Philippe Arteau

Philippe is a security engineer at ServiceNow. He has an interest in software development, penetration testing and security code review. He also maintains Find Security Bugs, the open-source Java static analysis tool.
He discovered significant vulnerabilities in several popular applications like Google Chrome, Dropbox, Runkeeper, Jira and more. He has presented at various conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, 44CON and JavaOne.

Sessions Montréal 2026

CSRF are back with Client-Side Path Traversal

Session in English - Intermediate

CSRF vulnerabilities were thought to be a thing of the past thanks to automatic protections integrated into APIs, which require a token or header. Many client-side scripts automatically inject these tokens or headers. The "Client-Side Path Traversal" attack abuses this mechanism. Several examples of vulnerable code will be presented. This talk will also offer solutions to effectively mitigate this emerging risk.

Sessions Montréal 2025

Sessions Montréal 2023

Sessions Montréal 2022

Sessions Online 2021

Sessions Montréal 2020

Sessions Montréal 2019

Sessions Montréal 2018

Sessions Vancouver 2017

Sessions Montréal 2016

Sessions Montréal 2015

Sessions Montréal 2014

Sessions Montréal 2013