The Open Web Application Security Project (OWASP) Los Angeles Chapter is teaming up with the Orange County, San Diego, SF Bay Area, and Inland Empire chapters to bring you the FIFTH Annual AppSec California. The event is a one-of-a-kind experience for information security professionals, developers, and QA and testing professionals, as they gather at the beach from around the world to learn and share knowledge and experiences about secure systems and secure development methodologies.

One- and two-day training sessions on various subjects by expert trainers kick off the conference on January 28th. World-renowned speakers follow on days three and four.

There will be four concurrent tracks throughout the day on both January 30 and 31, addressing a variety of topics to enhance knowledge.


Talk: Break It
Tuesday, January 30


ReproNow - Save time Reproducing and Triaging Security bugs
Abstract:
Crowdsourcing security, aka Bug Bounty Programs, is adopted by almost all companies today: big, small, and mid-size. While companies reap a lot of benefits, the challenge is to have a security engineer (or engineers) reproduce each bug, understand the replication method and spend time recreating the security bug that the researcher reported. And sometimes (read: all the time) it may also require a lot of going back and forth with the researcher to reproduce the vulnerability. As security engineers we felt the pain as well, and we created a tool that solves this challenge and helps organizations focus their resources on resolving these vulnerabilities and strengthening their security posture.

Our tool is open-source software and an easy-to-install browser extension. A researcher can install this extension in their browser and record the entire walkthrough of the vulnerability. Our tool captures not only the screen but also the network requests. So, a researcher can capture the entire session and submit this video to the organization. Then, the security engineers who validate it can play the video in the tool and see the exploit in action. They don't have to spin up Burp Suite or a bazillion other tools and again spend time reproducing the entire thing. The tool also lets you search for a string, so you can jump to a specific payload to see the exploit. This makes triaging much easier, saving engineers valuable time.


Vinayendra Nataraja

Senior Product Security Engineer, Salesforce
Vinayendra Nataraja is a Senior Product Security Engineer at Salesforce and an independent security researcher. He has been in the security industry for 5 years now and holds a Masters degree in Information Security from Northeastern University. He leads the bug bounty efforts for...

Lakshmi Sudheer

Senior Security Partner, Netflix
Lakshmi Sudheer is a security engineer who is passionate about all things information security and has mostly been on the application security side of the world. She also enjoys speaking about her open-source projects and has spoken at Defcon's BTV, BSides LV, RSA 2018, AppSec USA & AppSec...

Tuesday January 30, 2018 11:45am - 12:35pm
Club Room


Breaking Fraud & Bot Detection Solutions
Browser fingerprinting and user behavior tracking are powerful techniques used by most fraud and bot detection solutions. These are implemented as JavaScript snippets running in the user's browser. In this presentation, we'll demystify what kind of signals these snippets collect. We'll then describe why these signals are unreliable, propose attacks against defenses relying on them and finally show demos of PoC attacks.


Mayank Dhiman

Principal Security Researcher, Stealth Security
Mayank Dhiman serves as Stealth Security's Principal Security Researcher. His primary interests include solving problems related to online fraud and internet abuse. His current focus lies in detecting and mitigating malicious automation attacks. Previously, he had worked on fraud...

Tuesday January 30, 2018 2:00pm - 2:50pm
Garden Terrace Room


MarkDoom: How I Hacked Every Major IDE in 2 Weeks.
JavaScript (and HTML) has completely conquered the Web, and now it’s taking over the Desktop. In order to provide more user-friendly graphical interfaces, today's software applications are being built with embedded browsers. Companies such as GitHub, Apple, Microsoft, Facebook, and Slack all build complex, desktop-like web applications completely in JavaScript. Many other organizations embed entire browsers into their products for rendering content. We call all of this the “Desktop Web,” and it’s full of security problems that have more devastating consequences than your typical JavaScript injection. 
I will walk through examples of arbitrary code execution that I discovered in Visual Studio Code, GitHub Atom Editor, Sublime Text, Adobe Brackets Editor, all JetBrains Products (IntelliJ IDEA, PhpStorm, WebStorm, PyCharm, RubyMine, AppCode, CLion, ...) and more. This research resulted in 5 CVEs and $(TBD)k in bounties. 
Welcome to the unholy marriage of web application and desktop security. Let’s explore how each editor was implemented, what went wrong, and the controls that can be used to do this more safely.


Matt Austin

Director of Security Research, Contrast Security
Matt Austin is the Director of Security Research at Contrast Security, focused on runtime security assessment and protection through instrumentation. Prior to Contrast, Matt worked as a security consultant at Aspect Security, and is currently active in many of the top Bug Bounty pl...

Tuesday January 30, 2018 3:00pm - 3:50pm
Garden Terrace Room


The Bug Hunters Methodology 2.0
Building on the Bug Hunter's Methodology 1.0 given at Defcon 23, 2.0 brings the newest testing techniques, tools, and vulnerability data to penetration testers and security folk. Dive into new-school advents in discovery, XSS, server-side template injection, server-side request forgery, Code injection (SQLi, PHP, ++), XXE, robbing misconfigured infrastructure, CI, Code repositories, and more!


Jason Haddix

VP of Researcher Growth, Bugcrowd
Jason is the Director of Technical Operations at Bugcrowd. Jason trains and works with internal analysts to triage and validate hardcore vulnerabilities in mobile, web, and IoT applications/devices. He also works with Bugcrowd to improve the security industries relations with the...

Tuesday January 30, 2018 4:20pm - 5:10pm
Sand and Sea Room
Wednesday, January 31


Pack your Android: Everything you need to know about Android Boxing
Android malware authors may apply one or a combination of protection techniques such as obfuscators, packers and protectors. This additional step just before publishing the app adds complexity for Android Bouncer and various static and dynamic code analysis tools. Combined with these protection techniques, features such as emulation detection, anti-debugging, root detection, tampering detection and anti-runtime-injection practically make a malicious app go undetected. As a result we have seen a steady increase in malicious apps published in various Android app stores. ZDNet reported around 1000 spyware mobile apps published in the official Google Play Store this year alone. These apps may have the capability to monitor almost every action on an infected device, such as taking photos, recording calls, monitoring information about Wi-Fi access points and inspecting the user's web traffic.
We will focus on all three commonly used APK protection techniques and how they operate under the hood. For obfuscation, we will demo a tool designed to remove switch-case injection, dead-code injection and string encryption to get readable code. In the case of packers, the talk will showcase avenues to unpack them: first finding the algorithm, hooking into libc before the packer opens the DEX file, and dumping the DEX from memory. Protectors such as DexProtector mangle code by modifying the entry point to a loader stub and performing anti-emulation, anti-debug and anti-tampering checks. Protectors are easy to patch: one can attach to a cloned process or dump the odex and get readable code. With these techniques an ethical hacker or Android bouncer can identify many a malicious application published in app stores.
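The "dump DEX from memory" step described above ends with a raw memory region that still has to be searched for DEX images. The following is an added example, not code from the talk or from any tool it names: a Python carver that scans a dump for the `dex\n0NN\0` magic, sanity-checks `header_size` and `file_size`, verifies the Adler-32 checksum the header carries, and returns each image. The memory dump it runs on is constructed inline (a real one would come from the hooked process, e.g. via `/proc/<pid>/mem`; that source is assumed, not shown).

```python
import struct
import zlib

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is b"dex\n0NN\x00", e.g. 035, 037, 038, 039
HEADER_SIZE = 0x70            # every DEX header is exactly 0x70 bytes


def _parse_header(blob, off):
    """Validate a candidate DEX header at `off`; return (version, file_size) or None."""
    if off + HEADER_SIZE > len(blob):
        return None
    magic = blob[off:off + 8]
    if not (magic.startswith(DEX_MAGIC_PREFIX) and magic[4:7].isdigit() and magic[7] == 0):
        return None
    # header layout: magic[8] | checksum u32 @0x08 | signature[20] @0x0c |
    #                file_size u32 @0x20 | header_size u32 @0x24 | ...
    file_size, header_size = struct.unpack_from("<II", blob, off + 0x20)
    if header_size != HEADER_SIZE or file_size < HEADER_SIZE or off + file_size > len(blob):
        return None
    return magic[4:7].decode(), file_size


def carve_dex(blob):
    """Scan a raw memory dump for DEX images and return one dict per image found.

    Each dict carries the offset, declared size, version string, whether the stored
    Adler-32 checksum matches the bytes, and the image itself.
    """
    found = []
    pos = 0
    while True:
        off = blob.find(DEX_MAGIC_PREFIX, pos)
        if off == -1:
            break
        hdr = _parse_header(blob, off)
        if hdr is None:           # a stray "dex\n" string, or a header failing sanity checks
            pos = off + 1
            continue
        version, size = hdr
        image = blob[off:off + size]
        stored = struct.unpack_from("<I", image, 0x08)[0]
        computed = zlib.adler32(image[12:]) & 0xFFFFFFFF   # checksum covers bytes after itself
        found.append({"offset": off, "size": size, "version": version,
                      "checksum_ok": stored == computed, "data": image})
        pos = off + size          # skip past the image so strings inside it are not re-matched
    return found


def build_fake_dex(version=b"035", payload=b""):
    """Construct a minimal DEX-shaped image (header + payload) with a valid
    file_size and Adler-32. Demo data only, not a real classes.dex."""
    body = bytearray(HEADER_SIZE) + payload
    body[0:8] = DEX_MAGIC_PREFIX + version + b"\x00"
    struct.pack_into("<II", body, 0x20, len(body), HEADER_SIZE)
    struct.pack_into("<I", body, 0x08, zlib.adler32(bytes(body[12:])) & 0xFFFFFFFF)
    return bytes(body)


# Constructed "memory dump": padding, a valid image, a decoy magic with no valid
# header behind it, then a second valid image.
SAMPLE_DUMP = (
    b"\x00" * 64
    + build_fake_dex(b"035", b"A" * 32)
    + b"dex\n038\x00" + b"\xff" * 16
    + build_fake_dex(b"037", b"B" * 100)
)

if __name__ == "__main__":
    for img in carve_dex(SAMPLE_DUMP):
        print("dex v%s at 0x%x, %d bytes, checksum %s"
              % (img["version"], img["offset"], img["size"],
                 "ok" if img["checksum_ok"] else "BAD"))
```

A failed checksum usually means the packer had already patched the image in place (or the dump was taken mid-write), so keep such images rather than discarding them; they are often still loadable after re-computing the checksum and signature.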


Swapnil Deshmukh

Swapnil Deshmukh has over a decade of information technology and information security experience, including technical expertise, leadership, strategy, operational and risk management. Charged with incubating and evangelizing security-driven, context-driven risk management strategies...

Wednesday January 31, 2018 10:30am - 11:20am
Club Room


Hunter – Optimize your Pentesters' Time
Abstract: Is your pentest report filled with low-risk items? Are the projects that you pentest too short for a full-fledged secure SDLC process, or are they third-party systems that you have little control over? We at eBay had a similar problem wherein more than 25% of our pentesting resources used to get bogged down by these low-risk items. We understand that it takes time to find, document and report these items (some of which get entangled in a never-ending remediation cycle).
So we built Hunter to help us get ahead of some of these time sinks. Hunter is a simple open-source tool that grades any website or REST endpoint. It quickly checks for certain low-risk items and provides the requester with a grade (A – F). You can use Hunter as a precursor to your pentest. Non-security product development managers don't understand security jargon, but they love to see a grade A on their product. The use of Hunter sits in between doing nothing before a pentest and a full-fledged secure SDLC process that might be overkill.
This talk is about our journey of why we built Hunter and how we saved about 10 – 15% of our pentesting budget. This talk is aimed at managers and pentesters who want to optimize their team's resources, and attendees will walk away with the knowledge of how they can leverage this open-source tool.
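The grading idea above, as an added Python example rather than Hunter's own code: the page does not say which low-risk items Hunter checks or how it weights them, so the check list, weights and A-F cut-offs here are this example's assumptions. Headers are passed in as captured (name, value) pairs so it runs offline; `grade_url` is a thin live-fetch wrapper for when network access is available.

```python
import re
import urllib.request


def _fold(headers):
    """Group response headers by lowercased name; Set-Cookie may repeat."""
    folded = {}
    for name, value in headers:
        folded.setdefault(name.lower(), []).append(value)
    return folded


def _cookie_attrs(set_cookie):
    """Attribute names of one Set-Cookie value, lowercased (skips the name=value pair)."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}


# Each check takes the folded header dict and returns True when the item passes.
def has_hsts(h):
    return "strict-transport-security" in h


def has_nosniff(h):
    return any(v.strip().lower() == "nosniff" for v in h.get("x-content-type-options", []))


def has_framing_protection(h):
    csp = " ".join(h.get("content-security-policy", [])).lower()
    return bool(h.get("x-frame-options")) or "frame-ancestors" in csp


def has_csp(h):
    return "content-security-policy" in h


def hides_server_version(h):
    banners = h.get("server", []) + h.get("x-powered-by", [])
    return not any(re.search(r"/\d", b) for b in banners)   # e.g. "Apache/2.4.7" fails


def cookies_flagged(h):
    return all({"secure", "httponly"} <= _cookie_attrs(c) for c in h.get("set-cookie", []))


# (finding text, check, weight): this list and its weights are assumptions of the example.
CHECKS = [
    ("Strict-Transport-Security missing", has_hsts, 2),
    ("X-Content-Type-Options: nosniff missing", has_nosniff, 1),
    ("No X-Frame-Options or CSP frame-ancestors", has_framing_protection, 2),
    ("Content-Security-Policy missing", has_csp, 2),
    ("Server/X-Powered-By leaks a version", hides_server_version, 1),
    ("Cookie set without Secure and HttpOnly", cookies_flagged, 2),
]


def grade(headers):
    """Score a response's headers and map the percentage to an A-F grade."""
    h = _fold(headers)
    earned, total, findings = 0, 0, []
    for finding, check, weight in CHECKS:
        total += weight
        if check(h):
            earned += weight
        else:
            findings.append(finding)
    pct = 100 * earned // total
    letter = "A" if pct >= 90 else "B" if pct >= 80 else "C" if pct >= 70 else "D" if pct >= 60 else "F"
    return {"grade": letter, "score": pct, "findings": findings}


def grade_url(url):
    """Fetch a URL and grade its response headers (network access required)."""
    with urllib.request.urlopen(url) as resp:
        return grade(resp.getheaders())


# Constructed header sets standing in for three captured responses.
HARDENED = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("X-Content-Type-Options", "nosniff"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
PARTIAL = [
    ("Server", "nginx"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]
LEGACY = [
    ("Server", "Apache/2.4.7"),
    ("X-Powered-By", "PHP/5.6.1"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("partial", PARTIAL), ("legacy", LEGACY)):
        r = grade(hdrs)
        print(label, r["grade"], r["score"], r["findings"])
```

The findings list is the part a product manager can act on without security jargon; the letter is the part they will ask about. Keep the checks limited to items that are cheap to verify from one response, which is what makes this usable as a pre-pentest gate rather than a replacement for one.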


Kiran Shirali

Senior Security Engineer, eBay
Kiran Shirali is a Senior Security Engineer in eBay's blue team. Prior to joining the blue team, Kiran worked on the Security Assessments Team (Red Team and Pentesting) and Application Security team at eBay. When he is not at work, he is at home scouring the web finding security...

Wednesday January 31, 2018 11:30am - 12:20pm
Terrace Lounge


Predicting Random Numbers in Ethereum Smart Contracts
Smart contracts are not only about ICOs: various lotteries, roulettes and card games are implemented in Solidity and can be played by anyone on the Ethereum blockchain. The autonomy of the blockchain limits the sources of entropy for random number generators. There is no common library to help developers create secure RNGs either. That is why it is very easy to mess things up when implementing your own random number generator.

The talk features an analysis of gambling smart contracts on the blockchain. As you will see, many of them failed to implement a secure RNG, which allows an attacker to predict the outcome and steal significant sums of money. At the talk, examples of wrong RNG implementations found in the wild will be demonstrated. Attendees will also learn how to spot problems in RNGs as well as how to build a secure random number generator under blockchain limitations.
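Why on-chain entropy is predictable, as an added Python simulation that is not part of the talk and does not reproduce any specific contract it analyzed. The weak pattern modeled here (previous block hash plus block timestamp, reduced modulo the outcome range) is this example's stand-in for the kind of design the abstract refers to; `hashlib.sha3_256` stands in for Solidity's `keccak256` (the two differ only in padding, which does not affect the argument). The attacker is modeled as a contract executing inside the same transaction as the lottery call, so it reads exactly the inputs the lottery will hash. A commit-reveal variant is included as the contrast: the player commits to a secret before a later block's hash exists, so neither side knows both inputs at bet time. The chain and block hashes are constructed for the offline demo.

```python
import hashlib
from dataclasses import dataclass


def h256(*parts):
    """Stand-in for Solidity's keccak256(abi.encodePacked(...)). hashlib's SHA3-256
    differs from Ethereum's Keccak-256 only in padding; the argument is unaffected."""
    return hashlib.sha3_256(b"".join(parts)).digest()


def u256(digest):
    return int.from_bytes(digest, "big")


@dataclass(frozen=True)
class Block:
    number: int
    timestamp: int   # block.timestamp, chosen by the miner within loose bounds
    hash: bytes      # readable by any contract in later blocks via blockhash()


def weak_roll(prev_block, now, rng_range):
    """The pattern many gambling contracts use: blockhash(block.number-1) and
    block.timestamp hashed together, reduced modulo the outcome range."""
    return u256(h256(prev_block.hash, now.to_bytes(32, "big"))) % rng_range


class WeakLottery:
    def __init__(self, rng_range):
        self.rng_range = rng_range
        self.pot = 0

    def play(self, prev_block, now, guess, stake):
        self.pot += stake
        if weak_roll(prev_block, now, self.rng_range) == guess:
            won, self.pot = self.pot, 0
            return won
        return 0


def attacker_tx(lottery, prev_block, now, stake):
    """An attacker contract calling the lottery runs inside the same transaction,
    so it reads the very same blockhash and timestamp and plays only a winning guess."""
    predicted = weak_roll(prev_block, now, lottery.rng_range)
    return lottery.play(prev_block, now, predicted, stake)


class CommitRevealLottery:
    """Entropy = a secret the player commits to before the draw + the hash of a block
    mined after the commit. Nobody knows both values when the bet is placed."""

    def __init__(self, rng_range):
        self.rng_range = rng_range
        self.commits = {}   # player -> (commitment, commit block number, guess)

    def commit(self, player, commitment, guess, block):
        self.commits[player] = (commitment, block.number, guess)

    def reveal(self, player, secret, chain):
        commitment, commit_no, guess = self.commits[player]
        if h256(secret) != commitment:
            raise ValueError("secret does not match commitment")
        if len(chain) <= commit_no + 1:
            raise ValueError("draw block not mined yet")
        del self.commits[player]
        draw = chain[commit_no + 1]   # real blockhash() only serves the last 256 blocks
        return u256(h256(secret, draw.hash)) % self.rng_range == guess


def make_chain(n):
    """Constructed chain with deterministic pseudo block hashes for an offline demo."""
    return [Block(i, 1_517_000_000 + 15 * i, h256(b"constructed block", i.to_bytes(4, "big")))
            for i in range(n)]


def demo_weak_attack(trials=50, rng_range=1000):
    """Attack the weak lottery once per block; returns the number of wins."""
    chain = make_chain(trials + 1)
    lottery = WeakLottery(rng_range)
    wins = 0
    for i in range(1, trials + 1):
        # a transaction in block i sees blockhash(i-1) and block i's timestamp
        wins += attacker_tx(lottery, chain[i - 1], chain[i].timestamp, stake=1) > 0
    return wins


def demo_commit_reveal_attack(trials=50, rng_range=1000):
    """Same attacker against commit-reveal, guessing with only commit-time data."""
    chain = make_chain(trials + 3)
    lottery = CommitRevealLottery(rng_range)
    wins = 0
    for i in range(trials):
        secret = b"attacker secret %d" % i
        guess = u256(h256(secret, chain[i].hash)) % rng_range   # draw block unknown yet
        lottery.commit("attacker", h256(secret), guess, chain[i])
        wins += lottery.reveal("attacker", secret, chain)
    return wins


if __name__ == "__main__":
    print("weak lottery: attacker wins %d/50" % demo_weak_attack())
    print("commit-reveal: attacker wins %d/50" % demo_commit_reveal_attack())
```

The weak lottery loses every round because anything the contract can read during the transaction, the caller can read too; adding more on-chain fields to the hash does not change that. Commit-reveal removes the player's advantage, but a miner who also plays can still discard a block whose hash would make them lose, so it is a floor for on-chain games rather than a complete answer.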


Arseny Reutov

Head of Application Security Research, Positive Technologies Ltd
Arseny Reutov is a web application security researcher from Moscow, Russia. Arseny is the Head of Application Security Research at Positive Technologies Ltd where he specializes in penetration testing, the analysis of web applications, and, more recently, smart contracts audit. He...

Wednesday January 31, 2018 2:00pm - 2:50pm
Garden Terrace Room