Venue: Hall G1 (Level -2)
Friday, June 26
 

10:30am CEST

DOMination - Abusing the Permission Model in Web Extensions
Friday June 26, 2026 10:30am - 11:15am CEST
People in your organization might have a living-breathing backdoor right now, and you don’t even know it.

EDR wouldn’t catch it - not because it employs a zero-day, but because it behaves harmlessly. It might be a malicious extension that wasn’t flagged yet that has excessive permissions, it might be an NPM package that reads .env files and sends them to a remote server, and it might be an Android application tracking your location.

During our research we detected two seemingly innocent Chrome extensions that add a sidebar with AI capabilities over any website, with a total of 900,000+ users. These extensions had a backdoor that exfiltrated both your browser history and your ChatGPT & DeepSeek conversations - none of them were flagged by anti-malware and EDR tools.

These extensions, together with almost any add-on, NPM package, or application you have installed, have broad permissions, giving them the ability to execute code, read files, and basically do anything on your machine.

During our presentation we will present how we dissect a malicious Chrome extension, the techniques that it uses to avoid detection and how it reads and exfiltrates data. We’ll also show how actors think, from cloning legitimate extensions, adding their malicious code and bypassing store reviews in order to publish their malicious extensions into the official Chrome Web Store.

We will present how the permissions model works in different platforms, including the Chrome Web Store, the Android Play Store, and IDE marketplaces - allowing different malware on different platforms to perform bad activities.

Lastly, we will give our insights about how to best protect your personal browser at home and in your organization, to help you reduce the possibility of being infected by malware from official marketplaces. We’ll also discuss what a good permission model should look like, and what companies can do to return the power to the users over their private information in order to protect them from extensions and applications reading their data unknowingly.
Speakers

Moshe Siman Tov Bustan

Security Research Team Leader, OX Security

Moshe is a Security Research Team Lead at OX Security, a company specializing in software supply chain security, and has worked in the security industry for 13 years. His work spans cloud security research, container security, memory forensics, and an in-depth understanding of programming...

Nir Zadok

OX Security

Nir Zadok is a rocket scientist who got a bit bored, so he moved to cybersecurity. Since then, as a Whitehat, he has managed to break dozens of mobile, web, and desktop applications. These days Nir is focused on software supply chain and innovative attack vector research via widely...

11:30am CEST

Q-Day is Cancelled: Practical Strategies to Defeat 'Harvest Now, Decrypt Later'
Friday June 26, 2026 11:30am - 12:15pm CEST
The arrival of cryptographically relevant quantum computers (CRQC) is no longer a theoretical "if"—it is a question of "when." With the "Harvest Now, Decrypt Later" (HNDL) attack vector, adversaries are already stockpiling encrypted traffic today to decrypt it once quantum capability matures. In August 2024, NIST officially finalized the first set of Post-Quantum Cryptography (PQC) standards (FIPS 203, 204, and 205), marking the starting gun for the greatest cryptographic migration in history.

This session moves beyond the math of lattices and isogenies to focus on the immediate engineering reality. We will dissect the current state of PQC adoption across major tech giants and nation-states, analyzing how entities like Cloudflare, Google, and the US Federal Government are operationalizing these new algorithms. We will provide a technical primer on the finalized standards—ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+)—and expose the hidden performance pitfalls and "gotchas" in implementation.

Attendees will leave with a combat-tested roadmap for enterprise PQC migration. We will cover how to conduct a cryptographic inventory (discovery), the necessity of "hybrid" key exchange (mixing X25519 with Kyber), and how security teams can upskill rapidly. This talk bridges the gap between theoretical cryptography and the practical defense required to secure infrastructure against the quantum threat looming on the horizon.
Speakers

Anshu Gupta

Founder, Fixin Security

Anshu Gupta is a hands-on security professional with Fortune 500 security consulting experience at Ernst & Young and KPMG where he worked at companies like Microsoft, Salesforce, Oracle, Cisco, McAfee, Adobe, Yahoo, GAP, Kaiser among others. Based on advice from his mentors, he then...

1:15pm CEST

The OG OWASP Top 10 Might Be Back Thanks to Agentic Browsers
Friday June 26, 2026 1:15pm - 2:00pm CEST
Agentic browsers are quickly becoming one of the most powerful—yet dangerous—applications of agentic AI. By combining web navigation, content interpretation, and direct action taking, they act as a universal gateway to almost any service or application on the internet.

