OWASP Bucharest AppSec Conference 2018

Jump to: navigation, search


OWASP Bucharest AppSec Conference 2018 - October 24th - 26th

OWASP Bucharest team is happy to announce the OWASP Bucharest AppSec Conference 2018 a three days Security and Hacking Conference with additional training days dedicated to the application security. It will take place between 24th and 26th of October, 2018 - Bucharest, Romania.

The objective of the OWASP's Bucharest AppSec Conference is to raise awareness about application security and to bring high-quality security content provided by renowned professionals in the European region. Everyone is free to participate in OWASP and all our materials are available under a free and open software license.

Important dates
Call for papers deadline: 24th of September 2018
Call for trainings deadline 24th of September 2018
The final agenda will be published after 1st of October 2018
CTF qualifiers will be on 29th of September 2018
Conference trainings day is 24th of October 2018
Conference trainings and CTF final day is 25th of October 2018
Conference presentation tracks and workshops day is 26th of October 2018

Who Should Attend?

  • Application Developers
  • Application Testers and Quality Assurance
  • Application Project Management and Staff
  • Chief Information Officers, Chief Information Security Officers, Chief Technology Officers, Deputies, Associates and Staff
  • Chief Financial Officers, Auditors, and Staff Responsible for IT Security Oversight and Compliance
  • Security Managers and Staff
  • Executives, Managers, and Staff Responsible for IT Security Governance
  • IT Professionals interested in improving IT Security
  • Anyone interested in learning about or promoting Web Application Security

CONFERENCE (Friday 26th of October)

Date Location
Friday 26th of October, 8.00 AM
Venue Location: Hotel Caro Workshops: Hotel Caro

Venue Address: 164A Barbu Vacarescu Blvd. 2nd District, 020285 Bucharest, Romania

Price and registration
The conference entrance is FREE, you need to register on the link provided below, print your ticket and present it at the entrance.
The training sessions will be paid. The workshops and CTF attendance is free of charge

Limited number of seats!

Sponshorship opportunities
Why sponsor?

  • Join 300+ leaders, security consultants, security architects and developers gathered to share cutting-edge ideas, initiatives and trends in technology.
  • OWASP events attract an audience interested in "What's next?" - As a sponsor, you will be promoted as an answer to this question.
  • Increase awareness and recognition in Romanian Security IT environment.
  • Support and involvement in the world of information security enthusiasts.

Conference agenda, 26th of October

Time Title Speaker Description
8:30 - 9:00
(30 mins)
Registration and coffee break
9:00 - 9:15
(15 mins)
Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:15 - 9:45
(30 mins)
So you think you do security? Martin Knobloch Security is hot and we get all the fancy old and new titles: Chief Information Security Officer, Security Archtect, Security Tester, Security Engineer, Security and Risk Auditor! Of course, now the days you are falling behind if you do not have cyber in your title or job description, giving us the possibility of more fancy titles as for exampel 'Cyer security expert'! And we all doing security, right? Really, do you think you 'do security'?

As if compliancy has not been complex enough, let's add privacy vs security and don't forgeth moving to cloud and serverless architectures. Do you still think you are in control? Let me lift the smoke screen of cyber security obscurity and show you how to do security right! Getting in control buttom up and top down (is there really a choice), by building alliances, sharing knowledge and deligate responsibilities. Not the least by setting the right examples! Let me show you an holistic but practical aproach adding security to your business responsibilityies and development metrics. Get control by let go and enable scalable security for your software factories. How to manage security in traditional waterfall and project centric envirnoments and how to scale in the agile worlds of DevOps and CD/CI!

9:45 - 10:30
(45 mins)
Browsers - For better or worse ... Renato Rodrigues It is no news that security is under close scrutiny of the public eye. Everyone is on alert for the latest database leak, closely tracking the updates on the business losing millions on a hack or digging deep into the web to find ways to stay protected. In this presentation, we'll tap into the role browsers play from the security practices perspective - regarding defense and browsers as attack platforms. While some of the tricks covered in this presentation will be recognizable for most in the community, others are still kept away from the limelight. Hopefully, in the end, you will be able to take something new for your assessments.
10:45 - 11:30
(45 mins)
Access control, REST and sessions Johan Peeters There is a lot of confusion surrounding REST, state, sessions, and the implications for access control. Let’s clear this up.

