|=------------------------------------------------------------------------------------------------=|

 ########  ######## ########  ######   #######  ##    ##    ########   #######  ##     ## ######## 
 ##     ## ##       ##       ##    ## ##     ## ###   ##    ##     ## ##     ## ###   ### ##       
 ##     ## ##       ##       ##       ##     ## ####  ##    ##     ## ##     ## #### #### ##       
 ##     ## ######   ######   ##       ##     ## ## ## ##    ########  ##     ## ## ### ## ######   
 ##     ## ##       ##       ##       ##     ## ##  ####    ##   ##   ##     ## ##     ## ##       
 ##     ## ##       ##       ##    ## ##     ## ##   ###    ##    ##  ##     ## ##     ## ##       
 ########  ######## ##        ######   #######  ##    ##    ##     ##  #######  ##     ## ######## 
 
|=------------------------------------------------------------------------------------------------=|

                                 DEF CON group 11396 @ Rome, Italy
                                


|=--------------------------------------=[ September 2019 ]=--------------------------------------=|

by malweisse

This is the 9th meeting of the DEF CON group.

Date and location: September 27th from 5 p.m. to 7 p.m. in the A4 room at the Department of Computer, Control, and Management Engineering (DIAG) Antonio Ruberti at Sapienza University of Rome.

The schedule is:

---[ The layman guide to ChakraCore Exploitation, by chqmatteo

A walkthrough in the lands of libChakraCore.so.

This talk is an introduction to the exploitation of JavaScript, an untyped language in which types are a pot of gold for bugs. The focus is on ChakraCore and CVE-2019-0567, a bug discovered by Lokihardt of Google Project Zero and recently proposed as a challenge of Trend Micro CTF 2019. It is a type confusion caused by a broken assumption during the type transition of an object.

Slides link: https://drive.google.com/file/d/1_0uqHAa0aRPAXVe6zmuoFDUoAsoyVNCu/view?usp=sharing

Exploits and binaries: /assets/chakra_talk_stuffs.tar.gz.

---[ Smashing the SOP for fun and profit, by bonaff and TheNodi

Web sites are slaves of a program called "Same Origin Policy (SOP)". Due to this program, the reality perceived by web sites is not the actual reality. It is a dream world which is almost similar to the real world. But since web sites have no idea about this, they react to every situation in the dream world as they do in the real world.

Do not try and bend the spoon. That's impossible. Instead, only try to realize the truth: all web sites are in the same world.

In the talk, we will show the rules all web sites are constrained by when they try to communicate with each other. And, of course, because you are the chosen ones, you will learn how to bend them to your will and join us in the marvelous world of web exploiting.

Slides link: https://docs.google.com/presentation/d/1KY2ihbJf4MyL6jbvHBwLX-MyIit4mCpxBJ0mFmn44fc/edit?usp=sharing