{"acronym":"god2024","aspect_ratio":"16:9","updated_at":"2026-04-04T10:45:04.289+02:00","title":"German OWASP Day 2024","schedule_url":"","slug":"conferences/god/2024","event_last_released_at":"2024-11-13T00:00:00.000+01:00","link":"https://god.owasp.de/2024/","description":"","webgen_location":"conferences/god/2024","logo_url":"https://static.media.ccc.de/media/events/god/2024/logo.jpg","images_url":"https://static.media.ccc.de/media/events/god/2024","recordings_url":"https://cdn.media.ccc.de/events/god/2024","url":"https://api.media.ccc.de/public/conferences/god2024","events":[{"guid":"f364d6f6-ab49-4577-80a3-167e577904e1","title":"How (Not) to Use OAuth in 2024","subtitle":null,"slug":"god2024-56271-how-not-to-use-oauth-in-20","link":"https://c3voc.de","description":"OAuth 2.0 has become the backbone of secure delegated authorization on the web, enabling users to grant third-party applications access to their data without revealing their credentials. It's also foundational for federated authentication via OpenID Connect and plays a critical role in emerging technologies like wallet ecosystems. However, despite its wide adoption, OAuth implementations are fraught with risks — many of which can lead to serious security breaches.\n\nThe challenges arise from OAuth's use in contexts far more dynamic and high-stakes than what was originally envisioned. Today, OAuth protects sensitive financial APIs, powers identity verification systems, and secures modern app ecosystems — yet, many implementations remain vulnerable to attack. Even with the guidance from RFC6749 and RFC6819, subtle misconfigurations and outdated practices are still common, often due to the complexities of real-world deployments.\n\nTo address these evolving security needs, the IETF is finalizing the OAuth 2.0 Security Best Current Practice (BCP), an updated set of recommendations designed to mitigate common vulnerabilities and improve OAuth implementations across industries. 
This new RFC introduces stronger security measures and deprecates insecure approaches like the Implicit Grant, while also tackling new threats such as the Authorization Server Mix-Up Attack.\n\nIn this talk, we will dive into the core challenges of securing OAuth in today's dynamic and high-stakes environments. Attendees will learn about the most critical updates from the Security BCP, including the MUSTs, MUST NOTs, and SHOULDs that are essential for robust OAuth implementations.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Daniel Fett"],"tags":["56271","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":1045,"promoted":false,"date":"2024-11-13T09:35:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-02-02T10:15:09.402+01:00","length":2208,"duration":2208,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56271-f364d6f6-ab49-4577-80a3-167e577904e1.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56271-f364d6f6-ab49-4577-80a3-167e577904e1_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56271-f364d6f6-ab49-4577-80a3-167e577904e1.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56271-f364d6f6-ab49-4577-80a3-167e577904e1.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56271-how-not-to-use-oauth-in-20","url":"https://api.media.ccc.de/public/events/f364d6f6-ab49-4577-80a3-167e577904e1","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"fc198c3e-aa26-4d94-a491-a5e5851a6474","title":"„Well, What Would You Say if I Said That You Could?” – Scanning for Vulnerabilities Without Getting Into Trouble","subtitle":null,"slug":"god2024-56279-well-what-would-you-say-if","link":"https://c3voc.de","description":"The need for comprehensive measurements of security and privacy 
risks on the Web is undeniable as it helps developers in focusing on emerging trends in security. However, large-scale scans for server-side vulnerabilities remain a sensitive topic, due to their potential to harm servers, disrupt services, and incur financial losses. Even smaller, singular tests can be controversial, as demonstrated by incidents like the CSU scandal around Lilith Wittmann in 2021 or the Modern Solution case in 2023. The gray area surrounding the legality, ethics, and industry perspectives on server-side scanning has led to hesitancy among researchers and ethical hackers, creating a critical gap in our understanding of how to conduct such scans responsibly.\n\nIn this talk, we investigate and interactively discuss the murky boundaries of vulnerability scanning by exploring five typical scanning scenarios that researchers face on the Web. Drawing from 23 in-depth interviews we conducted with legal experts, research ethics committee members, and website/server operators, we identify what types of scanning practices are acceptable and where the red lines are drawn. We further substantiate these insights with findings from an online survey conducted with 119 server operators.\n\nAttendees will gain great insights into the current state of Web scanning, including the lack of judicial clarity and the ethical dilemmas researchers and ethical hackers face. 
