{"acronym":"god2025","aspect_ratio":"16:9","updated_at":"2026-03-10T09:45:08.661+01:00","title":"German OWASP Day 2025","schedule_url":"","slug":"conferences/god/2025","event_last_released_at":"2025-11-26T00:00:00.000+01:00","link":"https://god.owasp.de/2025/","description":"","webgen_location":"conferences/god/2025","logo_url":"https://static.media.ccc.de/media/events/god/2025/logo.jpg","images_url":"https://static.media.ccc.de/media/events/god/2025","recordings_url":"https://cdn.media.ccc.de/events/god/2025","url":"https://api.media.ccc.de/public/conferences/god2025","events":[{"guid":"fa9e001a-77f8-4a85-81c1-5decbc29a54e","title":"Der Cyber Resilience Act: Wie OWASP für die Software-Hersteller eine entscheidende Rolle spielen kann","subtitle":null,"slug":"god2025-56492-der-cyber-resilience-act-w","link":"https://c3voc.de","description":"The Cyber Resilience Act, CRA for short, is a new EU regulation that comes fully into force in December 2027. The core element of the regulation is software security for all so-called \"products with digital elements\" that are offered commercially on the EU market. These include both networked hardware products running firmware and pure software products. The requirements on software manufacturers range from fundamental \"Security by Design\" and \"Secure by Default\", through threat analyses of the software, to mandatory patching and vulnerability management.\nDo these topics sound somehow familiar? No wonder, because a whole range of projects from the OWASP ecosystem are practically predestined for use in the context of the CRA. 
Not only did CycloneDX, one of the two de-facto SBOM standards, originate from OWASP - frameworks such as OWASP SAMM or tools such as Dependency-Track can also play decisive roles in implementing supply-chain security and SDLC processes.\nIn this talk we take a closer look at the requirements of the regulation and then look at the interfaces to OWASP projects. In the end, this should help to give manufacturers a better picture of OWASP, and also to allow OWASP to approach those obliged by the CRA in a more targeted way. The more people recognize themselves in these topics and the more collaboration can arise, the better.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"deu","persons":["Dominik Pataky"],"tags":["56492","2025","god2025","Track 1","god2025-deu","god2025","Day 1"],"view_count":348,"promoted":false,"date":"2025-11-26T16:35:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-10T07:00:04.979+01:00","length":1272,"duration":1272,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56492-fa9e001a-77f8-4a85-81c1-5decbc29a54e.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56492-fa9e001a-77f8-4a85-81c1-5decbc29a54e_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56492-fa9e001a-77f8-4a85-81c1-5decbc29a54e.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56492-fa9e001a-77f8-4a85-81c1-5decbc29a54e.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56492-der-cyber-resilience-act-w","url":"https://api.media.ccc.de/public/events/fa9e001a-77f8-4a85-81c1-5decbc29a54e","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"93ba92ed-1e79-45e3-80a7-02f39db0f693","title":"Pwn My Ride: Jailbreaking Cars with 
CarPlay","subtitle":null,"slug":"god2025-56485-pwn-my-ride-jailbreaking-c","link":"https://c3voc.de","description":"Apple CarPlay is a widely known protocol that connects smartphones to car multimedia systems. Based on AirPlay, CarPlay is installed in millions of cars, as it is supported by hundreds of car models from dozens of different manufacturers across the globe. In our talk, we will share how we managed to exploit all devices running CarPlay using a single vulnerability we discovered in the AirPlay SDK.\nWe'll take you through our entire exploit development process from identifying the vulnerability, to testing it on a custom device emulator, and finally, executing the exploit on actual devices.  The session will include a demonstration of our RCE exploit on a well known third-party CarPlay device to show how an attacker can run arbitrary code while in physical proximity to a target car.\nWe will also share how we managed to blindly exploit CarPlay without a debugger, knowing the vulnerable code is present on the system.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Avi Lumelsky"],"tags":["56485","2025","god2025","Track 2","god2025-eng","god2025","Day 
1"],"view_count":606,"promoted":false,"date":"2025-11-26T13:45:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-06T15:15:09.801+01:00","length":2458,"duration":2458,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56485-93ba92ed-1e79-45e3-80a7-02f39db0f693.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56485-93ba92ed-1e79-45e3-80a7-02f39db0f693_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56485-93ba92ed-1e79-45e3-80a7-02f39db0f693.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56485-93ba92ed-1e79-45e3-80a7-02f39db0f693.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56485-pwn-my-ride-jailbreaking-c","url":"https://api.media.ccc.de/public/events/93ba92ed-1e79-45e3-80a7-02f39db0f693","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"90b1b8de-07c2-4937-a9d0-f53fd96595a1","title":"Introducing Passkeys - Strategies and Challenges for Developers","subtitle":null,"slug":"god2025-56479-introducing-passkeys-strat","link":"https://c3voc.de","description":"The future of authentication is passwordless - Passkeys are the key technology. This talk supports developers in implementing Passkeys in their organizations and helps with the decision between in-house development, SDK, or Passkey-as-a-Service solutions. You will learn how to design recovery flows and fallback mechanisms in a user-friendly way, how Passkeys can be securely shared across devices and platforms, and what level of security they offer compared to traditional methods. 
