Github Actions, the recent (from 2018) CI/CD addition to the popular source control system, is becoming an increasingly popular DevOps tool mainly due to its rich marketplace and simple integration. As part of our research of the Github actions security landscape, we discovered that in writing a perfectly secure Github actions workflow, several pitfalls could cause severe security consequences. Unless the developers are proficient in the depths of Github best-practices documents, these workflows would have mistakes. Such mistakes are costly - and could cause a potential supply-chain risk to the product. During the talk, we’ll walk you through our journey on how we found and disclosed vulnerable workflows in several popular open-source tools, delved into Github actions architecture to understand the possible consequences of these vulnerabilities, and present what could be the mitigations for such issues.

Security Operations Centers (SOCs) strive to provide an infallible line of defense to their customers against targeted attacks and malware lurking in the cyberspace. For that, several security sensors are used to flag any suspicious activity, ensuring that even needle-in-the-haystack attacks are caught. However, not every suspicious event is truly malicious. As such, these detectors can quickly generate an overwhelming influx of alerts for SOC analysts to inspect. Thousands of alerts to manually sift through every single day, out of which only a minute proportion constitutes true relevant alerts that require action. In an endeavor to help analysts strike a balance between thoroughly protecting their customers and controlling the alerts firehose, we present a lightweight system that automates this grueling process. It triages critical alerts while filtering out false alarms. Our approach leverages the historical context around alerts across the underlying heterogeneous detector technology and serviced organizations. Using these signals, the model automatically filters out more than 52% of the noisy false alerts daily compared to the existing manual workflow, while successfully prioritizing more than 90% of the true critical alerts and bringing them to analysts’ attention.

As more cross-chain projects come out in the blockchain space, we often see them getting breached by new types of Bridge vulnerabilities (think about the Wrapped ETH hack where $320 million was lost). This is where the so called "Web3.0" and "Web2.0" meet. Most exploitation methods rely on the combination of using smart contract functions and typical web server provided functionalities. We'll look into how these complex systems can be hacked and propose truly decentralized solutions.

The Diffie–Hellman key exchange is affected in D(HE)at vulnerability (CVE-2002-20001), a DoS attack forcing the server to compute the CPU-intensive part of the mechanism overloading it seriously. Of course, the effectiveness of the attack depends on the key sizes, the used cryptographic protocol, and the server application, but it also highly depends on the cryptographic library implementation. There are significant differences between the crypto libraries in what bandwidth is sufficient to consume a whole CPU core on a server. I will demo how a server that implements TLS, SSH, or IPsec protocol can be overloaded and how the peculiarities of the crypto implementation influence the vulnerability.

Tobias was testing an "anti-theft software" for laptops on a German TV show when it turned out that finding a real thief is not that easy. The story finally slipped away when a brutal criminal and a bodyguard entered the scene. But the person who finally ended up spreading the most fear surprised everyone. Unfortunately, the funny parts of this shooting could not be broadcasted on TV ... but they will be part of this lecture. So take your seat and fasten your seatbelt while you listen to this hilarious story, in which nothing went as planned!

In connection with an internal red team task, I designed and built a Rust-based Windows application that avoids and circumvents all current protection on a 100% fresh Windows 10 machine. Protections I had to avoid: Automatic Sandbox Analysis, Chrome Browser Protection, Antivirus, Endpoint Protection, Firewalls, and other built-in protections for Windows 10. The goal was to implement a non-persistent offensive device that creates the smallest possible footprint on the background, thus reducing the risk of falling over and being analyzed. The presentation describes the development process, the components used, as well as any problems that may arise and their solutions. (As well as some key moments in a video demo.)

Hacktivizmus mindig volt és mindig lesz. Egészen pontosan mindig lesznek olyan lánglelkű fiatalok, akik rendszerkritikusságukat vagy éppen hazafiságukat a hackerizmus eszközeivel élik meg. Amennyiben egy ország tudatosan törekszik ezen fiatalok honvédelembe való integrálására – hasonlóan a nagyhatalmakhoz –, akár rövid távon is megvalósítható az offenzív kiberképességek létrehozása. A 2012-es Hacktivity konferencián készült felmérés szerint Magyarországon az információbiztonságban dolgozó vagy az iránt érdeklődő személyek 59%-a akár ingyen is szolgálná a hazáját, míg 27%-uk pénzt kérne ezért. Csupán 14% válaszolt úgy, hogy nem venne részt a honvédelemben. Bár a felmérés régi, feltehetően továbbra is sikerrel lehetne meríteni a magyar hackerek közül, ami tudatos tervezéssel a magyar kiberhadviselési képességek fejlesztésének egyik fontos eleme lehet. De mi a helyzet 2022-ben? És egyáltalán, mit mond nekünk az ukrán-orosz háború a hacktivista csoportokról? A kerekasztal-beszélgetésen ezt járjuk körbe.

Because of the prevalence of watering-hole attacks, drive-by-downloads, and browser exploits, the security of an organization is partly a function of the kinds of content its employees browse. The content of those websites widely ranges from pages that enable social networking to sites that engage in sharing protected intellectual property. To help organizations profile the risk of the internet usage of their employees we have developed a neural network approach for web content classification in support of security goals. Introducing web control might prevent employees from accessing pages with inappropriate content, risk of legal liability, or that simply have a negative impact on productivity. Here we demonstrate that we can effectively expand upon the coverage of a blocklist for 80 distinct categories by building a machine learning model, using only the URL as an input, that can accurately predict the category of previously unseen websites.