This interactive session also offers a platform for audience members to challenge their own understanding of ethics, share opinions, and contribute to shaping the future of responsible Web security scans.\n\nIn this talk, the audience will:\n\n    Get an in-depth understanding of the legal and ethical challenges associated with large-scale server-side scanning research.\n    Learn current best practices for conducting responsible Web security scans (at scale).\n    See firsthand insights from legal experts, ethics committees, and operators on acceptable security research practices.\n    Get an opportunity to engage in an interactive discussion to voice opinions and help influence future research\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Florian Hantke","Sebastian Roth"],"tags":["56279","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":314,"promoted":false,"date":"2024-11-13T14:55:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-04-04T10:45:04.287+02:00","length":1627,"duration":1627,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56279-fc198c3e-aa26-4d94-a491-a5e5851a6474.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56279-fc198c3e-aa26-4d94-a491-a5e5851a6474_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56279-fc198c3e-aa26-4d94-a491-a5e5851a6474.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56279-fc198c3e-aa26-4d94-a491-a5e5851a6474.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56279-well-what-would-you-say-if","url":"https://api.media.ccc.de/public/events/fc198c3e-aa26-4d94-a491-a5e5851a6474","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"e1d77911-dc73-45b3-aebd-b06a56680d30","title":"Double-Edged Crime: How Browser Extension 
Fingerprinting Might Endanger Users and Extensions Alike","subtitle":null,"slug":"god2024-56283-double-edged-crime-how-bro","link":"https://c3voc.de","description":"Browser extensions are powerful tools that enhance the web browsing experience, offering their users a wide range of functionalities. However, these features can also introduce security and privacy issues for their users, mainly through a technique known as extension fingerprinting — where malicious websites track users based on the extensions they have installed. This is particularly interesting since many websites rely on advertising-based revenue for their existence, and the cookie-less form of tracking is also increasingly getting traction on the Web. Popular libraries such as FingerprintJS and Castle have already incorporated extensions as identifiable sources in their arsenal.\n\nIn this talk, we will present the growing threat of browser extension fingerprinting, shedding light on how extensions can inadvertently expose both users and the extension to certain risks. Our recent research uncovers that over 3,000 Chrome and Firefox extensions are vulnerable to fingerprinting through techniques such as JavaScript namespace pollution and other observable side effects despite existing defense mechanisms [1].\n\nThe audience will take away the following:\n\n    What are some of the ways by which browser extensions can be fingerprinted.\n    The risks for both user privacy and extensions' behavior.\n    Insights from recent research on vulnerable extensions.\n    Potential strategies to mitigate fingerprinting risks.\n    And, of course, how to keep your extensions from being the \"most wanted\" on the Web!\n\n[1] Agarwal, Shubham, Aurore Fass, and Ben Stock. \"Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions.\" (To appear at) Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 
2024.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Shubham Agarwal"],"tags":["56283","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":346,"promoted":false,"date":"2024-11-13T16:35:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-02-09T12:15:11.909+01:00","length":1423,"duration":1423,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56283-e1d77911-dc73-45b3-aebd-b06a56680d30.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56283-e1d77911-dc73-45b3-aebd-b06a56680d30_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56283-e1d77911-dc73-45b3-aebd-b06a56680d30.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56283-e1d77911-dc73-45b3-aebd-b06a56680d30.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56283-double-edged-crime-how-bro","url":"https://api.media.ccc.de/public/events/e1d77911-dc73-45b3-aebd-b06a56680d30","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"53320cbf-383d-4103-a809-b225ca1ae27d","title":"Closing","subtitle":null,"slug":"god2024-56287-closing","link":"https://c3voc.de","description":"Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["OWASP German Chapter"],"tags":["56287","god2024","god2024","OWASP","Saal 1","2024","Day 
1"],"view_count":103,"promoted":false,"date":"2024-11-13T17:25:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2025-12-31T17:30:22.625+01:00","length":241,"duration":241,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56287-53320cbf-383d-4103-a809-b225ca1ae27d.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56287-53320cbf-383d-4103-a809-b225ca1ae27d_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56287-53320cbf-383d-4103-a809-b225ca1ae27d.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56287-53320cbf-383d-4103-a809-b225ca1ae27d.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56287-closing","url":"https://api.media.ccc.de/public/events/53320cbf-383d-4103-a809-b225ca1ae27d","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"f5faa8fc-8506-46c9-bce0-51bbd85a0898","title":"Modern solutions against Cross-Site Attacks","subtitle":null,"slug":"god2024-56286-modern-solutions-against-c","link":"https://c3voc.de","description":"Web security is increasingly an opt-in approach, leaving developers with both the opportunity and the responsibility to protect their applications. This talk will explore why and how developers can secure their sites against evolving threats.\n\nWe'll delve into the nuances of cross-site leaks (xs-leaks) and discuss the Cross-Origin Resource Policy (CORP) as well as the abstractions provided by. 