Practical user stories and concrete examples highlight common pitfalls and help you optimally communicate the benefits of Passkeys.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Clemens Hübner"],"tags":["56479","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":245,"promoted":false,"date":"2025-11-26T11:55:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-06T15:45:07.222+01:00","length":1338,"duration":1338,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56479-90b1b8de-07c2-4937-a9d0-f53fd96595a1.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56479-90b1b8de-07c2-4937-a9d0-f53fd96595a1_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56479-90b1b8de-07c2-4937-a9d0-f53fd96595a1.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56479-90b1b8de-07c2-4937-a9d0-f53fd96595a1.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56479-introducing-passkeys-strat","url":"https://api.media.ccc.de/public/events/90b1b8de-07c2-4937-a9d0-f53fd96595a1","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"69326d17-20c7-4993-a8e1-3d3fa7c26b1f","title":"Extract: A PHP Foot-Gun Case Study","subtitle":null,"slug":"god2025-56486-extract-a-php-foot-gun-cas","link":"https://c3voc.de","description":"Do you always read the documentation before using a function in your language's standard library? This talk explores the attack surface of a special feature in PHP which is easy to misuse with unforeseen consequences. The `extract` function allows replacing the value of local variables named after the keys in an array. Calling it with user-controlled input allows the attacker to change arbitrary variables in the program. 
The documentation warns against the dangers of using it with untrusted data, but our large-scale analysis on 28.325 PHP projects from GitHub shows that this warning is ignored.\nThe talk walks through the process of identifying `extract`-based vulnerabilities and how they might have ended up the way they are by looking at the surrounding code. After introducing different levels of attacker control guided by concrete exploits, listeners gain an intuition on what to look out for while reviewing code.\nAttending this talk, the audience will learn:\n\nRich ways users have control over input in PHP.\nHow to exploit insecure calls to `extract` given multiple real-world case studies from the dataset of open source projects from GitHub.\nTips on how to avoid this and similar threats in new and legacy code.\nPossible changes to PHP itself for risk reduction.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Jannik Hartung","Martin Johns","Simon Koch"],"tags":["56486","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":185,"promoted":false,"date":"2025-11-26T14:30:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-10T02:30:03.423+01:00","length":1477,"duration":1477,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56486-69326d17-20c7-4993-a8e1-3d3fa7c26b1f.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56486-extract-a-php-foot-gun-cas","url":"https://api.media.ccc.de/public/events/69326d17-20c7-4993-a8e1-3d3fa7c26b1f","conference_title":"German OWASP Day 
2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"c2cff574-070b-48c0-ae1d-65967952bee5","title":"A CISO's Adventures in AI Wonderland","subtitle":null,"slug":"god2025-56490-a-cisos-adventures-in-ai-w","link":"https://c3voc.de","description":"As a CISO (or any other security expert) in the area of AI, you can find yourself in increasingly challenging and sometimes bizarre AI-related situations not unlike Alice's adventures in Wonderland.\nDepending on whom you speak to, people either have high (inflated?) expectations about the (magic?) benefits of AI for security efforts, or try to explain why \"AI security Armageddon\" is looming... and that is just the security part of the story. All other areas in your organization are heavily using or experimenting with AI (e.g., vibe coding, automation, decision making, etc.), challenging (or ignoring) established security practices.\nThis talk tells the story of the daily experience of dealing with AI as a CISO in a cloud-application startup. 
Which experiments failed or were successful, which advice is helpful, what is difficult to apply in practice, which questions are still open...\nThe motivation for this talk is to start a conversation among security experts on how we can shape a secure AI future and not get pushed into the role of being seen as \"hindering\" AI progress.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Holger Mack"],"tags":["56490","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":205,"promoted":false,"date":"2025-11-26T15:50:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-09T18:30:07.092+01:00","length":2542,"duration":2542,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56490-c2cff574-070b-48c0-ae1d-65967952bee5.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56490-c2cff574-070b-48c0-ae1d-65967952bee5_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56490-c2cff574-070b-48c0-ae1d-65967952bee5.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56490-c2cff574-070b-48c0-ae1d-65967952bee5.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56490-a-cisos-adventures-in-ai-w","url":"https://api.media.ccc.de/public/events/c2cff574-070b-48c0-ae1d-65967952bee5","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"b873d52c-a991-4a71-93aa-f1564620c209","title":"LangSec for AppSec folks","subtitle":null,"slug":"god2025-56477-langsec-for-appsec-folks","link":"https://c3voc.de","description":"The fundamental security principles described by LangSec explain the root causes of many security vulnerabilities and how to fix them. 
