The Case for HTTP/2 - EpicFEL Sept 2015Andy Davies
HTTP/2 is here but why do we need it, and how is it different to HTTP/1.1?
Video - https://www.youtube.com/watch?v=ob-CnA9YmiI
These are the slides from my talk at Front-End London's one day conference, EpicFEL
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...NGINX, Inc.
Building and deploying cloud native APIs is a complex operation, and can require a multitude of components. In this workshop we focus on the fundamentals of deploying the runtime API code and publishing the API through an API gateway. To achieve this we use NGINX Unit as a polyglot application server and NGINX web server as an API gateway. With this combination we deliver a solution lightweight enough for dev and strong enough for production.
You will learn how to use NGINX Unit to run one or more apps and APIs in a variety of languages, including seamlessly deploying new versions. You will then see the best practices for how to configure NGINX to perform the common API gateway functions of request routing, rate limiting, and authentication for multiple APIs. We will also touch on advanced use cases such as HTTP method enforcement, and JSON validation.
No previous experience of NGINX or NGINX Unit is required, but a basic knowledge of HTTP and JSON/REST APIs is valuable.
The Case for HTTP/2 - EpicFEL Sept 2015Andy Davies
HTTP/2 is here but why do we need it, and how is it different to HTTP/1.1?
Video - https://www.youtube.com/watch?v=ob-CnA9YmiI
These are the slides from my talk at Front-End London's one day conference, EpicFEL
Session: A Reference Architecture for Running Modern APIs with NGINX Unit and...NGINX, Inc.
Building and deploying cloud native APIs is a complex operation, and can require a multitude of components. In this workshop we focus on the fundamentals of deploying the runtime API code and publishing the API through an API gateway. To achieve this we use NGINX Unit as a polyglot application server and NGINX web server as an API gateway. With this combination we deliver a solution lightweight enough for dev and strong enough for production.
You will learn how to use NGINX Unit to run one or more apps and APIs in a variety of languages, including seamlessly deploying new versions. You will then see the best practices for how to configure NGINX to perform the common API gateway functions of request routing, rate limiting, and authentication for multiple APIs. We will also touch on advanced use cases such as HTTP method enforcement, and JSON validation.
No previous experience of NGINX or NGINX Unit is required, but a basic knowledge of HTTP and JSON/REST APIs is valuable.
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
Web Applications Hacking – Ruby on Rails example.
Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
Your customers expect you to continuously deliver delightful experiences. This means that you’ll need to continuously deliver application and infrastructure updates. Hand-crafted servers lovingly built and maintained by a system administrator are a thing of the past. Golden images are fine for initial provisioning but will quickly fail as your configuration requirements change over time.
It’s time for you to fully automate the provisioning and management of your infrastructure components. Welcome to the world of infrastructure as code! In this new world, you’ll be able to programmatically provision and configure the components of your infrastructure.
Disposable infrastructure whose provisioning, configuration, and on-going maintenance is fully automated allow you to change the way you build and deliver applications. Move your applications and infrastructure towards continuous delivery.
In this talk, we’ll explore the ideas behind “infrastructure as code” and, specifically, look at how Chef allows you to fully automate your infrastructure. If you’re brave enough, we’ll even let you get your hands on some Chef and experience the delight of using Chef to build and deploy some infrastructure components.
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.
Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits.
This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.
These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)?
The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely?
Are we able to determine?
* Supported HTTP Request Methods.
* Current Service Pack.
* Patch Levels.
* Configuarations.
* If an Apache Server suffers from a "chunked" vulnerability.
Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.
Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.
Prerequisites:
General understanding of Web Server technology and HTTP.
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
My presentation at DDD Melbourne 2014 Conference on Security in ASP.Net Web API 2. Includes a brief introduction to OWIN and Katana.
http://www.dddmelbourne.com/
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
Web Applications Hacking – Ruby on Rails example. Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Anna Klepacka
Web Applications Hacking – Ruby on Rails example.
Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
Introduction to Infrastructure as Code & Automation / Introduction to ChefNathen Harvey
Your customers expect you to continuously deliver delightful experiences. This means that you’ll need to continuously deliver application and infrastructure updates. Hand-crafted servers lovingly built and maintained by a system administrator are a thing of the past. Golden images are fine for initial provisioning but will quickly fail as your configuration requirements change over time.
It’s time for you to fully automate the provisioning and management of your infrastructure components. Welcome to the world of infrastructure as code! In this new world, you’ll be able to programmatically provision and configure the components of your infrastructure.
Disposable infrastructure whose provisioning, configuration, and on-going maintenance is fully automated allow you to change the way you build and deliver applications. Move your applications and infrastructure towards continuous delivery.