Learn how these tools can empower you to build custom defenses and proactively safeguard your web applications.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Frederik Braun"],"tags":["56286","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":730,"promoted":false,"date":"2024-11-13T17:00:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-16T09:45:05.035+01:00","length":1631,"duration":1631,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56286-f5faa8fc-8506-46c9-bce0-51bbd85a0898.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56286-f5faa8fc-8506-46c9-bce0-51bbd85a0898_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56286-f5faa8fc-8506-46c9-bce0-51bbd85a0898.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56286-f5faa8fc-8506-46c9-bce0-51bbd85a0898.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56286-modern-solutions-against-c","url":"https://api.media.ccc.de/public/events/f5faa8fc-8506-46c9-bce0-51bbd85a0898","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"68eadd0f-8415-4e85-a2f2-451dc69a2428","title":"Overview of OWASP AI Exchange: A Comprehensive Guide to AI Security","subtitle":null,"slug":"god2024-56274-overview-of-owasp-ai-excha","link":"https://c3voc.de","description":"The OWASP AI Exchange provides a comprehensive framework to address the evolving security challenges presented by AI systems. As artificial intelligence continues to transform industries, securing these systems against emerging threats has become a top priority. This presentation will offer an in-depth overview of the OWASP AI Exchange, focusing on its mission to foster collaboration and align AI security standards across various industries. 
Attendees will explore the major security risks in AI, such as model poisoning, data theft, adversarial attacks, and vulnerabilities in machine learning algorithms. The session will also delve into the controls and countermeasures highlighted in the OWASP AI Exchange, offering ways of mitigating risks throughout the AI lifecycle. Additionally, the session will address how organizations can use the AI Exchange to improve governance, implement best practices, and protect the confidentiality, integrity, and availability of AI systems.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Behnaz Karimi"],"tags":["56274","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":152,"promoted":false,"date":"2024-11-13T11:40:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-24T01:00:04.089+01:00","length":1306,"duration":1306,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56274-68eadd0f-8415-4e85-a2f2-451dc69a2428.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56274-68eadd0f-8415-4e85-a2f2-451dc69a2428_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56274-68eadd0f-8415-4e85-a2f2-451dc69a2428.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56274-68eadd0f-8415-4e85-a2f2-451dc69a2428.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56274-overview-of-owasp-ai-excha","url":"https://api.media.ccc.de/public/events/68eadd0f-8415-4e85-a2f2-451dc69a2428","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"096a9297-01b7-4bdf-8c6d-06f96a5cab24","title":"NIS2 entmystifiziert - Was Unternehmen nun tun müssen","subtitle":null,"slug":"god2024-56273-nis2-entmystifiziert-was-u","link":"https://c3voc.de","description":"The European Union's NIS2 Directive (Network and Information Security Directive) is an evolution of the existing cybersecurity requirements and aims to strengthen the resilience and security of critical infrastructures in the EU. In Germany, a government draft of the concrete national implementation is currently on the table in the form of the NIS2UmsuCG (NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz, the NIS-2 Implementation and Cybersecurity Strengthening Act).\n\nCompared to the original NIS Directive, NIS2 broadens the scope and obliges more companies and sectors to implement strict cybersecurity measures. Companies now have to prepare for more comprehensive risk management requirements, reporting obligations for security incidents, and sanctions for non-compliance. But what does this mean concretely for companies, for those responsible for security, and for developers within companies?\n\nThe talk demystifies the key changes in NIS2 and shows which concrete steps companies must take now to achieve compliance. These include establishing robust cybersecurity strategies, adapting internal processes, and introducing effective reporting procedures. In view of stricter requirements and increased oversight, it becomes crucial for companies to implement the right measures in time to avoid fines and reputational damage. 
