The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2017 dev nexus_deconstructing_rest_security - David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. The presentation also details a competing Amazon-style approach called HTTP Signatures and digs into the architectural differences of all three, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
2017 JavaOne Deconstructing and Evolving REST Security - David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2017 Devoxx MA Deconstructing and Evolving REST Security - David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
2018 IterateConf Deconstructing and Evolving REST Security - David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
The document summarizes recent attacks involving server-side image conversion vulnerabilities and provides examples of how these vulnerabilities have been exploited in real-world scenarios. It discusses how malicious images can be uploaded to trigger memory dumps, file inclusion, and remote code execution. Specific examples are given targeting ImageMagick, Pillow, Ghostscript, AirBnB, Dropbox, and Yandex.Realty. The document advocates for automation and outsourcing of vulnerability research to maximize profits from discovered vulnerabilities.
2019 ITkonekt Stateless REST Security with MicroProfile JWT - Jean-Louis MONTEIRO
This document discusses stateless microservice security using JSON Web Tokens (JWT) with OAuth 2.0. It begins with an introduction to microservices architecture and its new security challenges compared to traditional monolithic systems. It then covers some common security options for microservices, including basic authentication, OAuth 2.0, and JWT. The document demonstrates how OAuth 2.0 token exchanges can be used to issue JWTs that are passed in authentication headers for microservice requests instead of sending passwords over the network. This improves scalability by eliminating network hops and allowing for stateless security checks of the signed JWTs.
Side-Channels on the Web: Attacks and Defenses - Tom Van Goethem
In this presentation we explore various side-channel attacks in the Web that can be used to leak information on cross-origin responses. These so-called XS-Leaks issues may allow an adversary to extract sensitive information from an unwitting visitor, ranging from personal information this victim shared with social media networks to CSRF tokens, which may lead to full account takeover.
Finally, we discuss the various defenses that can be used to harden web applications against the different types of attacks.
2018 Colombia Deconstructing and Evolving Security in REST Services - César Hernández
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility and habitually give old concepts new names. This session explores the current state and the evolution that security in REST-based service architectures has required, with competing concepts such as OAuth 2.0 in the mobile world and HTTP Signatures as used by Amazon in B2B APIs. Finally, it analyzes a new Internet draft launched this year that combines both into the perfect two-factor system, which could provide a one-stop shop for mobile as well as business REST scenarios.
1) The document proposes using Google Drive as an indirect communication channel between the BeEF command server and hooked browsers to avoid detection. BeEF normally requires direct communication but this could be tracked.
2) The approach works by having each hooked browser pull commands from and upload results to its own folder on Google Drive. The BeEF command server coordinates by updating files on Google Drive.
3) Authentication is required to access Google Drive via its API. The proposed system uses multiple API keys to allow the client and server to read/write to the shared Google Drive folder for each hooked browser.
Phreebird Suite 1.0: Introducing the Domain Key Infrastructure - Dan Kaminsky
Phreebird Suite 1.0 introduces the Domain Key Infrastructure through DNSSEC to enable easy and secure authentication across domains. It includes Phreebird, a zero configuration DNSSEC server that can sign responses in real-time without requiring offline key generation or zone signing. It also includes Phreeload, which integrates DNSSEC validation into OpenSSL using LD_PRELOAD to enable end-to-end security for applications. The suite aims to make DNSSEC easy to deploy and leverage its authentication capabilities to enable new secure cross-domain applications.
This document discusses Dan Kaminsky's presentation on black ops of TCP/IP. It begins with an introduction of Kaminsky and what topics he plans to cover, including MD5 hashes, IP fragmentation, firewall/IPS fingerprinting, DNS poisoning, and scanning the internet. It then demonstrates how two webpages with different content can have the same MD5 hash due to collisions. It discusses using IP fragmentation and timing attacks to evade intrusion detection systems. It also describes techniques for fingerprinting firewalls and intrusion prevention systems based on their behavior in response to invalid traffic. Finally, it cautions against automatic shunning of IP addresses by security devices to avoid accidentally blocking critical infrastructure like root DNS servers.