REST services are stateless. In other words, there are no sessions between REST API producers and consumers. Given the difficulties of securing sessions, this is A Good Thing from a security perspective.
Access to REST APIs is incumbent on the presentation of a valid security token. Typically, this is an access token issued by an OAuth authorization server. The authZ server maintains a session with the user agent so that the user does not need to re-authenticate each time a new access token is needed. This is not entirely unproblematic, as will be illustrated through a discussion of logout and the tenuous implementation of silent authentication in client libraries. Conversely, I will argue for leveraging authorization server sessions to raise the consent game to a level where it truly serves the interests of the user.
In summary, while REST APIs are stateless and do not maintain a session, access control architectures *do* rely on sessions trying to provide a good user experience while enforcing authorization policies.

11:45 - 12:30
(45 mins)
Cookies versus tokens: a paradoxical choice Philippe De Ryck When you’re building Angular applications, you will need to figure out how to manage your user’s sessions. Back in the days, this used to be simple. But now, there are many different options, all with specific advantages and disadvantages. How can you make a sensible choice, and how will that impact the security of your application?

This talk lays it out for you. We dive into the technicalities of cookies, JWT tokens and Authorization headers. You will learn how to assess your past choices, and how to substantiate future decisions.

12:30 - 13:30
(60 mins)
Lunch/Coffee Break
13:30 - 14:15
(40 mins)
Women in AppSec Panel

WiA 400x400.jpg

14:20 - 15:05
(45 mins)
Short A.V Evasion and Fast Incident Response Lucian Ilca The field of Anti-Virus Evasion and Fast Incident Response, combined with Malware Analysis comprises the art and science of dissecting malicious software using diverse tools like: FLARE, Cuckoo Sandbox or other forensics tools and response immediatly to any type of incident.

The study and analysis of these tools fall within the general purview of the broad disciplines of Digital Forensics, PSIRT, Cyber Security Operations and general principles of Reverse Engineering. In this paper, we explore and discuss the current state of anti-virus evasion, malware analysis and fast incident response, . Based on author research, he conclude that the domain of malware analysis, A.V Evasion and Fast Incident Response has effectively been relegated from the academic realm to the domain of the practitioner's skill set. For the final presentation, author will show how you can respond to an incident and how to protect your environment for new attacks.

15:05 - 15:20
(15 mins)
Coffee break
15:20 - 16:05
(45 mins)
Secure your cyber battlefield leveraging cyber threat intelligence Cristian Calita Cyber crime, Cyber environment, Cyber activities, Cyber security, etc - Cyber is the new black. Therefore cyber threat intelligence (CTI) was expected to arise.

As web applications are important pieces of the operational environment - at least to the fact that these may be entry points into internal networks, one of the CTI's goals is to keep the defenders (e.g. application security architects, application developers, etc) and stakeholders ahead threats and adversaries by feeding them with the missing piece from their knowledge. The presentation provides details on how this goal could be achieved.

16:05 - 16:50
(45 mins)
Automating Security Operations using Phantom Isabella Minca Our challenge consists in working with a SIEM which manages over 30 TB of logs per day and over 100 different types of Security Alerts, triggered based on the logs. Challenge accepted! This presentation aims to reveal our efforts towards automating Security Alerts triaging workflow using a Python based tool, Phantom. We investigate further and decide upon the actions needed in order to remediate the vulnerabilities. A wide range of workflow actions can be automated, such as running searches or scripts that enrich alert data, reporting and proactively resolving security misconfigurations using various app integrations like Exchange, Slack and Jira. While the adoption of such an initiative is not a quick win but a bumpy road, it easily results in translating the day-to-day Security Operations Center work into a highly scalable, automated and tailored approach when it comes to dealing with the threat landscape! As a consequence, the whole organisation is moving towards a world of SecDevOps.
16:50 - 17:00
(15 mins)
Closing ceremony OWASP Bucharest team CTF Prizes

