Venue: Russia, St. Petersburg, A2 Green Concert
Date: November 12-13, 2019
Conference site: https://zeronights.ru/
At ZeroNights 2019, you can attend the Web Village talks and find out how the modern web works, learn about vulnerabilities and modern attacks on web applications, take part in a quiz and win memorable prizes.
Web Village will be held on the second day of the conference, November 13, 2019. Talks will begin at 12:00 in the Sputnik hall of Club A2. Please note that Web Village talks are not available in English.
Alexey “GreenDog” Tyurin – “From the misconfig to the harsh consequences” (25 min.)
This report is about signed cookies and everything related to them.
Pavel “sorokinpf” Sorokin (@sorokinpf) – GraphQL applications security testing automatization (25 min.)
The talk covers aspects of automating GraphQL application security testing: scanning all parameters in the SDL with Burp, testing access control, searching for DoS loops, and detecting various paths to critical data.
Valery “krevetk0” Shevchenko – “Testing principles and bugs that the others overlooked” (25 min.)
What does an ordinary tester know that a bug hunter does not? A deep understanding of the application, of course. And the "hunter" may not know the principles of testing themselves. In this talk, we will analyze the principles of software testing and how they help in everyday work, using real examples where these principles helped to find critical problems at various companies.
Alexey “SooLFaa” Morozov (@xSooLFaa) – “Blind SSRF” (25 min.)
SSRF (Server-Side Request Forgery) is the ability to pass a URL that the vulnerable server will then request. An attacker can collect internal infrastructure data and plan an attack using RCE. However, SSRF often exists only implicitly or with a number of restrictions. The talk describes methods for detecting and subsequently using blind SSRF in various technologies.
Anton “Bo0oM” Lopanitsyn (@i_bo0om) – “Hunting the Phoenix” (25 min.)
Community report on deanonymizing phishers with software vulnerabilities that they exploit.
Ramadan “r0hack” Ramazanov – “Injection Operation in ORM Libraries” (25 min.)
This report is about an interesting class of attacks – injections into SQL ORM dialects, which are a grammatical layer of abstraction between an application and a DBMS. Let's take a closer look at the injections in the Doctrine Query Language dialect.
Sergey “BeLove” Belov (@sergeybelove) – “The future without passwords – about WebAuthn and not only” (25 min.)
User passwords are a major difficulty for a modern service. Phishing, credential stuffing, weak passwords, anti-brute-force protection: all of this is a headache for any security department. A safe, mass-market alternative, the WebAuthn standard, is only beginning to be supported by the modern web. This talk covers the problems of giving up passwords and how users without passwords will be attacked.
Paul Ax (@Paul_Axe) – “ZN PWN Challenge” (25 min.)
A fascinating story about the continuation of many years of tradition.
Denis “ttffdd” Rybin (@_ttffdd_) – “Audit AWS Services Zoo” (45 min.)
The talk addresses various aspects of auditing AWS infrastructures. We will look at the variety of services provided, how they interact and how security is ensured, and review auxiliary tools and live cases.
Andrey Plastunov – “OOP in MVC frameworks. How not to do worse than it was” (25 min.)
In this talk, we show by example how careless use of OOP paradigms, inheritance in particular, can break the default access control policies in some popular MVC frameworks.
Presentation times can be found in the conference program.