This document discusses vulnerabilities in the design of the Domain Name System (DNS) and how those vulnerabilities can be exploited. Specifically, it describes how DNS caches, proxies, and routes can be used to map DNS servers and inject content into caches. It also summarizes methods for tunneling arbitrary content through DNS using techniques like modifying Time-To-Live values and encoding data in domain names or record types. Finally, it discusses some approaches for suppressing DNS tunnels, such as flagging unusually large or formatted traffic.
The document summarizes Dan Kaminsky's talk at Black Hat 2007 about exploiting the DNS rebinding vulnerability to bypass firewalls and access internal networks from external web browsers. It describes how DNS rebinding works by abusing the same-origin policy to treat websites with different domain names but the same IP address as coming from the same origin. It then outlines several ways an attacker can force a domain to resolve to different IP addresses and use this to tunnel network traffic over the browser.
This document discusses various techniques for manipulating TCP/IP packets to circumvent network restrictions or achieve otherwise impossible network feats. It proposes methods for instant port scanning, multicast transmission without multicast support, sharing a public IP address among multiple private hosts, and establishing connections between hosts both behind NATs. The techniques rely on creatively exploiting redundancy and flexibility in the TCP/IP protocol stack.
End-to-End Analysis of a Domain Generating Algorithm Malware Family - CrowdStrike
This document summarizes the analysis of a domain generating algorithm (DGA) malware family. Key points include:
- The malware uses inline code obfuscation and encrypted strings to hide its functionality and communication domains. Researchers were able to deobfuscate the code and decrypt the strings to analyze the malware.
- Clues in decrypted strings suggest the malware author is Romani, including references to Romani singers in template strings.
- The malware generates domain names by concatenating two randomly selected words from a dictionary and appending ".net". This allows it to generate many domain variations to communicate with its command and control servers.
- The DGA algorithm uses a 15-bit seed value derived from the
SnorGen is a tool that automatically generates signatures from network traffic data. It extracts content, packet, and flow signatures and converts them to Snort rule format. Content signatures identify unique substrings in packets, packet signatures identify sequences of content signatures in packets, and flow signatures identify sequences of packet signatures across an entire network flow. SnorGen analyzes captured network traffic and generates signatures that can then be used by the Snort intrusion detection system to monitor, block, and control network traffic.
Ville Lautanala describes different transport channels that allow pushing data from servers to clients in real time.
He also introduces a case study of Flowdock's experience with socket.io and WebSockets.
Presentation from Frontend Finland meetup, March 14th. A slightly modified version was presented at SFJS, April 3rd.
Presentation of a few mechanisms that can help to automate the bootstrap process in an IoT environment.
This is the summary of my work done during an 8-week internship at Red Hat.
Using Algorithms to Brute Force Algorithms...A Journey Through Time and Names... - OpenDNS
The document discusses analyzing domain generation algorithms (DGAs) used by malware to establish resilient command and control connections. It focuses on analyzing the DGA used by the Ramnit malware. The Ramnit DGA works by seeding a linear congruential generator with an unknown seed value, generating domain names of random lengths between 8 and 19 characters from an alphabet of letters, and appending ".com". The document aims to identify the seed values used by brute forcing all possible seeds and analyzing DNS query patterns to determine how many domain names each seed generates.
1) The document discusses DNS spoofing techniques including DNS cache poisoning, DNS ID spoofing, and exploiting the birthday paradox.
2) It describes two versions of a DNS ID spoofing tool called dnsspoof.py that either targets a specific victim or all victims on the network.
3) Examples are given using the Scapy Python library to build and sniff packets to demonstrate how the DNS spoofing tools could be implemented.
MD5 hashes are no longer secure due to the ability to create colliding files that have the same MD5 hash but different content and behavior. This allows an attacker to substitute a harmless file with a malicious one that cannot be detected by the MD5 hash. While auditing and other defenses make exploitation difficult, the failure of MD5 to detect differences means it cannot reliably verify file integrity and properties like executable behavior are preserved. The full attack details have not been released but are more powerful than just appending data, allowing arbitrary manipulation of file content while preserving the MD5 hash.
This document discusses the Python programming behind loltw.net, a website that provides League of Legends player stats and rankings. It begins with an introduction to the author and his background. It then explains what League of Legends is and how loltw.net allows users to look up player info, rankings, and stats even when not in-game. The rest of the document discusses the technical details behind building and maintaining loltw.net, including scraping player data, using Django as the web framework, MongoDB to store non-structured log data, and Twisted for network programming.