ICMP is an Internet Control Message Protocol, hence as its name indicates it has capabilities to control the flow of traffic on the network layer. This means that certain scenarios such as network congestion, unreachable destination and excessive packet size are properly communicated and sometimes even remediated by the ICMP. ICMP is also not an exception when it comes to abusing its powerful capabilities - a malicious actor can craft the ICMP packets and manipulate the flow of legitimate network traffic. This presentation dissects two Proof of Concepts- one attack injects the arbitrary IPv6 route whereas the other sends request to redirect all traffic via the router controlled by the attacker. The attack works against Windows (2012/2016/2019) as well as CentOS7 and is executed through the Proof of Concept script. Even more interesting is that both attacks abuse fully legitimate protocol functionalities. The attacking scripts do not create any complicated application payloads or corrupted headers. They simply abuse the protocol logic and relaxed default setting of Windows and CentOS operating systems to compromise them.

RATs, Ransomwares, APT Espionage and Vulnerabilities are all part of a blue team ongoing thoughts, on the other hand "The Insider Threat" is probably one of the most overlooked areas of those teams around the world. "Insiders" stories have been here forever with examples like Anat Kam & Edward Snowden- and while it is ALWAYS floating in the back of our head as defenders - we fail short in thinking of creative ways to pro-actively identifying rogue personnel. In this talk, We will present the audience with different methods to use their EDR solutions not to solely spot threat actors- but also utilize the collected data to hunt for the next insider within their organization. We will of course, share unique Threat Hunting ideas and concepts that we believe will help organizations world wide covering this blind spot.

In the most recent OWASP TOP 10 the category injection finally moved from the first position to a still respectable third place. Why is this category such an unkillable problem and why do people dismiss it despite of its prelevance? In this talk we are diving into the jungle of injection attacks and will avoid the obvious. If you are interested in the diverse species in this group pop in for a lightweight talk!

When it comes to web applications security testing and looking for bugs, reconnaissance plays a crucial step in identifying the right path for spotting vulnerabilities. The power of deep manual recon led to some serious bugs discovered in a short amount of time. In the other hand, some people use automation in this process as an intention to speed it up and not waste too much time in understanding the organization and the technologies it uses. In this talk we are going to cover the (unique) ways and methods to perform a healthy recon process on a bug bounty program. We will also cover some real world examples of bugs found using different recon techniques, as well as some tips to enhance your searching methodologies.

This workshop will introduce you to the basics of the command injection vulnerability, and after having some solid foundations, we will deep dive into the different restrictions and bypasses. We will discuss blind command injections, double-blind command injections, character limitations, and other exciting topics. The techniques learned can be later used in IoT vulnerability research or even in bug bounties. One will only need docker and optionally ghidra to participate in the workshop. The docker environment will be provided one week before the workshop starts.

This will be a simple and short (in the limit of the 2h) introduction into Android reverse engineering. No previous reversing knowledge is required and all of the tools will be provided in the form of a VM packed with goodies. The course will cover the basics of Android, APK structure, DEX file internals and how this can be exploited in order to decompile and deobfuscate malware. In addition, hands on exercises will be provided with fresh malware samples where the knowledge can be put to good use in extracting C2s and other interesting information.

This workshop is an introduction to the newer, not so classical web applicaion attacks, like XSS, and SQL injection. The purpose is to introduce multiple different methods, not to deep in one single one, it is more like broad introduction. During the workshop we would like to present the following attack types: Cross Site Request Forgery (CSRF), Server Side Request Forgery (SSRF), CORS konfigurációs gondok, OAUTH konfigurációs gondok, serialization, may be more depend on the time.

The objective of this workshop is an in-depth dive into the world of in-memory malware and how Red Teamers benefit from coding offensive tools as position independent code (=PIC). To do so, the advantages of PIC over traditional PE loading techniques, will be highlighted and it will be demonstrated how PIC can be used to avoid suspicious memory artifacts and thus to evade security products. Next, we will learn about the flexibility of PIC, allowing offensive coders to use their implementations in various stages of an operation, such as Initial Access or Post Exploitation. We will see, how PIC can be integrated into various file extensions, such as VBA, HTA or used as part of DLL Side Loading techniques. As a last step, we will see how the metamorph characteristic of PIC can be used to protect your implementations from signature based security solutions. Attendees will learn how to implement PIC using the C programming language and concepts, such as function pointer resolving or string stacking will be explained. As part of this workshop, attendees will write a minimal C2 implant using (non PICed) code-snippets and a given C2 implementation. Prerequisites: - Good knowledge of C and x64 Assembly - Windows VM - Linux with installed Mingw

Most cryptographic challenges are based on either implementation attacks (the key is somewhere in the working environment), mathematical attacks (finding weaknesses in the encryption algorithm) or on poor key management techniques (weak keys or weak key setup). In this workshop, we deal with a different approach based on a real case. A practical implementation of the Shamir Secret Sharing Protocol is presented in which a flaw enables to break the protocol far more efficiently than brute-force.