BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//hack-lu-2025//speaker//CXDSFQ
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-hack-lu-2025-R8FMHK@pretalx.com
DTSTART;TZID=CET:20251023T093000
DTEND;TZID=CET:20251023T100000
DESCRIPTION:There is a widespread belief that services that are only
  bound to localhost are not accessible from the outside world.
  Developers\, for convenience’s sake\, will run services they are
  developing configured in a less secure way compared to how they
  would (hopefully!) do in higher environments.\nBy compromising
  websites developers use\, just injecting JS into adverts served on
  those sites\, or just a phishing attack that gets the developer to
  open a web browser on a compromised page\, it is possible to reach
  out via non-pre-flighted HTTP requests to those services bound to
  localhost\, by exploiting common misconfigurations in Spring\, or
  known vulnerabilities found by myself and others. I’ll demonstrate
  during the talk that it is possible to generate an RCE on the
  developer’s machine or other services on their private network.\nAs
  developers have write access to codebases\, AWS keys\, server creds
  etc.\, access to the developer’s machine gives an attacker a great
  deal of scope to pivot to other resources on the network\, modify
  or just steal the codebase.
DTSTAMP:20260618T104349Z
LOCATION:Europe
SUMMARY:Attacking The Developer Environment Through Drive-by Localhost Atta
 cks - Joseph Beeton
URL:https://pretalx.com/hack-lu-2025/talk/R8FMHK/
END:VEVENT
END:VCALENDAR
