OWASP AppSec Days Singapore 2024

In an era where digital transformation is accelerating, our future is being written, "coded", by the decisions we make today. But securing this future requires more than just traditional security measures; it demands the ingenuity of hackers and the power of community-driven collaboration. This keynote explores how the hacker mindset and community innovation are key to embedding security into the very DNA of our digital infrastructure. By leveraging the creativity, curiosity, and collaborative spirit of the hacking community, we can craft a resilient digital future where security is not an afterthought but a fundamental element. This talk will challenge you to rethink how we approach security, empowering hackers and communities to shape a safer, more secure digital world—one line of code at a time.

OWASP AppSec Days Singapore brings you an exciting, offensive, jeopardy-style Capture the Flag (CTF) event on October 2, 2024.  We have collaborated with Cybercohesion and WARZONE (one platform, all CYBER) to bring this thrilling competition to the OWASP AppSec Days Singapore Conference, happening at the iconic Marina Bay Sands Singapore.

This CTF offers participants the opportunity to test their offensive application security skills in a competitive and engaging environment. Join us for a full day of challenging scenarios and the chance to showcase your experiense alongside fellow security professionals.

Ready Set Hack: THE AppSec Arena Showdown Challenges:

Morning Session: Cryptography Challenges | Time: 9:30 AM - 12:30 PM  (Players need to be at Venue by 9am as we will do a event brief)
Challenges: BLOWFISH | CUSTOM | S33DER
Afternoon Session: Web Security Challenges | Time: 1:30 PM - 4:00 PM
Challenges: CCTV | KAER MORHEN COIN | REVIEW

Scoring Details:

• Speed: The first player to score gets 100% of the points, with subsequent players receiving progressively lower scores.
• Accuracy: Points are awarded based on the accuracy of the solutions. For wrong attempt there is no negative scoring.

The Open Web Application Security Project (OWASP) boasts over 200 Projects, whose volunteers have developed tools and resources covering nearly every aspect of application security and software assurance. The challenge lies in knowing what they are, where to find them, and how they can help.

In this talk, we'll present brief glimpses of more than 30 interesting and useful OWASP Projects - including the current Flagship and Production Projects. We'll provide insights into how each can be used to build and improve your AppSec program, in every phase of the development lifecycle.

In this session we will leverage the Extended Berkeley Packet Filter (eBPF) technology for enhanced File Integrity Monitoring (FIM) solution for Kubernetes. This talk will cover the basics of eBPF, its advantages over traditional FIM methods, and practical implementation techniques. We will showcase OWASP KubeFIM which is an open source FIM solution for Kubernetes, and discuss future prospects for eBPF in security applications. Attendees will gain practical knowledge on setting up eBPF for FIM, understanding its benefits, and navigating potential challenges.

As AppSec professionals, securing and protecting our users and business is paramount. This session will delve into data from the OWASP Appdome Global Consumer Mobile Security Expectations Report, launched at OWASP Global AppSec in Lisbon, with a focus on Singapore and APAC consumer insights. We will explore the latest mobile threats such as social engineering, vishing, smishing, fraud, overlay attacks, accessibility exploits, bots, and more. Additionally, we'll provide updates on the OWASP mobile project and demonstrate how to leverage consumer voices in security discussions with developers and business leaders to drive prioritization and success in your mobile AppSec program. This session is applicable to all AppSec teams, whether focused on mobile, web, or API security.

During the session, I will present an extensive array of over 15 distinct techniques and vulnerabilities that can be exploited for authentication bypass or account takeover. Some of the vulnerabilities I will cover include Session Puzzling, Session Fixation, Rate Limit Bypasses, Broken Brute-Force Protection, 2FA/OTP Misconfigurations, HTTP-Parameter Pollution, PHP Type Juggling, and many more. These insights will provide attendees with a comprehensive understanding of the various methods used by attackers to compromise authentication mechanisms and take control of user accounts.

