Episode #295 - DEF CON Recap, Crocs and Socks (And Bots)

DEF CON 33 Review, and the value of CTFs

This week on the 295th episode of Absolute AppSec, Seth (@sethlaw) and Ken (@cktricky) return to discuss their experiences at this year’s Hacker Summer Camp during DEF CON 33 and all things Las Vegas. They talk panels, talks, workshops, happy hours, and even corporate events. Then, they delve into a few research items that emerged from the conference, including James Kettle’s "HTTP 1.1 Must Die" talk, and finally, why AI is impacting Application Security. To find this episode and 294 others, go to https://www.youtube.com/@AbsoluteAppSec. Or, find us on Spotify or Apple Podcasts.

“There’s not a lot of places that you and I can go where […], in a group setting, over drinks, [we can talk] to people that understand what we do on a day-to-day basis and have real in-depth discussions.”

Ken

Seth and Ken, as part of their Absolute AppSec tradition, hosted a happy hour there. Thank you to everyone who came in for a drink or to pick up some merch! They also recorded an AppSec panel with Tanya Janca and Jason Haddix. Keep an eye on our channels and the AppSec Village’s YouTube channel to view the discussion when it drops. Our hosts were booked and busy the entire week, and are just now catching up on some sleep, but DEF CON has evolved into an event that is worth losing a bit of sleep for. This was the second year the conference was held at the Las Vegas Convention Center, and the larger space has made it easier than ever to accommodate more people attending talks as the conference continues to grow. The overwhelming number of options, with over 1,200 separate events, can lead to “paralysis” for attendees trying to decide what to do. The Hacker Tracker app definitely helped, letting attendees prioritize which talks they wanted to attend and directing them to where they could find them.

Both within and outside DEF CON 33, the industry can talk about nothing but AI. It’s hard to find articles that don’t focus on AI, given its dominance in every aspect of the field. Ken notes that almost every application he has tested over the past six months includes AI components, and that AI is introducing a new API with access to data sources, often without proper controls, which can impact everything from the velocity of shipping to how security teams respond.

“One of the things I appreciate about CTFs is that it really highlights the sorts of mistakes that developers will make in code and distills them down to something usually fairly simple to exploit. It’s not always easy to find or easy to figure out the format in which you have to exploit that. But at the very least, you know that there is a vulnerability that exists […] and it’s [about] unlocking the puzzle.”

Seth

Finally, Seth and Ken introduce the latest issue of Phrack Magazine, which has a retrospective on classic PHP exploits, specifically those found in CTF competitions. The author is Orange Tsai, a well-known and skilled bug bounty hunter who has a reputation (over the course of his eighteen-plus year hacking career) for being particularly good at chaining exploits together. The article is a fun read that includes cool hacks and provides a look back at classic PHP vulnerabilities. For instance, it discusses Local File Inclusion (LFI) issues where attackers can put a web shell on a PHP application to gain command execution. It then shows how to bypass LFI protections using filters, which allow operations like Base64 encoding and decoding. The article also explains how attackers can chain filters together to gain arbitrary file read access, even after initial protections are in place. Seth and Ken particularly recommend this type of ‘classic AppSec’ article as a resource for anyone new to AppSec or junior security professionals because it introduces core concepts of application security, such as picking apart an application, finding edge cases, and exploiting them. It helps people learn how to approach looking at code and the fundamental basics of security. The article is also valuable for highlighting common mistakes that developers make, which are often distilled down to something simple to exploit in a CTF format. Other topics in the article include deserialization attacks and the concept of “reviving forgotten bugs”.
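For readers who want to turn the LFI discussion above into a detection check, here is an added example (not from the Phrack article or the podcast) that scans web-server access-log lines for request parameters whose value is a PHP stream wrapper such as php://filter, and reports how many filter stages are chained with "|". The log lines are constructed for the example; the parameter name and paths are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
10.0.0.7 - - [01/Sep/2025:10:00:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config.php HTTP/1.1" 200 1024
10.0.0.9 - - [01/Sep/2025:10:00:03 +0000] "GET /index.php?page=php%3A%2F%2Ffilter%2Fstring.rot13%7Cconvert.base64-encode%2Fresource%3Dindex.php HTTP/1.1" 200 2048
10.0.0.8 - - [01/Sep/2025:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 300
"""

# PHP stream wrappers that should never appear in a value fed to include/require.
WRAPPER_RE = re.compile(r"^(php|data|phar|expect|zip|glob)://", re.IGNORECASE)
# Extract the request target from a Common Log Format request line.
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_wrapper_params(query):
    """Return (param, value, chain_len) for each parameter value that is a stream wrapper.

    chain_len counts the '|'-separated stages of a php://filter chain (0 for other wrappers).
    """
    hits = []
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)  # second decode catches double-encoded payloads
            if WRAPPER_RE.match(value):
                chain_len = value.count("|") + 1 if value.lower().startswith("php://filter") else 0
                hits.append((name, value, chain_len))
    return hits


def scan_log(text):
    """Scan log text and return one finding dict per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        match = REQ_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for name, value, chain_len in find_wrapper_params(url.query):
            findings.append({"path": url.path, "param": name, "value": value, "chain_len": chain_len})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A chain_len above one is the signal worth alerting on: a single base64 stage is what a file-read attempt looks like, while multi-stage chains are the pattern the article describes for bypassing filters.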

This episode was sponsored by Redpoint Security™. Redpoint specializes in "Code Security by Coders," bolstered by years of experience testing applications and conducting code reviews against all types of apps, including AI, web, and mobile. Redpoint also offers developer AppSec and secure-code training to help ground your teams in better security practices across the development lifecycle. Check out redpointsecurity.com for more information and put your company on a path to better security.

Are you looking to bulk up your clothing collection for fall weather? Well, the Absolute AppSec merch store might just have what you’re looking for. Pick out a hoodie or beanie to keep your core temperatures nice and toasty.

An Absolute AppSec hoodie for fall-worthy AppSec fashions

And, if you have thoughts you’d like to share with Seth and Ken and the Absolute AppSec audience, join us in Slack. Show topics often originate as discussion points with the Slack audience, and the newsletter incorporates that discussion as well. So, join in there to offer ideas for what you’d like the podcast to cover as well as pick the brains of a number of industry experts.

Stay Secure,

Seth & Ken

https://www.youtube.com/live/TudqDd9H2_k - Episode #275 - OpenGrep Summary, Secure By Design, Confusion Attacks - Orange Tsai’s work has shown up a couple times over the history of our podcast. Most recently, Seth and Ken covered his write-up on confusion attacks a few months back.

https://www.youtube.com/watch?v=lGSFHzkEJcI - Episode #132 - Supply Chain Attacks, What I Wish I Knew Starting in Security, a tribute to Dan Kaminsky - Thinking about classic AppSec reminded us of this episode, where Seth and Ken reflected on what they wish they’d known from the beginning of their careers, as well as their reflections on hacking legend Dan Kaminsky.

https://www.youtube.com/watch?v=pjTybGNSFT8 - AfterDark episode #4 - Discussions about CTFs reminded us of the After Dark CTF episode we did with SecDim’s Pedram Hayati. Check out SecDim if you’re interested in a CTF that includes remediation and wargaming components in addition to typical bug-finding CTF activities.

Absolute AppSec Happenings

https://secdim.com/blog/post/ai-and-secure-code-learning-an-empirical-analysis-of-420-ai-generated-security-fixes-14784/ - “AI and Secure Code Learning: An Empirical Analysis of 420 AI-Generated Security Fixes” from SecDim’s Pedram Hayati. Pedram shared this in the Absolute AppSec Slack. Some interesting insights from the SecDim CTF platform and a recent wargaming event regarding how AI coding assistants are affecting coding.

https://phrack.org/issues/72/5_md#article - “The Art of PHP - My CTF Journey and Untold Stories!” - Orange Tsai’s article in the latest Phrack. Seth and Ken discuss this in the episode presented this week, so we thought we’d provide a handy link for those looking to dig in further.

https://blog.trailofbits.com/2025/09/03/subverting-code-integrity-checks-to-locally-backdoor-signal-1password-slack-and-more/ - “Subverting code integrity checks to locally backdoor Signal, 1Password, Slack, and more” from Darius Houle at Trail of Bits. This is the write-up of the Trail of Bits team’s work that led to Electron CVE-2025-55305, which closed the hole whereby, as Darius writes, he could “[backdoor] applications by overwriting V8 heap snapshot files.” Houle further notes that similar issues affect Chromium/Chrome-based projects, so take a look at the issues he dives into.

Upcoming Events

Where in the world are Seth and Ken?

September 12, 2025 - BsidesCache - Seth will be present at the Bsides conference in Logan, Utah next week. Come say “hi” at the Redpoint Security booth there at the Bridgerland Applied Technical College if you’re attending.

September 23-25, 2025 - Enterprise Tech Leadership Summit - Las Vegas, NV - Ken will be attending, so check in with us in the Slack if you’d like to see about catching up with him for a pseudo-extension of Vegas summer camp.

December 8-11, 2025 - Next-Gen Secure Code Review: Black Hat Edition - Seth and Ken are bringing a four-day exclusive course to Black Hat Europe in London, UK. This is a great opportunity to get a truly in-depth understanding of secure code review and how it can be empowered through LLM tooling. Seth and Ken have innovated industry-leading trainings in both of these topics, so this four-day course promises to provide a lot of valuable insight.