Conference agenda, 26th of October

Time Title Speaker Description
8:30 - 9:00
(30 mins)
Registration and coffee break
9:00 - 9:15
(15 mins)
Introduction Oana Cornea Introduction to the OWASP Bucharest Event, Schedule for the Day
9:15 - 9:45
(30 mins)
It's a World of SecDevOps @ OWASP Daniel Barbu SecDevOps comes with a built-in security mindset and ideally adopts the proven practices already in use by embedded SRE teams. Day-to-day activities for this role contribute not only to achievement of operational and development goals but also to keeping high levels of confidentiality, integrity and availability. While improving the security posture, the processes become easier to audit and compliance controls better assessed. With product teams engaging with security as early as possible as opposed to the end of the project, the focus shifts from a reactive approach to a proactive one integrating defensive practices through the lifecycle. Consequently the systems’ predictability and understanding of the infrastructure behavior increases. When possible, open security issues should be tracked in the same work tracking system that Development and Operations are using, ensuring visibility and prioritization against all other work. Infosec being embedded within the product teams, enables informed decisions by gaining business context.
9:45 - 10.30
(45 mins)
Tales of Practical Android Penetration Testing (Mobile Pentest Toolkit) Alexander Subbotin A vast number of open source tools and commercial products has been developed to support the security analysis of mobile apps. It has become a great challenge for a penetration tester to choose suitable or the best tools and the adequate pentest environment/distribution. And even when the test tools have been chosen, the problem remains that most of the tools only offer a CLI interface and that their usage can be very time consuming.

In order to automatize the setup of the test environment and the common processes during a mobile pentest, the author has developed the "Mobile Pentest Toolkit" (PMT). This toolkit takes over recurring and time consuming tasks for the tester. It has a standardized user interface for the usage of locally installed security tools (and installs them on demand). An example of use is: After the tester has modified the Smali code, the generation of a valid and signed APK file only takes a few moments. Aside from that, this talk illustrates techniques for dynamic analysis and tracking of changes within the app. The goal is to present the Mobile Pentest Toolkit to an interested audience and to publish it as an open source tool.

10:45 - 11.30
(45 mins)
Breaking the Apple iOS Sandbox Razvan Deaconescu Apple iOS uses sandboxing to confine apps to certain calls they can make to services and the kernel. Apps are attached a sandbox profile: a set of rules that allow or deny actions. All 3rd party apps (i.e. downloaded from the AppStore) use the same sandbox profile (container). Sandbox profiles are stored as binary blobs in the iOS kernel.

In this talk, I will highlight the way iOS sandboxing works and steps we undertook in reversing binary blobs. We then analyzed reversed human-readable sandbox profiles and found misconfigurations in the profiles that allowed crippling the system from a valid app. We let Apple know of our findings, now published as CVEs.

11:45 - 12.30
(45 mins)
Evading your protection and exfiltrate data Cosmin Alexandru Radu Evading your protection and exfiltrate data

This presentation is meant to be an introduction into a number of ex-filtration techniques that are out there, used by malicious attackers. It should be a view into the attackers toolset for developers and how they can counteract the issues attackers use to get data out of their applications, or how system administrators can guard their network against egress data leakage.

12:30 - 13:30
(60 mins)
Lunch/Coffee Break
13:30 - 14:15
(45 mins)
OWASP Top 10 with .NET Core Andrei Ignat We will show OWASP Top 10 and how to counter them in .NET Core
14:20 - 15:05
(45 mins)
AWS VMS Gabriel Pilat This presentation looks at how Vulnerability Management is generally performed (Scanning, Asset management, Reporting, TI etc. ), how it can be performed in the Amazon Cloud ( Deploy scanners, Use Integrated scanner, etc), the possibilities of automation Amazon offers and ways to integrate it with 3rd party tools such as Qualys. General AWS architecture, security services and benefits, inherited security flaws, issues and limitations encountered.
15:05 - 15:20
(15 mins)
Coffee break
15:20 - 16:05
(45 mins)
Protecting company information for GDPR compliance. A software architect’s perspective. Ovidiu Ariton For years cybersecurity has been approached at the network level and at endpoint level. Best practices are good but sometimes user behavior makes the difference between a compromised system and a safe one. Most of the times they don’t understand if something went wrong. What if they knew?

The solution that I am going to present brings the tools available in a SOC to the user level, at the endpoint. It combines some of the best practices in security (like backup and DLP) with SOAR solutions and LRA in order to prevent loss of data and ensure rapid automated reaction to cybersecurity incidents.

16:05 - 16:50
(45 mins)
DevSecOps Use Case: Automate Early… But Securely Serban Bejan In today’s increasingly digitalized world, the need for security in DevOps is met by a new concept, called DevSecOps. Aimed at creating and including modern security practices that can be incorporated into the fast and agile world of DevOps, DevSecOps is, in fact, an extension of DevOps’ main goal.

In our use case we studied the possible benefits and challenges of integrating SAST and DAST tools into the existing toolchain (application lifecycle manager, IDE, source code management tool and continuous integration pipeline) for developing, deploying and testing a Java web application.
Implementing DevSecOps brings a lot of value to organizations, it also comes with some challenges, like integrating more agile security methods and properly training users for using these advanced tools. Last but not least, we also need to take into consideration that any security functionality not automated in the available tools will result in creating friction in the cycle.

