In English

• Automation tricks for Burp Suite Pro (workshop)
  1. NahamCon (June 2023 - Online - slides - video)
• Efficiency tricks for Burp Suite Pro
  1. Northsec (May 2023 - Montreal - CA - slides - vi deo)
• Web Race Conditions
  1. Warcon (June 2019 - Praha - PL)
• Nearly generic fuzzing of XML-based formats
  1. Nullcon (March 2017 - Goa - IN - slides - video)
• Server-side browsing considered harmful
  1. HackPra Allstars - OWASP AppSec EU (May 2015 - Amsterdam - NL - slides - video)
  2. Hack in Paris (June 2015 - Paris - FR)
• Hunting for top bounties
  1. Hacktivity (October 2014 - Budapest - HU - video)
  2. ZeroNights (November 2014 - Moscou - RU - slides)
  3. OWASP CZ (December 2014 - Prague - CZ)
• Easy hacks for complex apps
  1. Insomni'hack (March 2014 - Genève - CH - slides)
• Burp Pro: Real-life tips and tricks
  1. HackPra Allstars - OWASP AppSec EU (August 2013 - Hambourg - DE - video)
  2. HackInParis (June 2013 - Paris - FR - slides)
• Low-cost vulnerability research: XSLT fuzzing as a case study
  1. OHM (August 2013 - Noord-Scharwoude - NL)
• Dumb-fuzzing XSLT engines in a smart way
  1. NoSuchCon (May 2013 - Paris - FR - slides)
• That's why I love XML hacking!
  1. ZeroNights (November 2012 - Moscou - RU - Prezi & PDF)
• Attacking XML processing
  1. XML Amsterdam (September 2012 - Amsterdam - NL)
  2. HackPra (July 2012 - Bochum - DE - video)
  3. Hack in Paris (June 2012 - Paris - FR)
  4. Hack in The Box (May 2012 - Amsterdam - NL - slides & video)
• XML related tricks and hacks
  1. BerlinSides 0x7db - December 2011 - Berlin - DE)
• Offensive XSLT
  1. Hack in Paris (June 2011 - Paris - FR - Prezi)
  2. PH-Neutral 0x7db (May 2011 - Berlin - DE)

In French

• Server-side browsing considered harmful
  1. Hackfest (November 2015 - Quebec - CA - video)
• Optimiser ses attaques Web avec Burp Pro
  1. Application Security Forum (October 2013 - Yverdon-les-Bains - CH - video)
• MISC Mag #66
  1. Adobe Reader et XSLT
• XML et sécurité
  1. JSSI 2012 (March 2012 - Paris - FR)
• MISC Hors-série #4 "A l'assaut du Web"
  1. Webkit + XSLT = CVE-2011-1774
• Usages offensifs de XSLT
  1. SSTIC 2011 (Rennes - FR - Article - Slides Prezi ou PDF)
• Développement d'exploits Win32 fiables
  1. SSTIC 2007 (Rennes - FR)
• Faiblesse des claviers virtuels utilisés par les banques
  1. SSTIC 2005 (Rennes - FR)
• Recensement des attaques connues contre SAP/R3
  1. SSTIC 2004 (Rennes - FR)
• JAB: une backdoor utilisant Internet Explorer et les objets OLE
  1. SSTIC 2003 (Rennes - FR)
• Localisation et faux-négatifs
  1. SSTIC 2003 (Rennes - FR)

2017

• Adobe Reader: Multiple memory corruptions during XSLT processing (CVE-2017-3031 / APSB 17-11)
• Firefox: Multiple UAF during XSLT processing (CVE-2017-5438 / CVE-2017-5439 / CVE-2017-5440 / MFSA 2017-10)
• Revive Adserver: Arbitrary PHP deserialization (CVE-2017-5830 / REVIVE-SA-2017-001)
• Adobe Reader: Multiple memory corruptions during XSLT processing (CVE-2017-2948 / CVE-2017-2949 / CVE-2017-2962 / APSB 17-01)
• Firefox: UAF during XSLT processing (CVE-2017-5376 / MFSA 2017-01)

2016

• libxslt: Multiple memory corruption issues (CVE-2016-1683 / CVE-2016-1684 / CVE-2016-4608 / CVE-2016-4612)
• MSXML3: Type confusion during DTD processing (CVE-2016-0147 / MS16-040)
• Firefox: UAF during XSLT processing (CVE-2016-1964 / MFSA 2016-27)

