BSides Cape Town 2024

login

Rohan Dayaram
.ical

🔐 Software Developer and Security Professional, merging development expertise with offensive security skills. Transforming a childhood passion for Arduino tinkering into a career in tech innovation and application security.

💻 Technical Portfolio:
Full-stack development focusing on secure, scalable solutions
Extensive experience in Python, C++, C#, and Pascal
Web application security and exploitation specialist
Active CTF competitor and security researcher

🛠️ Beyond The Code:
Maker and hardware enthusiast: 3D printing, Fusion 360 design
Electronics and microcontroller projects
Automation engineering and IoT solutions

Started by copy-pasting Arduino code at age 12, evolved into architecting secure applications and hunting vulnerabilities. This journey from curious tinkerer to security-focused developer shapes my approach to every project: hands-on, creative, and security-first.
Currently, securing applications at Whirly Labs while pursuing continuous learning in emerging technologies. Always eager to collaborate on projects that push technical boundaries.

The speaker’s profile picture
What is your LinkedIn profile URL?

https://www.linkedin.com/in/rohan-dayaram-704131236?utm_source=share&utm_campaign=share_via&utm_content=profile&utm_medium=android_app

 What is your blog or portfolio URL?

https://rohandayaram.co.za/

Session

12-07
15:05
45min
Attacking Pipelines: Large Scale Exploitation of Workflow Files
David Baker Effendi, Rohan Dayaram

In this talk, we present a tool designed to perform large-scale scanning of GitHub repositories to identify potential expression injection vulnerabilities within their workflow files. Our system efficiently scrapes repositories, concurrently pulling and analysing workflow configurations for insecure patterns. Through this mining process, we have discovered that expression injection vulnerabilities are surprisingly prevalent, even among popular projects, and often go unnoticed. We have reached out to affected vendors for remediation and hypothesis this prevalence attributed to a lack of in detection mechanisms and key documentation on GitHub’s end. Additionally, we found that even when vulnerabilities are patched, they can be easily reintroduced by interpolating sanitised values. Our findings underscore the need for better tooling and awareness around securing GitHub workflows. Finally, we make our tool available to open-source for both blue and red team security researchers to benefit from.

Track 2