk is going to break down API hacking from a developer's point of view, teaching you everything you need to know about API hacking, from the bugs you can find and the impact you can cause, to how you can easily test your own work or review your peers'. So what are you waiting for? Join me and go hack yourself!
7:15 - Refreshments (Food & Drinks & Networking)
8:00 - Gerald Benischke - Application DoS vulnerabilities
This AppSec-focussed talk demonstrates how denial of service attacks can be carried out without throwing lots and lots of traffic at a system, yet still effectively stop services. It uses a couple of vulnerabilities in the Play framework as an example and describes the impact. This approach can be likened to using precision-guided missiles rather than the carpet bombing of DDoS attacks.
I will explore the role that convenience for developers in frameworks plays when combined with unexpected payloads, and how this can be exploited. I also draw on how the service mesh can amplify this attack such that multiple instances can be killed with a single request. Furthermore, we look at how Web Application Firewalls (WAFs) offer no protection against this type of attack.
Lastly, I will look at what can be done to protect applications against this type of attack.
9:00 - Vacate venue -> to the pub for more socialising
LOCATION
-------------------------
Booking.com
6 Goods Yard Street Manchester M3 3BG
SPEAKERS
-------------------------
Dr Katie Paxton-Fear
A lecturer in Cyber Security at Manchester Metropolitan University and a cyber security researcher, but she's far better known for her hobby. In her free time, she's a hacker, specialising in API hacking and teaching others through her YouTube videos. A former developer turned hacker, she used to make RESTful APIs and now she breaks them. She found her first API vulnerability in 2019, which affected Uber, and she has been hacking APIs ever since, creating hours of content to help others follow in her footsteps. With her PhD in cyber security and machine learning, she loves to introduce a data-driven approach to hacking, combining new tools with manual testing to ensure an impactful bug report every time.
Gerald Benischke
I tend to describe myself as both an Agile Fundamentalist and an AppSec Snooper. What does this mean? On the one hand, my software development experience has led me to think that the principles of the agile manifesto form the basis of good practices. It boils down to lots of common sense, small steps, learning along the way, not writing code that nobody will want or need, and taking processes and procedures with a pinch of salt.
As an AppSec Snooper, I have been working to make security more approachable and more pragmatic. You could even say, more agile. The only way to deal with a deluge of supply chain vulnerabilities, bad practices copied from StackOverflow or hallucinated by an LLM is to bring security together with development (this is where the “shift left” buzzword applies).
SPONSORS (Thank you for supporting our community!!)
-------------------------
Booking.com - Venue Sponsor
Booking.com - Food & Drink Sponsor
-------------------------
Are you passionate about a security topic?
Do you want to speak at a future event?
Submit your interest here - https://forms.gle/zcm9bVNhgDixe8Gq5
Does your company want to sponsor a venue and/or refreshments?
Email Paul - paul.johnston@owasp.org