2.0 -//Pentabarf//Schedule//EN PUBLISH 7MBSWZ@@cfp.owaspukraine.org 1150643799 -7MBSWZ Web Application Firewall bypass techniques Workshop en en 20190202T100000 20190202T113000 1.03000

Web Application Firewall bypass techniques Workshop

Для воркшопа нужно: доска, маркер, стакан воды, вайфай(интернет) (желательно чтобы пропускал трафик к таким ресурсам как ngrok), за пару дней до начало ивента разослать учасником письма с требованием для участия в воркшопе. Требования: - Зайти на ТГ канал до начало вокршопа: https://t.me/joinchat/AAAAAFA3ZGkcrhwb7JSrPA - Понимание что такое XSS и SQL injection - Kali Linux - Регистрация на таких ресурсах как https://www.root-me.org & https://lab.pentestit.ru - Хорошое настроение PUBLIC CONFIRMED Workshop https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/7MBSWZ/ Innohub (https://innohub.innovecs.com) Bohdan Lukin PUBLISH VA9UAK@@cfp.owaspukraine.org 864355081 -VA9UAK Subdomain discovering as an essential part of the reconnaissance phase en en 20190202T114000 20190202T131000 1.03000

Subdomain discovering as an essential part of the reconnaissance phase

As a penetration tester or a bug bounty hunter, most of the times you are given a single domain or a set of domains when you start a security assessment. You’ll have to perform extensive reconnaissance to find interesting assets like servers, web applications, domains that belong to the target organization so that you can increase your chances of finding vulnerabilities. #####Requirements: * Linux based os (Kali Linux is Ok) * API Keys for: VirusTotal, Censys (use https://temp-mail.org) * Good mood #####Telegeram channel https://t.me/subd_enum PUBLIC CONFIRMED Workshop https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/VA9UAK/ Innohub (https://innohub.innovecs.com) Kostiantyn Sanduliak PUBLISH ZEVVV7@@cfp.owaspukraine.org 1051129507 -ZEVVV7 Introduction lstio Service Mesh en en 20190202T132000 20190202T140000 0.04000

Introduction lstio Service Mesh

Istio is an open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data. Istio's control plane provides an abstraction layer over the underlying cluster management platform, such as Kubernetes, Mesos, etc. PUBLIC CONFIRMED Talk https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/ZEVVV7/ Innohub (https://innohub.innovecs.com) Stanislav Kolenkin PUBLISH EY33C3@@cfp.owaspukraine.org 212112220 -EY33C3 OWASP Top-10 A2: Broken Authentication en en 20190202T145000 20190202T153000 0.04000

OWASP Top-10 A2: Broken Authentication

In this talk, I will demonstrate how important it is to put time and effort into security testing. I will introduce you to the Broken Authentication risk that is included in the OWASP Top-10. I will describe what attack vectors it has, how to understand if you are vulnerable to such attacks, and how to protect against them. The talk will be accompanied by practical examples of how to use the following tools to test the application against the Broken Authentication attacks: - Burp Suite - BeEF - Rainbowcrack PUBLIC CONFIRMED Talk https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/EY33C3/ Innohub (https://innohub.innovecs.com) Svyat Login PUBLISH NUZV8K@@cfp.owaspukraine.org 570205985 -NUZV8K Email as an initial attack vector en en 20190202T154000 20190202T162000 0.04000

Email as an initial attack vector

Email as an initial (an in some occasions one and only) attack vector. With good preparation of the attacker and the lack of knowledge of the target, the attack has great chances for success. In this talk, we will discuss some key markers of dangerous emails, and some interesting examples of phishing emails. PUBLIC CONFIRMED Talk https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/NUZV8K/ Innohub (https://innohub.innovecs.com) Artur Hil PUBLISH CHTFRS@@cfp.owaspukraine.org 100899674 -CHTFRS Building SQL firewall: insights from developers en en 20190202T163000 20190202T171000 0.04000

Building SQL firewall: insights from developers

Our general plan for talk: 1. SQL injections: what's that and how to protect against them. 2. Typical scenarios of fighting with injections: OWASP guide, WAF, SQL firewall. 3. WAF: pros, cons, why WAF is not enough. 4. SQL firewall: what is this, what are the main features of it. 5. How we built SQL firewall: - configuration and rules (allow, deny, ignore); - parsing SQL protocols; - pattern matching (WHERE, EQUAL, VALUE etc); - logging and masking requests; 6. SQL Firewall vs WAF. 7. Best use cases for SQL firewall. 8. Future improvements of SQL firewalls. 9. Outro. PUBLIC CONFIRMED Talk https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/CHTFRS/ Innohub (https://innohub.innovecs.com) Artem Storozhuk PUBLISH 9YNHDA@@cfp.owaspukraine.org 1256635682 -9YNHDA Application Threat Modeling en en 20190202T172000 20190202T180000 0.04000

Application Threat Modeling

Threat Modeling is an essential part of a secure software development process of any maturity. Building up a map of threats that are relevant for an application or system, measuring the impact and probability of these threats, and mapping existing and planned security controls to the related risks – is a crucial exercise that must be performed before the team hits the code and regularly after that. During the talk, we will design an imaginary piece of software that implements a business idea, and build a Threat Model that maps all planned security activities throughout the software development project that implements it. PUBLIC CONFIRMED Talk https://cfp.owaspukraine.org/owaspkyivwinter2019/talk/9YNHDA/ Innohub (https://innohub.innovecs.com) Vlad Styran