The document summarizes Dan Kaminsky's planned talks and demonstrations at Black Hat 2006. Some key points include:
- Enforcing network neutrality through detecting non-neutral networks using techniques like active network probing and analyzing TCP bandwidth.
- Findings from scanning over 2.4 million SSL servers, including many servers responding on port 443 without SSL enabled and variability in certificates served from the same IP.
- Demonstrating ways to securely login to online applications from an insecure home page using iframes to initialize SSL.
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ... - CODE BLUE
There may be logic bugs in the COM and RPC servers built into the Windows OS. To find these bugs automatically, the commonly used algorithm is to search for the call chain between functions and Win32 APIs that perform sensitive operations, but if you rely only on the disassembler's xrefs to generate the call chain, you cannot handle calls that cross process boundaries. To solve this problem to a certain extent, we propose "Cross-Server Xrefs" in COM and RPC and introduce an automated algorithm to search for this scenario; the key to this algorithm is the use of the Backtrace function of Metasm (the Ruby assembly manipulation suite). We will also introduce other attack surfaces in "Cross-Server Xrefs" and use our methods to find examples. Finally, we release an open source tool to help researchers explore the things described in this presentation.
Dan Kaminsky introduces his new company Recursion Ventures and discusses session management on the web. He explains that the web was not designed for authenticated resources and credentials are easily accessible across sites due to issues with cookie-based session management. Kaminsky proposes using smarter string interpolation to allow developers to write code inline while preventing injections. He demonstrates a prototype called Interpolique that uses base64 encoding to sanitize variables before insertion into queries. This approach aims to make secure coding easier and mistakes immediately apparent.
The document discusses different types of denial of service (DoS) attacks against web servers, focusing on Slowloris, Slow Post, and Slow Read attacks. Slowloris keeps connections open by sending partial HTTP requests and headers. Slow Post sends complete headers but an incomplete message body. Slow Read maliciously throttles the receipt of large HTTP responses to tie up server resources. These low-bandwidth attacks can be effective at consuming connection pools and overloading servers. The document provides details on how each attack works and recommendations for detection and mitigation techniques.
Apache httpd v2.4 is well-suited for cloud environments due to improvements that increase performance, flexibility, and dynamic configuration capabilities. It has been enhanced as a reverse proxy with load balancing and support for additional protocols. Benchmark tests show that for transaction speed, the prefork MPM performs best, though other MPMs are on par for concurrency. Apache remains a robust and customizable web server option.
This document discusses OAuth as an authentication and authorization framework for REST APIs. It notes that while SOAP had standards like WS-Trust and WS-Security, REST lacked comparable standards, resulting in issues like websites asking for user passwords. OAuth 2.0 addresses these issues by defining authorization and authentication for RESTful APIs, mitigating the password anti-pattern and supporting mobile applications through token-based federated authentication.
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ... - Thomas Wuerthinger
Multi-language runtimes providing simultaneously high performance for several programming languages still remain an illusion. Industrial-strength managed language runtimes are built with a focus on one language (e.g., Java or C#). Other languages may compile to the bytecode formats of those managed language runtimes. However, the performance characteristics of the bytecode generation approach are often lagging behind compared to language runtimes specialized for a specific language. The performance of JavaScript is for example still orders of magnitude better on specialized runtimes (e.g., V8 or SpiderMonkey).
We present a solution to this problem by providing guest languages with a new way of interfacing with the host runtime. The semantics of the guest language is communicated to the host runtime not via generating bytecodes, but via an interpreter written in the host language. This gives guest languages a simple way to express the semantics of their operations including language-specific mechanisms for collecting profiling feedback. The efficient machine code is derived from the interpreter via automatic partial evaluation. The main components reused from the underlying runtime are the compiler and the garbage collector. They are both agnostic to the executed guest languages.
The host compiler derives the optimized machine code for hot parts of the guest language application via partial evaluation of the guest language interpreter. The interpreter definition can guide the host compiler to generate deoptimization points, i.e., exits from the compiled code. This allows guest language operations to use speculations: An operation could for example speculate that the type of an incoming parameter is constant. Furthermore, the guest language interpreter can use global assumptions about the system state that are registered with the compiled code. Finally, part of the interpreter's code can be excluded from the partial evaluation and remain shared across the system. This is useful for avoiding code explosion and appropriate for infrequently executed paths of an operation. These basic mechanisms are provided by the underlying language-agnostic host runtime and allow separation of concerns between guest and host runtime.
