Which is the username and password to access where I see the tools?

Nice video

Is this the infamous pedophile SuperDaE?

nice session

Rainbow Unicorn Attack anyone? 🔔

Come back home Dylan

Interesting, informative, and chocked full of chuckles. Looking forward to the periodic refresh of this video through 2024.

Well done !

I'm just about to sign up for my OWASP Membership, but there is a factor that is still unclear to me, when i become a member do i have access to additional resources from OWASP? Like documentation, best practices and all that? I want to support OWASP, and ive been following OWASP for some years now, but the main "benefit" i see on the membership site are discounts so i dont really know if i get "under the hood" of security resources to improve my knowledge, thanks in advance.

2:00

Great talk! I could be wrong, but I don't believe burp was forked from Paros (mentioned at the very end).

Guys I think the title is wrong... is it 2021 no?

Awesome!

.he .oundtrack is .ery .istorted. .he start of .early every word .s .ut .ff. .akes it .ery .ifficult to .nderstand

This guy fled Australia because of Child Exploitation Material charges...

Is there a course available that would help me understand the script of rules?

owasp.org/www-pdf-archive/OWASPLondon_PostMessage_Security_in_Chrome_Extensions.pdf

03:14 Chrome extensions ecosystem 06:27 postMessage(), Same Origin Policy, iFrames 07:38

01:25 what is API ? 01:55 who uses API ? beating heart of every modern applications 02:52 agenda 03:29 client devices are becoming varied and stronger 04:35 flow of information 05:30 traditional application 05:48 in the modern applications 06:23 less abstraction layers, JSON language 06:36 server is more used as proxy for data 06:40 the rendering component is the client not the server 06:45 client consume raw data, API's exposes the underlying implementation of the app 06:50 the API's expose underlying implementation of the app 07:03 and the user's state is monitored and maintained by the client 07:35 REST AP standard, predictable entry point 08:03 Traditional vulnerabilities are less common in API-Based applications, SQLi, ORM's, CSRF 08:26 Path Manipulations are very different with Cloud-based storage 08:39 SaaS, 08:47 DevOps, API's change all the time, 09:38 planned projects 10:30 Roadmap 11:22 the creation process of the top ten 11:58 API Security Top 10 ------------------------------------------------------------------------- Inon Shkedy ------------------------------------------------------------------------- 13:04 IDF red team, Israeli army 13:37 silicon valley, CI/CD, cloud-based, CSRF 14:12 authorization, decentralized, something very spread in the API 14:57 it's really hard to create a good authorization mechanism with API ------------------------------------------------------------------------- 15:21 A1, IDOR, BOLA 16:28 by far the most common vulnerabilities in API, it's not about ID its about a lack of authorization 18:37 BOLA, UBER, full account takeover, Anand Prakash ------------------------------------------------------------------------- 19:21 A2, Broken Authentication, Facebook, full account takeover ------------------------------------------------------------------------- 21:43 A3 Excessive Data Exposure, dating app 23:07 Why ? API economy, 3fun, example, Alex Lomas ------------------------------------------------------------------------- 24:32 A4 Lack of resources & rate limiting ------------------------------------------------------------------------- 25:00 A5 Broken Function Level Authorization, BFLA 27:38 Function Level Authorization, different roles 28:00 Shopify, lack of the validation of the user role ------------------------------------------------------------------------- 28:22 A6 Mass Assignment, Ruby on Rails, Node.js, black magic 30:24 Why is so common in API's, mass assignment is a bit tricky vulnerability 32:28 James Kettle, example ------------------------------------------------------------------------- 32:38 A7 Security misconfiguration ------------------------------------------------------------------------- 32:59 A8 Injection, why from A1 to A8 ?, ORM's ------------------------------------------------------------------------- 34:05 A9 Improper Asset management 35:02 Unknown API hosts, CI/CD ------------------------------------------------------------------------- 36:11 A10 Insufficient logging, monitoring 37:09 First thing to do, A9

why...i did not get one bit

I like that he makes note of how no one reads the documentation and that is where the answers are. I have screwed myself over many lost hours by just searching instead of reading the docs. The HUD is great. Thanks OWASP.

Awesome!

I really do appreciate fextyhackers.wordpress,com for the $45,000 i got from them

Awesome Video for security gurus. i will make sure to read the book.

Great talk, very informative and still entertaining. Thanks for sharing!

Being in the audience with representations across the board including large financial services, the talk was merely touching responsible disclosure. It was clearly stated which actions would be a breach of the computer misuse act. See also: kzfaq.info/get/bejne/jJyIndil25e4pWw.html

Surprised to see OWASP hosting a talk in which the speaker openly admits to breaches of the Computer Misuse Act. Even more surprised to see it uploaded!

2019 and OWASP uploads a youtube video in 360p

bullshit

thank you for the thank you :-)

If you want to help to get the full Juice Shop jingle done (kzfaq.info/get/bejne/jr6bgLyQu9-uXY0.html) this is the GitHub issue you need to upvote: github.com/braimee/bpatty/issues/13

Why the resolution is so low ? About 360p ?

Nice. Thats what i been waiting for :-D

Wow, a lot of useful information. Got inspired to build a new idea. Thank you so much and appreciate your efforts Ibrahim.

You have not shown the process of AJAX spider? Could you please give me details the process of the same?

this worked great for me: www.we45.com/blog/how-to-integrate-zap-into-jenkins-ci-pipeline-we45-blog

Thanks man! Sure there are some that complain about the audio but the info is there for those who need it. Very useful for me in any case!

Thanks for the video, it helped me understand lot of concepts ! Kudos !!

What's great to see apart from the speaker obviously is Greg in a suit!!!!

This is a very useful topic ,why donot you release it with good quality? there is no audio / poor audio in most the places

As to how the `let` code at 1:34 works, see stackoverflow.com/q/49604335/4642212.

Hi, how I create a Zaproxy_home if I work on Ubuntu?

Vedio has good topic . but need better explanation which will help user. allot . else this is like other video to just dump on youtube and most people watch luck by chance !!!

Superb talk and shocking, to be frank. Wow.

Hi Goran, very good your demo. A couple of question because I am trying to do a demo for my developers team in my work, but I can't make it to work. Maybe is because I use 2 Ubuntu servers without graphical user interface. For what I can see in this video demo you run the Jenkins in Windows server (Or desktop edition) machine right ? how many virtual servers yo use in this demo? just one? thanks in advise for any help that you can give me My best regards Diego

For this to work ZAP itself needs to have the export report and custom report plugins. zap 2.6.0 and a bunch of other stuff - this tutorial is not fully accurate.

great video

where i can see full video of this presentation ??????????

the audio is very poor :(