The talk focuses in particular, from a practical angle, on the current state of the legislative process and the relevant obligations for companies.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"deu","persons":["Tim Philipp Schäfers"],"tags":["56273","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":823,"promoted":false,"date":"2024-11-13T10:45:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-04-02T15:00:07.283+02:00","length":1394,"duration":1394,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56273-096a9297-01b7-4bdf-8c6d-06f96a5cab24.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56273-096a9297-01b7-4bdf-8c6d-06f96a5cab24_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56273-096a9297-01b7-4bdf-8c6d-06f96a5cab24.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56273-096a9297-01b7-4bdf-8c6d-06f96a5cab24.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56273-nis2-entmystifiziert-was-u","url":"https://api.media.ccc.de/public/events/096a9297-01b7-4bdf-8c6d-06f96a5cab24","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"d5e8aa57-cb38-4ef6-ad4c-c46f3222396b","title":"SAP from an Attacker's Perspective – Common Vulnerabilities and Pitfalls","subtitle":null,"slug":"god2024-56278-sap-from-an-attackers-pers","link":"https://c3voc.de","description":"As organizations increasingly rely on SAP systems to manage critical business processes, the security of these environments is an increasing challenge for companies and has also been recognized by the OWASP Core Business Application Security (CBAS) project. This talk will explore the security of SAP systems from an attacker's perspective, uncovering common vulnerabilities and pitfalls and their respective impact. 
Drawing from extensive penetration testing experience, this presentation will provide a deep dive into how attackers might exploit SAP vulnerabilities and offer practical guidance on mitigating these threats.\n\nWe will begin by highlighting prevalent SAP vulnerabilities discovered during real-world pentesting engagements, covering key attack techniques used against SAP systems that exploit misconfigurations, insecure coding practices, and authentication flaws.\n\nAs an example, we will illustrate the configuration options of SNC, the proprietary protocol for transport layer encryption in SAP environments. Using the open-source tool sncscan, security professionals and administrators alike can assess the encryption and signing settings of SAP systems, ensuring the confidentiality and integrity of sensitive data.\n\nThe session will also provide actionable guidance on mitigating these vulnerabilities, focusing on best practices and tools that can significantly enhance the security posture of SAP systems. 
By raising awareness of common vulnerabilities and pitfalls, we aim to empower security professionals and SAP administrators to better protect their systems against potential exploitation.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Nicolas Schickert","Tobias Hamann"],"tags":["56278","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":268,"promoted":false,"date":"2024-11-13T14:30:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-04-04T09:45:04.627+02:00","length":1355,"duration":1355,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56278-d5e8aa57-cb38-4ef6-ad4c-c46f3222396b.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56278-d5e8aa57-cb38-4ef6-ad4c-c46f3222396b_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56278-d5e8aa57-cb38-4ef6-ad4c-c46f3222396b.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56278-d5e8aa57-cb38-4ef6-ad4c-c46f3222396b.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56278-sap-from-an-attackers-pers","url":"https://api.media.ccc.de/public/events/d5e8aa57-cb38-4ef6-ad4c-c46f3222396b","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"b3d3e361-a623-4c26-94c1-5d7a2a94acea","title":"Network Fingerprinting for Securing User Accounts - Opportunities and Challenges","subtitle":null,"slug":"god2024-56277-network-fingerprinting-for","link":"https://c3voc.de","description":"Network fingerprinting has existed for a while, and some methods such as JA3 have achieved wide adoption across the industry. Introducing network fingerprinting into login flows can help you stave off attackers. 
However, there are various challenges that you need to overcome: technical, organizational and regulatory.\n\nIn this talk we will take a look at the opportunities that network fingerprinting provides us. We will go through the various challenges that can arise and discuss possible ways of tackling them. I will draw from insights gathered at 1\u00261 Mail \u0026 Media - the company behind web.de, GMX and mail.com.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Stephan Pinto Spindler"],"tags":["56277","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":117,"promoted":false,"date":"2024-11-13T14:05:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-02-03T19:00:22.220+01:00","length":1500,"duration":1500,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56277-b3d3e361-a623-4c26-94c1-5d7a2a94acea.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56277-b3d3e361-a623-4c26-94c1-5d7a2a94acea_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56277-b3d3e361-a623-4c26-94c1-5d7a2a94acea.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56277-b3d3e361-a623-4c26-94c1-5d7a2a94acea.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56277-network-fingerprinting-for","url":"https://api.media.ccc.de/public/events/b3d3e361-a623-4c26-94c1-5d7a2a94acea","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"aa6a62cf-f0b8-472f-90a4-4abb2e96a928","title":"Protecting Web Applications with Project Foxhound","subtitle":null,"slug":"god2024-56282-protecting-web-application","link":"https://c3voc.de","description":"Recent developments in web technologies have seen a paradigm shift from monolithic server-based applications to REST-based microservices with feature-rich browser-based frontends. 