LangSec views the persistent vulnerability epidemic in software as a consequence of the ad hoc development of code that processes inputs and outputs. According to LangSec, the key to developing trustworthy software that handles potentially malicious input correctly is to treat all valid or expected inputs and outputs as a formal language. Accordingly, the routines that process inputs and outputs must be treated as parsers or unparsers for that language and developed as such. In this talk I want to present LangSec and its implications for our daily work in AppSec without drifting into the depths of theoretical computer science and compiler construction.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Lars Hermerschmidt"],"tags":["56477","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":97,"promoted":false,"date":"2025-11-26T11:10:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-06T16:30:07.251+01:00","length":1764,"duration":1764,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56477-b873d52c-a991-4a71-93aa-f1564620c209.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56477-b873d52c-a991-4a71-93aa-f1564620c209_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56477-b873d52c-a991-4a71-93aa-f1564620c209.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56477-b873d52c-a991-4a71-93aa-f1564620c209.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56477-langsec-for-appsec-folks","url":"https://api.media.ccc.de/public/events/b873d52c-a991-4a71-93aa-f1564620c209","conference_title":"German OWASP Day 
2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"17d6ccbe-6241-4c2e-b223-d6d6514d7374","title":"YuraScanner: Leveraging LLMs for Task-driven Web App Scanning","subtitle":null,"slug":"god2025-56493-yurascanner-leveraging-llm","link":"https://c3voc.de","description":"Web application scanners are popular and effective black-box testing tools, automating the detection of vulnerabilities by exploring and interacting with user interfaces. Despite their effectiveness, these scanners struggle with discovering deeper states in modern web applications due to their limited understanding of workflows. This study addresses this limitation by introducing YuraScanner, a task-driven web application scanner that leverages large-language models (LLMs) to autonomously execute tasks and workflows.\nYuraScanner operates as a goal-based agent, suggesting actions to achieve predefined objectives by processing webpages to extract semantic information. Unlike traditional methods that rely on user-provided traces, YuraScanner uses LLMs to bridge the semantic gap, making it web application-agnostic. Using the XSS engine of Black Widow, YuraScanner tests discovered input points for vulnerabilities, enhancing the scanning process's comprehensiveness and accuracy.\nWe evaluated YuraScanner on 20 diverse web applications, focusing on task extraction, execution accuracy, and vulnerability detection. The results demonstrate YuraScanner's superiority in discovering new attack surfaces and deeper states, significantly improving vulnerability detection. Notably, YuraScanner identified 12 unique zero-day XSS vulnerabilities, compared to three by Black Widow. 
This study highlights YuraScanner's potential to revolutionize web application scanning with its automated, task-driven approach.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Aleksei Stafeev"],"tags":["56493","2025","god2025","Track 2","god2025-eng","god2025","Day 1"],"view_count":468,"promoted":false,"date":"2025-11-26T16:35:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-06T13:45:05.554+01:00","length":1328,"duration":1328,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56493-17d6ccbe-6241-4c2e-b223-d6d6514d7374.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56493-17d6ccbe-6241-4c2e-b223-d6d6514d7374_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56493-17d6ccbe-6241-4c2e-b223-d6d6514d7374.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56493-17d6ccbe-6241-4c2e-b223-d6d6514d7374.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56493-yurascanner-leveraging-llm","url":"https://api.media.ccc.de/public/events/17d6ccbe-6241-4c2e-b223-d6d6514d7374","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"b62e489d-ccc9-4d8b-b9b4-d92b4c27337d","title":"From Startup to Scale: Choosing the Right AppSec Path","subtitle":null,"slug":"god2025-56475-from-startup-to-scale-choo","link":"https://c3voc.de","description":"Security teams often inherit their organisation's structure - for better or worse. The way you design your AppSec programme and choose your team topology can determine whether security becomes a trusted enabler or a frustrating bottleneck.\nIn this story-driven session, we follow Alex, who begins as the only security person in a 50-person startup. At first, Alex builds a centralised AppSec team, finding it effective for control but slow to scale. 
As the company grows to hundreds of employees, bottlenecks appear, and burnout looms. Alex experiments with embedded security engineers, Security as a Platform, and a Security Champions network, learning the trade-offs of each approach along the way.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Javan Rasokat","Vanessa Sutter"],"tags":["56475","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":142,"promoted":false,"date":"2025-11-26T10:15:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-06T13:45:07.412+01:00","length":1277,"duration":1277,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56475-b62e489d-ccc9-4d8b-b9b4-d92b4c27337d.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56475-b62e489d-ccc9-4d8b-b9b4-d92b4c27337d_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56475-b62e489d-ccc9-4d8b-b9b4-d92b4c27337d.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56475-b62e489d-ccc9-4d8b-b9b4-d92b4c27337d.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56475-from-startup-to-scale-choo","url":"https://api.media.ccc.de/public/events/b62e489d-ccc9-4d8b-b9b4-d92b4c27337d","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"dae5a632-92c6-4d65-b9d1-b4c61b311223","title":"The Surprising Complexity of Finding Known Vulnerabilities","subtitle":null,"slug":"god2025-56473-the-surprising-complexity","link":"https://c3voc.de","description":"With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. 
Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effectiveness, generalizability, and practical utility.\nStarting from our perspective as penetration testers, we identified three main problems with existing solutions in vulnerability identification:\n\nAccuracy and completeness of results - Many tools exhibit limited precision and recall, often depending on a single data source (e.g. NVD) and overlooking critical indicators such as known exploits or patch history.\nRigid input requirements - Most solutions enforce strict formatting constraints (e.g., requiring exact CPEs), creating usability and reliability issues when dealing with diverse or incomplete data.\nLack of usable outputs - The inability to meaningfully export or integrate results into broader workflows hampers both manual and automated security processes.\n\nIn order to solve these challenges, we developed the open-source tool search_vulns. It leverages information from multiple data sources and uses text comparison techniques and CPEs in combination to increase accuracy in software identification. Due to this approach, it can even automatically generate CPEs that have yet to be published. Together with its custom logic for version comparison, this further enhances the quality of results. Finally, search_vulns provides a fine-granular export of results in different formats.\nIn conclusion, this talk aims to simplify the surprising complexity of finding known vulnerabilities in software. To do so, we discuss common challenges in mapping software names to CPEs, e.g. for product rebrandings, single-version vulnerabilities and yet to be published software versions. In addition, we present an approach using multiple data sources in combination to enrich CVE data with information on known exploits, likelihood of exploitability (EPSS) and other data sources. 
Finally, we present search_vulns as an open-source tool.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Dustin Born","Matthias Göhring"],"tags":["56473","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":307,"promoted":false,"date":"2025-11-26T09:50:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-09T18:30:06.642+01:00","length":1415,"duration":1415,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56473-dae5a632-92c6-4d65-b9d1-b4c61b311223.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56473-dae5a632-92c6-4d65-b9d1-b4c61b311223_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56473-dae5a632-92c6-4d65-b9d1-b4c61b311223.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56473-dae5a632-92c6-4d65-b9d1-b4c61b311223.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56473-the-surprising-complexity","url":"https://api.media.ccc.de/public/events/dae5a632-92c6-4d65-b9d1-b4c61b311223","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"591309e4-b4c7-4ecc-9667-efe5d34c8f2c","title":"MCP security hot potato: how to stay secure integrating external tools to your LLM","subtitle":null,"slug":"god2025-56487-mcp-security-hot-potato-ho","link":"https://c3voc.de","description":"Model Context Protocol (MCP) is the latest hot topic in cybersecurity. Business wants it (AI is the new mantra), developers are excited (new toys, new code), and security teams are left to make it safe—often with already packed schedules. Let's treat it like just another Tuesday. Like many shiny new technologies (remember the early days of cloud?), MCP is being built with a “features first, security later” mindset. 
As a fresh piece of tech, it blends novel vulnerabilities with familiar, well-known ones. If you're an early adopter, it's important to accept that MCP and its current implementations are imperfect—and to be ready for that. In this talk, we'll dive into the real-world challenges companies are facing with MCP and equip you with practical remediations.\nWe'll cover topics such as:\n\nAn introduction to the MCP protocol and its security considerations, including authentication\nEmerging vulnerabilities like prompt injections, tool poisoning, rug pull attacks, and cross-server tool shadowing\nClassic vulnerabilities that may resurface around MCP, based on recent CVEs\nRemediation strategies and available tooling\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Mateusz Olejarka","Dawid Nastaj"],"tags":["56487","2025","god2025","Track 2","god2025-eng","god2025","Day 1"],"view_count":177,"promoted":false,"date":"2025-11-26T14:30:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-03T16:30:05.726+01:00","length":1478,"duration":1478,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56487-591309e4-b4c7-4ecc-9667-efe5d34c8f2c.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56487-591309e4-b4c7-4ecc-9667-efe5d34c8f2c_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56487-591309e4-b4c7-4ecc-9667-efe5d34c8f2c.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56487-591309e4-b4c7-4ecc-9667-efe5d34c8f2c.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56487-mcp-security-hot-potato-ho","url":"https://api.media.ccc.de/public/events/591309e4-b4c7-4ecc-9667-efe5d34c8f2c","conference_title":"German OWASP Day 
2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"7410cd2e-0fd2-47b0-b439-4f7e8da5130d","title":"Closing","subtitle":null,"slug":"god2025-56496-closing","link":"https://c3voc.de","description":"Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["OWASP German Chapter"],"tags":["56496","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":176,"promoted":false,"date":"2025-11-26T17:35:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-02-20T09:00:07.421+01:00","length":246,"duration":246,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56496-7410cd2e-0fd2-47b0-b439-4f7e8da5130d.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56496-7410cd2e-0fd2-47b0-b439-4f7e8da5130d_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56496-7410cd2e-0fd2-47b0-b439-4f7e8da5130d.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56496-7410cd2e-0fd2-47b0-b439-4f7e8da5130d.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56496-closing","url":"https://api.media.ccc.de/public/events/7410cd2e-0fd2-47b0-b439-4f7e8da5130d","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"7d2530a7-3b5e-44a6-8297-8d3a7abf99eb","title":"How the EU created Electronic Invoices without considering Security","subtitle":null,"slug":"god2025-56476-how-the-eu-created-electro","link":"https://c3voc.de","description":"Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. 
