https://media.ccc.de/c/god2025 This feed contains all events from god2025 as mp4 see video outro Sun, 01 Feb 2026 17:06:38 -0000 https://static.media.ccc.de/media/events/god/2025/logo.jpg https://media.ccc.de/c/god2025 https://media.ccc.de/v/god2025-56485-pwn-my-ride-jailbreaking-c Apple CarPlay is a widely known protocol that connects smartphones to car multimedia systems. Based on AirPlay, CarPlay is installed in millions of cars, as it is supported by hundreds of car models from dozens of different manufacturers across the globe. In our talk, we will share how we managed to exploit all devices running CarPlay using a single vulnerability we discovered in the AirPlay SDK. We'll take you through our entire exploit development process from identifying the vulnerability, to testing it on a custom device emulator, and finally, executing the exploit on actual devices. The session will include a demonstration of our RCE exploit on a well known third-party CarPlay device to show how an attacker can run arbitrary code while in physical proximity to a target car. We will also share how we managed to blindly exploit CarPlay without a debugger, knowing the vulnerable code is present on the system. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 13:45:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56485-eng-Pwn_My_Ride_Jailbreaking_Cars_with_CarPlay_sd.mp4?1764169780 93ba92ed-1e79-45e3-80a7-02f39db0f693 2025-11-26T13:45:00+01:00 Avi Lumelsky No 56485, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 Apple CarPlay is a widely known protocol that connects smartphones to car multimedia systems. Based on AirPlay, CarPlay is installed in millions of cars, as it is supported by hundreds of car models from dozens of different manufacturers across the globe. In our talk, we will share how we managed to exploit all devices running CarPlay using a single vulnerability we discovered in the AirPlay SDK. We'll take you through our entire exploit development process from identifying the vulnerability, to testing it on a custom device emulator, and finally, executing the exploit on actual devices. The session will include a demonstration of our RCE exploit on a well known third-party CarPlay device to show how an attacker can run arbitrary code while in physical proximity to a target car. We will also share how we managed to blindly exploit CarPlay without a debugger, knowing the vulnerable code is present on the system. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:40:58 https://media.ccc.de/v/god2025-56491-the-trust-trap-security-vo Coding Assistants wie Github Copilot, Cursor oder Claude versprechen einen Effizienzboost für die Softwareentwicklung. Doch welchen Einfluss hat die Nutzung dieser Tools auf die Software Security? Dieser Vortrag analysiert die Vor- und Nachteile von Coding Assistants in Hinblick auf die Sicherheit des entstehenden Codes. Er gibt einen Überblick über die aktuelle Studienlage und die Benchmarks zu den verschiedenen Modellen und diskutiert die Ergebnisse. Neben der Bedeutung von eingebrachten Schwachstellen im Code selbst werden Risiken wie Slopsquatting, Model Poisoning und Rules File Backdoors erläutert. Zuletzt gibt der Vortrag Empfehlungen zu Best Practices für die Nutzung von Coding Assistants: von der richtigen Konfiguration und Nutzung über Richtlinien zum Review und Testen von solchem Code. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 15:50:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56491-eng-The_Trust_Trap_-_Security_von_Coding_Assistants_sd.mp4?1764189909 0a83a3f1-0f25-42c8-ae7a-7d06ea291672 2025-11-26T15:50:00+01:00 Clemens Hübner No 56491, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 Coding Assistants wie Github Copilot, Cursor oder Claude versprechen einen Effizienzboost für die Softwareentwicklung. Doch welchen Einfluss hat die Nutzung dieser Tools auf die Software Security? Dieser Vortrag analysiert die Vor- und Nachteile von Coding Assistants in Hinblick auf die Sicherheit des entstehenden Codes. Er gibt einen Überblick über die aktuelle Studienlage und die Benchmarks zu den verschiedenen Modellen und diskutiert die Ergebnisse. Neben der Bedeutung von eingebrachten Schwachstellen im Code selbst werden Risiken wie Slopsquatting, Model Poisoning und Rules File Backdoors erläutert. Zuletzt gibt der Vortrag Empfehlungen zu Best Practices für die Nutzung von Coding Assistants: von der richtigen Konfiguration und Nutzung über Richtlinien zum Review und Testen von solchem Code. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:43:05 https://media.ccc.de/v/god2025-56481-phishing-for-passkeys-an-a WebAuthn was supposed to replace swords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach more widespread adoption. This presentation discusses the security of passkeys against phishing attacks. It explains the possibilities for an attacker to gain access to accounts secured with passkeys using spear phishing, and what conditions must be met for this to happen. It also practically demonstrates such an attack and discusses countermeasures. Participants will learn which WebAuthn security principles still apply to passkeys and which do not. They will learn why passkeys are no longer completely phishing-proof and how they can evaluate this consideration for their own use of passkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 12:20:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56481-eng-Phishing_for_Passkeys_An_Analysis_of_WebAuthn_and_CTAP_sd.mp4?1764164439 ccc2f9a5-01b4-4482-bafd-fd86279a13d3 2025-11-26T12:20:00+01:00 Michael Kuckuk No 56481, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 WebAuthn was supposed to replace swords on the web: uniform, secure, manageable authentication for everyone! One of its unique selling points was supposed to be the impossibility of phishing attacks. When passkeys were introduced, some of WebAuthn's security principles were watered down in order to achieve some usability improvements and thus reach more widespread adoption. This presentation discusses the security of passkeys against phishing attacks. It explains the possibilities for an attacker to gain access to accounts secured with passkeys using spear phishing, and what conditions must be met for this to happen. It also practically demonstrates such an attack and discusses countermeasures. Participants will learn which WebAuthn security principles still apply to passkeys and which do not. They will learn why passkeys are no longer completely phishing-proof and how they can evaluate this consideration for their own use of passkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:19:24 https://media.ccc.de/v/god2025-56487-mcp-security-hot-potato-ho