This progression has brought with it novel classes of security flaws. In this talk we review how client-side variants of injection vulnerabilities such as cross-site scripting (XSS), cross-site request forgery (CSRF) and the recently discovered client-side request hijacking, arise and how traditional defense mechanisms are ineffective. We summarize recent research in this area which shows that such issues are widespread and can have a diverse range of consequences.\n\nWe go on to show how dynamic taint-tracking has proved to be an effective technique for the discovery of vulnerabilities in client-side JavaScript. The initial overhead in implementing tainting is, however, extremely high, as it typically involves delving into the inner workings of modern web browsers and JavaScript interpreters. We show how Project Foxhound (https://github.com/SAP/project-foxhound/) can help to reduce this burden by providing a flexible, open-source tool which can be fully integrated into browser automation frameworks such as Playwright. 
Foxhound is gaining traction in the community as the go-to tool for client-side vulnerability studies.\n\nWe finish the talk by showing how Foxhound can also be used in privacy studies, giving an update on upcoming features, and showing how the community can use and contribute to the project to help build a safer web!\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Thomas Barber"],"tags":["56282","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":155,"promoted":false,"date":"2024-11-13T16:25:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-23T23:15:05.783+01:00","length":691,"duration":691,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56282-aa6a62cf-f0b8-472f-90a4-4abb2e96a928.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56282-aa6a62cf-f0b8-472f-90a4-4abb2e96a928_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56282-aa6a62cf-f0b8-472f-90a4-4abb2e96a928.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56282-aa6a62cf-f0b8-472f-90a4-4abb2e96a928.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56282-protecting-web-application","url":"https://api.media.ccc.de/public/events/aa6a62cf-f0b8-472f-90a4-4abb2e96a928","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"38ba35b7-c49c-47ea-b04e-c9c247af6e76","title":"SSRF: Attacks, Defense and Status Quo","subtitle":null,"slug":"god2024-56281-ssrf-attacks-defense-and-s","link":"https://c3voc.de","description":"Web apps use Server-Side Requests to request data from other servers, e.g., for link previews. However, they are exploited by attackers who might request internal resources or non-public services. 
This attack is called Server-Side Request Forgery (SSRF).\n\nThe talk explains what SSRF is, how it can be used to exploit servers, and how to defend against it, which is surprisingly complex.\n\nFinally, we will discuss our research on the prevalence of countermeasures in the wild.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Malte Wessels"],"tags":["56281","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":221,"promoted":false,"date":"2024-11-13T16:15:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-03T19:45:09.909+01:00","length":625,"duration":625,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56281-38ba35b7-c49c-47ea-b04e-c9c247af6e76.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56281-ssrf-attacks-defense-and-s","url":"https://api.media.ccc.de/public/events/38ba35b7-c49c-47ea-b04e-c9c247af6e76","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"8dc955ca-f97e-41f5-a943-ba6f24291e6e","title":"OWASP Juice Shop 10th anniversary: Is it still fresh?","subtitle":null,"slug":"god2024-56270-owasp-juice-shop-10th-anni","link":"https://c3voc.de","description":"Once upon a time, developers and security experts relied on mostly server-side rendered vulnerable applications to train their web hacking skills. In 2014 the Juice Shop entered the stage as one of the first Rich Internet Application representatives. 