For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts.\nWhile it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic \"standard\" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software even more likely.\nThe EU standard allows multiple redundant XML data formats to encode electronic invoices. XML processing has several well-known, inherent security problems, most notably file exfiltration via XML eXternal Entity (XXE) attacks.\nIt appears that XML security was not considered during the creation of these standards. Neither the standardization documents nor the information found on various government and EU web pages contain any information about avoiding XML security flaws.\nTherefore, unsurprisingly, security vulnerabilities in software processing these electronic invoices are very common.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Hanno Böck"],"tags":["56476","2025","god2025","Track 2","god2025-eng","god2025","Day 
1"],"view_count":1307,"promoted":false,"date":"2025-11-26T10:15:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-02-23T16:30:10.169+01:00","length":1671,"duration":1671,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56476-7d2530a7-3b5e-44a6-8297-8d3a7abf99eb.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56476-7d2530a7-3b5e-44a6-8297-8d3a7abf99eb_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56476-7d2530a7-3b5e-44a6-8297-8d3a7abf99eb.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56476-7d2530a7-3b5e-44a6-8297-8d3a7abf99eb.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56476-how-the-eu-created-electro","url":"https://api.media.ccc.de/public/events/7d2530a7-3b5e-44a6-8297-8d3a7abf99eb","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"9e712464-901b-4fcc-87cd-f80e84e4d6f4","title":"\"I have no idea how to make it safer\": Security and Privacy Mindsets of Browser Extension Developers","subtitle":null,"slug":"god2025-56488-i-have-no-idea-how-to-make","link":"https://c3voc.de","description":"Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support.\nIn this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. 
Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them.\nThe audience will take away the following items from the presentation/discussion:\n\nCommon insecure practices in extension development.\nWhy security ≠ privacy ≠ store compliance, as often perceived by extension developers!\nHidden design gaps and loopholes in extension architecture that developers can't spot or comprehend.\nAnecdotes on the course of extension development in the era of LLMs.\nDevelopers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions.\nAnd, most importantly, why you should NOT give up on them just yet! :)\n\nReferences:\n\n[1] Agarwal, Shubham, et al. “I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025.\n[2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024.\n[3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 
2022.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Shubham Agrawal"],"tags":["56488","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":149,"promoted":false,"date":"2025-11-26T14:55:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-07T12:00:04.914+01:00","length":1482,"duration":1482,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56488-9e712464-901b-4fcc-87cd-f80e84e4d6f4.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56488-i-have-no-idea-how-to-make","url":"https://api.media.ccc.de/public/events/9e712464-901b-4fcc-87cd-f80e84e4d6f4","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"bd3aa5dd-5842-4971-be51-11b48a56002f","title":"OWASP Cumulus: Threat Modeling the Ops of DevOps","subtitle":null,"slug":"god2025-56482-owasp-cumulus-threat-model","link":"https://c3voc.de","description":"In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects.\nWe will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. 
This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Christoph Niehoff"],"tags":["56482","2025","god2025","Track 2","god2025-eng","god2025","Day 1"],"view_count":151,"promoted":false,"date":"2025-11-26T12:20:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-02-23T16:15:05.890+01:00","length":1568,"duration":1568,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56482-bd3aa5dd-5842-4971-be51-11b48a56002f.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56482-bd3aa5dd-5842-4971-be51-11b48a56002f_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56482-bd3aa5dd-5842-4971-be51-11b48a56002f.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56482-bd3aa5dd-5842-4971-be51-11b48a56002f.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56482-owasp-cumulus-threat-model","url":"https://api.media.ccc.de/public/events/bd3aa5dd-5842-4971-be51-11b48a56002f","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"402cfa63-18e2-4c55-945d-e564437c0807","title":"News from the Juice Shop ecosystem","subtitle":null,"slug":"god2025-56495-news-from-the-juice-shop-e","link":"https://c3voc.de","description":"OWASP Juice Shop went through some significant renovation and enhancements over the last year in order to keep current with the underlying Node.js and Angular frameworks. MultiJuicer was entirely rewritten in GoLang and is now faster and more reliable than ever before. 
