Bio: This is Mohan Sri Rama Krishna Pedhapati, also known as s1r1us on Twitter. My area of interest is Web and Browser Security. I spend most of my time doing CTFs, security research and finding vulnerabilities in the wild. Recently, I graduated from my bachelor's and was offered a position as an Application Security Engineer at Bugcrowd.

Talk Title: A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild

Abstract: Prototype pollution, whether server-side or client-side, is a fascinating vulnerability. Prototype pollution might lead to various vulnerabilities depending on the application logic. This session will focus on the client-side prototype pollution studies that we conducted. We'll illustrate how we used our approaches to uncover pollution in over 18 widely used JavaScript libraries, as well as the 80 bugs reported to the VDPs. We found vulnerabilities in Apple.com, Jira Service Management, HubSpot Analytics, Segment Analytics, and the websites of several undisclosed companies, netting us a collective $40,000 in bug bounties.

Bio: Hello, I'm Harsh, and I'm from India. I've been a regular contributor to the infosec community for the past five years. I worked as a full-time bug bounty hunter while gradually shifting to the other side of the fence. I started my career in industry with Zomato as a full-time security engineer. I'm currently working at Vimeo as an application security engineer. As a bug bounty hunter and security engineer, I'm particularly interested in server-side vulnerabilities, complex architecture design flaws, and unique bug classes, whether they're server or client-side. Though I no longer operate as a full-time bug bounty hunter, I do occasionally take part in bug bounties. Over the course of my bug bounty adventure, I've uncovered a number of bugs, including RCE in PayPal and Apple, which resulted in payouts of $30,000 and $50,000, respectively.

Talk Title: A tale of making internet pollution free - Exploiting Client-Side Prototype Pollution in the wild

Abstract: Prototype pollution, whether server-side or client-side, is a fascinating vulnerability. Prototype pollution might lead to various vulnerabilities depending on the application logic. This session will focus on the client-side prototype pollution studies that we conducted. We'll illustrate how we used our approaches to uncover pollution in over 18 widely used JavaScript libraries, as well as the 80 bugs reported to the VDPs. We found vulnerabilities in Apple.com, Jira Service Management, HubSpot Analytics, Segment Analytics, and the websites of several undisclosed companies, netting us a collective $40,000 in bug bounties.

Bio: Kavisha is a security Analyst by profession. She is a cloud security and machine learning enthusiast who dabbles in the application and API security. She has been recognized by the Government of India for helping them to find security issues in their websites. She has also been listed in the list of security researchers of the nation, in the newsletter of NCIIPC RVDP. She believes in giving back to the community and frequently finds audiences to talk. She is also a cyber security speaker and loves to share her views on various infosec threads. She has spoken at various securiy national and international conferences across the Globe including OWASP, Defcon Cloud village, OWASP Bay area, Null ahmedabad, Bsides Noida, Infosec girl, and many more.

Talk Title: Amazon Cognito (Mis)configurations

Abstract: Enterprises are increasingly running their IT and application infrastructure native. This fundamentally changes the security models and enterprise threatscape. Using Cognito for authentication is quite popular nowadays especially in web and mobile apps.it's been observed that Web and Mobile applications that are using Amazon Cognito or Identity Platform to manage authentication and authorization. However, due to mis-configured Amazon Cognito allows attackers to make the most out of these mis-configurations. In this session, we will talk about How AWS Cognito works?  What are the attack vectors to look for AWS Cognito mis-configuration? How are attackers able to exploit AWS cognito mis-configurations? Some tips for developer folks.

Bio: Hrishikesh has been a speaker in conferences such as c0c0n, bsides Delhi 2019, Defcamp Romania 2019. He is the OWASP Nagpur Chapter leader and is an active speaker in monthly meetups. He has keen interest in Hardware and RF Hacking, he has been a Lead Innovator at the National Innovation Foundation and Makers Asylum for improvement of social causes and Sustainable Development Goals. Hrishikesh also has a podcast named "The StorytellingHacker" where he speaks on Hardware Hacking, Radio Engineering, some interesting research papers and "Thought Experiments".