Model Context Protocol (MCP) is the latest hot topic in cybersecurity. Business wants it (AI is the new mantra), developers are excited (new toys, new code), and security teams are left to make it safe—often with already packed schedules. Let's treat it like just another Tuesday. Like many shiny new technologies (remember the early days of cloud?), MCP is being built with a “features first, security later” mindset. As a fresh piece of tech, it blends novel vulnerabilities with familiar, well-known ones. If you're an early adopter, it's important to accept that MCP and its current implementations are imperfect—and to be ready for that. In this talk, we'll dive into the real-world challenges companies are facing with MCP and equip you with practical remediations. We'll cover topics such as: An introduction to the MCP protocol and its security considerations, including authentication Emerging vulnerabilities like prompt injections, tool poisoning, rug pull attacks, and cross-server tool shadowing Classic vulnerabilities that may resurface around MCP, based on recent CVEs Remediation strategies and available tooling Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 14:30:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56487-eng-MCP_security_hot_potato_how_to_stay_secure_integrating_external_tools_to_your_LLM_sd.mp4?1764170493 591309e4-b4c7-4ecc-9667-efe5d34c8f2c 2025-11-26T14:30:00+01:00 Mateusz Olejarka, Dawid Nastaj No 56487, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 Model Context Protocol (MCP) is the latest hot topic in cybersecurity. Business wants it (AI is the new mantra), developers are excited (new toys, new code), and security teams are left to make it safe—often with already packed schedules. Let's treat it like just another Tuesday. Like many shiny new technologies (remember the early days of cloud?), MCP is being built with a “features first, security later” mindset. As a fresh piece of tech, it blends novel vulnerabilities with familiar, well-known ones. If you're an early adopter, it's important to accept that MCP and its current implementations are imperfect—and to be ready for that. In this talk, we'll dive into the real-world challenges companies are facing with MCP and equip you with practical remediations. We'll cover topics such as: An introduction to the MCP protocol and its security considerations, including authentication Emerging vulnerabilities like prompt injections, tool poisoning, rug pull attacks, and cross-server tool shadowing Classic vulnerabilities that may resurface around MCP, based on recent CVEs Remediation strategies and available tooling Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:24:38 https://media.ccc.de/v/god2025-56486-extract-a-php-foot-gun-cas Do you always read the documentation before using a function in your languages' standard library? This talk explores the attack surface of a special feature in PHP which is easy to misuse with unforseen consequences. The `extract` function allows to replace the value of local variables named after the keys in an array. Calling it with user-controlled input allows the attacker to change arbitrary variables in the program. The documentation warns against the dangers of using it with untrusted data, but our large-scale analysis on 28.325 PHP projects from GitHub shows, that this warning is ignored. The talk walks through the process of identifing `extract`-based vulnerabilities and how they might have ended up the way they are by looking at the surrounding code. After introducing different levels of attacker-control guided by concrete exploits, listeners gain an intuition on what to look out for while reviewing code. Attending this talk, the audience will learn: Rich ways users have control over input in PHP. How to exploit insecure calls to `extract` given multiple real-world case-studies from the dataset of open source projects from GitHub. Tips on how to avoid this and similar threats in new and legacy code. Possible changes to PHP itself for risk reduction. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 14:30:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56486-eng-Extract_A_PHP_Foot-Gun_Case_Study_sd.mp4?1764169966 69326d17-20c7-4993-a8e1-3d3fa7c26b1f 2025-11-26T14:30:00+01:00 Jannik Hartung, Martin Johns, Simon Koch No 56486, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Do you always read the documentation before using a function in your languages' standard library? This talk explores the attack surface of a special feature in PHP which is easy to misuse with unforseen consequences. The `extract` function allows to replace the value of local variables named after the keys in an array. Calling it with user-controlled input allows the attacker to change arbitrary variables in the program. The documentation warns against the dangers of using it with untrusted data, but our large-scale analysis on 28.325 PHP projects from GitHub shows, that this warning is ignored. The talk walks through the process of identifing `extract`-based vulnerabilities and how they might have ended up the way they are by looking at the surrounding code. After introducing different levels of attacker-control guided by concrete exploits, listeners gain an intuition on what to look out for while reviewing code. Attending this talk, the audience will learn: Rich ways users have control over input in PHP. How to exploit insecure calls to `extract` given multiple real-world case-studies from the dataset of open source projects from GitHub. Tips on how to avoid this and similar threats in new and legacy code. Possible changes to PHP itself for risk reduction. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:24:37 https://media.ccc.de/v/god2025-56494-owasp-top-102025-aktuelle Der Kurzvortrag stellt den aktuellen Stand der OWASP Top 10:2025 vor, mit etwas Glück haben wir bis dahin schon mehr... Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 17:05:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56494-deu-OWASP_Top_102025_Aktuelle_Informationen_und_Insights_zum_Projekt_sd.mp4?1764190375 f9291c47-6a2d-4ad3-8fff-36877a8684c4 2025-11-26T17:05:00+01:00 Torsten Gigler No 56494, 2025, god2025, Track 1, god2025-deu, god2025, Day 1 Der Kurzvortrag stellt den aktuellen Stand der OWASP Top 10:2025 vor, mit etwas Glück haben wir bis dahin schon mehr... Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:11:10 https://media.ccc.de/v/god2025-56492-der-cyber-resilience-act-w Der Cyber Resilience Act, kurz CRA, ist eine neue Verordnung der EU und tritt im Dezember 2027 vollständig in Kraft. Das Kernelement der Verordnung ist die Softwaresicherheit für alle so genannten „Produkte mit digitalen Elementen“, die auf dem EU-Markt kommerziell angeboten werden. Diese umfassen sowohl vernetzte Hardware-Produkte, in denen Firmwares laufen, als auch reine Softwareprodukte. Die Anforderungen an die Software-Hersteller erstrecken sich von grundsätzlichem „Security by Design“ und „Secure by Default“, über Bedrohungsanalysen der Software bis hin zu verpflichtendem Patching und Schwachstellenmanagement. Die Themen klingen irgendwie familiär? Kein Wunder, denn eine ganze Reihe von Projekten aus dem OWASP-Ökosystem sind geradezu prädestiniert zum Einsatz im Kontext des CRAs. Nicht nur, dass mit CycloneDX einer der zwei de-facto SBOM-Standards aus OWASP heraus entstanden ist - auch Frameworks wie OWASP SAMM oder Tools wie Dependency-Track können ganz entscheidende Rollen für die Umsetzung von Supply-Chain-Security und SDLC-Prozessen spielen. In diesem Talk schauen wir uns die Anforderungen der Verordnung genauer an und blicken dann auf Schnittstellen zu OWASP-Projekten. Dies soll am Ende helfen, sowohl für die Seite der Hersteller ein besseres Bild für OWASP zu erzeugen, als auch von OWASP-Seite aus zielgenauer auf CRA-Verpflichtete zugehen zu können. Je mehr Menschen sich in den Themen wiederfinden und Zusammenarbeit entstehen kann, desto besser. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 16:35:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56492-deu-Der_Cyber_Resilience_Act_Wie_OWASP_fuer_die_Software-Hersteller_eine_entscheidende_Rolle_spielen_kann_sd.mp4?1764190127 fa9e001a-77f8-4a85-81c1-5decbc29a54e 2025-11-26T16:35:00+01:00 Dominik Pataky No 56492, 2025, god2025, Track 1, god2025-deu, god2025, Day 1 Der Cyber Resilience Act, kurz CRA, ist eine neue Verordnung der EU und tritt im Dezember 2027 vollständig in Kraft. Das Kernelement der Verordnung ist die Softwaresicherheit für alle so genannten „Produkte mit digitalen Elementen“, die auf dem EU-Markt kommerziell angeboten werden. Diese umfassen sowohl vernetzte Hardware-Produkte, in denen Firmwares laufen, als auch reine Softwareprodukte. Die Anforderungen an die Software-Hersteller erstrecken sich von grundsätzlichem „Security by Design“ und „Secure by Default“, über Bedrohungsanalysen der Software bis hin zu verpflichtendem Patching und Schwachstellenmanagement. Die Themen klingen irgendwie familiär? Kein Wunder, denn eine ganze Reihe von Projekten aus dem OWASP-Ökosystem sind geradezu prädestiniert zum Einsatz im Kontext des CRAs. Nicht nur, dass mit CycloneDX einer der zwei de-facto SBOM-Standards aus OWASP heraus entstanden ist - auch Frameworks wie OWASP SAMM oder Tools wie Dependency-Track können ganz entscheidende Rollen für die Umsetzung von Supply-Chain-Security und SDLC-Prozessen spielen. In diesem Talk schauen wir uns die Anforderungen der Verordnung genauer an und blicken dann auf Schnittstellen zu OWASP-Projekten. Dies soll am Ende helfen, sowohl für die Seite der Hersteller ein besseres Bild für OWASP zu erzeugen, als auch von OWASP-Seite aus zielgenauer auf CRA-Verpflichtete zugehen zu können. Je mehr Menschen sich in den Themen wiederfinden und Zusammenarbeit entstehen kann, desto besser. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:21:12 https://media.ccc.de/v/god2025-56484-the-automation-illusion-wh Threat modeling stands at a critical juncture. While essential for creating secure systems, it remains mostly manual, handcrafted, and often too slow for today's development cycles. At the same time, automation and AI offer new levels of speed and scalability— but how much can we rely on them? This talk explores the tension between automation and human expertise in threat modeling. We'll dissect the traditional threat modeling process—scoping, modeling, threat identification, risk analysis, and mitigation—and perform a step-by-step gap analysis to identify what can realistically be automated today, what cannot, and why. We'll dive into: Current tooling: Review the AI threat modeling tools that handle diagram-based automation, template-driven modeling, risk scoring, and pattern matching. Emerging AI use cases: automatically generating threat models from architecture diagrams, user stories, or use case descriptions; providing AI-assisted mitigation suggestions; and conducting NLP-driven threat analysis. Limitations and risks: False confidence, hallucinations, model bias, ethical accountability, and the challenge of modeling new or context-specific threats. We will ground this analysis with examples from organizations and academic research that aim to scale threat modeling without compromising depth or quality, drawing parallels to how other activities, such as SAST and DAST scanning, evolved. Attendees will walk away with a practical roadmap for integrating automation without undermining the human insight threat modeling still requires. This talk isn't a tool pitch. It's a candid, experience-based view of where automation can meaningfully accelerate threat modeling—and where the human must remain firmly in the loop. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 13:45:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56484-eng-The_Automation_Illusion_What_Machines_Cant_Do_in_Threat_Modeling_sd.mp4?1764168046 10ffd66f-86de-4021-8f69-c9cedc94a3f8 2025-11-26T13:45:00+01:00 Sebastian Deleersnyder, Georges Bolssens No 56484, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Threat modeling stands at a critical juncture. While essential for creating secure systems, it remains mostly manual, handcrafted, and often too slow for today's development cycles. At the same time, automation and AI offer new levels of speed and scalability— but how much can we rely on them? This talk explores the tension between automation and human expertise in threat modeling. We'll dissect the traditional threat modeling process—scoping, modeling, threat identification, risk analysis, and mitigation—and perform a step-by-step gap analysis to identify what can realistically be automated today, what cannot, and why. We'll dive into: Current tooling: Review the AI threat modeling tools that handle diagram-based automation, template-driven modeling, risk scoring, and pattern matching. Emerging AI use cases: automatically generating threat models from architecture diagrams, user stories, or use case descriptions; providing AI-assisted mitigation suggestions; and conducting NLP-driven threat analysis. Limitations and risks: False confidence, hallucinations, model bias, ethical accountability, and the challenge of modeling new or context-specific threats. We will ground this analysis with examples from organizations and academic research that aim to scale threat modeling without compromising depth or quality, drawing parallels to how other activities, such as SAST and DAST scanning, evolved. Attendees will walk away with a practical roadmap for integrating automation without undermining the human insight threat modeling still requires. This talk isn't a tool pitch. It's a candid, experience-based view of where automation can meaningfully accelerate threat modeling—and where the human must remain firmly in the loop. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:39:58 https://media.ccc.de/v/god2025-56475-from-startup-to-scale-choo Security teams often inherit their organisation's structure - for better or worse. The way you design your AppSec programme and choose your team topology can determine whether security becomes a trusted enabler or a frustrating bottleneck. In this story-driven session, we follow Alex, who begins as the only security person in a 50-person startup. At first, Alex builds a centralised AppSec team, finding it effective for control but slow to scale. As the company grows to hundreds of employees, bottlenecks appear, and burnout looms. Alex experiments with embedded security engineers, Security as a Platform, and a Security Champions network, learning the trade-offs of each approach along the way. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 10:15:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56475-eng-From_Startup_to_Scale_Choosing_the_Right_AppSec_Path_sd.mp4?1764162651 b62e489d-ccc9-4d8b-b9b4-d92b4c27337d 2025-11-26T10:15:00+01:00 Javan Rasokat, Vanessa Sutter No 56475, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Security teams often inherit their organisation's structure - for better or worse. The way you design your AppSec programme and choose your team topology can determine whether security becomes a trusted enabler or a frustrating bottleneck. In this story-driven session, we follow Alex, who begins as the only security person in a 50-person startup. At first, Alex builds a centralised AppSec team, finding it effective for control but slow to scale. As the company grows to hundreds of employees, bottlenecks appear, and burnout looms. Alex experiments with embedded security engineers, Security as a Platform, and a Security Champions network, learning the trade-offs of each approach along the way. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:21:17 https://media.ccc.de/v/god2025-56476-how-the-eu-created-electro Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts. While it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic "standard" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software even more likely. The EU standard allows multiple redundant XML data formats to encode electronic invoices. XML processing has several well-known, inherent security problems, most notably file exfiltration via XML eXternal Entity (XXE) attacks. It appears that XML security was not considered during the creation of these standards. Neither the standardization documents nor the information found on various government and EU web pages contain any information about avoiding XML security flaws. Therefore, unsurprisingly, security vulnerabilities in software processing these electronic invoices are very common. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 10:15:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56476-eng-How_the_EU_created_Electronic_Invoices_without_considering_Security_sd.mp4?1764161604 7d2530a7-3b5e-44a6-8297-8d3a7abf99eb 2025-11-26T10:15:00+01:00 Hanno Böck No 56476, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 Companies within the European Union are increasingly required to be able to issue and process electronic invoices according to EU standards. For example, since January 2025, companies in Germany have been required to support electronic invoices in B2B contexts. While it is desirable to standardize invoice data formats, the EU standards have severe problems. They are overly and needlessly complicated, and security was not given much consideration. An unfortunate design choice to use a problematic "standard" (XSLT 2/3) only supported by a single implementation with inherent security problems makes security vulnerabilities in electronic invoicing software even more likely. The EU standard allows multiple redundant XML data formats to encode electronic invoices. XML processing has several well-known, inherent security problems, most notably file exfiltration via XML eXternal Entity (XXE) attacks. It appears that XML security was not considered during the creation of these standards. Neither the standardization documents nor the information found on various government and EU web pages contain any information about avoiding XML security flaws. Therefore, unsurprisingly, security vulnerabilities in software processing these electronic invoices are very common. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:27:51 https://media.ccc.de/v/god2025-56482-owasp-cumulus-threat-model In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects. We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 12:20:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56482-eng-OWASP_Cumulus_Threat_Modeling_the_Ops_of_DevOps_sd.mp4?1764164728 bd3aa5dd-5842-4971-be51-11b48a56002f 2025-11-26T12:20:00+01:00 Christoph Niehoff No 56482, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 In this presentation, we will highlight how threat modeling, as a proactive measure, can increase security in DevOps projects. We will introduce OWASP Cumulus, a threat modeling card game designed for threat modeling the Ops part of DevOps processes. This game (in combination with similar games like Elevation of Privilege or OWASP Cornucopia) enables DevOps teams to take the security responsibility for their project in a lightweight and engaging way. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:26:08 https://media.ccc.de/v/god2025-56490-a-cisos-adventures-in-ai-w As a CISO (or any other security expert) in the area of AI, you can find yourself in increasingly challenging and sometimes bizarre AI-related situations not unlike Alice's adventures in Wonderland. Depending on whom you speak to, people either have high (inflated?) expectations about the (magic?) benefits of AI for security efforts, or try to explain why "AI security Armageddon" is looming... and that is just the security part of the story. All other areas in your organization are heavily using or experimenting with AI (e.g., vibe coding, automation, decision making, etc.), challenging (or ignoring) established security practices. This talk tells the story of the daily experience of dealing with AI as a CISO in a cloud-application startup. Which experiments failed or were successful, which advice is helpful, what is difficult to apply in practice, which questions are still open... The motivation for this talk is to start a conversation among security experts on how we can shape a secure AI future and not get pushed into the role of being seen as "hindering" AI progress. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 15:50:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56490-eng-A_CISOs_Adventures_in_AI_Wonderland_sd.mp4?1764190003 c2cff574-070b-48c0-ae1d-65967952bee5 2025-11-26T15:50:00+01:00 Holger Mack No 56490, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 As a CISO (or any other security expert) in the area of AI, you can find yourself in increasingly challenging and sometimes bizarre AI-related situations not unlike Alice's adventures in Wonderland. Depending on whom you speak to, people either have high (inflated?) expectations about the (magic?) benefits of AI for security efforts, or try to explain why "AI security Armageddon" is looming... and that is just the security part of the story. All other areas in your organization are heavily using or experimenting with AI (e.g., vibe coding, automation, decision making, etc.), challenging (or ignoring) established security practices. This talk tells the story of the daily experience of dealing with AI as a CISO in a cloud-application startup. Which experiments failed or were successful, which advice is helpful, what is difficult to apply in practice, which questions are still open... The motivation for this talk is to start a conversation among security experts on how we can shape a secure AI future and not get pushed into the role of being seen as "hindering" AI progress. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:42:22 https://media.ccc.de/v/god2025-56495-news-from-the-juice-shop-e OWASP Juice Shop went through some significant renovation and enhancements over the last year in order to keep current with the underlying Node.js and Angular frameworks. MultiJuicer was entirely rewritten in GoLang and is now faster and more reliable than ever before. All Juice Shop side-projects have been migrated to TypeScript and brought to a common stack for testing and code linting. But the team did not only clean up and refactor behind the scenes. There are also lots of exciting new features and enhancements available, such as: Several new hacking challenges, e.g. a YAML memory bomb attack and an API key leakage Enhancing MultiJuicer's team score board to deliver a more holistic CTF experience Reimagining the hint system for all challenges, integrating now even better with CTF servers and making the use of hints more explicit for users Of course the popular Juice Shop Success Pyramid™ will be back with beyond-crazy Docker image download stats and other usage figures! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 17:15:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56495-eng-News_from_the_Juice_Shop_ecosystem_sd.mp4?1764190464 402cfa63-18e2-4c55-945d-e564437c0807 2025-11-26T17:15:00+01:00 Björn Kimminich No 56495, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 OWASP Juice Shop went through some significant renovation and enhancements over the last year in order to keep current with the underlying Node.js and Angular frameworks. MultiJuicer was entirely rewritten in GoLang and is now faster and more reliable than ever before. All Juice Shop side-projects have been migrated to TypeScript and brought to a common stack for testing and code linting. But the team did not only clean up and refactor behind the scenes. There are also lots of exciting new features and enhancements available, such as: Several new hacking challenges, e.g. a YAML memory bomb attack and an API key leakage Enhancing MultiJuicer's team score board to deliver a more holistic CTF experience Reimagining the hint system for all challenges, integrating now even better with CTF servers and making the use of hints more explicit for users Of course the popular Juice Shop Success Pyramid™ will be back with beyond-crazy Docker image download stats and other usage figures! Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:22:36 https://media.ccc.de/v/god2025-56480-continuous-vulnerability-s The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations. This allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerabilities. The SCB also allows defining rules to automatically start more in-depth scans based on previous findings, e.g., to start a specialized SSH scan if a port scan discovers an open SSH port. Scan results can be uniformly handled with prebuilt hooks, e.g. to send out alerts via messaging tools, or to ingest the findings into vulnerability management systems like OWASP DefectDojo. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 11:55:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56480-eng-Continuous_Vulnerability_Scanning_with_OWASP_secureCodeBox_sd.mp4?1764163774 03b7a38c-7228-4752-b714-846f0c41d36c 2025-11-26T11:55:00+01:00 Jannik Hollenbach No 56480, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 The OWASP secureCodeBox project aims to provide a unified way to run and automate open-source scanning tools like nmap, nuclei, zap, ssh-audit, and sslyze to continuously scan the code and infrastructure of entire organizations. This allows setting up automated scans that will regularly scan internal networks and internet-facing systems for vulnerabilities. The SCB also allows defining rules to automatically start more in-depth scans based on previous findings, e.g., to start a specialized SSH scan if a port scan discovers an open SSH port. Scan results can be uniformly handled with prebuilt hooks, e.g. to send out alerts via messaging tools, or to ingest the findings into vulnerability management systems like OWASP DefectDojo. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:24:21 https://media.ccc.de/v/god2025-56479-introducing-passkeys-strat The future of authentication is passwordless - Passkeys are the key technology. This talk supports developers in implementing Passkeys in their organizations and helps with the decision between in-house development, SDK, or Passkey-as-a-Service solutions. You will learn how to design recovery flows and fallback mechanisms in a user-friendly way, how Passkeys can be securely shared across devices and platforms, and what level of security they offer compared to traditional methods. Practical user stories and concrete examples highlight common pitfalls and help you optimally communicate the benefits of Passkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 11:55:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56479-eng-Introducing_Passkeys_-_Strategies_and_Challenges_for_Developers_sd.mp4?1764163922 90b1b8de-07c2-4937-a9d0-f53fd96595a1 2025-11-26T11:55:00+01:00 Clemens Hübner No 56479, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 The future of authentication is passwordless - Passkeys are the key technology. This talk supports developers in implementing Passkeys in their organizations and helps with the decision between in-house development, SDK, or Passkey-as-a-Service solutions. You will learn how to design recovery flows and fallback mechanisms in a user-friendly way, how Passkeys can be securely shared across devices and platforms, and what level of security they offer compared to traditional methods. Practical user stories and concrete examples highlight common pitfalls and help you optimally communicate the benefits of Passkeys. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:22:18 https://media.ccc.de/v/god2025-56472-keynote-code-dark-age Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-row spectators to the collapse of digital civilization. This talk shows how these risks are multiplying, and how the public debate around security often misses the point, making it even harder to fix what is broken. Maybe what we are really witnessing is the world's biggest live demo of the digital apocalypse. But sometimes you have to watch everything burn down before you can rebuild it better. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 09:05:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56472-eng-Keynote_Code_Dark_Age_sd.mp4?1764153983 5cee4aae-a611-484a-9706-27fd2e6a9f4a 2025-11-26T09:05:00+01:00 Eva Wolfangel No 56472, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Generative AI is supposed to make our lives easier. But what if it's really just coding us straight into a new Dark Age? We hand over our systems to AI agents, only to watch them invent backdoors nobody asked for. Developers are left with the glamorous job of bug janitors, while attackers get new exploits. It's hard not to feel like we are front-row spectators to the collapse of digital civilization. This talk shows how these risks are multiplying, and how the public debate around security often misses the point, making it even harder to fix what is broken. Maybe what we are really witnessing is the world's biggest live demo of the digital apocalypse. But sometimes you have to watch everything burn down before you can rebuild it better. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:39:37 https://media.ccc.de/v/god2025-56477-langsec-for-appsec-folks Die von LangSec beschrieben grundlegenden Sicherheitsprinzipien erklären die Hauptursachen vieler Sicherheitslücken und wie man diese beheben kann. LangSec sieht die anhaltende Schwachstellen-Epidemie in Software als eine Folge der ad-hock Entwicklung von Code, der Ein- und Ausgaben verarbeitet. Gemäß LangSec besteht der Schlüssel zur Entwicklung vertrauenswürdiger Software, die mit potenziell bösartigen Eingaben korrekt umgeht, darin alle gültigen oder erwarteten Eingaben und Ausgaben als formale Sprache zu behandeln. Dementsprechend müssen die Routinen zur Verarbeitung von Eingaben und Ausgaben als Parser beziehungsweise Unparser für diese Sprache behandelt werden und auch dementsprechend entwickelt werden. In diesem Vortrag möchte ich LangSec und die Implikationen für unsere tägliche Arbeit in AppSec vorstellen ohne in die Tiefen der Theoretischen Informatik und des Compilerbaus abzudriften. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 11:10:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56477-eng-LangSec_for_AppSec_folks_sd.mp4?1764161890 b873d52c-a991-4a71-93aa-f1564620c209 2025-11-26T11:10:00+01:00 Lars Hermerschmidt No 56477, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Die von LangSec beschrieben grundlegenden Sicherheitsprinzipien erklären die Hauptursachen vieler Sicherheitslücken und wie man diese beheben kann. LangSec sieht die anhaltende Schwachstellen-Epidemie in Software als eine Folge der ad-hock Entwicklung von Code, der Ein- und Ausgaben verarbeitet. Gemäß LangSec besteht der Schlüssel zur Entwicklung vertrauenswürdiger Software, die mit potenziell bösartigen Eingaben korrekt umgeht, darin alle gültigen oder erwarteten Eingaben und Ausgaben als formale Sprache zu behandeln. Dementsprechend müssen die Routinen zur Verarbeitung von Eingaben und Ausgaben als Parser beziehungsweise Unparser für diese Sprache behandelt werden und auch dementsprechend entwickelt werden. In diesem Vortrag möchte ich LangSec und die Implikationen für unsere tägliche Arbeit in AppSec vorstellen ohne in die Tiefen der Theoretischen Informatik und des Compilerbaus abzudriften. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:29:24 https://media.ccc.de/v/god2025-56471-welcome Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 09:00:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56471-eng-Welcome_sd.mp4?1764146887 7c1d0211-0a19-470e-9081-be1966ecc4bf 2025-11-26T09:00:00+01:00 OWASP German Chapter No 56471, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:09:21 https://media.ccc.de/v/god2025-56493-yurascanner-leveraging-llm Web application scanners are popular and effective black-box testing tools, automating the detection of vulnerabilities by exploring and interacting with user interfaces. Despite their effectiveness, these scanners struggle with discovering deeper states in modern web applications due to their limited understanding of workflows. This study addresses this limitation by introducing YuraScanner, a task-driven web application scanner that leverages large-language models (LLMs) to autonomously execute tasks and workflows. YuraScanner operates as a goal-based agent, suggesting actions to achieve predefined objectives by processing webpages to extract semantic information. Unlike traditional methods that rely on user-provided traces, YuraScanner uses LLMs to bridge the semantic gap, making it web application-agnostic. Using the XSS engine of Black Widow, YuraScanner tests discovered input points for vulnerabilities, enhancing the scanning process's comprehensiveness and accuracy. We evaluated YuraScanner on 20 diverse web applications, focusing on task extraction, execution accuracy, and vulnerability detection. The results demonstrate YuraScanner's superiority in discovering new attack surfaces and deeper states, significantly improving vulnerability detection. Notably, YuraScanner identified 12 unique zero-day XSS vulnerabilities, compared to three by Black Widow. This study highlights YuraScanner's potential to revolutionize web application scanning with its automated, task-driven approach. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 16:35:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56493-eng-YuraScanner_Leveraging_LLMs_for_Task-driven_Web_App_Scanning_sd.mp4?1764190249 17d6ccbe-6241-4c2e-b223-d6d6514d7374 2025-11-26T16:35:00+01:00 Aleksei Stafeev No 56493, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 Web application scanners are popular and effective black-box testing tools, automating the detection of vulnerabilities by exploring and interacting with user interfaces. Despite their effectiveness, these scanners struggle with discovering deeper states in modern web applications due to their limited understanding of workflows. This study addresses this limitation by introducing YuraScanner, a task-driven web application scanner that leverages large-language models (LLMs) to autonomously execute tasks and workflows. YuraScanner operates as a goal-based agent, suggesting actions to achieve predefined objectives by processing webpages to extract semantic information. Unlike traditional methods that rely on user-provided traces, YuraScanner uses LLMs to bridge the semantic gap, making it web application-agnostic. Using the XSS engine of Black Widow, YuraScanner tests discovered input points for vulnerabilities, enhancing the scanning process's comprehensiveness and accuracy. We evaluated YuraScanner on 20 diverse web applications, focusing on task extraction, execution accuracy, and vulnerability detection. The results demonstrate YuraScanner's superiority in discovering new attack surfaces and deeper states, significantly improving vulnerability detection. Notably, YuraScanner identified 12 unique zero-day XSS vulnerabilities, compared to three by Black Widow. This study highlights YuraScanner's potential to revolutionize web application scanning with its automated, task-driven approach. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:22:08 https://media.ccc.de/v/god2025-56473-the-surprising-complexity With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effectiveness, generalizability, and practical utility. Starting from our perspective as penetration testers, we identified three main problems with existing solutions in vulnerability identification: Accuracy and completeness of results - Many tools exhibit limited precision and recall, often depending on a single data source (e.g. NVD) and overlooking critical indicators such as known exploits or patch history. Rigid input requirements - Most solutions enforce strict formatting constraints (e.g., requiring exact CPEs), creating usability and reliability issues when dealing with diverse or incomplete data. Lack of usable outputs - The inability to meaningfully export or integrate results into broader workflows hampers both manual and automated security processes. In order to solve these challenges, we developed the open-source tool search_vulns. It leverages information from multiple data sources and uses text comparison techniques and CPEs in combination to increase accuracy in software identification. Due to this approach, it can even automatically generate CPEs that have yet to be published. Together with its custom logic for version comparison, this further enhances the quality of results. Finally, search_vulns provides a fine-granular export of results in different formats. In conclusion, this talk aims to simplify the surprising complexity of finding known vulnerabilities in software. To do so, we discuss common challenges in mapping software names to CPEs, e.g. for product rebrandings, single-version vulnerabilities and yet to be published software versions. In addition, we present an approach using multiple data sources in combination to enrich CVE data with information on known exploits, likelihood of exploitability (EPSS) and other data sources. Finally, we present search_vulns as open-source tool. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 09:50:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56473-eng-The_Surprising_Complexity_of_Finding_Known_Vulnerabilities_sd.mp4?1764151782 dae5a632-92c6-4d65-b9d1-b4c61b311223 2025-11-26T09:50:00+01:00 Dustin Born, Matthias Göhring No 56473, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 With the increasing reliance on third-party software components, ensuring their security against known vulnerabilities has become a daily challenge for individuals and organizations. Despite the availability of a variety of tools and databases, we found all of them fall short when applied to real-world scenarios - raising questions about their effectiveness, generalizability, and practical utility. Starting from our perspective as penetration testers, we identified three main problems with existing solutions in vulnerability identification: Accuracy and completeness of results - Many tools exhibit limited precision and recall, often depending on a single data source (e.g. NVD) and overlooking critical indicators such as known exploits or patch history. Rigid input requirements - Most solutions enforce strict formatting constraints (e.g., requiring exact CPEs), creating usability and reliability issues when dealing with diverse or incomplete data. Lack of usable outputs - The inability to meaningfully export or integrate results into broader workflows hampers both manual and automated security processes. In order to solve these challenges, we developed the open-source tool search_vulns. It leverages information from multiple data sources and uses text comparison techniques and CPEs in combination to increase accuracy in software identification. Due to this approach, it can even automatically generate CPEs that have yet to be published. Together with its custom logic for version comparison, this further enhances the quality of results. Finally, search_vulns provides a fine-granular export of results in different formats. In conclusion, this talk aims to simplify the surprising complexity of finding known vulnerabilities in software. To do so, we discuss common challenges in mapping software names to CPEs, e.g. for product rebrandings, single-version vulnerabilities and yet to be published software versions. In addition, we present an approach using multiple data sources in combination to enrich CVE data with information on known exploits, likelihood of exploitability (EPSS) and other data sources. Finally, we present search_vulns as open-source tool. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:23:35 https://media.ccc.de/v/god2025-56489-how-we-hacked-y-combinator We hacked 7 of the16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 14:55:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56489-eng-How_we_hacked_Y_Combinator_companies_AI_agents_sd.mp4?1764171282 626be573-f64c-480c-a2db-1ccaeec57764 2025-11-26T14:55:00+01:00 René Brandel No 56489, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 We hacked 7 of the16 publicly-accessible YC X25 AI agents. This allowed us to leak user data, execute code remotely, and take over databases. All within 30 minutes each. In this session, we'll walk through the common mistakes these companies made and how you can mitigate these security concerns before your agents put your business at risk. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:24:28 https://media.ccc.de/v/god2025-56496-closing Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 17:35:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56496-eng-Closing_sd.mp4?1764190506 7410cd2e-0fd2-47b0-b439-4f7e8da5130d 2025-11-26T17:35:00+01:00 OWASP German Chapter No 56496, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:04:06 https://media.ccc.de/v/god2025-56478-all-the-waf-power-to-the-d Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps approach, reducing late surprises during deployment. In this talk, we demonstrate the application-centric approach with Envoy Proxy, OWASP Coraza, and the OWASP Core Rule Set (components are examples and interchangeable; focus is on principles and selection criteria), and take you along our real-world journey - highlighting the challenges and lessons learned. What you'll take away: We show where this reusable reference design reduces friction and where it backfires, and we outline the governance and guardrails needed to make it work in practice. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 11:10:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56478-eng-All_the_WAF_power_to_the_devs_-_why_it_reduces_friction_and_where_it_backfires_sd.mp4?1764161756 9a191c51-bf9c-4cb8-a6e4-cd3c7068bbb3 2025-11-26T11:10:00+01:00 Lukas Funk No 56478, 2025, god2025, Track 2, god2025-eng, god2025, Day 1 Web application firewalls are often seen as a hindrance when going live, as perimeter WAFs can clash with GitOps-driven platforms. Empowering development teams with an application-centric WAF setup allows them to run and tune the WAF throughout the entire development lifecycle. It also enables full integration into any CI/CD pipeline or GitOps approach, reducing late surprises during deployment. In this talk, we demonstrate the application-centric approach with Envoy Proxy, OWASP Coraza, and the OWASP Core Rule Set (components are examples and interchangeable; focus is on principles and selection criteria), and take you along our real-world journey - highlighting the challenges and lessons learned. What you'll take away: We show where this reusable reference design reduces friction and where it backfires, and we outline the governance and guardrails needed to make it work in practice. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:34:16 https://media.ccc.de/v/god2025-56488-i-have-no-idea-how-to-make Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support. In this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them. The audience will take away the following items from the presentation/discussion: Common insecure practices in extension development. Why security ≠ privacy ≠ store compliance, as often perceived by extension developers! Hidden design gaps and loopholes in extension architecture that developers can't spot or comprehend. Anecdotes on the course of extension development in the era of LLMs. Developers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions. And, most importantly, why you should NOT give up on them just yet! :) References: [1] Agarwal, Shubham, et al. “I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025. [2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024. [3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de Wed, 26 Nov 2025 14:55:00 +0100 https://cdn.media.ccc.de/events/god/2025/h264-sd/god2025-56488-eng-I_have_no_idea_how_to_make_it_safer_Security_and_Privacy_Mindsets_of_Browser_Extension_Developers_sd.mp4?1764170874 9e712464-901b-4fcc-87cd-f80e84e4d6f4 2025-11-26T14:55:00+01:00 Shubham Agrawal No 56488, 2025, god2025, Track 1, god2025-eng, god2025, Day 1 Browser extensions are a powerful part of the Web ecosystem as they extend browser functionality and let users personalize their online experience. But with higher privileges than regular web apps, extensions bring unique security and privacy risks. Much like web applications, vulnerabilities often creep in, not just through poor implementation, but also through gaps in developer awareness and ecosystem support. In this talk, we share insights from a recent study in which we interviewed and observed 21 extension developers across the world [1] as they worked on security and privacy-related tasks that we designed based on our prior works and observations [2, 3]. Their live decision-making revealed common misconceptions, unexpected pain points, and ecosystemic obstacles in the extension development lifecycle. Extending beyond our published results, we plan to highlight some of the untold anecdotes, insecure development practices, their threat perception, the design-level challenges, as well as the misconceptions around them. The audience will take away the following items from the presentation/discussion: Common insecure practices in extension development. Why security ≠ privacy ≠ store compliance, as often perceived by extension developers! Hidden design gaps and loopholes in extension architecture that developers can't spot or comprehend. Anecdotes on the course of extension development in the era of LLMs. Developers, regulations (GDPR/CCPA/CRA), and a few “interesting” opinions. And, most importantly, why you should NOT give up on them just yet! :) References: [1] Agarwal, Shubham, et al. “I have no idea how to make it safer”: Studying Security and Privacy Mindsets of Browser Extension Developers. Proceedings of the 34th USENIX Security Symposium 2025. [2] Agarwal, Shubham, Aurore Fass, and Ben Stock. Peeking through the window: Fingerprinting Browser Extensions through Page-Visible Execution Traces and Interactions. Proceedings of the 31st ACM SIGSAC Conference on Computer and Communications Security. 2024. [3] Agarwal, Shubham. Helping or hindering? How browser extensions undermine security. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. 2022. Licensed to the public under https://creativecommons.org/licenses/by-sa/4.0/ about this event: https://c3voc.de 00:24:42 media.ccc.de / RSS 0.3.2 CCC media team media@c3voc.de CCC media team No CCC Congress Hacking Security Netzpolitik A wide variety of video material distributed by the CCC. All content is taken from cdn.media.ccc.de and media.ccc.de A wide variety of video material distributed by the Chaos Computer Club. This feed contains all events from god2025 as mp4