In this talk, we’ll explore the ideas behind “infrastructure as code” and, specifically, look at how Chef allows you to fully automate your infrastructure. If you’re brave enough, we’ll even let you get your hands on some Chef and experience the delight of using Chef to build and deploy some infrastructure components.
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.
Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits.
This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.
These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)?
The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely?
Are we able to determine?
* Supported HTTP Request Methods.
* Current Service Pack.
* Patch Levels.
* Configuarations.
* If an Apache Server suffers from a "chunked" vulnerability.
Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.
Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.
Prerequisites:
General understanding of Web Server technology and HTTP.
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
My presentation at DDD Melbourne 2014 Conference on Security in ASP.Net Web API 2. Includes a brief introduction to OWIN and Katana.
http://www.dddmelbourne.com/
RoR Workshop - Web applications hacking - Ruby on Rails exampleRailwaymen
Web Applications Hacking – Ruby on Rails example. Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies to code injection.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Web-MaxUriIdentifier
1. URI size: Web
Server Identifier
By Maurice LAMBERT <mauricelambert434@gmail.com>
https://github.com/mauricelambert/
https://github.com/mauricelambert/WebServerIdentifier
3. Vulnerabilities, intrusion and Web
• Web usage increases every year
• The number of web servers
increases every year
• The number of vulnerabilities and
their criticalities have increased
• Major vulnerabilities affect the
most used web servers
• The number of scanners testing
public IPs to find critical
vulnerabilities increases
• The number of intrusions going
through web services is increasing
4. Identifying Web
Servers
• Headers (Server, realm, …)
• Specific content (title, comments, text…)
• Specific path/URI (icon, default path, …)
• HTTP status
• Signatures (favicon, default index and error
pages, …)
• Whatweb
• Google dorks
5. HTTP – URI size
https://www.rfc-editor.org/rfc/rfc1945
https://www.rfc-editor.org/rfc/rfc2068#page-63
6. Identifying Web
Servers – URI size
• Request the target with large URI
• Random query string
• Analyze the response
• If the server responds or the error
code is specific, relaunch a request
with a smaller query string
• Else relaunch a request with a greater
query string
• The maximum size of URLs is specific to
each server
Max URI: 8045
7. Identifying
Web Servers –
URI size
• Some servers that shouldn't be in production have the same
maximum URI size but have different code errors
• In the case where the maximum URI sizes and the statuses are
identical, it is possible to compare the signatures of the contents
• In some cases it is possible to identify a web server located behind a
web proxy
• Prerequisite: The maximum URI size of the web server must
be less than that of the web proxy
HTTP/1.1 200 OK
Server: Apache
…
HTTP/1.1 200 OK
Server: IIS
…
8. Examples
• In these examples, the web server is an Apache HTTPD
(maximum URI size: 6133), the web proxy is an IIS
(maximum URI size: 12241[status: 400]-12284[status:
414]) with a configuration to change the HTTP Server
header to "NGINX".
• Scenarios:
1. Detect the Apache Web Server to exploit CVE-
2021-42013
2. Detect the IIS Web Proxy to exploit CVE-2021-
31166
9. Configuration:
ServerHeader=NGINX
IIS Proxy
Apache
Web Server
GET /? + « a » * 6131 HTTP/1.1
GET /? + « a » * 6131 HTTP/1.1
HTTP/1.1 200 OK
Server: Apache
…
HTTP/1.1 200 OK
Server: NGINX
…
GET /? + « a » * 6134 HTTP/1.1
HTTP/1.1 414 Request-URI Too Long
Server: Apache
…
<Apache 414 error page>
HTTP/1.1 414 Request-URI Too Long
Server: NGINX
…
<Apache 414 error page>
GET /? + « a » * 6134 HTTP/1.1
10. Configuration:
ServerHeader=NGINX
IIS Proxy
Apache
Web Server
GET /? + « a » * 12239 HTTP/1.1
GET /? + « a » * 12239 HTTP/1.1
GET /? + « a » * 12240 HTTP/1.1
HTTP/1.1 414 Request-URI Too Long
Server: Apache
…
HTTP/1.1 414 Request-URI Too Long
Server: NGINX
…
HTTP/1.1 400 Bad Request
Server: NGINX
…
<IIS 400 error page>
12. Limits
• If the Web Proxy have a smaller
maximum URI size you cannot identify
the Web Server
• If the server uses a framework or
language, developers can implement a
custom maximum URI size, status and
page
• Firewalls can easily block your large
and random URI
13. Conclusion
• It is important to protect your web servers and
preventing your server from being identified can
discourage attackers from attacking you.
• HTTP does not define all protocol properties,
making it easy to identify different
implementations
• It’s possible to identify Web Servers and Web Proxy
with URI size precisely and easily
• Some configurations can protect your web servers
from "in depth" detection (detection of a web
server behind a Web Proxy)
• It is possible to protect your Web servers with
firewalls or development