SecAppDev 2026 - Web security
SecAppDev 2026 offers three days of in-depth lectures and two days of hands-on workshops.
Practical web application security guided by real-world CVEs
One-day workshop by Philippe De Ryck in room West Wing
Friday June 5th, 09:00 - 17:30
This workshop explores modern web application security through the lens of recent real-world CVEs. Instead of focusing on theory, we analyze how vulnerabilities such as path traversal, JWT handling flaws, authorization bypasses, and command injection appear in practice. By dissecting real incidents, we uncover common patterns, root causes, and exploitation techniques. The workshop connects these findings to concrete defensive strategies, helping you understand not just what goes wrong, but how to prevent it in modern applications.
Learning goal: Learn core web application security concepts and how they manifest in real-world vulnerabilities, using recent CVEs as context to understand and prevent common issues.
OAuth 2.1 Best Practices
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 1st, 16:00 - 17:30
A practical and up-to-date overview of OAuth 2.1, covering core concepts, modern security best practices, and key extensions like PAR and DPoP, with guidance on applying them in real-world architectures and preparing for what’s coming next.
Key takeaway: Learn how to apply OAuth 2.1 best practices and supporting technologies to build secure applications and stay aligned with evolving standards.
An Updated Security Model of the Web
Deep-dive lecture by Philippe De Ryck in room Lemaire
Monday June 1st, 14:00 - 15:30
An up-to-date look at the browser security model, new browser features, and how mechanisms like the Sanitizer API, cookie prefixes, and script integrity help build more secure web applications.
Key takeaway: Understand how browsers think about security, and how to leverage modern browser features in your applications.
The Art of Cross-site Leaks
Advanced lecture by Tom Van Goethem in room West Wing
Wednesday June 3rd, 14:00 - 15:30
XS-Leaks bypass the same-origin policy to infer sensitive user data via browser side-channels. Learn how these invisible attacks work, what browser vendors are doing, and the simple steps you can take to secure your applications.
Key takeaway: XS-Leaks bypass SOP through side channels and native browser features; learn how SameSite and Fetch Metadata help defend your apps.
Designing "least-authority" JavaScript apps
Deep-dive lecture by Tom Van Cutsem in room West Wing
Tuesday June 2nd, 16:00 - 17:30
Learn the problems and solutions of combining "trusted" and "untrusted" JavaScript. We introduce secure dialects of JavaScript and practical tools that help to prevent supply-chain attacks from third-party modules.
Key takeaway: Learn how to get "trusted" and "untrusted" JavaScript to safely co-exist in your app.
Demystifying CSP for Modern Applications
Deep-dive lecture by Philippe De Ryck in room West Wing
Wednesday June 3rd, 09:00 - 10:30
CSP is often seen as complex and frustrating. This session explains why most policies fail, how to fix them, and how to apply CSP effectively in modern applications, including single page apps.
Key takeaway: Understand why CSP often fails and learn how to implement it correctly with practical, actionable guidance.