10:00 – 10:15
Carola Frediani has written about hacking, surveillance and cybercrime for Italian and foreign publications. She then went on to work as a cybersecurity awareness manager in international organisations. She joined the global security team at Amnesty International and is now an Infosec technologist at Human Rights Watch. She writes the free weekly newsletter Guerre di Rete, which analyses news and stories on cyber and digital rights. The newsletter has since evolved into an independent information project, Guerredirete.it, created together with the association Cyber Saiyan.
10:15 – 11:05
Some people think the days of critical HTTP request smuggling attacks on hardened targets have passed. Unfortunately, this is an illusion propped up by wafer-thin mitigations that collapse as soon as you apply a little creativity. As long as HTTP/1.1 lives, desync attacks will thrive.
In this talk, I’ll introduce multiple new classes of desync attack, enabling mass compromise of user credentials across hundreds of targets, including tech giants, SaaS providers, US government systems, and almost every company using a certain CDN. Every technique has been honed for maximum impact with minimum effort, with an unplanned collaboration yielding over $200,000 in bug bounties in two weeks.
I’ll also share the research methodology and open-source toolkit that made this possible, replacing outdated, canned-exploit probes with focused analysis that reveals each target’s unique weak spots. This strategy creates an avalanche of desync research leads, yielding results ranging from entire new attack classes, down to exotic implementation flaws that bleed server memory into attackers’ welcoming arms. You’ll witness attacks meticulously crafted from theoretical foundations alongside accidental exploits with a root cause so incomprehensible, the developers ended up even more confused than me.
You’ll leave this talk equipped with everything you need to join me in the desync research endgame: the mission to kill HTTP/1.1.
James ‘albinowax’ Kettle is the Director of Research at PortSwigger, the makers of Burp Suite. He’s best-known for pioneering novel web attack techniques, and publishing them at major conferences like DEF CON and Black Hat USA, at which he’s presented for eight consecutive years. His most impactful research is HTTP Desync Attacks, which popularised HTTP Request Smuggling. Other popular attack techniques that can be traced back to his research include web cache poisoning, the single-packet attack, server-side template injection, and password reset poisoning.
He also loves exploring innovative tool concepts for security professionals, many of which have since become industry standard. Examples include introducing OAST via Burp Collaborator, bulk parameter discovery via Param Miner, billion-request attacks with Turbo Intruder, and human-style scanning with Backslash Powered Scanner. He’s also the designer behind many of the topics and labs that make up the Web Security Academy.
11:05 – 11:55
Windows offers drivers the ability to subscribe to a kernel callback that notifies about DLL image load operations. Many security products use this callback to initiate scanning of the loaded file for viruses or enforce custom security and code integrity policies on their processes. But how reliable is this approach? After all, this feature lies at the intersection of two complex subsystems: I/O and memory management. In this talk, we’ll explore the assumptions that the OS and drivers make when using image load callbacks and present a handful of attack vectors that an unprivileged caller can employ to violate various guarantees and fake returned information. There will be edge cases, filesystem magic, obscure APIs, and real-life examples of how these attacks used to work against the driver-enforced protections in System Informer. Finally, we will discuss how driver developers can harden their code to mitigate against these issues and why these are “technically not vulnerabilities” in Windows’s design.
I work as a Security Researcher at Hunt & Hackett, specializing in Windows internals. I do user-mode system programming (C for sharing code; Delphi for personal projects), fluently speak Native API, write technical blog posts and occasional documentation, and have fun breaking assumptions (from low privileges, of course!) made by security products. And then slowly figuring out how to fix them…
11:55 – 12:45
Bloatware. We all hate it, and most of us are good at avoiding it. But some vendor tools – especially those managing critical drivers – can be useful when the Windows Update versions aren’t good enough for performance-critical computing.
What started as a routine driver update took a sharp turn when I confirmed a reboot modal… from my browser. Wait, my browser shouldn’t be able to do that!? To my disappointment (and maybe some surprise), it turned out to be arbitrary code execution – right from the browser. This kicked off a week-long deep dive, uncovering seven CVEs in seven days across several prominent vendors, all exploiting a common pattern: privileged services managing software on Windows with little regard for security.
In this talk, I’ll walk through the journey of discovery and exploitation of several vulnerabilities that lead to LPE/RCE. I’ll cover everything from the initial attack surface discovery, reverse engineering and finally exploitation of several vulnerabilities. By the end, participants will probably be uninstalling similar software mid-session. While the exploitation journey is fun and impactful, these are not the software bugs we should have in 2025. In fact, we have everything we need to do better.
With over two decades in IT – 15 years focused on cybersecurity – Leon is the CTO of Orange Cyberdefense’s SensePost Team. His career has taken him from a Tier 1 ISP, a private investment bank and now into full-time consulting, giving him a broad, real-world view of security challenges across industries. Today, Leon spends his time researching and hacking everything from enterprise networks to web and mobile applications. Passionate about building and innovating, he’s a regular contributor to the InfoSec community, sharing tools, insights, and lessons learned to help push the field forward.
12:45 – 14:45
We believe that a long lunch break will give you the opportunity to recharge your batteries in preparation for the afternoon sessions, meet friends, and get to know our sponsors and your prospects without rushing.
IMPORTANT: It is possible to have lunch at the bar located inside the venue or at one of the many bars, fast food places and restaurants located outside. If you go outside, we recommend reserving in advance.
14:45 – 15:35
The proliferation of new Top-Level Domains (TLDs) has sparked security concerns primarily around phishing and social engineering attacks. However, the emergence of these new TLDs has also broadened the attack surface, making it easier for threat actors to exploit other domain-related vulnerabilities.
