What This Talk Covers
Lou Vega, a professional application security tester and former software developer of 10 years, delivers one of the more technically engaging talks at SimplyCyberCon. The premise is creative: when his coffee maker broke, he started thinking about how it actually works under the hood - power input, timer, heating element, thermal regulator. That same decomposition mindset is exactly what you need for application security.
The Core Framework: Input, Processing, Storage
The technical meat of the talk is a simple but powerful framework. All applications can be broken down into three components: input (your chance as an attacker to control logic), processing (what the application does with your input), and storage (where data lives). Lou references the book "24 Deadly Sins of Software Security" - at least 9 of those 24 sins map back to input validation, and another 4 to generic data processing.
The attack cycle is elegantly simple: craft your input, send it into the black box, observe the output, repeat until breach.
War Stories That Teach
The real value is in Lou's pentest examples. He describes finding a cookie-based timezone field that reflected user input without sanitization. Changing the timezone to his name "Lou" was not impressive to the client, but escalating it to a cross-site scripting payload that could make requests on behalf of logged-in users got their attention immediately.
The GraphQL exploitation story is a masterclass in patience - using the auto-suggestion feature in error messages to incrementally craft a payload that eventually returned administrator credentials. Game over.
The one-click account takeover is the crown jewel: a stored XSS vulnerability in an internal mail feature, combined with plaintext password storage in profile objects, allowed him to send a message to an admin that would silently scrape the admin's password, send it to an attacker-controlled server, and change the admin's password - all from a single message view.
Who Should Watch
Anyone interested in application security, web application pentesting, or transitioning from development to security. The skateboarder analogy at the start - where a pedestrian sees a boring loading dock but a skateboarder sees endless possibilities - perfectly captures the mindset shift required.
Practical Advice
Learn at least one programming language well. Test how applications handle negative values and integer overflows. Check URL parameters for IDOR vulnerabilities. Remember: cookies are user-controllable data. And crucially - you are paid for the report, not the hack.
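The cookie-based timezone reflection from the war stories above, together with the reminder that cookies are user-controllable data, as an added Python example that is not code from the talk: the cookie name `tz`, the sample Cookie header and the harmless `<b>reflected</b>` marker are all constructed here, and the allowlist is a character-class check on IANA-style zone names rather than a real tz database lookup.

```python
import html
import re

# Constructed Cookie header standing in for the timezone cookie from the talk.
# The marker is harmless markup, used only to see whether the value is reflected as HTML.
SAMPLE_COOKIE = "session=abc123; tz=Lou</i><b>reflected</b>"

# Hypothetical allowlist: IANA-style names such as "Europe/Berlin" or "Etc/GMT+5".
# A production app would also check the name against its actual tz database.
TZ_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_+\-]*(?:/[A-Za-z0-9_+\-]+)*")


def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser: 'k=v; k2=v2' -> {'k': 'v', 'k2': 'v2'}."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            cookies[key.strip()] = value.strip()
    return cookies


def render_vulnerable(cookie_header: str) -> str:
    """The pattern from the war story: the cookie value is dropped straight into HTML."""
    tz = parse_cookies(cookie_header).get("tz", "UTC")
    return f"<p>Your timezone: <i>{tz}</i></p>"


def render_hardened(cookie_header: str) -> str:
    """Treat the cookie as attacker-controlled: allowlist the shape, then still escape."""
    tz = parse_cookies(cookie_header).get("tz", "UTC")
    if not TZ_NAME.fullmatch(tz):
        tz = "UTC"  # anything that is not a plausible zone name falls back to a safe default
    return f"<p>Your timezone: <i>{html.escape(tz)}</i></p>"


def is_reflected_unescaped(rendered: str, marker: str = "<b>reflected</b>") -> bool:
    """The check a tester (or a regression test) runs: did the marker survive as live markup?"""
    return marker in rendered


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        page = render(SAMPLE_COOKIE)
        print(f"{name}: reflected={is_reflected_unescaped(page)} -> {page}")
```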