Finding log4shell with CodeQL

Feb 24, 2022 · Bristol, United Kingdom


* OWASP Updates
* Talk: Rise of captain hindsight: Finding Log4Shell with CodeQL with Alvaro Munoz
* Open discussion

Title: Rise of captain hindsight: Finding Log4Shell with CodeQL

Abstract: In this talk, Alvaro Muñoz of the GitHub Security Lab will use Log4Shell to demonstrate CodeQL, a free and powerful static analysis tool, in action. He will review Log4Shell’s root cause, how it manifests in code and how it could have been discovered using CodeQL.

In CI/CP pipelines, CodeQL is configured to operate in a developer-first mode to reduce false positives to a minimum and return the most accurate results. However for security researchers, CodeQL can also be configured to operate in a less conservative mode which results in more false positives but also less false negatives.

In this process, Alvaro will review root cause, how it manifests in code, and how it could have been discovered using CodeQL.

Bio: Alvaro Muñoz works as Principal Security Researcher with GitHub Security Lab team. Previously he worked as an Application Security Consultant helping top enterprises to deploy their application security programs. He is passionate about Web Application security where he has focused most of his research. Muñoz has presented at many Security conferences including BlackHat, DEFCON, RSA, OWASP AppSec EU and US, JavaOne, etc, and holds several infosec certifications, including OSCP, GWAPT, and CISSP.

The talk will be streamed on YouTube at:

Alternatively you can dial in Zoom

* Zoom Meeting: [](
* Meeting ID:[masked]
* Passcode:[masked]

Event organizers
  • OWASP Bristol (UK) Chapter

    The Open Web Application Security Project (OWASP) is a not-for-profit, worldwide organization focused on improving the security of application software. Our mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. Everyone is free to participate in OWASP and all of our materials are available under a free and open software license.  OWASP Bristol chapter typically meets on the 3rd Thursday every two months for great

    Recent Events

Are you organizing Finding log4shell with CodeQL?

Claim the event and start manage its content.

I am the organizer

based on 0 reviews