All Juice Shop side-projects have been migrated to TypeScript and brought to a common stack for testing and code linting.\nBut the team did not only clean up and refactor behind the scenes. There are also lots of exciting new features and enhancements available, such as:\n\nSeveral new hacking challenges, e.g. a YAML memory bomb attack and an API key leakage\nEnhancing MultiJuicer's team score board to deliver a more holistic CTF experience\nReimagining the hint system for all challenges, integrating now even better with CTF servers and making the use of hints more explicit for users\n\nOf course the popular Juice Shop Success Pyramid™ will be back with beyond-crazy Docker image download stats and other usage figures!\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Björn Kimminich"],"tags":["56495","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":432,"promoted":false,"date":"2025-11-26T17:15:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-10T09:45:08.656+01:00","length":1356,"duration":1356,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56495-402cfa63-18e2-4c55-945d-e564437c0807.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56495-402cfa63-18e2-4c55-945d-e564437c0807_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56495-402cfa63-18e2-4c55-945d-e564437c0807.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56495-402cfa63-18e2-4c55-945d-e564437c0807.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56495-news-from-the-juice-shop-e","url":"https://api.media.ccc.de/public/events/402cfa63-18e2-4c55-945d-e564437c0807","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"0a83a3f1-0f25-42c8-ae7a-7d06ea291672","title":"The Trust Trap - Security von 
Coding Assistants","subtitle":null,"slug":"god2025-56491-the-trust-trap-security-vo","link":"https://c3voc.de","description":"Coding Assistants wie Github Copilot, Cursor oder Claude versprechen einen Effizienzboost für die Softwareentwicklung. Doch welchen Einfluss hat die Nutzung dieser Tools auf die Software Security?\nDieser Vortrag analysiert die Vor- und Nachteile von Coding Assistants in Hinblick auf die Sicherheit des entstehenden Codes. Er gibt einen Überblick über die aktuelle Studienlage und die Benchmarks zu den verschiedenen Modellen und diskutiert die Ergebnisse. Neben der Bedeutung von eingebrachten Schwachstellen im Code selbst werden Risiken wie Slopsquatting, Model Poisoning und Rules File Backdoors erläutert. Zuletzt gibt der Vortrag Empfehlungen zu Best Practices für die Nutzung von Coding Assistants: von der richtigen Konfiguration und Nutzung über Richtlinien zum Review und Testen von solchem Code.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Clemens Hübner"],"tags":["56491","2025","god2025","Track 2","god2025-eng","god2025","Day 
1"],"view_count":191,"promoted":false,"date":"2025-11-26T15:50:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-02-24T17:45:06.506+01:00","length":2585,"duration":2585,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56491-0a83a3f1-0f25-42c8-ae7a-7d06ea291672.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56491-0a83a3f1-0f25-42c8-ae7a-7d06ea291672_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56491-0a83a3f1-0f25-42c8-ae7a-7d06ea291672.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56491-0a83a3f1-0f25-42c8-ae7a-7d06ea291672.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56491-the-trust-trap-security-vo","url":"https://api.media.ccc.de/public/events/0a83a3f1-0f25-42c8-ae7a-7d06ea291672","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"ccc2f9a5-01b4-4482-bafd-fd86279a13d3","title":"Phishing for Passkeys: An Analysis of WebAuthn and CTAP","subtitle":null,"slug":"god2025-56481-phishing-for-passkeys-an-a","link":"https://c3voc.de","description":"WebAuthn was supposed to replace passwords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach more widespread adoption.\nThis presentation discusses the security of passkeys against phishing attacks. It explains the possibilities for an attacker to gain access to accounts secured with passkeys using spear phishing, and what conditions must be met for this to happen. 
