BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//ScaleUp Porto - ECPv5.1.5//NONSGML v1.0//EN
CALSCALE:GREGORIAN
METHOD:PUBLISH
X-WR-CALNAME:ScaleUp Porto
X-ORIGINAL-URL:https://scaleupporto.pt
X-WR-CALDESC:Events for ScaleUp Porto
BEGIN:VTIMEZONE
TZID:UTC
BEGIN:STANDARD
TZOFFSETFROM:+0000
TZOFFSETTO:+0000
TZNAME:UTC
DTSTART:20190101T000000
END:STANDARD
END:VTIMEZONE
BEGIN:VEVENT
DTSTART;TZID=UTC:20190619T093000
DTEND;TZID=UTC:20190619T123000
DTSTAMP:20260528T043321
CREATED:20190531T141006Z
LAST-MODIFIED:20230310T135027Z
UID:8701-1560936600-1560947400@scaleupporto.pt
SUMMARY:Masterclass Security
DESCRIPTION:Bounty life\, with André Baptista\nIn this talk\, André will show his journey\, how to achieve the #bountylife\, how live hacking events work and how to get invites. He will walk you through his best bugs and techniques\, found during live hacking events and doing bug bounties.\n  \nTrusted Types and the end of DOM XSS\, with Krzysztof Kotowicz\n18 years have passed since Cross-Site Scripting (XSS) was identified as a web vulnerability class. Since then\, numerous efforts have been proposed to detect\, fix or mitigate it. We’ve seen vulnerability scanners\, fuzzers\, static & dynamic code analyzers\, taint tracking engines\, linters\, and finally XSS filters\, WAFs and all the various flavours of Content Security Policy.\nVarious libraries have been created to minimize or eliminate the risk of XSS: HTML sanitizers\, templating libraries\, sandboxing solutions – and yet XSS is still one of the most prevalent vulnerabilities plaguing web applications.\nIt seems that\, while we have a pretty good grasp on how to address stored & reflected XSS\, “solving” DOM XSS remains an open question. DOM XSS is caused by the ever-growing complexity of client-side JavaScript code (see script gadgets)\, but most importantly – by the lack of security in DOM API design.\nBut perhaps we have a chance this time? Trusted Types is a new browser API that allows a web application to limit its interaction with the DOM\, with the goal of obliterating DOM XSS. Based on the battle-tested design that prevents XSS in most of the Google web applications\, Trusted Types adds a DOM XSS prevention API to browsers. Trusted Types allow the application components that may potentially introduce DOM XSS to be isolated into tiny\, reviewable pieces\, and guarantee that the rest of the code is DOM-XSS free. They can also leverage existing solutions\, like autoescaping templating libraries or client-side sanitizers\, as building blocks of a secure application.\nTrusted Types have a working polyfill and an implementation in Chrome\, and integrate well with existing JS frameworks and libraries. Oddly similar to both XSS filters and CSP\, they are also fundamentally different\, and in our opinion have a reasonable chance of eliminating DOM XSS – once and for all.\n  \nAbout the Guests\nAndré Baptista is a professor in the Master in Information Security at the University of Porto and a security researcher. He’s the captain of the xSTF CTF team and the winner of the Most Valuable Hacker prize at a HackerOne live-hacking event in Washington DC\, 2018. He is a bug bounty hunter and a collaborator of C3P (Center of Competence in Cyber Security and Privacy) at the University of Porto.\nKrzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google’s Vulnerability Rewards Program. He’s a web security researcher specialized in JavaScript\, browser extensions and client-side security. He is the author of multiple open-source pentesting tools and of recognized HTML5/UI redressing attack vectors\, and a speaker at international IT security conferences & meetings (Black Hat\, BruCON\, Hack In Paris\, CONFidence\, SecurityByte\, HackPra\, OWASP AppSec\, Insomni’Hack).\n
URL:https://scaleupporto.pt/event/masterclass-security/
LOCATION:Porto Innovation Hub\, Largo Tito Fontes 15\, Porto\, 4000-124\, Portugal
CATEGORIES:Masterclass
ATTACH;FMTTYPE=image/png:https://scaleupporto.pt/wp-content/uploads/2019/05/Masterclass-Security.png
END:VEVENT
END:VCALENDAR