That power quietly reintroduces web security risks many teams assumed were behind us. Agentic browsers read and react to untrusted web content, follow instructions embedded in pages, images, and hidden text, and then execute actions inside real sessions.

The result is that classic web attack patterns made popular 20+ years ago when the first OWASP Top 10 was introduced may be back.

Things like injection manipulations, cross-site scripting payload delivery, CSRF-style action abuse, broken access control, and cross-origin boundary failures—now executed by autonomous agents instead of users.

This talk examines why current agentic browser designs break core web security assumptions around origins, cookies, and session boundaries, and why common mitigations such as human-in-the-loop controls introduce friction and fatigue without solving the underlying problem. We'll argue that unrestricted multi-site agents are fundamentally unsafe, and share better approaches based on domain-scoped agents, strict isolation, and secure multi-agent orchestration.
Speakers

Lidan Hazout

CTO and Co-Founder, Capsule Security

Lidan has been programming since childhood, driven by a deep passion for data and AI. He previously served as VP of R&D at SecuredTouch, where he helped pioneer behavioral biometrics. Following the company’s acquisition by Ping Identity, the technology he led became a core component...

Bar Kaduri

Head of Research, Capsule Security

Bar Kaduri is a cybersecurity researcher, leader, and international speaker with over 14 years of experience in cloud security, software supply-chain risk, and emerging AI threats. With hands-on expertise in evaluating and stress-testing AI systems, Bar focuses on building practical...

2:15pm CEST

How to (Not) Isolate Untrusted Code in Scripting Languages
Friday June 26, 2026 2:15pm - 3:00pm CEST
The need to isolate untrusted code or user-provided expressions is ubiquitous, even in backend systems, and there are many misconceptions around this practice. Workflow automation platforms allow users to provide complex constraints evaluated on the server, AI agents must securely execute synthesized code, and reused untrusted UI components might render on the server side. In practice, many developers gravitate toward lightweight eval-based shortcuts instead of robust isolation primitives like OS-level or runtime-based sandboxing, often unaware of the security pitfalls. These dangerous language features are still very prevalent across OSS ecosystems and they are the culprit of many recent vulnerabilities. While there exist legitimate use cases for eval-like APIs, developers continue to abuse them when attempting to isolate the execution of untrusted code, despite years of warnings from the security and programming language communities. If you really need to use these features, this talk can help you understand what can go wrong and how to mitigate these risks.

I will first motivate the need for lightweight, language-based isolation in scripting languages and highlight the fundamental challenges in this space, grounding the empirical work in several top-tier academic publications I co-authored on the topic. I will then present four misconceptions around language-based sandboxing, underlying more than 20 zero-day vulnerabilities I discovered in the past six months in popular projects across JavaScript and Python, revealing fundamental flaws in isolation approaches. We will examine why built-in isolation primitives like Node.js's vm module and Python's Pysandbox fail to provide adequate security, and explore the real-world consequences through case studies involving major platforms. The talk will then shift to practical solutions, covering best practices and emerging isolation features, including the permission model in modern runtimes like Deno. Attendees will gain a deeper understanding of the isolation landscape and leave with actionable guidance on how to safely handle untrusted code execution in their applications. While this talk is not an endorsement for using eval-like features in scripting languages, it is a guide about the things that work in practice and about the ones that fail spectacularly in production.
Speakers

Cristian-Alexandru Staicu

Senior Security Researcher, Endor Labs

Cristian-Alexandru Staicu is a senior security researcher at Endor Labs and an expert on software supply chain security, with more than ten years of experience at the highest level in both academia and industry. His work has been published in top-tier academic venues on cybersecurity...

3:30pm CEST

The TPM and You - How (and why) to actually make use of your TPM
Friday June 26, 2026 3:30pm - 4:15pm CEST
There is a common saying that "every problem in cryptography can be reduced to a key management problem". OWASP's Cheat Sheet series even has a whole document dedicated to "Cryptographic Storage". What if we could make life easier for us in this area?

TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with "free" hardware that can be used for all kinds of cryptography.
They are already widely in use by most operating systems and firmware, but haven't really found use in userspace applications yet.

This talk explains why this is the case and how to change it. We are going to discuss the capabilities of a TPM and demonstrate them live with a sample application, a TOTP client which stores its secrets securely.
Speakers

Mathias Tausig

Senior Security Consultant, SBA Research

* Graduated in mathematics
* Holistic perspective on computers: former developer, sysadmin, security officer, university teacher and even computer salesman
* Now a security consultant specializing in application security
* Open source lover
* Chapter Lead from OWASP Vienna sba-...