Hi all, In end of May in Moscow Russia finished Positive Hack Days 2012 forum (www.phdays.com<http://www.phdays.com>). There are was several interesting Web App Sec topics I want to share. You can find other slides here: http://phdays.blogspot.com/2012/06/presentations-from-positive-hack-days.html WEB SECURITY Report: Miroslav Štampar. DNS exfiltration using sqlmap [video<http://live.digitaloctober.ru/embed/1208?language=en&params%5bpw%5d=630&params%5bph%5d=355&params%5bepisodes_under%5d=1&params%5beh%5d=100#time1338461956>], [presentation<http://www.slideshare.net/phdays/dns-exfiltration-using-sqlmap-13376798>]. The speaker represented DNS exfiltration technique using SQL injection, described its pros and contras, and provided illustrative examples. Report: Vladimir Vorontsov. Blind XXE Expluatation [presentation 2<http://www.slideshare.net/phdays/cookie-mechanism-and-attacks-on-webclient>] [video<http://live.digitaloctober.ru/embed/1208?language=en&params%5bpw%5d=630&params%5bph%5d=355&params%5bepisodes_under%5d=1&params%5beh%5d=100#time1338440538>]. Attacks against Microsoft network web clients, [presentation 1<http://www.slideshare.net/phdays/attacks-against-microsoft-network-web-clients>], The report covered methods of attacks on Internet Explorer users functioning as part of Microsoft networks. The considered attacks are aimed at obtaining confidential information about users both on remote servers (bypassing access policy restrictions) and local PCs. Hands-on-lab: Andres Riancho. Web 2.0 security. Advanced techniques [video<http://live.digitaloctober.ru/embed/1204?language=en&params%5bpw%5d=630&params%5bph%5d=355&params%5bepisodes_under%5d=1&params%5beh%5d=100#time1338372196>], [presentation<http://www.slideshare.net/phdays/andres-riancho-advanced-web-20-security>] The hand-on-lab covered protection techniques against attacks exploiting XML and HPP/HPC, as well as Click Jacking and Session Puzzling. Report: Sergey Scherbel. Not all PHP implementations are equally useful. [presentation<http://www.slideshare.net/phdays/not-all-php-implementations-are-equally-useful>]. The reporter considered detected security problems and operational features of Web applications using third-party implementations of PHP and gave examples of 0-day vulnerabilities. Report: Thibault Koechlin. Naxsi, an open source WAF for Nginx, [presentation<http://www.slideshare.net/phdays/naxsi-an-open-source-waf-for-nginx>] Report: Aleksey Moskvin. On secure application of PHP wrappers [video<http://live.digitaloctober.ru/embed/1210?language=en&params%5bpw%5d=630&params%5bph%5d=355&params%5bepisodes_under%5d=1&params%5beh%5d=100#time1338447970>], [presentation<http://www.slideshare.net/phdays/on-secure-application-of-php-wrappers> RUS]. Videos of demonstrations: http://www.youtube.com/watch?feature=player_detailpage&v=rkgPFIGofYs http://www.youtube.com/watch?feature=player_detailpage&v=J5HTTxuuu3o Report: Vladimir Kochetkov. Hack an ASP.NET site? It is difficult, but possible! [video<http://live.digitaloctober.ru/embed/1210?language=en&params%5bpw%5d=630&params%5bph%5d=355&params%5bepisodes_under%5d=1&params%5beh%5d=100#time1338469292>], [presentation<http://www.slideshare.net/phdays/to-hack-an-asp-net-website>]