Benjamin Mossé
Senior IT security consultant
Conference presentations and workshops
Workshop: Introduction to binary exploit and source code auditing (AISA Perth Techdays 2009)
Software is everywhere, and insecure software is everywhere too! In this two-hour workshop you will be thrown into the world of vulnerability research and exploit development. You will see what software vulnerabilities actually look like, find out how to exploit them and what tools you should have in your kit.
This workshop will cover bizarre names everyone hears about but does not understand, such as stack overflows, shellcodes or ‘getting pwned’. While any programming knowledge you may have will definitely help you on this journey, the presenter plans to explain the most important concepts you will need to get started. And even if you have experience with all of the words stated above, the presenter has some hacking challenges for you to play with.
Browser Rider: Your way to Fun Browsing
Browser exploitation is in fashion, but there doesn't seem to be a popular tool to build and run attacks. Browser Rider will try to fill the gap by providing a framework to build, deploy and manage payloads that exploit the browser. In the long term, this project aims to provide hackers with a powerful, simple and flexible interface to any client-side attack. (download: Ruxcon 2008, OWASP App Sec 2009, OWASP Melbourne Chapter)
Workshop: Web 2.0 INsecurity (AusCert 2008)
Many service providers have offered their business through web applications. Web services have developed over the past years into a powerful and flexible platform where business meets business and customers. This has triggered a surge of new requirements, leading to some significant changes in the way we use and consume software, store data and develop applications, completely transforming the Web. Probably the most popular Web development in recent years is AJAX. Together with other technologies, AJAX forms the foundation for Web 2.0, which revolutionised the way we use and experience the web. Unfortunately, the industry has created a new popular technology without much security in mind. Not only have new attack vectors evolved, but the attack surface for old web application attacks has also increased. Cross-Site Scripting (XSS), parameter manipulation and session hijacking are just a few of them. Additionally, security professionals have to be concerned about new data containers like JSON, new architecture principles like REST, new protocols like SOAP and especially the JavaScript language.
Javascript worms: the next step in the evolution (OWASP Australia AppSec 2008)
Hackers are designing JavaScript worms that exploit permanent cross-site scripting attacks, protecting their identity and automatically infecting other vulnerable websites. (download ppt)
Online projects
Browser Rider: a client-side exploitation framework
Browser Rider is a powerful hacking framework to build payloads that exploit the browser. It lets you send JavaScript on the fly to computers browsing an infected web page. Technically, Browser Rider has the following features:
- Easily create powerful payloads
- Obfuscation
- Polymorphism
- Control more than one zombie at a time
- Simple administration panel
visit the project page