Bristol Meetups

Red team: App Hacking and Exploiting Unknown Browsers

Come to next meetup to learn about Application Hacking and Exploiting Unknown Browsers.
Learn about the challenges of a capture the flag that looks at an application and the chain vulnerabilities in it.
Discover a new tool to exploit unknown browsers and objects . Doors Open at 6pm for registration, pizza, drinks and networking. The talks start at 6:30pm.
Agenda:
• 6:00 pm - Social
• 6:30 pm - OWASP update
• 6:35 pm - Presentation 1: Application hacking through the eyes of an attacker - Rob Hillier, XQ Cyber
• 8:00pm - Presentation 2: Exploiting unknown browsers and objects - Gareth Heyes, PortSwigger
• After - Pub: The Famous Royal Navy Volunteer (http://navyvolunteer.co.uk/)

Presentation 1: Application hacking through the eyes of an attacker

Abstract: This talk will look at a capture the flag challenge which I enjoyed doing and found captured nicely an attackers mindset when they look at an application and chain vulnerabilities, it also give practical walkthrough of how to leverage them. It is a technical talk that will cover:
* Basic Application Reconnaissance
* Using Local File Inclusion (LFI)
* Attacking Flask (A python lightweight web server)
* Exploiting Server Side Template Injection
* Breaking out of a python sandbox

Bio: Rob is a passionate senior security consultant working for XQ Cyber delivering web application and infrastructure consultancy to government and FTSE 500 organisations. He is a Check Team Leader in Infrastructure and also holds the OSCP qualification but mostly just loves the challenge of the technical aspects of security (Not only the breaking things but how to fix them too!).
When not working you will often find Rob playing CTFs, building labs (to break them) or sat on the beach waiting for enough wind to kitesurf.

Presentation 2: Exploiting unknown browsers and objects

Abstract: Browsers are embedded everywhere, from popular applications like Steam and Spotify to headless crawlers, IoT devices and games consoles. They execute JavaScript but you don't have a dev console and some don't even allow you to interact with them. Many add custom JavaScript objects and functions but how can you discover all this hidden treasure without any dev tools? My talk introduces a new tool for your arsenal that allows you to inspect and exploit these unknown entities. The Hackability inspector is the missing offensive dev toolkit for security researchers.

Bio: Gareth works as a researcher at PortSwigger and loves breaking sandboxes and anything to do with JavaScript. He has developed various free online tools such as Hackvertor and Shazzer. He also created MentalJS a free JavaScript sandbox that provides a safe DOM environment for sandboxed code.