Are you passionate about bug hunting? Are you a bug bounty participant and a fan of quotation marks? Don’t miss out on AppSec.Zone! Here you can learn how to develop applications that won’t get hacked.
Yuri will talk about practical research into the security of an IP‑camera from a well‑known vendor. In the report, the speaker will look at the encryption algorithms used by the manufacturer to protect the device firmware, followed by reverse‑engineering of these algorithms ...
Most large and medium‑sized companies, regardless of the industry, have moved beyond just having an internal IT infrastructure. While proprietary software development is already the standard rather than the exception, this process poses new security risks and threats ...
Nikita is going to look at the process of reversing the firmware of an NVMe‑to‑USB adapter and demonstrate how to set up dual‑booting of a laptop with the modified adapter ...
Every month, malicious packages are reported to have been found and neutralized in the PyPI, npm, and RubyGems repositories. They steal AWS tokens, payment card data, browser passwords, and other sensitive information. Open‑source projects appear to be a great opportunity for information security vendors to demonstrate their ...
The report is about ATM security analysis, beginning with the simplest and most common cases. The consequences of not ensuring proper security will be demonstrated using real‑life examples. We will also analyze possible attack scenarios and talk about how ATMs are actually protected nowadays ...
We all use open‑source software and enjoy the variety and functionality of programs that have been created for us. The downside of flexibility and functionality is the possibility of making a mistake that leads to vulnerabilities in the design, code, and configuration of applications. This talk ...
The workshop will guide you through the basics of Linux kernel security. In a series of exercise‑driven labs, you are going to explore the process of exploiting kernel bugs in modern Linux distributions on the x86‑64 architecture ...
During the Summ3r of h4ck internship at DSec, the speaker chose the topic of AMD PSP research and writing a dumper of PEI phase files. Given the ridiculous shortage of material on this topic on the Internet in any language, the speaker decided to talk about how the UEFI firmware works for devices containing ...
This report examines the method of obtaining access to protected data stored on mobile devices in the context of forensic analysis without a password. This appears to be extremely complicated, but for a number of devices (Huawei P9, Samsung A5 2016) it is feasible due to the presence ...
A CTF‑style cybersecurity competition is part of a training program on secure design and programming of information systems. The CTF allows developers to get hands‑on experience with typical vulnerabilities and exploitation techniques to avoid any such vulnerabilities in released products ...
The BI.ZONE team will take the opportunity at OFFZONE to showcase the platform interface, demonstrate which companies the product is designed for, and explain the process of earning rewards for bug hunters ...
Walls have ears and houses have eyes. The report is dedicated to the privacy and anonymity of cryptocurrencies. It will be useful for newcomers to learn about the principles of blockchain, and advanced users will learn more about ensuring their own privacy ...
The deception phase of information systems security is often unjustifiably neglected. Even though it can be used to provoke an intruder, who is trying to infiltrate your system or has already done so, to expose themselves and thereby detect them ...
The speakers will talk about their experience in testing payment applications and about interesting vulnerabilities that they have come across in real projects ...
What is a Privacy Sandbox? What problems are being solved with it, and what problems are eventually created by rejecting third‑party cookies? Let’s discuss the proposed technologies (FPS, CHIPS, FedCM, etc.) and the current status of their adoption ...
You can come across Flutter applications in security analysis projects or bug bounty programs. Most often, such assets are simply overlooked due to the lack of methodologies and ways to reverse engineer them ...
Finding secrets in a codebase is an essential stage of any mature SDLC. This report is about Avito’s approach to finding secrets in their codebase and Docker images. The speaker will talk in depth about the process in the context of SDLC, why the current open source does not cover all needs, and most ...
A story of one bad pentest, which teaches us that even an absolutely hopeless situation can be dealt with if you think carefully and believe in yourself ...
There is a trend toward the possible use of cryptocurrencies at the corporate level. The speaker will share how to minimize mistakes when it comes to implementation. The report compiles the main technologies and practices that will allow corporations to use cryptocurrency for settlements safely ...
The word panopticum literally translates from the Greek as “the place where you can see everything.” In the report the audience will learn about the technologies to ensure their own privacy. Cryptographic methods of protection will be discussed for the most part ...
Fault tolerance systems are a crucial link in making corporate networks more reliable. This research delves into FHRPs and what they can mean for a pentester during a network attack ...
Modern frameworks eliminate a whole layer of security issues that were commonplace just a few years ago. In the report, the speaker will show what the security analysis of modern web applications looks like and share his experience in improving the efficiency of this approach ...
The speakers will give a detailed overview of YubiKey security keys, covering tools such as GPG, U2F (FIDO/FIDO2), OTP, and Git. They will show how to use passwordless authentication, how to use a TPM in Linux, and how to store SSH keys in it ...
The report talks about the mistakes that the speaker made when implementing SDLC from scratch and the lessons learned from these mistakes that may help in the future ...
Security antipatterns are common insecure application design practices. Without realizing it, such patterns “leave land mines” in the application’s core, which leads to recurring vulnerabilities and security issues. Meanwhile, all that patching can cost a fortune, especially in mature services ...
One of the fundamental properties of blockchain is the impossibility of data spoofing (immutability). However, not all smart contracts have immutable code. A common practice is the contract logic update pattern that relies on a proxy. You have to be very careful when updating the implementation ...