AppSec Israel 2016 has ended


Track 1
Monday, September 19

10:05 IDT

The Unwanted Sons - Formalizing and Demonstrating WAF Bypass Methods for the REST of the Top 10
The once uncommon application-level protection mechanisms are EVERYWHERE these days, and sooner or later you'll have to face them.
Web Application Firewalls (WAFs), Intrusion Detection Systems (IDSs), filters and RASP modules are all common and widespread countermeasures you have to face on a regular basis, with the power to turn a typical assessment into a nightmare and make automated tools practically useless.
While the attack vectors are well covered in CWE, CAPEC, TECAPI RvR, WASC, the OWASP Top 10 and the Testing Guide, all you have to cover evasion techniques is a couple of cheat sheets focused on a limited set of attacks.
Sure, there are numerous XSS and SQL Injection evasion cheat sheets, but what about Path Traversal, Remote File Inclusion and OS Command Injection? What about Forced Browsing? What about other attacks?
Formalizing evasion techniques and methods for the REST of the common attack vectors makes a LOT of sense, for manual pen-testing and automated tools alike - and THIS is phase one, aimed at covering the rest of the unattended Top 10.


Shay Chen

CEO, Effective Security
Shay Chen is the CEO of Effective Security, an information-security boutique company specializing in information security assessments and in automating security processes of vulnerability management and SDLC. He has over twelve years in information technology and security, a strong...

Monday September 19, 2016 10:05 - 10:50 IDT
Main Auditorium
  Track 1
  • Audience: Breakers
  • Language: Hebrew
  • Technical Level: Intermediate / Advanced

10:55 IDT

Don't Feed the Hippos!
The security community has been trying to solve the insecurity caused by bugs and flaws in software for many years now, but with what success?
We almost never look at the successes and failures experienced in other areas, but we could really learn from them. This talk is inspired by Ernesto Sirolli's TED talk "Want to help someone? Shut up and listen!" about failures in aid programs around the world. Listening to Ernesto Sirolli, you cannot miss the similarity with the security community trying to tell developers how to write secure code. This talk points out common failures of the security community when communicating with developers, trying to solve their problems without understanding what their problems really are.
Using the hippo analogy for security failures, during the talk those '(in-)secure hippos' are identified and advice on how to avoid them is provided, through anecdotes and best practices drawn from the past 10 years of experience in the security field as a consultant.


Martin Knobloch

Member of the BoD / OWASP Netherlands Chapter Lead, OWASP

Monday September 19, 2016 10:55 - 11:25 IDT
Main Auditorium
  Track 1

11:45 IDT

Hacking The IoT (Internet of Things) - PenTesting RF Operated Devices
We often encounter IoT (Internet of Things) systems during our work as penetration testers and security consultants. We know how to assess the security of the server-side API, the associated mobile apps, the web apps and so on - but what about the device itself (the "thing")? Moreover, what happens if the device is not using traditional HTTP/S requests, or does not even "speak" plain old TCP/IP?

During this talk, we'll go over the obstacles we have to face when analyzing the unknown, custom RF-based communication that drives the target IoT system we're pentesting. We'll talk about, and see in action, tools that allow us to capture RF traffic, analyze it, brute-force it, replay it, and of course forge it. It's like plain old appsec hacking tricks, but at the RF level. So let's hack some things belonging to the real world!


Erez Metula

Application Security Expert, Founder, AppSec Labs
Erez Metula is the founder and Chairman of AppSec Labs, a leading company in the field of application security. He is the author of the book "Managed Code Rootkits", and is a world-renowned application security expert. Erez has extensive hands-on experience performing security assessments...

Monday September 19, 2016 11:45 - 12:30 IDT
Main Auditorium
  Track 1

12:35 IDT

Hacking HTTP/2 - New attacks on the Internet’s Next Generation Foundation
HTTP/2 is the emerging network protocol for the Internet, facilitating leaner and faster web browsing by introducing several new mechanisms which can be seen as a single transition layer for web traffic. The adoption of HTTP/2 is lightning fast, and even though only a year has passed since its publication, HTTP/2 is already supported by all significant players in the field including browsers, web servers and Content Delivery Networks.
In the presentation we will overview the HTTP/2 attack surface - stream multiplexing, flow control, HPACK compression and server push - with a focus on how the way HTTP/2 servers implement these mechanisms can make or break your security posture. We will continue by presenting new classes of vulnerabilities introduced by the mechanisms used with HTTP/2, and explaining how these vulnerabilities can be used for mounting effective attacks against web servers like Apache, IIS, Nginx, Jetty and nghttp. We will explain in detail several serious zero-day vulnerabilities, such as CVE-2016-1546, CVE-2016-0150 and CVE-2016-1544, and end by discussing several approaches for mitigating attacks of these types.
Those attending this session will understand that:
1. As an emerging technology that introduces novel and flexible mechanisms, HTTP/2 also introduces new risks.
2. HTTP/2 implementations are still not "security mature." Therefore it is almost certain that scrutiny of HTTP/2 implementations will increase in the coming years, resulting in the discovery of new vulnerabilities, exploits and security patches. With HTTP/2 gaining more popularity, this trend will intensify.
3. An effective security strategy for newly adopted technologies must rely on supplemental solutions rather than on patching alone.


Nadav Avital

Application Security Research Team Leader, Imperva
Nadav Avital is an expert in Web Application Security. He leads an Imperva team that captures and analyzes hacking activities and then creates mitigation strategies. These efforts result in research into new technologies and protocols. Nadav has more than 10 years' industry experience...