OWASP AppSec Days Singapore brings you an exciting, offensive, jeopardy-style Capture the Flag (CTF) event on October 2, 2024.  We have collaborated with Cybercohesion and WARZONE (one platform, all CYBER) to bring this thrilling competition to the OWASP AppSec Days Singapore Conference, happening at the iconic Marina Bay Sands Singapore.

This CTF offers participants the opportunity to test their offensive application security skills in a competitive and engaging environment. Join us for a full day of challenging scenarios and the chance to showcase your experiense alongside fellow security professionals.

Ready Set Hack: THE AppSec Arena Showdown Challenges:

Morning Session: Cryptography Challenges | Time: 9:30 AM - 12:30 PM  (Players need to be at Venue by 9am as we will do a event brief)
Challenges: BLOWFISH | CUSTOM | S33DER
Afternoon Session: Web Security Challenges | Time: 1:30 PM - 4:00 PM
Challenges: CCTV | KAER MORHEN COIN | REVIEW

Scoring Details:

• Speed: The first player to score gets 100% of the points, with subsequent players receiving progressively lower scores.
• Accuracy: Points are awarded based on the accuracy of the solutions. For wrong attempt there is no negative scoring.

Out of Bound (OOB) tools (such as Interact.sh, Burp collaborator, etc) are powerful tools for penetration testers who want to find and exploit blind vulnerabilities. Blind vulnerabilities are those that do not show any output in the response, making them hard to detect and OOB tools can make the vulnerable server send a request to a controlled server, where the tool can capture the request and reveal the vulnerability. OOB tools are especially useful for finding SSRF, SQLi, XXE, RCE vulnerabilities, and can also be used to exfiltrate data from the target. They are often used in manual penetration testing activities where pentesters or attackers send requests to the web server using these tools to identify the presence of vulnerability. This happened in Log4J and Text4shell vulnerability exploitation too where mass scanning took place. In this talk, we will discuss about how to effectively leverage this known concept of Out of band testing to identify security vulnerabilities that are actively being tested for or exploited using techniques such as process hierarchy validation, request baselining, etc. In this talk, we will also discuss how to identify and hunt for OOB adversarial infrastructure using techniques such as response fingerprinting, network analysis, and process execution logs. This will help them identify attacks known or unknown against web applications. The talk will also cover some case studies of real-world attacks where OOB tools were used or detected. This talk will give you a comprehensive overview of the various techniques that can be used by defenders to detect unusual out of bound requests originating out of web applications.

Real examples of API security breaches, how they map to the OWASP API Security Top 10, and what you can do about it in your own projects. This presentation will dive deep into recent API security incidents, illustrating the vulnerabilities outlined in the OWASP API Security Top 10 – 2023. We will explore practical mitigation strategies to enhance the security of your APIs and protect your data from similar threats.

This presentation captures findings from a public AI security challenge designed to evaluate the resilience of Large Language Models (LLMs) against prompt injection attacks. The experiment involved an Attack & Defence wargame where participants were tasked with securing their LLMs, specifically preventing secret phrase disclosure. They were given access to the source code of the app that interfaced with OpenAI API. Simultaneously, participants were to attack other LLMs in an attempt to exfiltrate the secret phrase. A notable aspect of this experiment was the real-time evolution of defensive strategies and offensive tactics by participants. The results indicated that all LLMs were exploited at least once. This underscores how there is no silver bullet for securing against prompt injection and that it remains as an open problem.

As artificial intelligence (AI) becomes an integral part of our digital landscape, the looming threat of adversarial attacks casts a shadow over its immense potential. This presentation takes a technical deep dive into the evolving landscape of AI security and the relentless tactics employed by adversaries to exploit vulnerabilities. Attendees will gain insights into the various attacker strategies including OWASP LLM TOP 10, and security flaws in LLM frameworks that are exploitable. Moreover, there will be demos of adversarial AI attacks on POC applications. Demos covered include the Fast Gradient Sign Method (FGSM), Prompt injection to Code execution, Poisoning Training Data, Model Serialization Attacks, and SQL injection in LLM applications. The session aims to equip attendees with a comprehensive understanding of the adversarial tactics prevalent in AI security and empower them to guard against the shadows that threaten AI systems.