Venue: Hall G1 (Level -2)
Thursday, June 25
 

10:30am CEST

Builders & Breakers Part II: Securing Agentic AI After the Death of LLM Wrappers
Thursday June 25, 2026 10:30am - 11:15am CEST
Last year at OWASP Global AppSec Barcelona, we showed how to break and defend LLM-integrated apps: (indirect) prompt injection, jailbreaks, data poisoning. And what practical controls actually worked in production. But the game has changed.

This follow-up talk picks up where we left off, focusing on the next generation of LLM-driven systems: agentic AI and protocols such as MCP (Model Context Protocol) and A2A (Agent2Agent). These systems combine LLMs with tools, memory, plugins, APIs, and planning loops, making them far more powerful, and also far more fragile.

We’ll walk through how this new architecture has shifted the attack surface, and why last year’s defences (input validation, injection prevention) don’t hold up anymore. Expect real-world attack paths: memory poisoning, tool misuse, and agent goal hijacking. Then we’ll show you what works: “Zero Trust”-style isolation, sandboxing tool execution, runtime plan validation, and defence patterns that are actually deployable.

This is not a theoretical talk. It’s a two-speaker format - builder and breaker - based on real-world incidents, internal and external red teaming, and live demos. If you’re building, securing, or reviewing AI-driven systems that do more than just chat, this is the session to see what’s coming and how to stay ahead.
Speakers

Javan Rasokat

Senior Application Security Specialist, Sage

Javan is a DevOps Security Specialist at Sage, where he joined six years ago to lead Product Security for Central Europe and now supports products globally, contributing to the standardisation of security controls. He discovered his passion for security early in his career while identifying...

Rico Komenda

Senior Security Consultant

Rico is a senior product security engineer. His main security areas are in application security, cloud security, offensive security and AI security.

For him, general security intelligence in various aspects is a top priority. Today’s security world is constantly changing and you...

11:30am CEST

The OWASP Top Ten 2025
Thursday June 25, 2026 11:30am - 12:15pm CEST
The OWASP Top Ten has been one of the most influential resources in application security for more than two decades — shaping training, security programs, and procurement decisions around the world. In this session, we’ll unveil the newest edition of the OWASP Top Ten Critical Risks to Web Applications, explain how it was built through community input and real-world data, and show what these changes mean for you.

We will cover all ten risks, focusing more time on the new and expanded items, as well as covering 3 ‘honourable mentions’ (#11, #12, and one that we do not have data to support). We’ll wrap up with practical guidance on how to use the Top Ten in your own programs (not as a compliance checklist, but as a strategic awareness tool).

Whether you’re an application security engineer, developer, or in management, this is your chance to get ahead of the curve and help shape the conversation: the writing is open for comment, and your feedback will make a difference.
Speakers

Tanya Janca

Security Trainer and Founder, She Hacks Purple & DevSec Station
Tanya Janca, known online as SheHacksPurple, is the best-selling author of Alice and Bob Learn Secure Coding and Alice and Bob Learn Application Security. She is the founder of DevSec Station, a modern learning platform and community built to help software developers master secure...

Torsten Gigler

Internal IT Security Advisor, OWASP Volunteer

Torsten Gigler has been an Internal IT Security Advisor in a large-scale enterprise for more than 25 years (application and ICT infrastructure security). He has been volunteering for OWASP for more than 13 years; among other things, Torsten has been
* co-lead of the OWASP Top 10 project since 2017...

1:15pm CEST

Retiring CVE Chasing: Defending Against Application Exploit Techniques
Thursday June 25, 2026 1:15pm - 2:00pm CEST
Vulnerability scanners are everywhere. CVE databases are growing exponentially. Yet vulnerability exploitation has surpassed phishing as the leading initial access vector. What's going wrong?

The problem isn’t a lack of vulnerability data – it’s that defenders are solving last year’s problems. While teams drown in CVE backlogs, attackers use AI to rapidly weaponize exploit techniques that work across vulnerability classes. OS command injection, deserialization, and path traversal aren't just individual CVEs – they're attack patterns that persist regardless of patch status.

