BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//bsides-canberra-2025//speaker//7PBAML
BEGIN:VTIMEZONE
TZID:AEST
BEGIN:STANDARD
DTSTART:20000326T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3;UNTIL=20050326T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20060402T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060401T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20070325T040000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=3;UNTIL=20070324T170000Z
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:STANDARD
DTSTART:20080406T040000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4
TZNAME:AEST
TZOFFSETFROM:+1100
TZOFFSETTO:+1000
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000827T030000
RRULE:FREQ=YEARLY;BYDAY=4SU;BYMONTH=8;UNTIL=20000826T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20011028T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20071027T170000Z
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
BEGIN:DAYLIGHT
DTSTART:20081005T030000
RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=10
TZNAME:AEDT
TZOFFSETFROM:+1000
TZOFFSETTO:+1100
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-bsides-canberra-2025-MEXLVK@pretalx.com
DTSTART;TZID=AEST:20250927T113000
DTEND;TZID=AEST:20250927T122500
DESCRIPTION:Insomnia by Kong is a popular API client\, especially among dev
 elopers and security testers. Marcio and Justin discovered a critical temp
 late injection vulnerability (CVE-2025-1087) in Insomnia\, exposing users 
 to remote command execution with just a couple of requests to a malicious 
 HTTP server.\n\nThey will walk you through the story of how they stumbled 
 upon the initial "weird behaviour" during a routine API penetration test\,
  examine Insomnia's templating implementation\, dive into exotic Nunjucks 
 template injection\, dissect their exploitation strategy\, and show you ho
 w they bypassed several attempted patches by the vendor. They'll close wit
 h some thoughts on the disclosure and patching experience\, discuss the fr
 agility of quick-fix sanitisation-based mitigations\, explore the challeng
 es of bug triage in the real world\, and consider how decisions made durin
 g software development can lead to trouble down the road.
DTSTAMP:20260603T234325Z
LOCATION:Main Track
SUMMARY:Sleepless Strings - Template Injection in Insomnia - Marcio Almeida
 \, Justin Steven
URL:https://pretalx.com/bsides-canberra-2025/talk/MEXLVK/
END:VEVENT
END:VCALENDAR
