OWASP Day 2015
27 Feb 2015,
We all know about Wordpress and its (in)security. What about other CMSes? What about NZ made ones? Introducing 'droopescan', a plugin-based tool for scanning CMSs. In this talk we will see its effectiveness in identifying versions and plugins, and we will see what the landscape looks like for installations of two CMSs (Drupal & SilverStripe) in New Zealand.
09 Nov 2013,
Every day, technology quietly fails us. The causes of these failures can have serious ramifications. One could MitM large userbases - intercept email, web, voice and more - without detection or disruption. Or all of it could stop working, a universal Denial of Service. Technological defenses to protect against such attacks can be bypassed, and by doing so allow attackers to undermine core Internet infrastructure. These attacks have been discussed before, but the depth of the issue is greater than previously thought. Let me tell you just how out-of-this-world this problem is, and why it's important for network operators to step up to protect their users.
09 Nov 2013,
The current tools available to exploit XPath injection suck. In this talk I will go logarithmic on their ass and introduce an injection tool that your mother would be proud of. From web developers who use XML there shall be much wailing and gnashing of teeth.
09 Nov 2013,
Denis Andzakovic and Thomas Hibbert
Hypothesis: There is a strong correlation between the amount of bugs one can find in a specific piece of software and the amount of times said application's marketing team use the word 'Enterprise'. Method: Hack all the things. Conclusion: Well, you'll have to come to our talk. This talk will be all about the bugs found in the applications that are designed to keep your favourite Zaibatsu, telco or government agency running smoothly. Who watches the watchers? We do. And now you can, too!
18 Nov 2012,
War driving has been around for a very, very long time, however it has been missing a few key things. Mainly leather, Judas Priest and Motorcycles. 'Ghost riders in your LAN' is a talk based around overclocking the wardriving game by introducing gasoline, angle grinders, cheap wifi gear and a build price smaller than your slightly more exorbitant weekend bender. This talk is a collaboration between Security-Assessment.com and Stray Rats Custom Motorcycles. I will be covering the details of how to build a wifi-attack-cycle from the ground up - from electronics and cheap-and-cheerful heads-up displays to the bike modifications required to mount all the tech and look awesome while terrorizing your local neighborhood TP-LINKs. Ride the metal monster, breathing deauth and fire. Closing in with vengeance broadcasting high. This is the WifiKiller.
17 Nov 2012,
Timing attacks are relatively well known in the shady recesses of the caves I assume cryptographers hide in. However, less is known by us security and hacker folk. I intend to rectify this injustice by answering a simple question - Can a timing attack be used on a remote web app to guess a hashed password faster than a simple brute force attack? To this end I have pondered, coded, tested, sweated, cried, pondered some more, tested, cried again and coded until I have the tool to answer the question! Ha! This talk will outline the tool, the technique, and its limitations. They said it couldn't be done, I say watch my talk and find out.
New Zealand OWASP Day 2012
31 Aug 2012,
"Don't roll your own" has been common advice over the past decade; however, even when heeding these words, insecure practices and common mistakes lead to glaring security holes. This talk will cover some of the common errors made when implementing applications based around web frameworks, where to look for vulnerabilities and how to avoid them.