Black Hat Middle East and Africa 2023 recently played host to some of the brightest minds in the infosec industry, and two of our very own talented team members, Vikas Khanna (Technical Specialist) and Anas Roubi Nasr (Senior Security Consultant), brought their A-game and took center stage at this prestigious information security conference.
As Black Hat MEA 2023 unfolded, it brought together global infosec experts. Our dynamic duo showcased their expertise, sharing their knowledge and insights with the global infosec community in two remarkable sessions each. From the corporate and government sectors to academic and underground researchers, they captivated a diverse audience with their insightful presentations and reinforced the vital importance of robust cybersecurity practices.
Vikas: Fortifying Cybersecurity and API Expertise
Vikas presented on “Unlocking the Gates – Understanding Authentication Bypass Vulnerabilities”, offering practical strategies for fortifying application security against unauthorized access to safeguard sensitive data and user identities. Vikas shared his own discovery of an authentication bypass vulnerability in Apple’s subdomains, offering real-world examples of its impact. His comprehensive discussion provided valuable insights into multiple methods attackers use to bypass authentication or gain control of user accounts, empowering attendees to proactively defend against potential threats.
In his second presentation, “API Security 101,” Vikas focused on common API flaws outlined in the OWASP Top 10, exploring various vulnerabilities and the associated security risks that can arise in API implementations, and how to mitigate them effectively. He also shared his firsthand experience of discovering security issues in Apple’s API, which resulted in a significant bounty reward of 10,000 USD. The specific vulnerabilities Vikas identified were an Authentication Bypass and Personally Identifiable Information (PII) Disclosure Through BOLA/IDOR. Given that tech giants can fall victim to cyberattacks, smaller enterprises could encounter similar exposure risks. These findings underscore the importance of rigorous security testing and the need for organisations to prioritise the protection of user data and system integrity in their API designs.
Anas: Navigating the Complex World of Web Application Security
In today’s interconnected digital landscape, web application security is more critical than ever. Anas, in his presentation “Navigating Complex XSS Filters with Advanced Evasion Tactics,” delved into the intricate world of web application security. He equipped attendees with a comprehensive understanding of the challenges posed by increasingly sophisticated XSS filters and offered innovative methods to overcome them. From exploring advanced evasion tactics to dissecting real-world examples, Anas provided informative and actionable knowledge for enhancing web application security practices.
His second presentation, “Unraveling the Directory Traversal Dilemma in NodeJs,” addressed the newly emerging vulnerability within NodeJs applications: Directory Traversal. Directory traversal vulnerabilities, previously seen in other contexts, have taken on a unique character when it comes to NodeJs apps. Anas not only shed light on the potential consequences and real-world implications, but also emphasised the importance of understanding this threat in today’s ever-evolving web development landscape. He went further by presenting innovative and practical techniques for identifying and thwarting directory traversal attempts on NodeJs apps, providing valuable tools for developers and security professionals.
Vikas and Anas’s presentations at Black Hat MEA 2023 served as a testament to their expertise and their dedication to advancing the field of information security. Their knowledge and insights continue to inspire the information security community, and their contributions and real-world examples underscore the paramount importance of proactive and robust cybersecurity practices. We couldn’t be prouder of their contributions to the infosec community and look forward to witnessing their ongoing impact in the field. Congratulations, Vikas and Anas, for representing Privasec so brilliantly at Black Hat MEA 2023!