Level: Technical
Abstract:
There are a number of well-known classes of vulnerabilities that an enterprising hacker or penetration tester wants to uncover in an application. Some of those issues are harder to detect or exploit because of well-implemented browser security mechanisms or because of various improvements in web application frameworks that hide the potentially dangerous methods from the developers. In addition to the points outlined above, the collective awareness about common security issues, vulnerabilities and potential weaknesses has been raised, making discovery of potential issues more difficult, especially in hard, well-audited targets.
In such cases, instead of subverting the code flow, an attacker might try to subvert the application's logic or, even better, manipulate the business process that the application supports. This class of vulnerabilities is commonly referred to as business logic vulnerabilities, and when discovered in the wild and reported, all specific and different nuanced cases of vulnerabilities are usually thrown into the bucket labeled “business logic” vulnerabilities. But when we review such issues, we can see that each case is unique.
This talk will present the result of a research study where the author manually reviewed about 300 publicly disclosed vulnerability reports and tried to classify and cluster discovered vulnerabilities into a few categories that can be used to detect business logic issues in applications. So let’s take a ride through some real-life cases and examples on how to manipulate calculation, assumptions, processes, branching, logical and time-based TOCTOU and other fun cases on how to break an application.
Bio:
Tonimir Kisasondi is a co-founder at Apatura, a boutique security consultancy from Varazdin, Croatia. His professional and research area of interest is application security, cryptography and embedded security.
Talk: Hunting for logic bugs (Tonimir Kisasondi)
Level: Technical
Abstract:
In this talk, we will explore a bug in Windows 11 which can be abused for phishing purposes. We will talk about our process in finding and analyzing the vulnerability, as well as show you how Microsoft fixed it, while further exploring the viability of the technique today.
Bio:
- Len Sadowski – Student | IT Security Researcher (seeking a job)
- Oğuz Bektaş – (Freelance) IT Security Researcher / Red Teamer – Interested in exploits, malware, all that good stuff.
Talk: CVE-2025-59284: How reading a gnu manpage led to a Windows NetNTLM phishing exploit (Len Sadowski & Oğuz Bektaş)
Level: Technical
Abstract:
Discover the world of encrypted DNS protocols – DoH, DoT, DoQ, and DNSCrypt – and why they matter for safeguarding your online privacy against eavesdroppers and censors.
The session explores the core concepts of DNS encryption, starting with a comparison of popular protocols like DNS over HTTPS (DoH), DNS over TLS (DoT), and DNS over QUIC (DoQ). These methods secure DNS queries from interception, but each has trade-offs in speed, compatibility, and deployment.
After DNS encryption, anonymized DNS will be presented, with ODoH and DNSCrypt as the two main actors in this area.
Attention then shifts to DNSCrypt, the protocol that stands out with its unique blend of authentication, encryption, and short-term key rotation for enhanced anonymity. Learn practical setup tips, real-world use cases, and why it often outperforms others in privacy-focused scenarios.
There will also be a mention of modns, a PoC fork of DNSCrypt that aims to extend anonymization by adding support for multiple relays in the DNS query chain.
Lastly, the session explains how encrypted DNS can pose a threat in business environments, or generally in the wrong hands or with bad actors.
Bio:
Nikola Garafolic aka nix is a Linux enthusiast and self-hosting advocate who thrives on building homelab projects and exploring emerging tech trends. Comfortable with IPv6 and passionate about creating practical solutions from the ground up.
Talk: Quiet Revolution of DNS Privacy – DNSCrypt vs The World (Nikola Garafolic)
Level: Zero tech
Abstract:
I intend to present my journey as a Penetration Tester, trying to inspire and motivate youngsters to follow this path.
Bio:
Razvan Ionescu is Head of Offensive Security Services at Pentest-Tools.com. He has spent the last decade+ deep in the world of ethical hacking and application security, breaking into complex systems so teams can build and ship software that’s actually secure.
His work focuses on uncovering business-impacting vulnerabilities in web apps, APIs, and AI-powered systems — especially the logic flaws, privilege issues, and hidden assumptions that tools rarely catch.
He is also GSE-certified (#298), one of the few security professionals globally to earn the GIAC Security Expert certification. For him, it’s less about the badge and more about the path to get there: years of hands-on testing, real-world problem-solving, and a constant desire to understand how things fail.
At Pentest-Tools.com, he leads offensive security engagements across industries. His goal is simple: turn complex technical findings into clear, practical guidance that developers and security teams can use immediately. Whether it’s bypassing access controls or chaining business logic flaws across AI-driven workflows, he enjoys the process of breaking things apart and helping others put them back together, stronger.
Talk: Cracking the Code: My Path to Becoming a Penetration Tester (Razvan Ionescu)
Level: Technical
Abstract:
Imagine a development pipeline where code writes itself, tests itself, and deploys itself—all before you finish your morning coffee. This is the promise of agentic IDEs and agent-driven development. But for security professionals, it’s a potential nightmare. When an LLM generates thousands of lines of code in minutes, human review cycles become the bottleneck, and the uncertainty of the output becomes the primary risk.
Traditional SDLC security is built for human velocity; it breaks under AI velocity. This session dissects the collision of AI agents and application security. We will move beyond the hype to dissect real-world implementations: where AI-native development shines, where it fails, and where it introduces terrifying new risks.
We will contrast the old world with the new, exploring the dual nature of AI-native coding: the massive productivity gains versus the anxiety of deploying code generated by a probabilistic engine. We will discuss how to build new verification layers and processes that don’t just “review” code, but validate it at the speed of the agent.
Join us to learn how to build security guardrails capable of handling high-velocity uncertainty, ensuring that the agent doesn’t just ship code faster, but ships it safely.
Bio:
Jozsef Ottucsak is a seasoned Product Security Architect with over a decade of experience in secure software development lifecycle (SDLC) initiatives for on-premise, hybrid, and cloud-native applications.
Currently serving as a Staff Product Security Architect at Diligent, he specializes in enabling developers to build secure products by establishing security requirements, designing secure-by-design processes, and providing technical guidance.
Talk: Securing the AI-Native Software Development Lifecycle (Jozsef Ottucsak)