OWASP 2024 Global AppSec San Francisco

Whatever your need as a hacker post-compromise, Microsoft Copilot has got you covered. Covertly search for sensitive data and parse it nicely for your use. Exfiltrate it out without generating logs. Most frightening, Microsoft Copilot will help you phish to move lately. Heck, it will even social engineer victims for you!




This talk is a comprehensive analysis of Microsoft copilot taken to red-team-level practicality. We will show how Copilot plugins can be used to install a backdoor into other user’s copilot interactions, allowing for data theft as a starter and AI-based social engineering as the main course. We’ll show how hackers can circumvent built-in security controls which focus on files and data by using AI against them.




Next, we will drop LOLCopilot, a red-teaming tool for abusing Microsoft Copilot as an ethical hacker to do all of the above. The tool works with default configuration in any M365 copilot-enabled tenant.




Finally, we will recommend detection and hardening your can put in place to protect against malicious insiders and threat actors with Copilot access.

In this 45 minute offensively focused presentation we dive into GraphQL secondary context attacks and business logic vulnerabilities exploited in real world assessments. Secondary context attacks in particular can access impactful API endpoints using GraphQL as the jumping off point. The impact from these issues when exploited can be significant including unauthorized access to data, the ability to modify other users accounts, cross-tenancy failures, and SSRF. 

This presentation is fresh material to this topic and does not rehash existing GraphQL exploitation discussions. If you are interested in GraphQL attacks, you should attend this talk.

This session presents a new attack technique called “OData Injection” that affects many API based environments and in particular Microsoft Power Automate, part of the Microsoft Power Platform. The technique can be used by attackers to extract sensitive data and bypass access controls. Furthermore, we show that if you think that “No Code” = “No Vulnerabilities”, you are in for a BIG surprise. Not only that applications and automations written by citizen developers are vulnerable to good ol’ injection attacks but these could be exploited by external attackers. We prove our points using demos of the attacks and vulnerabilities that simulate our findings in the field.


Low Code / No Code (LCNC) Development and Robotic Process Automations (RPA, automations) is a rapidly growing trend within enterprises going through a digital transformation process. These tools and environments allow business users (called citizen developers), who are not software engineers, to quickly build enterprise applications, by just dragging and dropping objects within the platform’s UI. These applications typically automate their daily tasks and accelerate digital transformation within the organization - all this without writing a single line of code. Top platforms to support LCNC are Microsoft Power Platform and UiPath Cloud Automation.


It is widely believed by organizations that since no code is involved in the development process, it is safe to assume that the resulting applications are not vulnerable to traditional security issues.Think again! Our research, backed by analyzing tens of thousands of applications and flows in large enterprises, shows that automations and applications which are perceived as “internal applications” are in fact exposed to external attackers. For the first time at BlackHat, we will show how applications and automations built in the Microsoft Power Platform and UiPath Automation Cloud environments are also vulnerable to SQL Injection, OS Command Injection and more.

Compromising AI infrastructure can have devastating consequences, making it a prime target for attackers. Often, a simple misconfiguration or vulnerability in AI applications is all it takes to compromise the entire system. Many developers are not fully aware of the threat landscape and end up deploying vulnerable AI infrastructures. Traditional pentesting tools like DVWA and bWAPP have helped the infosec community understand popular web attack vectors, but there is a gap when it comes to AI environments. In this talk, we introduce AI Goat, a deliberately vulnerable AI infrastructure featuring vulnerabilities based on the OWASP AI Top 10. AI Goat mimics real-world AI applications but includes added vulnerabilities, providing security enthusiasts and pen-testers with an easy-to-deploy and destroy platform to learn how to identify and exploit AI vulnerabilities. The deployment scripts will be open-source and available after the talk.

As the web evolves, so do the complexities of securing it. WebRTC (Web Real-Time Communication) is a powerful technology embedded in every modern web browser, enabling audio, video, and data sharing. While WebRTC offers tremendous advantages for real-time communication, it introduces a unique set of security challenges that many web and API security professionals may overlook.


This presentation aims to bridge the knowledge gap between traditional web/API security and the specialized realm of WebRTC. Designed for OWASP attendees ranging from novice to advanced practitioners, it will provide a comprehensive overview of WebRTC security concepts, common vulnerabilities, and practical testing methodologies.

When a web application needs to safely render the user’s input as HTML, e.g., to enable rich text formatting, sanitization would be the solution. Generally speaking, sanitizing user input should be done on the server side, right? Well, this is not so obvious for XSS mitigation. While sanitizing on the client side sounds counterintuitive at first, in this talk, we will explain not only why it makes sense for HTML but also why it is important to do so. This talk showcases common pitfalls of sanitizing HTML server-side and dives into multiple interesting real-world vulnerabilities.

Despite defense in depth bounty hunters continue to bypass security measures. We will chronicle curated submissions from our bug bounty program. 


This talk covers bugs that span across application security and infrastructure security domain. Folks from Detection and response will find this especially useful to help further strengthen their D&R capabilities. Frankly we recommend this to all security practitioners (red\blue and purple team)  since we will share real world bugs reported to our program and how we applied the learnings to elevate our security program.


Expect to hear root cause analysis, technical details, and mitigations. You will take away practical strategies to elevate your own security program.