Exploiting Modern Desktop Applications

Presented at Kernelcon 2020 Virtual, March 27, 2020, 10:30 a.m. (60 minutes).

Let's learn how to attack “Modern Desktop” applications. Specifically we will look at the blurring lines between desktop and web applications, and how embedded (browsers) renders can be exploited, the methods for discovering exploits, and how they can be fixed. On this journey we go over remote code execution vulnerabilities I discovered in apps like Teams, Outlook, Facebook Workplace, chat apps like Slack and Google Chat, and even a Docker sandbox escape. I will also be introducing a new IAST (interactive application security testing) tool I developed to help find these issues. Last and most importantly look at how to prevent / fix these issues in your applications.

Presenters:

• Matt Austin
  Matt Austin is a security researcher and bug bounty hunter with 15 years of appsec experience. He is also the Director of Security Research at Contrast Security focused on runtime security assessment and protection through instrumentation.

Similar Presentations:

• THOTCON 0x6 (2015) / Bypassing the Secure Desktop Protections
• Kiwicon X: The Truth is In Here (2016) / Out of the Browser into the Fire: Exploiting Native Web-based Applications
• DEF CON 27 (2019) / Web2Own: Attacking Desktop Apps From Web Security's Perspective