BSidesLuxembourg 2026

Aleksa Zatezalo

Aleksa is a passionate security engineer, software developer, and aspiring open sorcerer. He enjoys writing and publishing software that provides elegant solutions to offensive security problems. He has contributed to multiple projects, including Metasploit. In April of 2022, Aleksa graduated from the University of Toronto with a bachelor’s degree in computer science and a Certificate of Ethical Hacking (CEHv10). He began working as a Cloud Security consultant and hacker. He also began attending Defcon as an attendee and a volunteer for the Blue Team Village (BTV). One of Aleksa’s fondest cybersecurity memories is playing the Pros Versus Joes CTF during BSides Las Vegas. By April 2024, Aleksa had obtained his OSCP and begun working as a security engineer at Praetorian. He is currently pursuing his OSCE3. He enjoys Brazilian Jiu-Jitsu, running long distances, and reading in his free time. He currently holds a blue belt in Brazilian Jiu-Jitsu. The book Mastery by Robert Greene is a big inspiration for Aleksa.


Sessions

05-07
13:30
40min
What's Old is New: Exploiting Classic Vulnerabilities in GraphQL APIs
Aleksa Zatezalo

SQL injection and broken authentication remain persistent threats in modern web applications, yet many developers continue to assume that new technologies are immune to classic attacks. This presentation examines a real-world penetration test in which we discovered critical SQL injection and authentication bypass vulnerabilities in a production GraphQL API backed by PostgreSQL, proving that architectural shifts don't eliminate fundamental security flaws.

Secure Development track
Workshops and Stage - Gernsback (C1.05.02)
05-07
15:40
40min
Leaky API Keys, Log Tampering, and Account Takeover
Aleksa Zatezalo

The talk will cover common patterns for uploading client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which leak API keys when misconfigured. Three distinct vulnerabilities will be demonstrated, each showcasing a different variation of the core anti-pattern in a different context. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern, moving beyond surface-level patches to architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.

Cloud track
Workshops and Stage - Design Space (C1.05.12)