OWASP Meeting in Krakow - OAuth secrets + Bug bounty

Event:
OWASP Meeting in Krakow - OAuth secrets + Bug bounty
Event type:
Meetup
Date:
01.10.2024 (Tuesday)
Time:
18:00
Language:
English
Price:
Free
City:
Krakow
Place:
Techie's
Address:
Na Zjeździe 11
Speakers:
Grzegorz Niedziela
Description:
Hi,
We are the Polish chapter of OWASP, a worldwide non-profit organisation focused on application security.
This time we have invited Grzegorz Niedziela, host of the "Bug Bounty Reports Explained" YouTube channel. He will give a talk about OAuth security, and afterwards we will discuss the bright and dark sides of bug bounty.
Agenda:
- OAuth Secrets (Grzegorz Niedziela)
- These days, OAuth is a key protocol that lets us log in to many websites with one click. As with anything, this convenience doesn't come without a cost, and the cost here is the risk of an account-takeover bug. That's not just changing the redirect_uri to an attacker-controlled host, which for many hackers is the only attack they know; that attack won't work too well in 2024. This talk is about exploiting smaller misconfigurations: for example, what to do if you only control the path of the redirect_uri, or how to exfiltrate the authorization code when your open redirect doesn't preserve parameters. It will also look at particular auth providers and how they make life easier for us by being far more relaxed than the standard requires.
- After the break, we will host a discussion about bug bounty. We want to cover both sides: bug hunters and companies that run bug bounty programs.
- How to report vulnerabilities? Where to look? What should your goal be: easy bugs found en masse, or sophisticated kill chains? What to expect? Bug bounty myths and reality.
- How can bug bounty help your organisation? What are the real costs of running a bug bounty program? What can go wrong? How to manage a good program? Bug bounty or penetration testing?
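To make the "relaxed provider" point in the OAuth Secrets abstract concrete, here is an added example in Python; it is not code from the talk or from this page. It models an authorization server's redirect_uri check in two flavours: the relaxed scheme-plus-host or prefix matching some providers use, and the simple string comparison against the pre-registered URI that RFC 6749 section 3.1.2.3 and RFC 9700 call for. It also shows where the browser actually lands once it resolves dot-segments in the path. The client id, the registered callback, the hostnames and the candidate URIs are all constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed client registration (hypothetical client id and callback).
REGISTERED = {
    "client-123": ["https://app.example/oauth/callback"],
}


def relaxed_match(client_id: str, redirect_uri: str) -> bool:
    """Relaxed policy: accept a redirect_uri if its scheme and host equal those
    of a registered URI, or if its string merely starts with a registered URI.
    This is the kind of leniency the talk abstract refers to."""
    for registered in REGISTERED.get(client_id, []):
        reg, cand = urlsplit(registered), urlsplit(redirect_uri)
        if (reg.scheme, reg.hostname) == (cand.scheme, cand.hostname):
            return True
        if redirect_uri.startswith(registered):
            return True
    return False


def strict_match(client_id: str, redirect_uri: str) -> bool:
    """Standard-conformant policy: simple string comparison against the
    registered value, with no normalisation and no partial matching."""
    return redirect_uri in REGISTERED.get(client_id, [])


def effective_target(redirect_uri: str) -> str:
    """Where the user agent really sends the code: browsers resolve '..' path
    segments in the Location URL before issuing the request, so the string the
    server validated and the path the browser hits can differ."""
    parts = urlsplit(redirect_uri)
    return parts._replace(path=posixpath.normpath(parts.path)).geturl()


# Constructed candidate redirect_uri values an attacker might submit.
CANDIDATES = [
    "https://app.example/oauth/callback",                         # legitimate
    "https://attacker.example/oauth/callback",                    # host swap
    "https://app.example/redirect?to=https://attacker.example",   # path-only control
    "https://app.example/oauth/callback/../redirect?to=https://attacker.example",
]


def evaluate(client_id: str, candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {redirect_uri: (accepted_by_relaxed, accepted_by_strict)}."""
    return {
        uri: (relaxed_match(client_id, uri), strict_match(client_id, uri))
        for uri in candidates
    }


if __name__ == "__main__":
    for uri, (relaxed, strict) in evaluate("client-123", CANDIDATES).items():
        print(f"relaxed={relaxed!s:5} strict={strict!s:5} {uri}")
        if relaxed and not strict:
            print(f"    browser lands on: {effective_target(uri)}")
```

The host-swap URI is rejected by both policies, which is why that classic attack rarely works any more. The two URIs that keep the legitimate host but change only the path pass the relaxed check and fail the strict one, and the dot-segment variant is additionally rewritten by the browser to a path the server never saw. Exact string comparison closes both gaps without any URL parsing at all.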
Please RSVP and save the date!
If you have a minute, please share this invitation with friends and in your social media.