Wednesday, October 2
 

10:45am GMT+08

Enhancing Kubernetes Security: File Integrity Monitoring with eBPF
Wednesday October 2, 2024 10:45am - 11:25am GMT+08
In this session we will leverage the Extended Berkeley Packet Filter (eBPF) technology for an enhanced File Integrity Monitoring (FIM) solution for Kubernetes. This talk will cover the basics of eBPF, its advantages over traditional FIM methods, and practical implementation techniques. We will showcase OWASP KubeFIM, which is an open source FIM solution for Kubernetes, and discuss future prospects for eBPF in security applications. Attendees will gain practical knowledge on setting up eBPF for FIM, understanding its benefits, and navigating potential challenges.
Speakers
Abhijit Chatterjee

Independent Consultant
As an independent infrastructure and security consultant, I specialize in helping organizations optimize their development operations and fortify their security posture.
Room: Jasmine Ballroom Marina Bay Sands Convention Center

1:10pm GMT+08

Unlocking the Gates - Understanding Authentication Bypass Vulnerabilities
Wednesday October 2, 2024 1:10pm - 2:00pm GMT+08
During the session, I will present an extensive array of over 15 distinct techniques and vulnerabilities that can be exploited for authentication bypass or account takeover. Some of the vulnerabilities I will cover include Session Puzzling, Session Fixation, Rate Limit Bypasses, Broken Brute-Force Protection, 2FA/OTP Misconfigurations, HTTP-Parameter Pollution, PHP Type Juggling, and many more. These insights will provide attendees with a comprehensive understanding of the various methods used by attackers to compromise authentication mechanisms and take control of user accounts.
Speakers
Vikas Khanna

Technical Specialist, Privasec
I am specialized in Web Application and API Security Assessments, with extensive experience across various industries including Finance, E-Commerce, Employee Management, Food, Beverages, and Fitness. My successful bug bounty hunting endeavours have led to the discovery of security...
Room: Jasmine Ballroom Marina Bay Sands Convention Center

2:05pm GMT+08

Hunting for 0 & 1days by tracking Out of Bound Requests
Wednesday October 2, 2024 2:05pm - 2:40pm GMT+08
Out of Bound (OOB) tools (such as Interact.sh, Burp Collaborator, etc.) are powerful tools for penetration testers who want to find and exploit blind vulnerabilities. Blind vulnerabilities are those that do not show any output in the response, making them hard to detect, and OOB tools can make the vulnerable server send a request to a controlled server, where the tool can capture the request and reveal the vulnerability. OOB tools are especially useful for finding SSRF, SQLi, XXE, RCE vulnerabilities, and can also be used to exfiltrate data from the target. They are often used in manual penetration testing activities where pentesters or attackers send requests to the web server using these tools to identify the presence of a vulnerability. This happened in Log4J and Text4shell vulnerability exploitation too, where mass scanning took place. In this talk, we will discuss how to effectively leverage this known concept of Out of band testing to identify security vulnerabilities that are actively being tested for or exploited using techniques such as process hierarchy validation, request baselining, etc. In this talk, we will also discuss how to identify and hunt for OOB adversarial infrastructure using techniques such as response fingerprinting, network analysis, and process execution logs. This will help them identify attacks known or unknown against web applications. The talk will also cover some case studies of real-world attacks where OOB tools were used or detected. This talk will give you a comprehensive overview of the various techniques that can be used by defenders to detect unusual out of bound requests originating out of web applications.
Speakers
Surya Subhash

Security Researcher, Microsoft
Subhash is a Security Engineer with Microsoft. Previously, he was a Red Teamer with EY & PwC (India practices). He's a blue teamer by day and a security researcher & red teamer by night. He is passionate about security research and creating new tools. He was a bug bounty hunter...
Room: Jasmine Ballroom Marina Bay Sands Convention Center

4:30pm GMT+08

The Dark Side of AI: Exploring Adversarial Threats
Wednesday October 2, 2024 4:30pm - 5:10pm GMT+08
As artificial intelligence (AI) becomes an integral part of our digital landscape, the looming threat of adversarial attacks casts a shadow over its immense potential. This presentation takes a technical deep dive into the evolving landscape of AI security and the relentless tactics employed by adversaries to exploit vulnerabilities. Attendees will gain insights into the various attacker strategies including OWASP LLM TOP 10, and security flaws in LLM frameworks that are exploitable. Moreover, there will be demos of adversarial AI attacks on POC applications. Demos covered include the Fast Gradient Sign Method (FGSM), Prompt injection to Code execution, Poisoning Training Data, Model Serialization Attacks, and SQL injection in LLM applications. The session aims to equip attendees with a comprehensive understanding of the adversarial tactics prevalent in AI security and empower them to guard against the shadows that threaten AI systems.
Speakers
Alex Devassy

security engineer, AppViewX India
Alex is a senior security engineer at AppViewX India, specializing in penetration testing to enhance application security. He's passionate about researching new attack vectors in focused technology domains. Among his achievements, he co-authored the chapter "Safeguarding Blockchains...
Room: Jasmine Ballroom Marina Bay Sands Convention Center
 