Events for 2024
Classroom workshops
Salesforce Custom Application Vulnerabilities
By Rodney Beede
This training will cover how to discover vulnerabilities in custom Salesforce applications hosted on the Salesforce PaaS platform. This is not hacking Salesforce itself, but instead custom applications deployed by customers of Salesforce. You should already know OWASP Top 10 fundamentals such as how XSS or injection attacks work. You will learn how to find vulnerabilities specific to Salesforce apps such as SOQL injection, SOSL, cross-site scripting filter bypasses, and bypassing access controls of hidden functions to exfiltrate data.
A new open-source tool “PaaS Cloud Goat” will be used to provide a simulated vulnerable Salesforce application for testing. Students will be expected to use a MitM proxy tool (Burp Suite) to craft malicious attacks to exploit the application. This training will provide a lab manual and live walk-through of the attack process and methods. We will also cover source code review and practice how to find vulnerabilities in code and translate them to working exploits of the simulator app.
Takeaways:
1. Hands-on learning opportunity of security tests for a custom Salesforce application
2. Detailed training documentation material about the underlying flaws to look for
3. Single consolidated list of common Salesforce application vulnerabilities
Audience members must sign up for a free Salesforce Developer Edition account (https://developer.salesforce.com/signup) as well as bring a laptop equipped with Burp Suite Community or Pro.
Intro to Web App Pen-Testing
By Phillip Wylie
Web applications have become the most popular and widely used application type due to portability and compatibility, and these attributes have made them widely used by businesses of all sizes. Web application security and the assessment of security are often misunderstood, overlooked, or just ignored. Web applications and websites accessible through the Internet can be a risk and, when not secure, can expose sensitive information and access to underlying IT infrastructure. The skills taught in this workshop are valuable to those aspiring to become pentesters or security researchers and to participate in bug bounties. Attendees will be provided with a virtual machine-based lab learning environment for use in the workshop and afterwards to continue learning web app pentesting. Participants will receive a list of resources to further their study of web app pentesting.
In this workshop, participants will learn about web application vulnerability assessments and web application pentests. Attendees will learn how to discover, validate, and exploit vulnerabilities from the OWASP Top 10 using industry-standard commercial tools and free and open-source software (FOSS) following the OWASP Testing Guide. During the workshop, attendees will learn how to conduct a web application pentest and write a report on the findings and security posture of the web application.
The following web app pentesting methodology steps will be covered during the workshop:
- Pre-engagement Interactions
- Intelligence Gathering
- Threat Modeling
- Vulnerability Analysis
- Exploitation
- Post Exploitation
- Reporting
Hardware requirements for the virtual lab: a laptop with 20GB of free disk space; VirtualBox or VMware is required to run the virtual lab.
Audience members must bring a laptop with a Chrome browser installed.
Malware Archaeology: Checking Files, Folders, Autoruns, Running Processes for Malicious Crafting
By Michael Gough
Checking autoruns, running processes, files, and entire folders for files with signs of malicious crafting. Is this file, or are these files, good, suspicious, or malicious?
Ever wondered if you can quickly check one or more suspicious autoruns, one or all running processes, a file, or a whole directory of files, or a share of files for signs of malicious crafting within the file?
This workshop will go over a method for these scenarios in which you can quickly check a static file for signs of malicious crafting, also known as static analysis of the file. We will discuss why these three methods are important, how you can check them, and what tools to use. No internet required.
A must for security analysts, incident responders, or even Red Teamers to learn about how to check files for signs of malicious crafting.
Ghidra and CodeWalker RE
By Chilton Webb
Ghidra is a top notch tool for reverse engineering certain types of code, and creating C source code from that. Unfortunately, that code is rather useless because the function names have either been obfuscated or stripped away. CodeWalker can easily penetrate all forms of text obfuscation and will show exactly how the code works, and what it does. Between these two tools, you can reverse engineer many common viruses and pieces of malware, find the command and control servers if they exist, and unlock any other secrets the virus authors are trying to hide. And I'll show you how to do it in about an hour.
Audience members must bring a laptop and will get a link to a free special version of the latest version of CodeWalker that will time out after a month.
AppSec Forensics Workshop
By David Neal
Often, forensic investigators face challenges when dealing with in-house developed applications compromised by novel vulnerabilities and exploits. This can make it difficult to uncover the full chain of events. Investigating such scenarios requires a blend of traditional forensics, application security, and offensive security knowledge.
Attendees will receive a REMnux virtual machine containing a small Linux OS image of a compromised web application, where attackers have gained complete control of the system. We'll guide participants through mounting the image and utilizing common open-source tools to investigate the compromise. By the end of the session, attendees will grasp the dynamic nature of these situations and be equipped to apply these tools to real-world compromises.
Audience Requirements: Laptop with an SSH client installed (PuTTY/OpenSSH)
Value of Tabletop Exercises
By Rob Dodson
An exercise running through a cyber security incident in a tabletop setting. This workshop explores the value of tabletop exercises in a defensive setting and their ability to guide a company’s response to cyber threats.
This will be a highly interactive session where audience participation is heavily encouraged!
Activities
Lockpicking Village
By Nathan Reyes
Whether you're a novice or an experienced lock picker, this challenge offers an opportunity to hone your abilities and have fun in the process. The event is set up in a casual drop-in/drop-out format, allowing participants to come and go as they please throughout the duration of the conference.
Drop in/Drop out
Soldering Workshop
By Andrew Neumann
Don't miss this opportunity to learn and get hands-on soldering experience with a soldering workshop presented by San Antonio Circuit Makers! Drop in any time to practice your soldering on your very own B-Sides San Antonio badge.
San Antonio Circuit Makers (SACM), a local organization dedicated to promoting electronics education, will present a soldering workshop at B-Sides SATX 2024. Soldering is a fundamental skill in electronics, essential for assembling circuits and creating electronic devices. Whether you've never held a soldering iron or you're an experienced enthusiast, this workshop will be an exciting maker space for all ages! Participants will complete their very own soldering kit that includes a printed circuit board, LEDs, a switch, a badge pin and clasp, a secure battery holder, and a battery.
Drop in/Drop out
CTFs and Competitions
SnekWars
By @0xAHHC
SnekWars is a series of increasingly difficult Python challenges meant to test your Python programming skills. It will take place throughout the day of BSides SATX and will consist of a couple dozen challenges that will test your Python skills.
Access Here: https://antihackerhackerclub.com/snekwars/
Participants are required to bring a laptop with internet access and Python.
Crypto Challenge
By Carl Mehner
The registration link will be provided on this page on the day of the event. Try your hand at deciphering this year's challenge! There are ten puzzles in all; how many can you complete during the day?
Participants are required to bring a laptop with internet access.
Access here: http://crypto.bsidessatx.com/
Hacker Combat CTF
Access here: https://ctf.bsidessatx.com
*Firefox Recommended*