Hackfest 2020

Philippe Arteau

Philippe is a security researcher working for GoSecure. His research is focused on Web application security. His past work experience includes pentesting, secure code review and software development. He is the author of the widely used Java static analysis tool OWASP Find Security Bugs (FSB). He built many plugins for Burp and ZAP proxy tools: Retire.js, Reissue Request Scripter, CSP Auditor and many others. Philippe has presented at several conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, NorthSec, and 44CON.


Your twitter or other social network – https://twitter.com/h3xstream Which country are you from? – Canada

Talks

Template Injection in Action

Template engines are libraries mainly used to design views for web applications. Their use helps simplify common design tasks for developers. However, their use may introduce new risks when they are used in an improper way. Template injection is a vulnerability class that has emerged in 2016. The exploitation of this type of issue requires specific knowledge associated with the template library or programming language being used. Only knowing vulnerability basics is often insufficient to be effective. For these reasons, we are proposing a practical workshop with a special focus on template injection vulnerabilities. The training covers various template engines in the context of different programming languages (PHP, Python and Java) and explores how to successfully exploit them.

This workshop is a unique opportunity to have live access to vulnerable applications. The participants will receive a complete introduction to the template injection and step-by-step instructions on how to attack each exercise.