2015

• PyAMF: XXE during AMF processing (CVE-2015-8549 / oCERT #2015-011 / blog-post)
• Apache Batik: XXE during SVG processing (CVE-2015-0250 / Batik #1018 / PoC)

2014

• Apache Xalan-J: Bypass of "SECURE_PROCESSING" (CVE-2014-0107 / oCERT #2014-002)

2013

• Solr: Directory traversal, XSLT code exec (CVE-2013-6397 / Release Notes v4.6.0)
• Oracle: Stack buffer overflows during XML processing (CVE-2013-3751 / CPU July 2013)
• Microsoft MSXML: Memory corruption (CVE-2013-0007 / MS13-002)
• Acrobat Reader: Memory corruption during XSLT processing (CVE-2012-1530)

2012

• Inkscape: XXE during SVG processing (CVE-2012-5656 / #1025185)
• PostgreSQL: Write to arbitrary files during XSLT processing (CVE-2012-3488)
• Acrobat Reader: Heap buffer overflow during XSLT processing (CVE-2012-1525)
• Mozilla Firefox
  1.   Information leak via XSLT (CVE-2012-3972 aka MFSA-2012-65)
  2.   Crash when processing invalid XPath expressions (#748365)
  3.   Memory corruption during XSLT processing (CVE-2012-0449 aka MFSA-2012-08)
• libxslt (Chrome, PHP, ...)
  1.   Type confusion via "namespace::*" (CVE-2012-2871 aka Chromium #138673])
  2.   Memory corruption during XPath processing (CVE-2012-2870 aka Chromium #138672 and #140368)
  3.   Read arbitrary memery via DTD (CVE-2012-2825 aka Chromium #127417)
  4.   DoS via xsl:key and document() (CVE-2012-6139 aka Gnome #685328 and Gnome #685330)
• Restlet: XXE (CVE-2012-2656 / Restlet blog / XWiki Release Notes)
• MoinMoin: Read and write arbitrary files during XSLT processing (Moin Moin Security page)
• PHP: Write arbitrary files during XSLT processing (CVE-2012-0057)

2011

• VMware: Integer overflow in SFCB, affects only ESX 4.1 and ESXi 4.1 (CVE-2010-2054 / VMSA-2011-0013)
• HP SAN appliances: Backdoor account and command injection (iDefense / HP)
• HP SAN appliances: Stack buffer overflow (ZDI-11-111)
• OpenSLP: DoS impacting VMware ESX, Novell eDirectory and several Linux distributions (CVE-2010-3609)
• Apple Safari / iTunes / iOS, HP webOS and everything using WebKit: Write arbitrary files (CVE-2011-1774)
• DotNetNuke: XXE (no CVE but version 6 of the XML module is patched)
• Microsoft SharePoint: XXE MS11-074 (CVE-2011-1892)
• Liferay: XXE, remote code exec (CVE-2011-1502 and CVE-2011-1571)
• xmlsec: Write to arbitrary files (CVE-2011-1425)
• Microsoft Excel: Buffer overflow MS11-045 (CVE-2011-1276)

2010

• SBLIM-SFCB: Heap buffer and integer overflows (CVE-2010-1937 and CVE-2010-2054)
• Kojoney (SSH honeypot): DoS

2009

• Zabbix Server: Remote code exec, arbitrary SQL exec, DoS (CVE-2009-4498 to CVE-2009-4501)
• Zabbix Agent (Solaris and FreeBSD): Code exec despite "EnableRemoteCommands=0" (CVE-2009-4502)
• Multiple Symantec and Veritas products: Remote code exec (CVE-2009-3027)

2008

• BMC Patrol: Format string error (CVE-2008-5982)
• Novell eDirectory: Integer overflow, stack buffer overflow (CVE-2008-4478 and CVE-2008-4479)
• Novell eDirectory: DoS, anon access to the admin interface and XSS

2007

• SquirrelMail GPG Plugin: Code exec via malicious email (exploit)
• BMC Patrol: Code exec and read/write acces to the configuration (CVE-2007-1972)
• BMC Patrol: Integer overflow (CVE-2007-2136)
• Apache mod_jk: Stack buffer overflow (CVE-2007-0774)
• phpMyVisites: LFI, HTTP Response Splitting and XSS
• Kiwi CatTools: Directory traversal

2006

• SAP Web Application Server: Read arbitary files, privilege escalation, DoS
• Sygate Management Server: Auth bypass via SQL injection