Security Day 2017
I gave a talk last Thursday in Lille at the conference Security Day 2017. It was organized by students of the Lille 1 University and around 40 people were attending.
My slides are available on the website of my current company, Synacktiv
Theses slides are slightly stripped since I was also presenting examples
of low-hanging vulnerabilities that could be found on real and popular plugins
using basic tools like
grep and a pinch of magic regexes. Several of them
were leading to RCE so I’m awaiting for responses from the concerned plugin
maintainers before releasing it fully. RIPS would
be a nicer solution but it’s way to expensive for this use case. They scanned
more than 44 705 plugins but the result is still not
Dimitri Fourny, from Quarkslab, also published his slides of his talk about ways to cheat in video games like CS:GO.
Nothing to do with it, but the conference organizers also created a challenge (with a “reward” for the first solver of each level), which is available at http://security.fil.cool. You should give it a try :-)
The two first can be easily resolved by using the right tools while the third one is a classic CTF challenge: you know a DSA public key and you can sign a much messages you want using the private one (but you don’t control what’s being signed).