This is a serialised narration of the Tech Talks that happened over Nullcon 2022. Contributors include: Ajmal M, Anurag M, Bhagavan B, Saumya K, Sai Deepak and Varun B.
Hi! We’re back with another set of our learnings from the Nullcon talks.
This part includes the keynote by Dr. Mario Heiderich on putting an end to vulnerability classes like XSS, as well as content on technologies including Cloud, Web 3.0 and the Electron framework.
DO WE GET STUFF DONE? - Dr.-Ing. Mario Heiderich
Byline : Varun B
Dr.-Ing. Mario Heiderich, founder of Cure53, gave the keynote. The talk took us 20 years back in time, to understand the breakthrough discoveries in medicine that were game changers. A few are listed below:
The speaker then compared this to problems in web security and the researchers behind some key solutions. We saw how we overcame significant problems in medicine and web security over the last 20 years.
Fast forward to 2022, two of the most significant web security problems we still face are:
The speaker shed light on how, for more than 20 years, our security frontline workers (security engineers, developers, sys admins, browser vendors…) have failed to solve these problems.
Through the eyes of the speaker, we looked at a new paradigm, a new approach to make vulnerabilities impossible, i.e. “Secure by default” (More details here)
This talk not only motivated researchers to be bold and work on innovative ideas but also asked them not to reinvent repeatedly.
A slight hint by the speaker: focus on security built into frameworks.
SCALE HACKING TO SECURE YOUR CLOUD AND BEYOND - Anand Prakash, PingSafe
Byline : Bhagavan B
The talk was about the vulnerabilities identified by Anand Prakash while doing bug bounty. He has found some of the coolest bugs in the wild. Most of the vulnerabilities were related to account takeovers. The last vulnerability is the one that caught my eye: he found that a crypto company called “Shiba Inu” had leaked its credentials on GitHub. In short, these credentials had high privileges, which could be used to perform privilege escalation or for crypto mining. The consequences of leaving bugs unsolved in software or applications are huge. The outcomes may not be immediately critical, but they could cause severe damage to a business's reputation and result in compromised user data. Businesses can stay ahead of the game by being proactive and predictive.
WINJA TRACK : WEB 3.0 SMART CONTRACTS COULD BE LEAKY - Ridhishree
Byline: Saumya K
Riddhi’s talk was something we all were planning to attend early on. She is an Appsecco alum 😎 and has published remarkable security research. The talk was about sharing experiences about things that worked and that did not work as expected when she wrote her first Smart Contract and deployed it to a ‘decentralised’ server. Crux of the talk:
And here are a few Web 3.0 security challenges that were covered in the talk:
It was great to learn how Riddhi explored a new area, Web 3.0, made challenges for a CTF, and delivered a talk about her thought process and learnings during the whole journey.
ELECTROVOLT: PWNING POPULAR DESKTOP APPS - Mohan Sri Ramakrishna Pedhapati & Maxwell Garrett
Byline: Ajmal M
Every tech giant is making their desktop client using Electron these days: MS Teams, VS Code and Discord, to name a few. The talk is about the latest research the ElectroVolt group did on Electron misconfigurations and the popular applications they managed to break. Electron is based on web technologies, and it was amazing to see how conventional web vulnerabilities we’re familiar with, combined with misconfigurations in Electron, have led to RCE.
The speaker, s1r1us himself, is well known for lining up experts in a certain domain to get research done in unexplored territory. This is well known from the research on prototype pollution, which created a huge impact. It was really inspiring and eye-opening to see the power of collabs right from the beast. Later, when we got to have a quick chat with him, he pointed out that CTFs are great entry points for people who do not know how to get started in research. His research ideas in prototype pollution and Electron were in fact sparked by certain challenges.
The talk deck.
## End of Part 2 ##
With this we conclude the second part. Hope you learned something new.