It also practically demonstrates such an attack and discusses countermeasures.\nParticipants will learn which WebAuthn security principles still apply to passkeys and which do not. They will learn why passkeys are no longer completely phishing-proof and how they can evaluate this consideration for their own use of passkeys.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Michael Kuckuk"],"tags":["56481","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":532,"promoted":false,"date":"2025-11-26T12:20:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-09T00:15:05.106+01:00","length":1164,"duration":1164,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56481-ccc2f9a5-01b4-4482-bafd-fd86279a13d3.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56481-ccc2f9a5-01b4-4482-bafd-fd86279a13d3_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56481-ccc2f9a5-01b4-4482-bafd-fd86279a13d3.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56481-ccc2f9a5-01b4-4482-bafd-fd86279a13d3.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56481-phishing-for-passkeys-an-a","url":"https://api.media.ccc.de/public/events/ccc2f9a5-01b4-4482-bafd-fd86279a13d3","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"7c1d0211-0a19-470e-9081-be1966ecc4bf","title":"Welcome","subtitle":null,"slug":"god2025-56471-welcome","link":"https://c3voc.de","description":"Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["OWASP German Chapter"],"tags":["56471","2025","god2025","Track 1","god2025-eng","god2025","Day 
1"],"view_count":156,"promoted":false,"date":"2025-11-26T09:00:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-02-12T13:15:08.343+01:00","length":561,"duration":561,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56471-7c1d0211-0a19-470e-9081-be1966ecc4bf.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56471-7c1d0211-0a19-470e-9081-be1966ecc4bf_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56471-7c1d0211-0a19-470e-9081-be1966ecc4bf.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56471-7c1d0211-0a19-470e-9081-be1966ecc4bf.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56471-welcome","url":"https://api.media.ccc.de/public/events/7c1d0211-0a19-470e-9081-be1966ecc4bf","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"f9291c47-6a2d-4ad3-8fff-36877a8684c4","title":"OWASP Top 10:2025: Aktuelle Informationen und Insights zum Projekt","subtitle":null,"slug":"god2025-56494-owasp-top-102025-aktuelle","link":"https://c3voc.de","description":"Der Kurzvortrag stellt den aktuellen Stand der OWASP Top 10:2025 vor, mit etwas Glück haben wir bis dahin schon mehr...\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"deu","persons":["Torsten Gigler"],"tags":["56494","2025","god2025","Track 1","god2025-deu","god2025","Day 
1"],"view_count":276,"promoted":false,"date":"2025-11-26T17:05:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-05T08:30:05.204+01:00","length":670,"duration":670,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56494-f9291c47-6a2d-4ad3-8fff-36877a8684c4.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56494-f9291c47-6a2d-4ad3-8fff-36877a8684c4_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56494-f9291c47-6a2d-4ad3-8fff-36877a8684c4.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56494-f9291c47-6a2d-4ad3-8fff-36877a8684c4.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56494-owasp-top-102025-aktuelle","url":"https://api.media.ccc.de/public/events/f9291c47-6a2d-4ad3-8fff-36877a8684c4","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3","title":"All the WAF power to the devs - why it reduces friction… and where it backfires","subtitle":null,"slug":"god2025-56478-all-the-waf-power-to-the-d","link":"https://c3voc.de","description":"Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps approach, reducing late surprises during deployment.\nIn this talk, we demonstrate the application-centric approach with Envoy Proxy, OWASP Coraza, and the OWASP Core Rule Set (components are examples and interchangeable; focus is on principles and selection criteria), and take you along our real-world journey - highlighting the challenges and lessons learned. 
What you'll take away: We show where this reusable reference design reduces friction and where it backfires, and we outline the governance and guardrails needed to make it work in practice.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Lukas Funk"],"tags":["56478","2025","god2025","Track 2","god2025-eng","god2025","Day 1"],"view_count":197,"promoted":false,"date":"2025-11-26T11:10:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-09T18:45:05.778+01:00","length":2056,"duration":2056,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56478-9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56478-9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56478-9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56478-9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56478-all-the-waf-power-to-the-d","url":"https://api.media.ccc.de/public/events/9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"626be573-f64c-480c-a2db-1ccaeec57764","title":"How we hacked Y Combinator companies' AI agents","subtitle":null,"slug":"god2025-56489-how-we-hacked-y-combinator","link":"https://c3voc.de","description":"We hacked 7 of the 16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. 
In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["René Brandel"],"tags":["56489","2025","god2025","Track 2","god2025-eng","god2025","Day 1"],"view_count":332,"promoted":false,"date":"2025-11-26T14:55:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-02-22T20:30:10.812+01:00","length":1468,"duration":1468,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56489-626be573-f64c-480c-a2db-1ccaeec57764.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56489-626be573-f64c-480c-a2db-1ccaeec57764_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56489-626be573-f64c-480c-a2db-1ccaeec57764.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56489-626be573-f64c-480c-a2db-1ccaeec57764.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56489-how-we-hacked-y-combinator","url":"https://api.media.ccc.de/public/events/626be573-f64c-480c-a2db-1ccaeec57764","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"10ffd66f-86de-4021-8f69-c9cedc94a3f8","title":"The Automation Illusion? What Machines Can't Do in Threat Modeling","subtitle":null,"slug":"god2025-56484-the-automation-illusion-wh","link":"https://c3voc.de","description":"Threat modeling stands at a critical juncture. While essential for creating secure systems, it remains mostly manual, handcrafted, and often too slow for today's development cycles. At the same time, automation and AI offer new levels of speed and scalability— but how much can we rely on them?\nThis talk explores the tension between automation and human expertise in threat modeling. 