Noam Mazor

Noam Mazor worked at Imperva as a security research engineer in the Web Application Security team. Noam has experience in analyzing hacking activities, creating mitigations and researching vulnerabilities. He holds a BSc in Computer Science and is currently an MSc student at Tel Aviv U...

Monday September 19, 2016 12:35 - 13:20 IDT
Main Auditorium
  Track 1

14:15 IDT

NodeJS Security Done Right​ - The tips and tricks they won’t teach you in school​
NodeJS, and JavaScript at large, are quickly taking over software, whether measured by GitHub's statistics for project growth, the IoT industry or ChatOps projects written in JavaScript; enterprise adoption is growing as well.
With this trend, it is imperative to review OWASP security practices and learn how to harden NodeJS web applications.

We will begin with a quick NodeJS intro and a few fail stories of how things can go wrong.
We will then quickly dive into hands-on, practical implementation of security measures to adopt in your current or future NodeJS project. Next I will show how to leverage widely adopted security tools for integration into the build and CI/CD process to audit and test for security vulnerabilities, as well as leveraging successful enterprise-level open source npm libraries to enhance your web application's security.

In summary: in this session I will demonstrate:
* Securing ExpressJS by adopting mature and commonly used npm libraries
* Secure code guidelines for JavaScript software developers
* Integrating NodeJS security measures as part of your build CI/CD DevOps process


Liran Tal

Developer Advocate, Snyk
Liran Tal is a Developer Advocate at Snyk and a member of the Node.js Security working group. He is a JSHeroes ambassador, passionate about building communities and the open source movement, and greatly enjoys pizza, wine, web technologies, and CLIs. Liran is also the author of Essential...

Monday September 19, 2016 14:15 - 15:00 IDT
Main Auditorium
  Track 1

15:05 IDT

Putting the 'I' in Code Review - Turning Code Review Interactive
Everybody knows that manual code review can be a tedious and lengthy effort, with complexity growing exponentially with the size of the code. However, understanding code flow and focusing on relevant parts can become much easier when employing interactive debugging techniques. This allows combining the best of penetration testing and code review benefits to achieve maximum results in the most efficient manner. In this talk we will explain and demonstrate this eye-opening technique for effectively performing a manual code review on a live system using a debugger and provide a quick starter kit for implementing this technique.


Tamir Shavro

Seeker R&D Manager, Synopsys
Tamir Shavro has been involved both in complex R&D endeavors and in the security field for the past 18 years. As the Chief Architect & VP R&D of Seeker (acquired by Synopsys in 2015), Tamir has been the driving force behind the development of the Seeker technology. Prior to Seeker...

Monday September 19, 2016 15:05 - 15:50 IDT
Main Auditorium
  Track 1

16:05 IDT

Crippling HTTPS with unholy PAC
You're in a potentially malicious network (free WiFi, guest network, or maybe your own corporate LAN). You're a security conscious netizen so you restrict yourself to HTTPS (browsing to HSTS sites and/or using a "Force TLS/SSL" browser extension). All your traffic is protected from the first byte. Or is it?

We will demonstrate that, by forcing your browser/system to use a malicious PAC (Proxy Auto-Configuration) resource, it is possible to leak HTTPS URLs. We will explain how this affects the privacy of the user and how credentials/sessions can be stolen. We will present the concept of "PAC Malware" (malware implemented only as JavaScript logic in a PAC resource) that features: a two-way communication channel between the PAC malware and an external server, contextual phishing via messages, denial-of-service options, and sensitive data extraction from URIs. We present a comprehensive browser PAC feature matrix and elaborate further on this cross-platform (Linux, Windows, Mac) and cross-browser (IE, Chrome, Safari) threat.


Amit Klein

VP Security Research, Safebreach
Amit Klein is a world-renowned information security expert, with 25 years in information security and over 30 published technical papers on this topic. Amit is VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks...

Monday September 19, 2016 16:05 - 16:50 IDT
Main Auditorium
  Track 1

16:55 IDT

Integrating Security in Agile Projects
There are many different security development lifecycle (SDLC) frameworks in the modern world. However, a fully implemented SDLC program is often represented as heavy, time-consuming and not suitable for the Agile development methodology. We'd like to break the myth and show, on a real case example, how a very comprehensive security program, managed by a dedicated security office, can be successfully integrated into an agile development project.

We'll briefly describe the main challenges, and the techniques and procedures that help overcome them. We'll present the Security Lifecycle Management (SLM) Framework developed and used in HPE SW over the last three years, and describe how it was integrated into the development of a new, SaaS-based, fully agile product, with emphasis on the main activities and roles. As part of the presentation we would like to highlight the importance of proper program management and the role of the PMO, and how it became a key success factor in the effective implementation of the security program.


Elena Kravchenko

ADM BU Security Lead, Micro Focus (former HPE Software)
Elena represents the security side of the project and brings vast experience in both the development and security areas. She is responsible for a department developing 12 products (~400 developers). HPE Software Security Lead for HPE's Application Delivery Management (ADM) Business...


Efrat Wasserman

Product manager, Intel
Efrat is a Product Manager at Intel. Efrat brings deep knowledge and experience in both the software development and project/product management areas. Efrat's former position was Senior Program Manager at HPE SW. Efrat holds a BSc in Computer Science and Mathematics and an MBA in...

Monday September 19, 2016 16:55 - 17:25 IDT
Main Auditorium
  Track 1