Vanguard Security & Compliance

Speaking Session

Keynote

What a long and weird journey it has been. Come learn about the short history of the last 10 years of mainframe hacking pen testing, the advances in research and how a rag-tag group of like-minded individuals are working together to make mainframe security testing more open and available than ever before.

A brilliant mind recently discovered that what was once thought impossible is now possible. For decades the myth in this community was that they weren’t susceptible to buffer overflows, therefore making them safer than their Linux/Windows counterparts. 

Well, it turns out that’s not true. This talk will walk through how this was discovered, how to hunt for overflows, especially in APF authorized libraries, and how to exploit them using HLASM and the IBM assembler to make the shellcode for us.  

This is an exciting discovery in the mainframe hacker community and we can’t wait to share it with you. Attendees will also be given a docker container where they can learn how to write mainframe buffer overflows. 

In early 2023 a new mainframe attack tool was discussed: hack3270. The creators of this tool spoke about it but did not release it. Then in mid 2023 it was released as an opensource tool. This tool was designed (with support from the speaker) to ease and accelerate the testing of CICS applications, specifically targeting TN 3270 weaknesses and common CICS application pitfalls.

Attendees will learn some of the common security weaknesses we find in CICS applications, how we can target those weaknesses and how to automate some of their testing. Specifically, this talk will walk through various transactions in the Damn Vulnerable CICS Application (freely available as an open-source CICS application) using the hack3270 tool, demonstrating the types of attacks used during penetration testing. The presentation will also go over some of the code that leads to these weaknesses and how they can be prevented.

Come witness the bleeding edge of application security research.

Over the years, mainframe developers have seen fit to make almost everything a web app. From Abend Aid to z/OSMF, there’s no avoiding web apps on your mainframe. Even internally as companies modernize their mainframe, they’re opening up web APIs and web pages for other systems to consume. With the growing presence of web applications on mainframes comes new risks. Unfortunately the threats that exist for these web-based environments may be lurking in the shadows of the unexamined mainframe. 

The purpose of this talk is to walk through some examples of vulnerable web applications, exploring well-established approaches to web application penetration testing methodology, covering several of the most frequently seen vulnerabilities, and how these vulnerabilities can potentially lead to a compromise of your z/OS environment. Vulnerabilities covered in this talk will be based on OWASP top 10 vulnerabilities but with a z/OS twist.