Practical Modern Web & Desktop App Attacks By Example

What is common between Walmart, eBay, PayPal, Microsoft, LinkedIn, Google and Netflix? They all use Node.js: JavaScript on the server.

What is common between Microsoft Teams, Skype, Bitwarden, Slack and Discord? All of them are written in Electron: JavaScript on the client.

This talk is a comprehensive review of interesting security flaws discovered over the years in many Node.js and Electron apps: a practical walkthrough that covers anonymized findings from reports that could not be made public, interesting vulnerabilities in open source apps with strong security requirements, and more.

Prerequisites

Knowledge of any of the following is not required but will be an advantage: web security, desktop app security, JavaScript security, Electron security, Node.js security, static analysis, dynamic analysis, file storage, crypto, XSS, SSRF, SQLi, RCE, data exfiltration.

Learning objectives

This talk aims to increase awareness about modern web and desktop app attack vectors and how security auditors and developers can use these to make the world a safer place.

Speaker

Abraham Aranguren
Abraham Aranguren has worked in the IT industry for 20 years (13 of them in IT security) and is now the CEO of 7ASecurity, a company specializing in penetration testing of web and mobile apps, infrastructure, code reviews and training. He writes on Twitter as @7asecurity, @7a_ and @owtfp, and at https://7asecurity.com/blog. Multiple presentations, pentest reports and recordings can be found at https://7asecurity.com/publications

Gold sponsors

WIBU Systems
Snyk
Palo Alto Networks
Xanitizer