This session introduces the Application Attack Matrix, the first comprehensive, community-driven framework mapping tactics, techniques, and procedures used against modern applications. Built by contributors from Mandiant, Microsoft, AWS, and Meta, it does for application security what MITRE ATT&CK did for enterprise defense.

You’ll learn how to shift from reactive CVE remediation to proactive technique-based defense, understand which exploit patterns dominate real-world attacks, and prioritize security controls that protect against entire attack classes, not just individual CVEs.
Speakers

Idan Elor

Field CTO, Oligo Security

Idan Elor is Field CTO at Oligo Security, where he partners with large enterprises to solve complex application and cloud security challenges. He most recently served as Director of Solution Engineering & Tech-Alliances at Apiiro, where he empowered enterprises to secure their software...

2:15pm CEST

Beyond the Chatbox: Implementing Guardrails for Autonomous Agents and LLMs Using Tools
Thursday June 25, 2026 2:15pm - 3:00pm CEST
As LLMs evolve from passive text generators to autonomous Agentic AI, the attack surface is shifting from simple prompt injection to Excessive Agency and Goal Hijacking. When we grant agents the power to execute shell commands, call sensitive APIs, or modify cloud infrastructure, we are essentially deploying "unattended administrators" into our environments.

This session moves past theoretical AI risks to provide a hands-on blueprint for securing autonomous actors. I will explore the newly released OWASP Top 10 for Agentic Applications 2026, focusing on critical vulnerabilities like ASI02 (Tool Misuse) and ASI05 (Unexpected Code Execution). Attendees will leave with a practical framework for implementing "Least-Agency" architecture, hardware-enforced sandboxing, and real-time intent validation.
Speakers

Rovindra Kumar

Security Architect, Google

Around 14+ years of experience in defining security strategy, architecture, and implementation of the necessary security controls aligned with security services, including cloud security, threat protection, and implementation of cloud-native security controls. Providing thought leadership...

Mikesh Khanal

Security Engineer, Google

Mikesh is a senior cloud security engineer at Google with more than a decade of experience, specializing in designing and implementing robust security architectures for organizations of all sizes. He is a recognized expert in cloud security design and architecture, compliance, and risk...

3:30pm CEST

The Devil is in the Defaults - what to do about XSS
Thursday June 25, 2026 3:30pm - 4:15pm CEST
This session is about the latest defenses against Cross-Site Scripting (XSS), the most prevalent security issue of all time. We will showcase typical XSS bugs and how they can be avoided. We will also explain why previous mechanisms fall short of protecting web sites at scale and why we believe Trusted Types and the Sanitizer API can help close this gap.
The presentation will also give hands-on advice to help security and development teams adopt these new protections. We will close with a few security considerations and remaining risks.
Speakers

Frederik Braun

Security Engineer, Mozilla Firefox Berlin

Frederik Braun builds security for the web and for Mozilla Firefox from Berlin. As a contributor to standards, Frederik is also improving the web platform by bringing security into the defaults with specifications like the Sanitizer API and Subresource Integrity. Before Mozilla, Frederik...
 
Friday, June 26
 

10:30am CEST

DOMination - Abusing the Permission Model in Web Extensions
Friday June 26, 2026 10:30am - 11:15am CEST
People in your organization might have a living, breathing backdoor right now, and you don’t even know it.

EDR wouldn’t catch it, not because it employs a zero-day, but because it behaves harmlessly. It might be a malicious extension that hasn’t been flagged yet and has excessive permissions, it might be an NPM package that reads .env files and sends them to a remote server, and it might be an Android application tracking your location.

During our research we detected two seemingly innocent Chrome extensions that add a sidebar with AI capabilities over any website, with a total of 900,000+ users. These extensions had a backdoor that exfiltrated both your browser history and your ChatGPT & DeepSeek conversations - none of them were flagged by anti-malware and EDR tools.

These extensions, together with almost any add-on, NPM package, or application you have installed, have broad permissions, giving them the ability to execute code, read files, and basically do anything on your machine.