16:50 - 17:00
(15 mins)
Closing ceremony OWASP Bucharest team CTF Prizes

WiA 400x400.jpg


Time Title Trainers Description
25th of October
3,5 hours:
begins at 09:00

Automating CI Sec - Pipelines using ZAP, Docker and static code analysis Spyros Gasteratos and Nataliya Dubrovska Description: In this workshop we will go through customizing ZAP's docker images and some static code analysis scripts to work with Concourse CI so that it automatically tests the deployed web application.

Moreover we will write an example ZAP orchestration script to better test specific parts of the example application.
Last, we will create Docker containers of two static code analysis scripts so that we can easily integrate them into the CI pipeline.
We will go through:

  • Configuring Concourse CI to work with ZAP.
  • Configuring the testing harness to work with ZAP
  • Writing orchestration scripts to better test specific part of the application.
  • Package extra tooling so that we better test the committed codebase

At the end of the workshop the attendees will have example configuration files, orchestration scripts, rules and Dockerfiles for all tools used.
Intended audience: security engineers, developers, pentesters
Skill level: beginner - intermediate
Requirements: a laptop with Virtual Box installed
Seats available: 20 (first-come, first served)
Price: free
Register here

25th of October
3 hours:
begins at 13:30

OAuth and OpenID Connect best practices
Johan Peeters Description: OAuth and OpenID Connect (OIDC) quickly became dominant in the API economy. Was this because they were shiny new toys or are they really superior to older protocols for obtaining authorization and identity information such as SAML? While SAML was designed for the enterprise, OAuth and OIDC’s creation myth is from a different universe: it gives social media users the possibility to delegate limited access to partially trusted clients. Since, OAuth and OIDC have been employed well beyond the confines of social media. Consequently, a good deal of creativity to adapt a protocol designed for Discretionary Access Control (DAC) in a social media context to enterprise Mandatory Access Control (MAC) requirements has been observed - I cannot help feeling the wheel has been reinvented many times over.

In this workshop, we discuss some of the design patterns that have come to the fore and reflect on the road ahead. What standard updates can we expect? Should we be compiling best practices? If so, what do they contain?
Here are some candidate topics for an in-depth discussion:

  • a format for OAuth access tokens
  • principle of least privilege: what does this mean for security tokens?
  • how are permissions represented?
  • how are users granted permissions?
  • how are permissions communicated to resource servers?
  • security token Time To Live
  • access token claims

Intended audience: developers, security professionals
Skill level: intermediate
Requirements: for optimal benefit, participants should have a good knowledge of the OAuth and OIDC frameworks
Seats available: 20 (first-come, first served)
Price: free
Register here


Time Title Trainers Description
2 days training
24th and 25th of October
daily: 9:00 - 17:00

Advanced Web Hacking and Secure Coding Vikram Salunke Description: Web applications are becoming more complex and targets are become more hardened to penetrate. Nowadays Load Balancers, Web Application Firewalls (WAF) are very common in infrastructure. So, as a pentester, we should improve our skills to defeat modern access controls mechanisms.

This hands-on training covers both offensive and defensive approaches to web applications. You’ll learn how to identify vulnerabilities of web applications, how to execute exploit against that vulnerability, how the attacks works, and how to prevent them in the future. This training closes that gap between web application attack and defense. Because as they say - if you want to stop attacker from stealing you data then you must think like one.
This training starts with the basic web app hacking and then moves into more advanced stuff such as bypassing Filters, bypassing Web Application Firewalls(WAF), HTML5 attacks and recent vulnerabilities such as Shellshock, Heartbleed, POODLE, Serialization, SSL Strip etc. You’ll learn how to get shell on the box using web application vulnerabilities as well as how to write secure code so you can avoid that attack.
This training covers both offensive and defensive approach towards web applications. Firstly, the training would cover how to use certain attack on a web application and then how does this attack happened. So it covers where the developer went wrong and how to write secure code, so that the attack would not have happened. It covers various mistakes made by developers who wrote vulnerable code. This training covers how to write secure code in multiple languages such as PHP, Java, C# etc. Lab contains multiple CMS such as Wordpress, Drupal, Joomla and multiple databases such as MySql, SQL Server, MongoDB etc. Also, the training contains various client side attacks as well as server side attacks such as XSS, CSRF, SQL Injections etc.
Training will teach attendees how to gain shell on the box and how to chain multiple attacks to pwn the entire infrastructure. Training follows Capture The Flag (CTF) approach to attack web applications and compromise the machines.
After this training, attendees will be able to successfully identify and avoid insecure code and test their web applications for vulnerabilities. Attendees will get to know the difference between vulnerable code and secure code.
This training contains over 50 labs and 30+ challenges which are inspired by real world vulnerabilities and case studies.
Day 1:

