2026-05-07, Workshops and Stage - Design Space (C1.05.12)
The talk will cover common techniques to upload client-side logs to AWS S3 buckets, integrations with third-party database services like Supabase, and server technologies commonly used for financial data processing, all of which result in leaked API keys when misconfigured. Three distinct vulnerabilities will be demonstrated, each showcasing a different variation of the core anti-pattern in a different context. Attendees can expect to receive a structured framework for understanding how these flaws manifest across different technologies. The session will conclude with a comprehensive discussion of targeted fixes that address the root causes of the anti-pattern. It will move beyond surface-level patches to implement architectural solutions that prevent entire classes of similar vulnerabilities. These remediation strategies will include both immediate tactical fixes and longer-term architectural improvements that strengthen overall system security posture.
Aleksa is a passionate security engineer, software developer, and aspiring open sorcerer. He enjoys writing and publishing software that provides elegant solutions to offensive security problems. He has contributed to multiple projects, including Metasploit. In April of 2022, Aleksa graduated from the University of Toronto with a bachelor’s degree in computer science and a Certificate of Ethical Hacking (CEHv10). He began working as a Cloud Security consultant and hacker. He also began attending Defcon as an attendee and a volunteer for the Blue Team Village (BTV). One of Aleksa’s fondest cybersecurity memories is playing the Pros Versus Joes CTF during BSides Las Vegas. By April 2024, Aleksa had obtained his OSCP and begun working as a security engineer at Praetorian. He is currently pursuing his OSCE3. He enjoys Brazilian Jiu-Jitsu, running long distances, and reading in his free time. He currently holds a blue belt in Brazilian Jiu-Jitsu. The book Mastery by Robert Greene is a big inspiration for Aleksa.