Tuesday, November 10, 2009

Lust 2.0 talk @ SecurityByte and OWASP AppSec Asia 2009

India's largest security conference, SecurityByte and OWASP AppSec Asia 2009, is happening this November in Gurgaon. It's being organized by Nish Bhalla of Security Compass along with OWASP Delhi's dynamic duo of Puneet Mehta and Dhruv Soi. They have a very impressive line-up of speakers pulled in from across the world, many of whom are regulars at BlackHat and other big conferences. The exciting part is that my talk has been selected and I will be releasing my research on 'browser phishing' there. My talk is titled 'Lust 2.0 – Desire for free Wi-Fi and the threat of the Imposter'.

The talk will primarily cover two attacks:

  1. Stealing files through Flash and Internet Explorer
  2. Stealing data and placing backdoors on sites using Google Gears

These attacks can be performed on any user who connects to an unsecured Wi-Fi network controlled by the attacker. Imposter is a tool that I have made to carry out these attacks. It has built-in web server, DNS server and SMB sniffer modules. This makes the execution of these attacks as simple as clicking a single button! I will be showing live demos of these attacks with Imposter.

I will also be talking about the very first Google Gears Database based persistent XSS vulnerability, which is still open after private disclosure; yes, it will be a 0-day.


  1. Phew! Finally got the link to your blog and papers. Hey!! andlabs.org should be the first page to show up on Google when searching for "Lavakumar Kuppan" :-)

  2. lol.. I am working on it, it's currently way down on 12th or 13th I guess. I had sent out mails about the release of Imposter and the whitepapers to all the mailing lists, looks like I have missed some people, sorry about that. Welcome! And hope you enjoyed the content. And you forgot to leave your name in the comment :)