February 25-27, 2026
Montreal, Canada

CSRF are back with Client-Side Path Traversal

  1. Home
  2. Montreal 2026
  3. Sessions

JavaScript Security

February 25, 2026 @ 13:00
ST-Laurent 7
English session - Intermediate

Share on Twitter Share on Facebook

CSRF vulnerabilities were thought to be a thing of the past thanks to automatic protections integrated into APIs, which require a token or header. Many client-side scripts automatically inject these tokens or headers. The "Client-Side Path Traversal" attack abuses this mechanism. Several examples of vulnerable code will be presented. This talk will also offer solutions to effectively mitigate this emerging risk.

View all 193 sessions

Philippe Arteau

Philippe Arteau

ServiceNow

Philippe is a security engineer at ServiceNow. He has an interest in software development, penetration testing and security code review. He also maintains Find Security Bugs, the open-source Java static analysis tool.
He discovered significant vulnerabilities in several popular applications like Google Chrome, DropBox, Runkeeper, Jira and more. He has presented at various conferences including Black Hat Arsenal, SecTor, AppSec USA, ATLSecCon, 44CON and JavaOne.

Read More

Sponsored by

Become a sponsor
© 2010-2026 ConFoo. All rights reserved. Code of Conduct