Talk Title: Hacking with Physics

Abstract: It is undeniable that sensors are the backbone for any IoT, smart devices or Industrial Control Systems and have been playing an important role in the technology world. They play a major role in taking inputs from the surrounding and giving output to the respective systems. But what if these sensor based systems operate in an unintended manner? What if their inputs inadvertently lead to compromising the system? Also, how often do organizations talk about security in Sensors? In this talk we will discuss various attacks which can be used to hack sensor based systems using Physics.

Bio: Swaroop Yermalkar works as a Head of Cyber Security for HackerU (India) where he is responsible for training and managing the Red Teaming Program . Swaroop is the author of the book “Learning iOS Pentesting” and leads an open-source project - OWASP iGoat which is developed for mobile security. He has given talks and workshops at many security conferences including AppSec USA, AppSec Israel, DEFCON (AppSec Village), Kazhackstan, BruCON, SEC-T, EuropeanSec, Hacks in Taiwan (HITCON), GroundZero, c0c0n, 0x90, GNUnify. Swaroop holds OSCE, OSCP, OSWP, CREST CRT certifications. Swaroop is also one of the top pentesters working with Cobalt.

Talk Title: The Spy In Your Mobile

Abstract: Do you think it’s too difficult to spy on mobile phones considering OS security? Or are you already being watched by someone? Or do you suspect someone is trying to spy on you? Or do you know what happens when your mobile device gets lost? If you’re interested in getting these answers, this talk is for you! In this talk, I will be presenting my research on various spyware functioning at the application level, OS level to analyze what it takes to spy on someone’s mobile. I will also be presenting an analysis of famous mobile hacks. This talk will discuss what are the prerequisites, attack vectors, and various techniques used by attackers to spy on someone’s smartphone. I will be also presenting several researched spyware from the internet, the dark web, and social engineering techniques used by attackers for successful spying and data exfiltration.

Bio: Sharan is an information security expert and bug hunter who enjoys experimenting with novel methodologies for security implications. He is in charge of doing daily pentests for NotSoSecure. Web applications, mobile apps, and infrastructure penetration testing are among his specialties. He is an expert in online and infrastructure pentesting techniques. Every new project gives Sharan the opportunity to learn new things, which motivates him and helps him enhance his talents.

Workshop Title: Exploiting esoteric android vulnerability

Abstract: Because the majority of an Android application's code is on the client side, innovative techniques to bypass them using frida, an android application analyzer, have emerged. What effect does clicking on a URL link have on an Android application? How may a WebView be used to commit account takeover? What is the difference between App Link and Deep Link on Android? How to get around the passcode using client-side approaches. All these techniques will be shown in this workshop.

Bio: Sanjay has been a Principal Security Consultant at NotSoSecure since June 2018, and his work mostly entails web application, mobile application (particularly Android), and external infrastructure penetration testing. He also performs code reviews for a number of high-profile companies. These are often huge corporations and ecommerce platforms situated in Europe and the United States. He also contributes to the NotSoSecure Advanced Web Hacking training courses by studying and upgrading them. He enjoys conducting various forms of research, which he shares on the NotSoSecure blog and GitHub Repository. He is the creator of well-known opensource programmes such as Blacklist3r, Android application analyzer, and Serialiazed payload generator, all of which can be found on NotSoSecure's github.

Workshop Title: Exploiting esoteric android vulnerability

Abstract: Because the majority of an Android application's code is on the client side, innovative techniques to bypass them using frida, an android application analyzer, have emerged. What effect does clicking on a URL link have on an Android application? How may a WebView be used to commit account takeover? What is the difference between App Link and Deep Link on Android? How to get around the passcode using client-side approaches. All these techniques will be shown in this workshop.