We'll dissect the traditional threat modeling process—scoping, modeling, threat identification, risk analysis, and mitigation—and perform a step-by-step gap analysis to identify what can realistically be automated today, what cannot, and why.\nWe'll dive into:\n\nCurrent tooling: Review the AI threat modeling tools that handle diagram-based automation, template-driven modeling, risk scoring, and pattern matching.\nEmerging AI use cases: automatically generating threat models from architecture diagrams, user stories, or use case descriptions; providing AI-assisted mitigation suggestions; and conducting NLP-driven threat analysis.\nLimitations and risks: False confidence, hallucinations, model bias, ethical accountability, and the challenge of modeling new or context-specific threats.\n\nWe will ground this analysis with examples from organizations and academic research that aim to scale threat modeling without compromising depth or quality, drawing parallels to how other activities, such as SAST and DAST scanning, evolved.\nAttendees will walk away with a practical roadmap for integrating automation without undermining the human insight threat modeling still requires.\nThis talk isn't a tool pitch. 
It's a candid, experience-based view of where automation can meaningfully accelerate threat modeling—and where the human must remain firmly in the loop.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Sebastian Deleersnyder","Georges Bolssens"],"tags":["56484","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":150,"promoted":false,"date":"2025-11-26T13:45:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-02T11:15:08.970+01:00","length":2398,"duration":2398,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56484-10ffd66f-86de-4021-8f69-c9cedc94a3f8.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56484-10ffd66f-86de-4021-8f69-c9cedc94a3f8_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56484-10ffd66f-86de-4021-8f69-c9cedc94a3f8.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56484-10ffd66f-86de-4021-8f69-c9cedc94a3f8.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56484-the-automation-illusion-wh","url":"https://api.media.ccc.de/public/events/10ffd66f-86de-4021-8f69-c9cedc94a3f8","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"03b7a38c-7228-4752-b714-846f0c41d36c","title":"Continuous Vulnerability Scanning with OWASP secureCodeBox","subtitle":null,"slug":"god2025-56480-continuous-vulnerability-s","link":"https://c3voc.de","description":"The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations.\nThis allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerabilities. 
The SCB also allows defining rules to automatically start more in-depth scans based on previous findings, e.g., to start a specialized SSH scan if a port scan discovers an open SSH port.\nScan results can be uniformly handled with prebuilt hooks, e.g. to send out alerts via messaging tools, or to ingest the findings into vulnerability management systems like OWASP DefectDojo.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Jannik Hollenbach"],"tags":["56480","2025","god2025","Track 2","god2025-eng","god2025","Day 1"],"view_count":180,"promoted":false,"date":"2025-11-26T11:55:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-03T20:45:07.102+01:00","length":1461,"duration":1461,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56480-03b7a38c-7228-4752-b714-846f0c41d36c.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56480-03b7a38c-7228-4752-b714-846f0c41d36c_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56480-03b7a38c-7228-4752-b714-846f0c41d36c.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56480-03b7a38c-7228-4752-b714-846f0c41d36c.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56480-continuous-vulnerability-s","url":"https://api.media.ccc.de/public/events/03b7a38c-7228-4752-b714-846f0c41d36c","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]},{"guid":"5cee4aae-a611-484a-9706-27fd2e6a9f4a","title":"Keynote: Code Dark Age","subtitle":null,"slug":"god2025-56472-keynote-code-dark-age","link":"https://c3voc.de","description":"Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. 
Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-row spectators to the collapse of digital civilization. This talk shows how these risks are multiplying, and how the public debate around security often misses the point, making it even harder to fix what is broken. Maybe what we are really witnessing is the world's biggest live demo of the digital apocalypse. But sometimes you have to watch everything burn down before you can rebuild it better.\n\nLicensed to the public under https://creativecommons.org/licenses/by-sa/4.0/","original_language":"eng","persons":["Eva Wolfangel"],"tags":["56472","2025","god2025","Track 1","god2025-eng","god2025","Day 1"],"view_count":1101,"promoted":false,"date":"2025-11-26T09:05:00.000+01:00","release_date":"2025-11-26T00:00:00.000+01:00","updated_at":"2026-03-10T00:30:05.608+01:00","length":2377,"duration":2377,"thumb_url":"https://static.media.ccc.de/media/events/god/2025/56472-5cee4aae-a611-484a-9706-27fd2e6a9f4a.jpg","poster_url":"https://static.media.ccc.de/media/events/god/2025/56472-5cee4aae-a611-484a-9706-27fd2e6a9f4a_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/god/2025/56472-5cee4aae-a611-484a-9706-27fd2e6a9f4a.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/god/2025/56472-5cee4aae-a611-484a-9706-27fd2e6a9f4a.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/god2025-56472-keynote-code-dark-age","url":"https://api.media.ccc.de/public/events/5cee4aae-a611-484a-9706-27fd2e6a9f4a","conference_title":"German OWASP Day 2025","conference_url":"https://api.media.ccc.de/public/conferences/god2025","related":[]}]}