During our presentation we will present how we dissect a malicious Chrome extension, the techniques that it uses to avoid detection and how it reads and exfiltrates data. We’ll also show how actors think, from cloning legitimate extensions, adding their malicious code and bypassing store reviews in order to publish their malicious extensions into the official Chrome Web Store.

We will present how the permission model works on different platforms, including the Chrome Web Store, the Android Play Store, and IDE marketplaces, and how it lets malware on each of these platforms carry out malicious activity.

Lastly, we will give our insights on how to best protect your personal browser at home and in your organization, to help you reduce the chance of being infected by malware from official marketplaces. We’ll also discuss what a good permission model should look like, and what companies can do to return control over private information to users, protecting them from extensions and applications that read their data without their knowledge.
Speakers

Moshe Siman Tov Bustan

Security Research Team Leader, OX Security

Moshe is a Security Research Team Lead at OX Security, a company specializing in software supply chain security, and has worked in the security industry for 13 years. His work spans cloud security research, container security, memory forensics, and an in-depth understanding of programming...

Nir Zadok

OX Security

Nir Zadok is a rocket scientist who got a bit bored, so he moved to cybersecurity. Since then, as a Whitehat, he has managed to break dozens of mobile, web, and desktop applications. These days Nir is focused on software supply chain and innovative attack vector research via widely...

11:30am CEST

Q-Day is Cancelled: Practical Strategies to Defeat 'Harvest Now, Decrypt Later'
Friday June 26, 2026 11:30am - 12:15pm CEST
The arrival of cryptographically relevant quantum computers (CRQC) is no longer a theoretical "if"—it is a question of "when." With the "Harvest Now, Decrypt Later" (HNDL) attack vector, adversaries are already stockpiling encrypted traffic today to decrypt it once quantum capability matures. In August 2024, NIST officially finalized the first set of Post-Quantum Cryptography (PQC) standards (FIPS 203, 204, and 205), marking the starting gun for the greatest cryptographic migration in history.

This session moves beyond the math of lattices and isogenies to focus on the immediate engineering reality. We will dissect the current state of PQC adoption across major tech giants and nation-states, analyzing how entities like Cloudflare, Google, and the US Federal Government are operationalizing these new algorithms. We will provide a technical primer on the finalized standards—ML-KEM (Kyber), ML-DSA (Dilithium), and SLH-DSA (SPHINCS+)—and expose the hidden performance pitfalls and "gotchas" in implementation.

Attendees will leave with a combat-tested roadmap for enterprise PQC migration. We will cover how to conduct a cryptographic inventory (discovery), the necessity of "hybrid" key exchange (mixing X25519 with Kyber), and how security teams can upskill rapidly. This talk bridges the gap between theoretical cryptography and the practical defense required to secure infrastructure against the quantum threat looming on the horizon.
Speakers

Anshu Gupta

Founder, Fixin Security

Anshu Gupta is a hands-on security professional with Fortune 500 security consulting experience at Ernst & Young and KPMG, where he worked with companies like Microsoft, Salesforce, Oracle, Cisco, McAfee, Adobe, Yahoo, GAP, and Kaiser, among others. Based on advice from his mentors, he then...

1:15pm CEST

The OG OWASP Top 10 Might Be Back Thanks to Agentic Browsers
Friday June 26, 2026 1:15pm - 2:00pm CEST
Agentic browsers are quickly becoming one of the most powerful—yet dangerous—applications of agentic AI. By combining web navigation, content interpretation, and direct action taking, they act as a universal gateway to almost any service or application on the internet.

That power quietly reintroduces web security risks many teams assumed were behind us. Agentic browsers read and react to untrusted web content, follow instructions embedded in pages, images, and hidden text, and then execute actions inside real sessions.

The result is that classic web attack patterns, made popular 20+ years ago when the first OWASP Top 10 was introduced, may be back: injection manipulation, cross-site scripting payload delivery, CSRF-style action abuse, broken access control, and cross-origin boundary failures, now executed by autonomous agents instead of users.