Our research revisits a critical yet underexamined issue: the resurgence of internal domain name collisions. Once considered a legacy risk, domain name collisions have reemerged thanks to the introduction of over 1,200 new TLDs over the past decade.
Philippe has over 25 years of experience in Information Security. Prior to founding Seralys in 2012, Philippe was a Senior Manager within the Information & Technology Risk practice at Deloitte Luxembourg where he led a team in charge of Security & Privacy engagements. Prior to Deloitte, Philippe held several roles within the information system security department of a global pharmaceutical company in London. While working with a heterogeneous network of over 100,000 users across the world and strict regulatory requirements, Philippe gained hands-on experience with various security technologies (VPN, Network and Application Firewalls, IDS, IPS, Host Intrusion Prevention, etc.).
15:35 – 16:25
This research was a joint effort by three people: Shang-De “John” Jiang, Kazma Ye, and Echo Lee.
Modern Single Sign-On (SSO) should offer security and simplicity—but Microsoft’s Intune implementation on macOS fails to securely validate the caller’s identity, exposing Primary Refresh Token Cookie to theft by user-level attackers.
This talk breaks down the full trust chain behind Intune’s macOS SSO flow—from BrowserCore to Apple’s AppSSOAgent—and shows how weak identity checks can be bypassed using a spoofed, signed Swift app. By impersonating trusted browsers, attackers can trigger SSO token flows and extract valid PRT cookies. Our findings expose subtle flaws in how trust is enforced across processes and code signatures.
Another obstacle for attackers has been Microsoft’s efforts to make it more difficult to register new devices using stolen credentials for persistence. Our research introduces a trick: once an attacker acquires a token with an MFA claim on the device, they can still register new devices and generate new tokens without concern for the original stolen token’s expiration.
We will demonstrate PRT Cookie extraction on macOS, showing how credential theft techniques have expanded from Windows to macOS environments and how attackers can use these methods to maintain long-term persistence.
Shang-De “John” Jiang is a deputy director of the research team at CyCraft. Currently, he focuses on research on Incident Response, Endpoint Security and Microsoft Security. He has given technical presentations at non-academic technical conferences such as DEF CON, TROOPERS, HITB, HITCON, CodeBlue, Blue Team Summit and Black Hat USA. He is the co-founder of UCCU Hacker, a private hacker group in Taiwan.
Twitter: @SecurityThunder
LinkedIn URL: https://www.linkedin.com/in/johnthunder
Kazma Ye is a cybersecurity researcher of CyCraft. His current work focuses on how Microsoft Entra ID integrates and behaves on macOS, diving deep into binary internals and real-world authentication logic. He’s also a CTF player with the B33F 50UP team, with a passion for reverse engineering and binary exploitation. He has presented at industry conferences, including TROOPERS and DEF CON.
Twitter Username: @kazma_tw
LinkedIn URL: https://www.linkedin.com/in/kazmatw/
16:25 – 17:15
Hybrid identities make administration easier and improve the user experience when using cloud services. However, connecting the on-premises environment to the cloud makes identities prone to legacy attacks, enabling threat actors to move laterally from on-premises to cloud. Most of these attacks can be mitigated by carefully securing on-premises assets and properly configuring Entra ID. While there are many built-in mitigation options, they are not well known.
Dr Nestori Syynimaa is a Principal Identity Security Researcher at Microsoft Threat Intelligence Center. He has over a decade of experience with the security of Microsoft cloud services and is known as the creator of the AADInternals toolkit. Before joining Microsoft in early 2024, Dr Syynimaa worked as a researcher, CIO, consultant, trainer, and university lecturer for over 20 years.
Dr Syynimaa has spoken at many international scientific and professional conferences, including IEEE TrustCom, Black Hat USA, Europe, and Asia, DEF CON, RSA Conference, and TROOPERS.
17:15 – 18:05
Delegated Managed Service Account (dMSA) is a new type of account introduced in Windows Server 2025 to improve domain security in Active Directory. That didn’t go so well—at least initially.
In this talk, we’ll dig deep into dMSA: how they work, how we found a vulnerability (CVE-2025-53779), and how we developed BadSuccessor—a technique that abuses that vulnerability—to escalate privileges and compromise the domain.
Microsoft has since patched the vulnerability. We’ll explain what the patch did and why attackers and defenders should still care about BadSuccessor even after the fix.
We’ll demonstrate that, pre-patch, a common, seemingly benign permission in Active Directory allowed an attacker to trick a Domain Controller into issuing a Kerberos ticket with the effective privileges of any principal—including Domain Admins and Domain Controllers—even in domains that never deployed dMSAs. Then we’ll take it a step further, showing how the same mechanism enabled attackers to obtain the NTLM hash of every user in the domain—without ever touching the domain controller.
We’ll close with the post-patch landscape and practical detection and mitigation guidance you can apply immediately.
Yuval Gordon is a Security Researcher at Akamai Technologies, specializing in Active Directory security, identity-based attacks, and protocol research.
Yuval started his career in security operations, incident response, and detection engineering before moving into security research with a focus on AD internals, OT environments and offensive security. His recent work includes uncovering design flaws and logic abuses.
Yuval occasionally dabbles in malware analysis and reverse engineering, and enjoys sharing insights from both attacker and defender perspectives.
18:05 – 18:15
Starting at 19:00
RomHack is made with 🤍 by Cyber Saiyan
Support us by making a donation or becoming a member
Cyber Saiyan Ente del Terzo Settore – C.F. (FC) 97958200582 – VAT 14669161003