BEGIN:VCALENDAR
PRODID:-//vBulletin 6//EN
VERSION:2.0
CALSCALE:GREGORIAN
BEGIN:VEVENT
UID:d4a4fb2c-acc6-492c-90bd-e1716052738b
DTSTAMP:20260502T161933Z
SUMMARY:FlowMate - Florian Haag\, Nicolas Schickert
DESCRIPTION:FlowMate\n\nFriday August 11\, 12:00 – 13:55\, Society Boardr
 oom\, Forum\nFlorian Haag & Nicolas Schickert\n\nImagine pentesting a larg
 e web application with hundreds of pages and forms\, as well as user roles
  and tenants. You discover that your chosen username is reflected in many 
 locations inside the application\, but you don't have a detailed overview.
  You want to test whether the chosen username is handled properly or allow
 s for injection attacks\, such as Cross-Site Scripting or Server-Side Temp
 late Injection. Now you face the challenge of finding all locations where 
 your payloads appear when injecting into the username. In large applicatio
 ns\, you'll likely miss some\, potentially leaving vulnerabilities undetec
 ted. This is where FlowMate comes into play\, our novel tool to detect dat
 a flows in applications for enhanced vulnerability assessments. FlowMate c
 onsists of two components: A BurpSuite plugin and a data flow graph based 
 on Neo4j. It records inputs to the application as you go through the pages
  exploring the application and searches for occurrences of the captured in
 puts in the responses. This results in a graph that can be visualized and 
 searched for parameters of interest and where they're occurring on the sit
 e. Understanding the data flows of an application helps to significantly i
 mprove the test coverage and bring your pentesting to the next level.\n\nF
 lorian Haag is a senior security consultant at usd AG with experience in p
 enetration testing\, software security assessments as well as code reviews
 . He is specialized in penetration tests of thick client applications\, le
 veraging his background in software development to reverse engineer propri
 etary client applications and network protocols. In previous scientific wo
 rk\, he worked on novel approaches to application-level data flow analysis
  to improve penetration testing coverage. In addition\, he analyzed websit
 e clones used in phishing campaigns and the frameworks that are used by fr
 audsters to create and operate cloned websites.\n\nNicolas Schickert is a se
 curity researcher and penetration tester at usd AG\, an information securi
 ty company based in Germany. He is in charge of SAP specific penetration t
 ests at the usd HeroLab. In this role\, Nicolas is responsible for the col
 lection of SAP related knowledge and the development of new analysis tools
 . He is interested in reverse engineering and vulnerability research and h
 as published several zero-day vulnerabilities\, not only in the context of
  SAP.\n\nAudience: Offense\, AppSec
URL:https://forum.defcon.org/node/246221
DTSTART:20230811T200000Z
DTEND:20230811T215501Z
LOCATION:Society Boardroom\, Forum
END:VEVENT
END:VCALENDAR