This talk examines why current agentic browser designs break core web security assumptions around origins, cookies, and session boundaries, and why common mitigations such as human-in-the-loop controls introduce friction and fatigue without solving the underlying problem. We'll argue that unrestricted multi-site agents are fundamentally unsafe, and share better approaches based on domain-scoped agents, strict isolation, and secure multi-agent orchestration.
Speakers

Lidan Hazout

CTO and Co-Founder, Capsule Security

Lidan has been programming since childhood, driven by a deep passion for data and AI. He previously served as VP of R&D at SecuredTouch, where he helped pioneer behavioral biometrics. Following the company’s acquisition by Ping Identity, the technology he led became a core component...

Bar Kaduri

Head of Research, Capsule Security

Bar Kaduri is a cybersecurity researcher, leader, and international speaker with over 14 years of experience in cloud security, software supply-chain risk, and emerging AI threats. With hands-on expertise in evaluating and stress-testing AI systems, Bar focuses on building practical...

2:15pm CEST

How to (Not) Isolate Untrusted Code in Scripting Languages
Friday June 26, 2026 2:15pm - 3:00pm CEST
The need to isolate untrusted code or user-provided expressions is ubiquitous, even in backend systems, and there are many misconceptions around this practice. Workflow automation platforms allow users to provide complex constraints that are evaluated on the server, AI agents must securely execute synthesized code, and reused untrusted UI components might be rendered server-side. In practice, many developers gravitate toward lightweight eval-based shortcuts instead of robust isolation primitives like OS-level or runtime-based sandboxing, often unaware of the security pitfalls. These dangerous language features are still very prevalent across OSS ecosystems, and they are behind many recent vulnerabilities. While there are legitimate use cases for eval-like APIs, developers continue to abuse them when attempting to isolate the execution of untrusted code, despite years of warnings from the security and programming language communities. If you really need to use these features, this talk can help you understand what can go wrong and how to mitigate these risks.

I will first motivate the need for lightweight, language-based isolation in scripting languages and highlight the fundamental challenges in this space, grounding the empirical work in several top-tier academic publications I co-authored on the topic. I will then present four misconceptions around language-based sandboxing that underlie more than 20 zero-day vulnerabilities I discovered in the past six months in popular JavaScript and Python projects, revealing fundamental flaws in isolation approaches. We will examine why built-in isolation primitives like Node.js's vm module and Python's Pysandbox fail to provide adequate security, and explore the real-world consequences through case studies involving major platforms. The talk will then shift to practical solutions, covering best practices and emerging isolation features, including the permission model in modern runtimes like Deno. Attendees will gain a deeper understanding of the isolation landscape and leave with actionable guidance on how to safely handle untrusted code execution in their applications. While this talk is not an endorsement of using eval-like features in scripting languages, it is a guide to the things that work in practice and to the ones that fail spectacularly in production.
Speakers

Cristian-Alexandru Staicu

Senior Security Researcher, Endor Labs

Cristian-Alexandru Staicu is a senior security researcher at Endor Labs and an expert on software supply chain security, with more than ten years of experience at the highest level in both academia and industry. His work has been published in top-tier academic venues on cybersecurity...

3:30pm CEST

The TPM and You - How (and why) to actually make use of your TPM
Friday June 26, 2026 3:30pm - 4:15pm CEST
There is a common saying that "every problem in cryptography can be reduced to a key management problem". OWASP's Cheat Sheet series even has a whole document dedicated to "Cryptographic Storage". What if we could make life easier for ourselves in this area?

TPMs (Trusted Platform Modules) have been a fixed part of every standard PC for many years, providing all users with "free" hardware that can be used for all kinds of cryptography.
They are already widely used by most operating systems and firmware, but haven't seen much use in userspace applications yet.

This talk explains why this is the case and how to change it. We are going to discuss the capabilities of a TPM and demonstrate them live with a sample application: a TOTP client that stores its secrets securely.
Speakers

Mathias Tausig

Senior Security Consultant, SBA Research

* Graduated in mathematics
* Holistic perspective on computers: former developer, sysadmin, security officer, university teacher and even computer salesman
* Now a security consultant specializing in application security
* Open source lover
* Chapter Lead of OWASP Vienna    sba-...
 