| Date | Day | Time | Duration |
|---|---|---|---|
| 16 Oct | Monday | 09:00 to 17:00 GST/GMT+4 | 8 Hours |
| 17 Oct | Tuesday | 09:00 to 17:00 GST/GMT+4 | 8 Hours |
| 18 Oct | Wednesday | 09:00 to 17:00 GST/GMT+4 | 8 Hours |
This course distinguishes itself by unveiling the hidden risks within the software supply chain, using NPM packages as its example: an eye-opening journey through supply-chain vulnerabilities, backed by cutting-edge research on 2.1 million packages and by game-changing automation techniques, tools and methodologies for proactive defense.
In this training, we will focus on a specific aspect of supply-chain attacks: the vulnerability of NPM packages to account takeover when the email domain of the package maintainer expires. This may sound like a minor issue, but the reality is far from it. Just one package can be used by hundreds of thousands of applications, and the impact of such an attack would be devastating. We will demonstrate how an innocent NPM package can become a disaster, and how an NPM account takeover can evade detection even by security tools such as Dependabot, SAST, and DAST.
We have conducted extensive research on this issue, scanning the internet for widely-used NPM packages and collecting over 2.1 million packages with millions of downloads. We extracted the email addresses of these packages and scanned the domains to identify expired ones.
We then gathered download numbers of the vulnerable packages to demonstrate the impact of this vulnerability globally.
– Gain a holistic view of supply-chain security, covering open-source vulnerabilities beyond NPM.
– Identify and mitigate risks in NPM packages and other open-source components.
– Master automated vulnerability detection for NPM packages, understanding its broader cybersecurity implications.
– Advocate for open-source security best practices within your organization.
– Protect your applications from diverse supply-chain and open-source threats.
During this training, we will share our research methodology and tools, as well as an open-source script that automates, for defensive purposes, the identification of this vulnerability within the NPM packages used in your organization. We urge you to take this threat seriously and take action to protect your applications from NPM package hacking and account takeover.
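The check described above (extract maintainer email addresses from package metadata, then test whether their domains are still registered) can be expressed in a few lines. The script below is an added illustration written for this page, not the course's own tool or the authors' research scripts. It assumes registry metadata in the shape that `https://registry.npmjs.org/<package>` returns (a `maintainers` list of objects with `name` and `email`), embedded inline as constructed sample data with placeholder package and domain names, and it takes the domain-registration lookup as a caller-supplied function so that it runs offline; a real deployment would plug in a WHOIS/RDAP or DNS query there.

```python
"""
Added example (not the course's or the authors' script): flag dependencies
whose maintainer e-mail domains are not registered, which is the precondition
for the NPM account-takeover scenario the course describes.

Assumptions (constructed for this example):
  - Registry metadata is embedded inline in the shape returned by
    https://registry.npmjs.org/<package> (a "maintainers" list of
    {"name", "email"} objects); a live run would fetch it instead.
  - Domain registration status is answered by a caller-supplied lookup
    function; here a constructed table stands in for WHOIS/RDAP.
"""
from typing import Callable, Dict, Iterable, List, Set

# Constructed registry metadata for three hypothetical packages. Package and
# domain names are placeholders, not real packages or real people.
SAMPLE_REGISTRY: Dict[str, dict] = {
    "example-left-pad": {
        "maintainers": [{"name": "alice", "email": "alice@example-maintained.test"}],
    },
    "example-tiny-util": {
        "maintainers": [
            {"name": "bob", "email": "bob@example-lapsed.test"},
            {"name": "carol", "email": "carol@example-maintained.test"},
        ],
    },
    "example-broken-meta": {
        # Malformed entries must not crash the scan.
        "maintainers": [{"name": "dave"}, {"name": "erin", "email": "not-an-address"}],
    },
}

# Constructed stand-in for a registration lookup: True = domain is registered.
SAMPLE_REGISTERED: Dict[str, bool] = {
    "example-maintained.test": True,
    "example-lapsed.test": False,
}


def maintainer_domains(metadata: dict) -> Set[str]:
    """Return the set of lower-cased e-mail domains of a package's maintainers.
    Entries without a parsable address are skipped rather than raising."""
    domains: Set[str] = set()
    for m in metadata.get("maintainers", []):
        email = m.get("email", "")
        if email.count("@") != 1:
            continue
        local, domain = email.split("@")
        if local and domain and "." in domain:
            domains.add(domain.lower())
    return domains


def scan_packages(
    names: Iterable[str],
    registry: Dict[str, dict],
    is_registered: Callable[[str], bool],
) -> Dict[str, List[str]]:
    """Map each package to the maintainer domains that are not registered.
    Packages with no such domain are omitted from the result."""
    lookup_cache: Dict[str, bool] = {}  # one lookup per domain, however many packages share it
    findings: Dict[str, List[str]] = {}
    for name in names:
        meta = registry.get(name)
        if meta is None:
            continue  # unknown package: nothing to assess
        lapsed = []
        for domain in sorted(maintainer_domains(meta)):
            if domain not in lookup_cache:
                lookup_cache[domain] = is_registered(domain)
            if not lookup_cache[domain]:
                lapsed.append(domain)
        if lapsed:
            findings[name] = lapsed
    return findings


def demo_findings() -> Dict[str, List[str]]:
    """Run the scan over the constructed sample. A domain missing from the
    lookup table is treated as unregistered so that a lookup gap is surfaced
    for review rather than silently passed."""
    return scan_packages(
        SAMPLE_REGISTRY.keys(),
        SAMPLE_REGISTRY,
        lambda d: SAMPLE_REGISTERED.get(d, False),
    )


if __name__ == "__main__":
    for pkg, domains in demo_findings().items():
        print(f"{pkg}: maintainer domain(s) not registered -> {', '.join(domains)}")
```

A flagged domain is a lead for review, not proof that the package has been taken over: the next step is to confirm the registration status with an authoritative source and to decide whether to pin, replace or monitor the dependency. Caching lookups per domain matters in practice because a single mail provider's domain appears across thousands of packages.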
– The history of attacks on NPM dependencies and how they can become the weakest link in the chain.
– Demonstration of a few recent vulnerabilities and exploitations.
– Demonstration of the NPM account takeover methodology.
– Demonstration of our research on 2.1 million packages and of how the vulnerable ones were found among those widely available and widely used packages.
– Identification of download numbers and usage of the vulnerable packages to demonstrate the impact.
– A closing demonstration of how to protect against the issues or vulnerabilities that can arise from NPM packages.
– Finally, a new tool/script will be introduced to automate the process of catching shady or vulnerable packages.
Hassan Khan is a highly experienced Security Researcher with a proven track record of internet-wide scanning and penetration testing. A sought-after speaker, Hassan recently presented at the BlackHatMEA 2022 conference. His expertise extends to Ruby security, where he has conducted extensive research over the past few years. As a certified OSCP (Offensive Security Certified Professional), Hassan has also made a name for himself as a successful bug bounty hunter on both HackerOne and Bugcrowd.
Hassan’s achievements have earned him recognition in the industry, including inclusion in the Google Security Hall of Fame (2017), Twitter Security Hall of Fame (2017), and Microsoft Security Hall of Fame (2017). He has also conducted extensive research into WordPress security and won the HackFest CTF competition.
In addition to his research, Hassan is also the developer of GemScanner.py and an npm scanner for account hijacking, further demonstrating his commitment to the security field and his skills as a developer.
Past speaking experience
Hassan has presented twice on the Arsenal stage of BlackHat MEA, once on the Briefing stage at BlackHat MEA 2022, and at local universities as well.
Danish Tariq is a Security Engineer by profession and a Security researcher by passion. He has been working in Cyber Security for over 8 years and it all started out of a curiosity to break things and look deep down into those things (physical or virtual) back in his teenage years. His major expertise is Penetration Testing and Vulnerability Assessments.
– He has also taken part in bug bounty programs, helping many companies by finding vulnerabilities at different levels. Companies include Microsoft, Apple, Nokia, Blackberry, Adobe, etc.
– Spoke @ BlackHat MEA 2022 (Briefing: Supply-Chain Attacks)
– Featured in “The Register” for an initial workaround for the NPM dependency attacks.
– Certified Ethical Hacker, Certified Vulnerability Assessor (CVA), Certified AppSec Practitioner, Certified Network Security Specialist (CNSS), IBM Cyber Security Analyst
– Ex-Chapter Leader @ OWASP
– Ex-Top Rated freelancer (Information security category) on Upwork
– Recent security research and CVEs include CVE-2022-2848 and CVE-2022-25523.
– Served as a Moderator @ OWASP 2022 Global AppSec APAC.