Scala Security: Examining the Play and LiftWeb Frameworks

Presented at Black Hat Europe 2014, Oct. 16, 2014, 2:15 p.m. (60 minutes)

Scala is an increasingly popular language that runs on the JVM. LiftWeb and Play are the two main web application frameworks developed for Scala. The language is getting really hot in the web start-up and Financial Tech world, but nobody has dug deep into the frameworks to see if they're secure. This talk reviews the various exploitation mitigations built into each framework and what this means for attackers and defenders. The core of our talk examines the OWASP Top 10 as it applies to Lift/Play, and we'll also publicly release our "hack me" app as well as a Scala library to help prevent SSRF.
Presenters:

  • Paolo Soto - Include Security
    Paolo Soto earned a BS in Computer Science from UC Berkeley and specializes in the field of mobile security, specifically in the Android and iOS platforms. His research on evading host-based intrusion detection has been published in the ACM Conference on Computer and Communications Security. Paolo prefers researching exploitation techniques involving memory corruption and privacy flaws in mobile applications.
  • Erik Cabetas - Include Security
    Erik has been hacking on apps since 2000. He has previously worked in big consulting companies and software vendors, and even ran an E-Commerce security team for three years. In 2010, Erik founded Include Security to bring together some of the best hackers to kick butt for Silicon Valley and NYC. Since then the team has performed hundreds of assessments in over 26 languages. Outside of his day job, Erik has won a number of ethical hacking contests, including Defcon CTF. He has also served as a hacking consultant for TV shows and movies produced by Sony Pictures and MGM Studios.
