Watch recordings from OWASP AppSec conferences and expand your knowledge on application security.
This channel was created by the OWASP Media Project to gather, consolidate and promote OWASP content in video format on a central appealing hub.
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.
I just discovered this video and the content is amazing. I see it’s from a few months ago; do you have any more recent videos or articles you suggest on this topic?
The part where talks about spoofing a ship's gps signal really made me think of the Key bridge incident. I'm not saying it was hacked, but the fact that it's possible is mind boggling.
Great talk by 4 great people. I'm fortunate to know Aubrey for years and have met with Cameron and Dan and looking forward to meeting Corey some day. Thanks for putting this content out, well worth my time.
Thanks for sharing! However do you have a tutorial which implements Backend For Frontend (BFF) framework with Authorization code with PKCE in addition to this tutorial? It is unsafe to store access token on browser.
Actually, you've been publishing videos for the past 9 years, and you're still posting them today. You don't have many subscribers, but you're incredibly strong and patient.
I don't agree with the conclusion of this talk. The whole point of BFF and http-only auth cookies is to prevent an attacker that has gained acces to execute js code through an xss attack, to steal the auth-token from your storage and thereby execute requests on your behalf. If an attacker has managed to sucessfully gain access, he can execute api calls directly from the clients browser with or without bff.
FIDO2 with keys and credentials generated by the user himself/herself is more private and you don't need to give up your face, phone number or email etc. Great!
what if Cookies are set to lax but Access Control Allow Credentials is being sent as true. As Lax does not allow cookies to be set in XHR requests. how will the cookies be sent?
@@somebody3014 Hey man, Lax settings are prioritised. Even if one condition is false, the cookies are not sent. So in my question cookies will not be sent as even Allow Credentials are true, Cookies are LAX (one true condition and one false) No cookies will be sent. Hope that clears the doubt.
All well said - how about some suggestions on how to protect yourself from key fob attacks? A simple one is to shield the key fob with a simple faraday cage, such as an aluminum foil, while at home or in the parking lot, if it comes to that.
Your keynote speaker, Jackie Singh, was fired from the Biden Administration for her history of racist and homophobic troll posts made while a member of the White supremacist group GNAA. She was also alleged to have engaged in sexual activity with minors and sent them nudes in exchange for help in her "hacking", she doxxed the identity and location of a 13 year old girl ( Loli Chan) putting her in danger from predators because she was jealous of the attention she was getting, and she is currently living in Puerto Rico, where she is hiding from her hundreds of thousands of dollars in debt to the IRS and other creditors.
Explain why you hosted Jackie Singh please, a literal known troll and racist debt fraudster? Oh I'm sure she'll just tell you we're "trolls". Quite convenient. Do your research.