  • Introduction
  • Spidering Web Applications and analyzing results
  • Fuzzing
  • Input Validation
  • User Enumeration
  • Bypassing Password Verification
  • Information Leakage
  • HTTP Verb Tampering
  • Injection - HTML, iFrame, LDAP, CSS, JSON
  • Advanced Cross Site Scripting (XSS) - XSS to system compromise
  • Advanced client side exploitation with BeEF
  • Extending Burp Proxy
  • Clickjacking
  • Insecure direct object reference (IDOR) and Open Redirects
  • Server Side Request Forgery (SSRF)
  • Server Side Includes Injection (SSI Injection)
  • JavaScript Validation Bypass
  • Advanced SQL Injection - SQL Injection to system compromise
  • JSON Hijacking
  • Session Management and Cookie Stealing
  • HTML5

Day 2:

  • Advanced XML Attacks
  • JSON Web Token
  • API Attacks
  • Insecure System/Service configuration - FTP, NTP, VNC, SNMP, WebDav, Samba etc.
  • Database Security - MySql, SQL Server, MongoDB etc.
  • Remote Command Injection
  • Local File Inclusion (LFI) and Remote File Inclusion (RFI)
  • RCE via serialization/deserialization
  • Serialization Attacks
  • HTTP Response Splitting
  • SSL Strip attack
  • CMS Attacks and Defenses - Wordpress, Drupal, Joomla
  • Recent Vulnerabilities Case Study - Shellshock, Heartbleed, POODLE, Struts, PHPMailer RCE, SSL Strip attack
  • Logical Flaws
  • Detection of Web Application Firewall and Load Balancers
  • Filter Evasion and Bypassing Web Application Firewalls (WAF) - Tricks to Penetrate Firewall
  • OWASP Top 10 Attacks
  • OWASP Secure Coding Practices
  • and more ...

Intended audience: software developers, security people with some programming experience
This course requires following pre-requisites:

  • Basic knowledge on HTTP, HTML
  • Basic Web Application Penetration Skills
  • Reading and understanding of PHP

Seats available: 20 (first-come, first served)
Price: 650 Euro / person
Register here

CTF (Capture The Flag) contests are popular ways to hone your practical security skills by solving challenges on topics such as web, crypto, reverse, exploiting.

We invite all students passionate about practical security at the OWASP AppSec 2018 CTF! You and your team will solve challenges on web, reverse and exploiting. Challenges will be Linux-centric and web.
Please note that this is a competition designed for students.
Here are the important dates:

  • The qualifiers are online on 29th of September, between 10:00 and 22:00 (Bucharest time, UTC+2). In order to participate please REGISTER HERE!
  • The first 10 teams will be invited to the final.
  • The final will be on 25th of October. The qualified teams that want to compete for the prizes must be on site, in the competition room.

The CTF final will take place during the OWASP Bucharest AppSec 2018 conference, on site, for 8 hours, from 9am to 5pm. Teams will consist of at most 5 players; everyone has to be on site at the conference.
The CTF webpage is here

We would not cover any transport or accommodation costs for the final competitors, in order to attend the event on 25th of October.
Hope you can make it! You’ll have tons of fun!

If you’re new to CTFs or you want to know more please check these links:


  • 1st place: 1024 euros
  • 2nd place: 512 euros
  • 3rd place: 256 euros


  • Oana Cornea [1]
  • Cosmin Marius Ilie [2]
  • Andreea Druga[3]
  • Andreea Cutlacai [4]
  • Daniel Barbu [5]
  • Raluca Vasilache [6]
  • Vlad Cotenescu [7]
  • Alexandra Tautan [8]
  • Uzoma Ogbonna [9]


  • Razvan Deaconescu [10]
  • Vali Ghita [11]
  • Vladimir Diaconescu
  • Ștefania Popescu
  • Alexandra Săndulescu
  • Alexandru Razvan Caciulescu [12]




Diamond Sponsor


Platinum Sponsors


Gold Sponsor

Endava Logo CMYK 300dpi-01.jpg

CTF and Dinner Sponsor

Adobe logoB.png

Event Supporters

CERT-RO banner.png