| Date | Day | Time | Duration |
| 16 Oct | Monday | 09:00 to 17:00 GST/GMT+4 | 8 Hours |
| 17 Oct | Tuesday | 09:00 to 17:00 GST/GMT+4 | 8 Hours |
| 18 Oct | Wednesday | 09:00 to 17:00 GST/GMT+4 | 8 Hours |
This training is focused on the dangers of NPM package hacking and account takeover. As many of you know, NPM packages are crucial dependencies for the widely-used Javascript programming language. Unfortunately, in recent times there have been numerous instances of NPM package hacking, including confusion attacks and account takeovers, puting developers at risk without their knowledge.
In this training, we will focus on a specific aspect of Supply-Chain Attacks: the vulnerability of NPM packages to account takeover when the email address of the package maintainer expires. This may sound less impactful, but the reality is far from it. Just one package could be used by hundreds of thousands of applications, and the impact of such an attack would be devastating. We will demonstrate how an innocent NPM package can become a disaster, and how an NPM account takeover can evade detection even by security tools such as Dependabot, SAST, and DAST.
We have conducted extensive research on this issue, scanning the internet for widely-used NPM packages and collecting over 2.1 million packages with millions of downloads. We extracted the email addresses of these packages and scanned the domains to identify expired ones.
We then gathered download numbers of the vulnerable packages to demonstrate the impact of this vulnerability globally.
– This training program provides a comprehensive understanding of supply chain security from both an offensive and defensive perspective.
– Participants will learn the latest tactics and techniques used by attackers to compromise supply chains, as well as the most effective countermeasures to prevent and respond to these attacks.
– The program includes case studies and simulations, enabling participants to practice their critical thinking skills and gain practical experience in securing their own supply chains.
– Real-world examples of supply chain attacks are analyzed, and lessons learned are shared, providing practical takeaways for participants to implement in their own organizations.
– The course is suitable for software developers, security engineers, architects, researchers, bug bounty hunters, system administrators, students, and curious security professionals who want to expand their skills in application security with automation.
– Gain a holistic view of supply-chain security, covering open-source vulnerabilities beyond NPM.
– Identify and mitigate risks in NPM packages and other open-source components.
– Master automated vulnerability detection for NPM packages, understanding its broader cybersecurity implications.
– Advocate for open-source security best practices within your organization.
– Protect your applications from diverse supply-chain and open-source threats.
This training program is designed to provide participants with a comprehensive understanding of supply chain security from both an offensive and defensive perspective. The program covers the latest tactics and techniques used by attackers to compromise supply chains, as well as the most effective countermeasures to prevent and respond to these attacks. Participants will gain practical skills and knowledge to help them secure their own supply chains and mitigate risks
- Understanding the importance of supply chain security - Overview of supply chain attack types and techniques - Common vulnerabilities in supply chains
- Javascript - NPM packages account takeover tale. - Offensive / Attacker’s perspective simulation. - Defensive simulation and practices. - How to detect NPM account takeover vulnerability in your code base? - How to automate? - Research - thought pattern and critical thinking class. Where the research on 2.1 Million NPM packages would be discussed and problem solving would be practiced.
- Brief introduction. - Simulation from attacker’s perspective. - Prevention methodologies from the defensive perspective. - Our research on it on how well-spread it is. - Customized scripts to detect.
- Offensive approach simulation - Proactive approach of prevention discussion.
- How to automate the detection and keep your code secure? - Methodologies for your SDLC. - Why dependabot is not enough - GemScanner for your Ruby stack.
- Analysis of recent supply chain attacks - Examination of successful and failed supply chain security measures - Lessons learned and practical takeaways
- How to prevent supply chain attacks? - Software Bill Of Materials: Setting up, good practices etc. - Custom sauce of scripts. - Dependabot and a lot more.
Hassan Khan Yusufzai is a highly experienced Security Researcher with a proven track record of internet-wide scanning and penetration testing. A sought-after speaker, Hassan recently presented at the BlackHatMEA 2022 conference. His expertise extends to Ruby security, where he has conducted extensive research over the past few years. As a certified OSCP (Offensive Security Certified Professional), Hassan has also made a name for himself as a successful bug bounty hunter on both HackerOne and Bugcrowd.
Hassan’s achievements have earned him recognition in the industry, including inclusion in the Google Security Hall of Fame (2017), Twitter Security Hall of Fame (2017), and Microsoft Security Hall of Fame (2017). He has also conducted extensive research into WordPress security and won the HackFest CTF competition. In addition to his research, Hassan is also the developer of GemScanner.py and an npm scanner for account hijacking, further demonstrating his commitment to the security field and his skills as a developer.
Past speaking experience
– Presented twice at an Arsenal stage of BlackHat MEA and once at a Briefing stage at BlackHat MEA 2022.
– Hassan Khan has presented at local universities as well.
Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years and it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.
He was also involved in bug bounty programs as well, where he helped many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe, etc.
– Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
– Featured in “The Register” for an initial workaround for the NPM dependency attacks.
– Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, Certified Network Security Specialist (CNSS), IBM Cyber Security Analyst
– Ex-Chapter Leader @ OWASP
– Ex-Top Rated freelancer (Information security category) on Upwork
– Recent security research and CVEs include – CVE-2022-2848 & CVE-2022-25523
– Served as a Moderator @ OWASP 2022 Global AppSec APAC.