What started as a personal pet project with two dozen hacking challenges, became an OWASP Flagship project shortly after and grew in size, scope and use case coverage significantly over the years. Join us on a 10th anniversary tour through the origins, history and evolution of OWASP Juice Shop from 2014 to 2024, including new juicy hacking delicacies as well as some crazy shenanigans happening in and around the project.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"deu","persons":["Jannik Hollenbach"],"tags":["56270","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":215,"promoted":false,"date":"2024-11-13T09:10:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-23T18:30:07.184+01:00","length":1919,"duration":1919,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56270-8dc955ca-f97e-41f5-a943-ba6f24291e6e.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56270-8dc955ca-f97e-41f5-a943-ba6f24291e6e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56270-8dc955ca-f97e-41f5-a943-ba6f24291e6e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56270-8dc955ca-f97e-41f5-a943-ba6f24291e6e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56270-owasp-juice-shop-10th-anni","url":"https://api.media.ccc.de/public/events/8dc955ca-f97e-41f5-a943-ba6f24291e6e","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b","title":"GenAI in the Battle of Security: Attacks, Defenses, and the Laws Shaping AI's Future","subtitle":null,"slug":"god2024-56275-genai-in-the-battle-of-sec","link":"https://c3voc.de","description":"The presentation explores the security challenges and opportunities posed by Generative AI (GenAI). 
While GenAI offers tremendous potential, it also has a darker side, such as its use in creating deepfakes that can spread misinformation, manipulate political events, or facilitate fraud, as demonstrated in a live deepfake example. Malicious variants of GenAI are used in phishing attacks, social engineering schemes, and the creation of malware. Additionally, GenAI enables more intelligent network attacks through autonomous botnets, decreasing the risk of exposure.\n\nDespite these risks, GenAI also provides defensive advantages by enhancing security measures, such as improving threat detection, strengthening access control, and identifying code vulnerabilities. This is exemplified in a live demo showcasing deepfake and AI-based content detection.\n\nThe presentation also examines the different types of attacks that AI models, including GenAI, are susceptible to, across any task, model, or modality. This includes adversarial attacks, where inputs are specifically crafted to deceive AI systems. Additionally, attacks such as Prompt Injection and Visual Prompt Injection manipulate inputs to mislead models.\n\nHowever, navigating the complex landscape of AI compliance is essential. Organizations must adhere to regulations like the EU AI Act and standards such as ISO 27090, while also following guidelines from bodies like OWASP to ensure the security, transparency, and ethical use of AI systems. The OWASP AI Exchange plays a key role in modeling threats to GenAI, addressing risks and pointing out solutions. 
To defend against these threats, various detection and mitigation techniques have been developed and will briefly be presented.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Niklas Bunzel","Raphael Antonius Frick"],"tags":["56275","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":139,"promoted":false,"date":"2024-11-13T12:05:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-20T12:15:06.530+01:00","length":1736,"duration":1736,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56275-17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56275-17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56275-17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56275-17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56275-genai-in-the-battle-of-sec","url":"https://api.media.ccc.de/public/events/17a8c1a3-a7d9-4f6b-93b5-90045f45ad7b","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"0f02fe5e-8c72-4d82-b858-909cbbc8e4d5","title":"Begrüßung","subtitle":null,"slug":"god2024-56269-begruung","link":"https://c3voc.de","description":"Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"deu","persons":["OWASP German Chapter"],"tags":["56269","god2024","god2024","OWASP","Saal 1","2024","Day 
1"],"view_count":83,"promoted":false,"date":"2024-11-13T09:00:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-10T02:45:03.771+01:00","length":256,"duration":256,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56269-0f02fe5e-8c72-4d82-b858-909cbbc8e4d5.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56269-0f02fe5e-8c72-4d82-b858-909cbbc8e4d5_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56269-0f02fe5e-8c72-4d82-b858-909cbbc8e4d5.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56269-0f02fe5e-8c72-4d82-b858-909cbbc8e4d5.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56269-begruung","url":"https://api.media.ccc.de/public/events/0f02fe5e-8c72-4d82-b858-909cbbc8e4d5","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"a308e387-da07-431e-b50a-04f06250d30e","title":"The Debian OpenSSL bug and other Public Private Keys","subtitle":null,"slug":"god2024-56276-the-debian-openssl-bug-and","link":"https://c3voc.de","description":"In early 2024, hundreds of DKIM setups still used cryptographic keys vulnerable to a bug from 2008 in Debian's OpenSSL package. Vulnerable hosts included prominent names like Cisco, Oracle, Skype, and GitHub.\n\nIn 2022, it was discovered that printers generated TLS keys that could be trivially broken with an over 300-year-old algorithm by Pierre de Fermat.\n\nVulnerabilities in public/private key generation are amongst the most severe ones in cryptographic software. The speaker has developed badkeys, an open-source tool that checks cryptographic keys for known vulnerabilities. 
