
OWASP Scotland Chapter Meeting - October

Hosted By
Rob J.

Details

Join us at the OWASP Scotland Chapter Meeting where we have three talks lined up for our October session - see talk details below.

Pizza and drinks will be provided to the attendees.

This event is perfect for software developers, ethical hackers, and cybersecurity enthusiasts interested in learning about the latest trends in cyber security.

#### Talk 1 - A tale of two Fortiinets

Speaker: Jim Slaughter

Blurb: Most large organizations monitor their brand space for infringement from things like typosquatting. This can turn up interesting results at different times.
In July 2024, FortiGuard Labs came across one such typosquatted domain, Fortiinet.com. The domain was registered a few months prior and did an excellent job impersonating our trade dress. In addition to being an excellent facsimile, the site was also dropping an infostealer, Lumma. The goal of this presentation is to detail the efforts we took to find and investigate the domain and infostealer.

Speaker bio:
Who Am I?
I'm Canadian, eh!
Currently a Senior Threat Intel Engineer at Fortinet
Day-to-day responsibility for looking for "interesting samples", reversing them and then passing the results on to our customers and government partners.
Prior to Fortinet:
8 years at NatWest as the Cyber Threat Hunting and Analytics Tech Lead
10 years at BlackBerry as a Dev
My hobbies match my vocation. You can usually find me tinkering with malware or code that I stick up on GitHub - https://github.com/slaughterjames

#### Talk 2 – Global Insights from Security Leaders across the Globe

Speaker: James Walsh

Blurb: Explanation of findings from Hays Global Cyber Survey, looking at Talent, AI, Cyber Budgets and Risks.

Speaker bio:
James Walsh CISMP, Director of Cyber Security Practice UK&I, has over 14 years of experience working specifically within the Cyber Security sector supporting a variety of industries with their Talent and Project Requirements.

#### Talk 3 – Cross-Site Scripting Beyond Alert(1)

Speaker: Paul Johnston

Blurb: XSS is one of the most common web application vulnerabilities. Most proof-of-concept exploits simply display an alert box, proving that JavaScript code has been executed. This talk explores what an attacker can do beyond an alert box, to maliciously exploit an XSS flaw. We investigate how browser security features such as HttpOnly cookies and Content-Security-Policy can be bypassed, in certain circumstances. And we look at some difficult XSS scenarios that are not detected by leading scanners, but can be exploited with a carefully crafted payload.

Speaker bio:
Paul is a security consultant at Pentest, specialising in web applications, and particularly in securing cloud-native, multi-tenant, SaaS platforms. He has worked in security for a number of years, and previously was a software developer and sys-admin.

HAYS
7 Castle St, Edinburgh EH2 3AH · Edinburgh