GreHack 2025



This content originally appeared on DEV Community and was authored by Emilien Devos

Conference presentation

GreHack is a conference on IT security held in Grenoble. The first day is dedicated to talks in English by various speakers, as well as workshops at the end of the day. The second day is specifically devoted to CTF, which brings together several hundred people.

This year, the following topics were presented:

  • Network security / Hardware security
  • Enterprise application security
  • Physical security / Red team
  • Reverse engineering / Program analysis
  • IoT security
  • Web security / Browsers
  • Protocol security / Databases / Authentication
  • DevOps security / CI-CD / Supply chain
  • Advanced network analysis / Network forensics
  • Radio security / SDR

All of the talks are available for replay here: https://www.youtube.com/live/X-ZJH4d2tuE and the talk schedule is here: https://grehack.fr/program/

Interesting presentations

One does not simply walk into a building… or do they?

PDF of the presentation: https://blog.volkercarstein.com/grehack_2025_one_does_not_simply_walk_into_a_building.pdf

The presenter recounts a week spent physically infiltrating a company’s premises without being caught or seen. The aim was to test the physical security of the company’s premises.

This is quite interesting, as it highlights the fact that physical security depends heavily on the conditioning of employees, who are often the weakest link.

Exploring Browser Permissions and Exploiting Permission Hijacking

PDF of the presentation: https://albertofdr.github.io/web-security-class/browser/browser.permissions

A presentation on how the browser manages permissions (e.g. access to the camera), which also apply to malicious components that may be present on a site, such as an iframe. This could be the case if the iframe was injected following a website hack or a misconfiguration of the website.

The presentation highlights the importance of setting HTTP headers in order to manage more finely which browser permissions are authorised on a website, similar to a Content Security Policy (CSP) but for browser permissions.
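As an added illustration (not code from the talk or from this post), the following script models the header the talk refers to, Permissions-Policy, and how it combines with an iframe's allow attribute to decide whether an embedded frame may use a feature such as the camera. The origins, the injected-iframe scenario and the two-gate evaluation model are assumptions made for the example.

```javascript
// Added example, not code from the GreHack talk or the post. It models how the
// Permissions-Policy response header (the "CSP for browser permissions" the talk
// refers to) combines with an iframe's allow attribute to decide whether an
// embedded frame may use a feature such as the camera. All origins are constructed.

// Parse a Permissions-Policy header value such as
//   camera=(self "https://trusted.example"), microphone=(), geolocation=*
// into { camera: ['self', 'https://trusted.example'], microphone: [], geolocation: '*' }.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const directive of header.split(',')) {
    const eq = directive.indexOf('=');
    if (eq < 0) continue;
    const name = directive.slice(0, eq).trim();
    const value = directive.slice(eq + 1).trim();
    if (value === '*') { policy[name] = '*'; continue; }
    const inner = value.startsWith('(') && value.endsWith(')') ? value.slice(1, -1) : value;
    policy[name] = inner.split(/\s+/).filter(Boolean).map(t => t.replace(/^"|"$/g, ''));
  }
  return policy;
}

// Parse an iframe allow attribute such as
//   camera 'self' https://trusted.example; microphone 'none'
// into { camera: ['self', 'https://trusted.example'], microphone: ['none'] }.
// A bare feature name ("camera") means 'src': the frame's own origin.
function parseAllowAttribute(attr) {
  const policy = {};
  for (const item of attr.split(';')) {
    const tokens = item.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...list] = tokens;
    policy[name] = list.length ? list.map(t => t.replace(/^'|'$/g, '')) : ['src'];
  }
  return policy;
}

// Does an allowlist admit `origin`? 'self' is the embedding site, 'src' the frame itself.
function allowlistMatches(list, origin, siteOrigin, frameOrigin) {
  if (list === '*' || list.includes('*')) return true;
  if (list.includes('none')) return false;
  return list.some(entry =>
    (entry === 'self' && origin === siteOrigin) ||
    (entry === 'src' && origin === frameOrigin) ||
    entry === origin);
}

// Decide whether a frame at frameOrigin, embedded by siteOrigin, may use `feature`.
// Two gates (assumed model of Permissions Policy evaluation):
//  1. the site's header, if it names the feature, must list the frame's origin;
//  2. the iframe's allow attribute must delegate the feature to that origin
//     (camera/microphone/geolocation default to 'self', i.e. same-origin frames only).
function frameMayUse(feature, { header = '', siteOrigin, frameOrigin, allowAttr = '' }) {
  const declared = parsePermissionsPolicy(header);
  if (feature in declared &&
      !allowlistMatches(declared[feature], frameOrigin, siteOrigin, frameOrigin)) {
    return false;
  }
  const delegated = parseAllowAttribute(allowAttr);
  const containerList = feature in delegated ? delegated[feature] : ['self'];
  return allowlistMatches(containerList, frameOrigin, siteOrigin, frameOrigin);
}

// Scenario from the talk: an iframe injected into a compromised page (constructed origins).
const site = 'https://shop.example';
const injected = { siteOrigin: site, frameOrigin: 'https://attacker.example', allowAttr: 'camera; microphone' };

// Without a header the injected frame's allow attribute is enough to get the camera.
const withoutHeader = frameMayUse('camera', injected);
// With a restrictive header the site caps what any embedded frame can be delegated.
const withHeader = frameMayUse('camera', { ...injected, header: 'camera=(self), microphone=()' });

console.log({ withoutHeader, withHeader });
```

The point of the two gates is that the allow attribute lives in the page markup, which is exactly what an injected iframe controls, whereas the header is set by the server and cannot be widened by anything inside the page; that is why the talk's recommendation is to declare the header explicitly rather than rely on per-iframe attributes.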

From YAML to Root: CI/CD Pipeline Attacks and Countermeasures

Video of the presentation: https://www.youtube.com/watch?v=YUbN6MuiuFM

The presenter explains how secrets can be recovered and exploited through a compromised CI/CD pipeline, showing for each of several levels of access how secrets can be exfiltrated. The focus is mainly on Azure DevOps, but the findings also apply to GitHub Actions.

Workshops and CTF

I was unable to participate in the workshops or the CTF because I bought my tickets at the last minute.

There were 12 workshops where participants had to solve exercises while being guided by the organiser. The exercises ranged from application exploitation to hardware.

List here: https://grehack.fr/workshops/

The CTF took place in a large room at ENSIMAG, where participants formed groups of up to eight people. The groups had to solve challenges in the following categories:

  • Cryptography
  • Reverse Engineering
  • Exploit
  • Web
  • Forensics
  • Hardware

Mood

The atmosphere was very student-oriented, and it was nice to discuss security issues with students and young workers.

Many French companies were present, including Synacktiv (a branch in Lyon), Orange, DGSE, EDF and many others: https://grehack.fr/sponsors/.

Conclusion

I was personally very pleased to have participated in this conference.

Although many of the talks did not apply to Camptocamp’s field of activity, some of them still provided me with additional knowledge that I can apply in my work (see the list of presentations above).

Bonus

At the end of the day, participants in the audience can give short presentations, in the style of ‘lightning talks’. The speakers were almost exclusively students, and the atmosphere was rather light-hearted, with everyone laughing about the intrusions they had each managed to pull off.

These talks are called the ‘Rump session’.

The one that made me laugh the most was a student who began his presentation with:

I need to eat and I don’t have any money. So it’s either work at Burger King or hack Burger King.

He then explained how he abused the Burger King app’s coupon system to get free burgers (in very large quantities).
