Beyond OWASP - what they don’t teach you in the top 10

Cory Marsh
4:30-5:45, Jordan B


We will be going over many aspects of web security that aren’t often discussed outside of the security industry. We will review some commonly used software and common web languages and how attackers can abuse them to bypass system controls.

Topics:
Server Side Request Forgery bypasses
Using image upload features to upload PHP archives
ImageTragick fails
Bypassing HMAC with length extension
Type Juggling vulnerabilities
Abusing CDNs to supercharge XSS
More if time allows

Presenter Bio

I am a security researcher living in Boise, Idaho. My career in security began with teaching myself C and assembly programming in school in the early 1990s to experiment with computer viruses. Since then I have been fortunate enough to leverage my knowledge to perform penetration testing for banking systems, power utilities, and some of the largest corporate environments in America. With that experience I have run security operation centers for some of the largest tech companies in Idaho and given many security talks here in the valley. I now focus on performing security analysis for organizations working to improve their security posture and am one of the few who does physical security testing. By performing actual penetration testing we are able to show organizations exactly where the weak points are in their physical, system, and network access controls. After the engagement we work closely with clients to either create a remediation strategy or directly resolve issues discovered during testing.

Have an idea for a talk or a new piece of software? Need security awareness training, or pen testing? Send me a message or schedule a meeting; consultation for interesting projects is always free.