The talk will cover some of the findings and plans for future improvements in badkeys.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Hanno Böck"],"tags":["56276","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":229,"promoted":false,"date":"2024-11-13T13:40:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-18T11:45:08.319+01:00","length":1310,"duration":1310,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56276-a308e387-da07-431e-b50a-04f06250d30e.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56276-a308e387-da07-431e-b50a-04f06250d30e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56276-a308e387-da07-431e-b50a-04f06250d30e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56276-a308e387-da07-431e-b50a-04f06250d30e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56276-the-debian-openssl-bug-and","url":"https://api.media.ccc.de/public/events/a308e387-da07-431e-b50a-04f06250d30e","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"f4180e9b-91a8-404a-ad4a-f9008067b65d","title":"GenAI im Threat Modeling","subtitle":null,"slug":"god2024-56285-genai-im-threat-modeling","link":"https://c3voc.de","description":"Many teams face the challenge of identifying relevant threats during threat modeling, especially when little security expertise is available. Selecting and assessing potential risks can be difficult for non-experts. This lightning talk shows how Generative AI (GenAI) can support this by suggesting threat scenarios based on existing data and models and by helping to make initial decisions. 
The talk gives a brief overview of how GenAI, used as an aid, can make the threat modeling process more efficient and more accessible, and of the limitations that come with it.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Clemens Hübner"],"tags":["56285","god2024","god2024","Saal 1","2024","Day 1"],"view_count":220,"promoted":false,"date":"2024-11-13T12:30:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-17T16:45:07.926+01:00","length":597,"duration":597,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56285-f4180e9b-91a8-404a-ad4a-f9008067b65d.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56285-f4180e9b-91a8-404a-ad4a-f9008067b65d_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56285-f4180e9b-91a8-404a-ad4a-f9008067b65d.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56285-f4180e9b-91a8-404a-ad4a-f9008067b65d.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56285-genai-im-threat-modeling","url":"https://api.media.ccc.de/public/events/f4180e9b-91a8-404a-ad4a-f9008067b65d","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]},{"guid":"51036d08-9e96-4f7a-98ad-7848bccb2ef9","title":"The Crucial Role of Web Protocols and Standards in Digital Wallet Ecosystems","subtitle":null,"slug":"god2024-56272-the-crucial-role-of-web-pr","link":"https://c3voc.de","description":"In the coming years, all EU member states will be required to provide their citizens with a digital identity wallet, as mandated by the European Union. The EU Digital Identity Wallet (EUDI Wallet) represents the largest implementation of its kind to date and brings with it significant challenges, particularly in terms of security, privacy, and interoperability. 
To address these challenges, the EU has chosen to leverage open standards widely adopted in the web ecosystem — such as OpenID for Verifiable Presentations (OpenID4VP), based on the widely used web standard OAuth 2.0, and Selective Disclosure JWT (SD-JWT), built on the JSON Web Token (JWT) framework.\n\nHowever, wallet ecosystems operate quite differently from the traditional web, requiring adaptations to these protocols to meet the unique demands of secure, decentralized identity management. This talk will provide a comprehensive overview of the EUDI Wallet's architecture and the key challenges posed by adapting native web protocols for wallet ecosystems. It will also explore the crucial role browser vendors will play in ensuring the security and smooth functioning of this new digital identity landscape.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Kristina Yasuda"],"tags":["56272","god2024","god2024","OWASP","Saal 1","2024","Day 1"],"view_count":151,"promoted":false,"date":"2024-11-13T10:15:00.000+01:00","release_date":"2024-11-13T00:00:00.000+01:00","updated_at":"2026-03-26T13:00:09.255+01:00","length":1889,"duration":1889,"thumb_url":"https://static.media.ccc.de/media/events/god/2024/56272-51036d08-9e96-4f7a-98ad-7848bccb2ef9.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2024/56272-51036d08-9e96-4f7a-98ad-7848bccb2ef9_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2024/56272-51036d08-9e96-4f7a-98ad-7848bccb2ef9.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2024/56272-51036d08-9e96-4f7a-98ad-7848bccb2ef9.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2024-56272-the-crucial-role-of-web-pr","url":"https://api.media.ccc.de/public/events/51036d08-9e96-4f7a-98ad-7848bccb2ef9","conference_title":"German OWASP Day 2024","conference_url":"https://api.media.ccc.de/public/conferences/god2024","related":[]}]}