Modern web applications don’t just expose APIs — they expose attack paths. Recursive Request Exploits (RRE) represent a new class of attack that chains interdependent web requests to bypass authentication, authorization, and even payment systems.
This session introduces RRE as a repeatable methodology that uncovers hidden relationships between API and web calls, automates recursive discovery, and exploits business logic flaws that traditional testing overlooks. Through a real-world case study, you’ll see how this technique bypassed premium paywalls on a major streaming platform without breaking DRM or requiring authentication.
More importantly, you’ll learn how RRE exposes fundamental weaknesses in checkout flows, subscription enforcement, and entitlement logic across modern digital platforms. This isn’t a one-off — it’s a shift in the threat landscape. Attendees will also receive a Burp Suite extension used to discover and weaponize these vulnerabilities for both offensive and defensive security.
This research was presented at DEFCON 33 and featured in WIRED Magazine (August 2025).
Key Topics Covered
- How Recursive Request Exploits work and why they bypass traditional defenses
- Mapping hidden request dependencies between web and API calls
- Real-world case study: bypassing streaming paywalls without authentication or DRM tampering
- How RRE exposes structural weaknesses in checkout, entitlement, and subscription logic
- Demo and release of a Burp Suite extension for automated RRE discovery and exploitation
- Defensive strategies for engineering, security, and product teams
Why Attend
- Learn about a new exploit class shaping modern web security
- See a real attack chain previously presented at DEFCON and featured in WIRED
- Understand how attackers bypass payments, subscriptions, and entitlement logic
- Receive open-source tooling to test your own systems
- Connect with Silicon Valley’s cybersecurity community over networking, food, and refreshments
Agenda
5:30–6:00 | In-Person Networking
5:55–6:00 | Virtual Session Opens
6:00–6:15 | ISSA Chapter Business
6:15–7:00 | Presentation
7:00–8:00 | Food & Refreshments
Farzan Karimi
Senior Director of Attack Operations, Moderna
With 20 years of deep offensive security experience, Farzan has led high-impact red teams at Moderna, Google (Android Red Team), and Electronic Arts. His research has been featured by WIRED Magazine and highlighted on Ted Danson’s Advancements. He is a frequent speaker at DEFCON and Black Hat USA, known for his work on Pixel exploitation and cellular security.