The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, who gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.

Tuesday, January 30 • 3:00pm - 3:50pm
MarkDoom: How I Hacked Every Major IDE in 2 Weeks.

Abstract
JavaScript (and HTML) has completely conquered the Web, and now it's taking over the Desktop. In order to provide more user-friendly graphical interfaces, today's software applications are being built with embedded browsers. Companies such as GitHub, Apple, Microsoft, Facebook, and Slack all build complex, desktop-like web applications completely in JavaScript. Many other organizations embed entire browsers into their products for rendering content. We call all of this the "Desktop Web," and it's full of security problems whose consequences are far more devastating than those of a typical JavaScript injection in a browser.
I will walk through examples of arbitrary code execution that I discovered in Visual Studio Code, GitHub Atom Editor, Sublime Text, Adobe Brackets Editor, all JetBrains products (IntelliJ IDEA, PhpStorm, WebStorm, PyCharm, RubyMine, AppCode, CLion, ...) and more. This research resulted in 5 CVEs and $(TBD)k in bounties.
Welcome to the unholy marriage of web application and desktop security. Let's explore how each editor was implemented, what went wrong, and the controls that can be used to do this more safely.

Speakers
Matt Austin

Director of Security Research, Contrast Security
Matt Austin is the Director of Security Research at Contrast Security, focused on runtime security assessment and protection through instrumentation. Prior to Contrast, Matt worked as a security consultant at Aspect Security, and he is currently active in many of the top Bug Bounty pl...

Tuesday January 30, 2018 3:00pm - 3:50pm
Garden Terrace Room