Video from my AppSec USA 2014 presentation with David Lindner. Learn how to debug complicated and non-proxiable iOS and Android applications using JDB, Cycript, and Snoop-it.
Rugged Consumerism
Regarding PCI, and disclosure of data breaches.
My credit card recently got cancelled as a preventative measure for doing business with a particular merchant. Which merchant, I have no idea. How did the breach occur? No clue.
Remote Code with Expression Language Injection
Discovering and Exploiting a Spring Framework Vulnerability
Previously, Expression Language Injection has only meant information disclosure. I’ll illustrate how it can actually be used for remote code execution on Glassfish and potentially other EL 2.2 containers.
Mobile Applications & Proxy Shenanigans
Slides and Video from my AppSec USA 2012 presentation with David Lindner. Learn how to:
- Setup an intercepting proxy. Android or iOS, SSL or non-SSL, device or emulator/simulator.
- Overcome edge cases with a forward proxy.
- Brief overview and references for Android APK reverse engineering.
Enterprise Security API (ESAPI) for C Plus Plus
The OWASP ESAPI for C Plus Plus was introduced to the community at AppSec DC 2012. Here are some key takeaways from the presentation:
- ESAPI Project Overview, and why a C Plus Plus implementation is necessary.
- Our approach to porting the ESAPI for Java API and a demonstration.
- The future of ESAPI (3.0), and how to get involved.