Regarding PCI, and disclosure of data breaches.
My credit card was recently cancelled as a precautionary measure because I had done business with a particular merchant. Which merchant? I have no idea. How did the breach occur? No clue.
- Do we have a problem with visibility into the security culture of organizations today?
- How can I be more proactive as a consumer?
Discovering and Exploiting a Spring Framework Vulnerability
Until now, Expression Language Injection has been treated as nothing more than an information disclosure issue. I'll illustrate how it can actually be used for remote code execution on Glassfish, and potentially on other EL 2.2 containers. We'll cover the following:
- Background on the original issue.
- Play by play from discovery to exploitation.
- The breadth of the issue, and how to prevent it from affecting your applications.
This research was cross-posted from Aspect Security.
Slides and video from my AppSec USA 2012 presentation with David Lindner. Learn how to:
- Set up an intercepting proxy for Android or iOS, with or without SSL, on a physical device or an emulator/simulator.
- Overcome edge cases with a forward proxy.
- Get started with Android APK reverse engineering, with a brief overview and references.
The OWASP ESAPI for C Plus Plus was introduced to the community at AppSec DC 2012. Here are some key takeaways from the presentation:
- An overview of the ESAPI project, and why a C Plus Plus implementation is necessary.
- Our approach to porting the ESAPI for Java API, with a demonstration.
- The future of ESAPI (3.0), and how to get involved.