Web Village will hold in the small hall of A2 Green Concert on Wednesday, November 13. Please note that all Web Village talks will be in Russian and won’t be translated into English.

Wondering what are the main topics of Web Village reports? We’ll tell you.

Aleksei «GreenDog» Tiurin — “Cookie Monster”  [25 min]

This talk is about signed cookie and all those things that are related to them.

Pavel “sorokinpf” Sorokin (@sorokinpf) — “GraphQL applications security testing automatization”  [25 min]

Pavel will discuss several aspects of GraphQL applications security testing automatization: scanning of all parameters defined in SDL with Burp, access control testing, finding DoS-loops, detecting different paths to critical data.

Valeriy “krevetk0” Shevchenko — “Principles in software testing and some bugs that others did not notice” [25 min]

The talk is dedicated to principles of software testing. This is what bug hunters may not know. We’ll discuss how they help in daily processes and see real cases where these principles help finding critical problems in different companies.

Alexei “SooLFaa” Morozov (@xSooLFaa) — “Blind SSRF”  [25 min]

SSRF (Server-Side Request Forgery) — the ability of the attacker to control the url that the server will go through. It gives an attacker the ability to collect data about internal infrastructure and develop an attack to RCE. However, there is often a situation where SSRF exists implicitly or with a number of restrictions: The report describes the methods for detecting and post-exploiting BLIND SSRF under limited conditions in various technologies.

Anton «Bo0oM» Lopanitsyn (@i_bo0om) — “Phoenix hunting” [25 min]

This report is about deanonymization of phishers exploiting vulnerabilities in the software they use.

Ramazan «r0hack» Ramazanov — “Operation of injections in ORM libraries” [25 min]

This report is focused on an interesting class of attacks — injections to SQL dialects ORM. This is a grammatical level of abstraction between the application and the DBMS. We’ll explore injections in the Doctrine Query Language dialect.

Sergey «BeLove» Belov (@sergeybelove) — «The future without passwords»

User passwords are a huge problem for modern services. Security departments have to take care of many things – phishing, credentials stuffing, weak passwords, brute-force protection, to name a few. A safe large-scale alternative to passwords is coming – it’s WebAuthN. This talk will cover the risks related to abandoning passwords.

Paul Axe (@Paul_Axe) — “ZN PWN Challenge” [25 min]

This is a fascinating story about the continuation of many years of tradition.

Denis “ttffdd” Rybin (@_ttffdd_) — “Doing AWS Zoo Audit” [45 min]

In this presentation, Denis will consider various aspects of AWS infrastructure audits. We’ll deal with the variety of services provided by Amazon, how their interaction is built and how security is ensured. This is an analysis of auxiliary tools and live cases.

Andrei Plastunov — “Misusing oop in mvc frameworks. How to conveniently develop broken apps” [25 min]

In the talk, we’re going to discuss some approaches in oop development and how those approaches might break access control in otherwise working applications.