Application Security

Nullcon 2022: Tech Talks Compilation 2

Sep 28, 2022
5 mins
Ajmal M

This is a serialised narration of the Tech Talks that happened over Nullcon 2022. Contributors include: Ajmal M, Anurag M, Bhagavan B, Saumya K, Sai Deepak and Varun B.

Hi! We’re back with another set of our learnings from the Nullcon talks.

This part includes the keynote by Dr.-Ing. Mario Heiderich on putting an end to whole classes of vulnerabilities like XSS, as well as talks on Cloud security, Web 3.0 smart contracts and the Electron framework.

DO WE GET STUFF DONE? - Dr.-Ing. Mario Heiderich
Dr.-Ing. Mario Heiderich, Founder, Cure53

Byline : Varun B

Dr.-Ing. Mario Heiderich, founder of Cure53, gave the keynote. The talk took us 20 years back in time to understand the breakthrough discoveries in medicine that were game changers. A few are listed below:

  • Ignaz Semmelweis - introduced hand washing as a medical practice
  • Edward Jenner - creator of vaccinology

The speaker then compared this to problems in web security and the researchers behind some key solutions. We saw how we overcame significant problems in both medicine and web security over the last 20 years.

Fast forward to 2022, two of the most significant web security problems we still face are:

  1. SQL Injection
  2. Cross-Site Scripting

The speaker shed light on how, for more than 20 years, our security frontline workers (security engineers, developers, sysadmins, browser vendors, ...) have failed to solve these problems.

Through the eyes of the speaker, we looked at a new paradigm: an approach that makes these vulnerabilities impossible to introduce in the first place, i.e. “secure by default” (More details here).

This talk not only motivated researchers to be bold and work on innovative ideas, but also asked them not to keep reinventing the same solutions.

A slight hint from the speaker: focus on security built into frameworks.

SCALE HACKING TO SECURE YOUR CLOUD AND BEYOND - Anand Prakash, PingSafe
Nullcon 22 : Anand Prakash

Byline : Bhagavan B

The talk was about the vulnerabilities Anand Prakash identified while doing bug bounties. He has found some of the coolest bugs in the wild, and most of them were related to account takeovers. The last vulnerability is the one that caught my eye: he found that a crypto company called “Shiba Inu” had leaked credentials on GitHub. In short, these credentials carried high privileges, which could be used for privilege escalation or for crypto mining. The consequences of leaving bugs unresolved in software or applications are huge. The outcomes may not be immediately critical, but they can cause severe damage to a business's reputation and result in compromised user data. Businesses can stay ahead of the game by being proactive and predictive.

Conclusion

  • Do not overlook minor issues.
  • IT is evolving; stay ahead of the game and keep upgrading the security infrastructure.
  • Bug bounty programs are not scalable and do not solve cloud security in the long run.

WINJA TRACK : WEB 3.0 SMART CONTRACTS COULD BE LEAKY - Ridhishree
Nullcon 22 : WINJA Ridhishree

Byline: Saumya K

Riddhi’s talk was one we had all been planning to attend early on. She is an Appsecco alum 😎 and has published remarkable security research. The talk shared her experiences of what worked and what did not work as expected when she wrote her first smart contract and deployed it to a ‘decentralised’ server. Crux of the talk:

  • How sensitive information hidden from plain sight in a smart contract can be leaked (the CTF flag)
  • How to go about fixing sensitive information leakage

And here are a few Web 3.0 security challenges that were covered in the talk:

  1. Integer Overflow:
     Addition of 2 unsigned integers can overflow to a smaller value: INT_MAX+1 = INT_MIN
     Subtraction of 2 unsigned integers can underflow to a greater value: INT_MIN-1 = INT_MAX
  2. From Solidity 0.8 onwards, the compiler automatically checks for overflows and underflows (the transaction reverts instead of wrapping).
  3. Data Privacy: Everything inside a contract is visible to all external observers. Marking something ‘private’ only prevents other contracts from accessing and modifying it; the value is still visible to anyone reading the blockchain.
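To make the three points concrete, here is an added example in Solidity. It is not code from the talk or from Riddhi's CTF; the contract and variable names are illustrative. It shows the wrapping arithmetic of pre-0.8 Solidity (reproduced under a 0.8 compiler with an `unchecked` block), the checked arithmetic that 0.8 applies by default, and why `private` does not hide a value from the chain. The commit-and-reveal pattern at the end is one common fix for the "secret in a contract" problem, added here as an assumption about what a fix could look like rather than what the talk prescribed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the original post. Names are illustrative.

// 1. Arithmetic that wraps, the default in every Solidity version before 0.8.
//    The `unchecked` block reproduces that behaviour under a 0.8 compiler.
//    uint8 is used so the wrap is easy to follow: the maximum value is 255.
contract WrappingCounter {
    uint8 public count = 255;

    function incrementWrapping() external {
        unchecked {
            count += 1; // 255 + 1 wraps to 0 instead of reverting
        }
    }

    function decrementWrapping() external {
        unchecked {
            count -= 1; // 0 - 1 wraps to 255
        }
    }
}

// 2. The same operations with the 0.8 default: overflow and underflow revert
//    with Panic(0x11), so the transaction has no effect.
contract CheckedCounter {
    uint8 public count = 255;

    function increment() external {
        count += 1; // reverts when count is 255
    }

    function decrement() external {
        count -= 1; // reverts when count is 0
    }
}

// 3. `private` only hides the variable from other contracts and from the ABI.
//    The value still sits in this contract's storage (slot 0 here), and any
//    node or RPC client can read it, e.g. with eth_getStorageAt(address, 0).
contract NotSoSecret {
    bytes32 private flag;  // storage slot 0: readable by anyone
    address private owner; // storage slot 1

    constructor(bytes32 _flag) {
        flag = _flag;
        owner = msg.sender;
    }

    // Access control on the getter does not help: the slot itself is public.
    function reveal() external view returns (bytes32) {
        require(msg.sender == owner, "not owner");
        return flag;
    }
}

// One possible fix (assumption, not from the talk): never store the secret
// on-chain. Store only a salted hash, and reveal the preimage later.
// Without the salt, a low-entropy secret could be recovered by guessing.
contract CommitReveal {
    bytes32 public commitment;

    function commit(bytes32 saltedHash) external {
        commitment = saltedHash;
    }

    // The secret and salt are supplied off-chain at reveal time; nothing
    // recoverable is stored before that.
    function verify(bytes memory secret, bytes32 salt)
        external
        view
        returns (bool)
    {
        return keccak256(abi.encodePacked(secret, salt)) == commitment;
    }
}
```

When auditing a contract written for a pre-0.8 compiler (or one that uses `unchecked` blocks under 0.8), check every `+`, `-` and `*` on user-controlled values the way `WrappingCounter` shows them wrapping; under the 0.8 default, the `CheckedCounter` behaviour applies without any library such as SafeMath.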

It was great to learn how Riddhi explored a new area, Web 3.0, built challenges for a CTF, and delivered a talk about her thought process and learnings during the whole journey.

ELECTROVOLT: PWNING POPULAR DESKTOP APPS - Mohan Sri Ramakrishna Pedhapati & Maxwell Garrett
Nullcon 22 : Electrovolt Talk

Byline: Ajmal M

Every tech giant is building their desktop client on Electron these days: MS Teams, VS Code and Discord, to name a few. The talk covered the latest research the ElectroVolt group did on Electron misconfigurations and the popular applications they managed to break. Electron is built on web technologies, and it was amazing to see how conventional web vulnerabilities we are familiar with, combined with misconfigurations in Electron, led to RCE.

The speaker, s1r1us, is well known for lining up experts in a given domain to get research in unexplored territory done. This was already clear from the research on Prototype Pollution, which had a huge impact. It was really inspiring and eye-opening to hear about the power of collaboration from the person behind it. Later, when we got to have a quick chat with him, he pointed out that CTFs are great entry points for people who do not know how to get started in research. In fact, his research ideas in Prototype Pollution and Electron were sparked by specific CTF challenges.

The talk deck.

## End of Part 2 ##

With this we conclude the second part. Hope you learned something new.
