If you thought from the title that either was unlikely this presentation will prove you wrong. Modern Java web frameworks are very complex and are used by some of the most critical web frontends (banks, airlines, etc). However, due to the nature of Java, a lot of people using such frameworks assume that they are immune to certain classes of vulnerabilities and thus use no exploitation mitigation techniques at all. I'll discuss the current state of (in)security in some of the popular Java web frameworks (e.g. Spring, Struts2) based on my security review, which involved spending no more than one week on each framework. In most cases, I was able to get a shell in a HelloWorld application within 3-4 days. The presentation will also cover some of the ways to harden web applications built using these frameworks.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.