We implemented Truffle, the guest language runtime framework, on top of the Graal compiler and the HotSpot virtual machine. So far, there are prototypes for C, J, Python, JavaScript, R, Ruby, and Smalltalk running on top of the Truffle framework. The prototypes are still incomplete with respect to language semantics. However, most of them can run non-trivial benchmarks to demonstrate the core promise of the Truffle system: Multiple languages within one runtime system at competitive performance.
1) The document proposes using Google Drive as an indirect communication channel between the BeEF command server and hooked browsers to avoid detection. BeEF normally requires direct communication but this could be tracked.
2) The approach works by having each hooked browser pull commands from and upload results to its own folder on Google Drive. The BeEF command server coordinates by updating files on Google Drive.
3) Authentication is required to access Google Drive via its API. The proposed system uses multiple API keys to allow the client and server to read/write to the shared Google Drive folder for each hooked browser.
Phreebird Suite 1.0: Introducing the Domain Key InfrastructureDan Kaminsky
Phreebird Suite 1.0 introduces the Domain Key Infrastructure through DNSSEC to enable easy and secure authentication across domains. It includes Phreebird, a zero configuration DNSSEC server that can sign responses in real-time without requiring offline key generation or zone signing. It also includes Phreeload, which integrates DNSSEC validation into OpenSSL using LD_PRELOAD to enable end-to-end security for applications. The suite aims to make DNSSEC easy to deploy and leverage its authentication capabilities to enable new secure cross-domain applications.
This document discusses Dan Kaminsky's presentation on black ops of TCP/IP. It begins with an introduction of Kaminsky and what topics he plans to cover, including MD5 hashes, IP fragmentation, firewall/IPS fingerprinting, DNS poisoning, and scanning the internet. It then demonstrates how two webpages with different content can have the same MD5 hash due to collisions. It discusses using IP fragmentation and timing attacks to evade intrusion detection systems. It also describes techniques for fingerprinting firewalls and intrusion prevention systems based on their behavior in response to invalid traffic. Finally, it cautions against automatic shunning of IP addresses by security devices to avoid accidentally blocking critical infrastructure like root DNS servers.
This document discusses vulnerabilities in the design of the Domain Name System (DNS) and how those vulnerabilities can be exploited. Specifically, it describes how DNS caches, proxies, and routes can be used to map DNS servers and inject content into caches. It also summarizes methods for tunneling arbitrary content through DNS using techniques like modifying Time-To-Live values and encoding data in domain names or record types. Finally, it discusses some approaches for suppressing DNS tunnels, such as flagging unusually large or formatted traffic.
The document summarizes Dan Kaminsky's talk at Black Hat 2007 about exploiting the DNS rebinding vulnerability to bypass firewalls and access internal networks from external web browsers. It describes how DNS rebinding works by abusing the same-origin policy to treat websites with different domain names but the same IP address as coming from the same origin. It then outlines several ways an attacker can force a domain to resolve to different IP addresses and use this to tunnel network traffic over the browser.
This document discusses various techniques for manipulating TCP/IP packets to circumvent network restrictions or achieve otherwise impossible network feats. It proposes methods for instant port scanning, multicast transmission without multicast support, sharing a public IP address among multiple private hosts, and establishing connections between hosts both behind NATs. The techniques rely on creatively exploiting redundancy and flexibility in the TCP/IP protocol stack.
End-to-End Analysis of a Domain Generating Algorithm Malware FamilyCrowdStrike
This document summarizes the analysis of a domain generating algorithm (DGA) malware family. Key points include:
- The malware uses inline code obfuscation and encrypted strings to hide its functionality and communication domains. Researchers were able to deobfuscate the code and decrypt the strings to analyze the malware.
- Clues in decrypted strings suggest the malware author is Romani, including references to Romani singers in template strings.
- The malware generates domain names by concatenating two randomly selected words from a dictionary and appending ".net". This allows it to generate many domain variations to communicate with its command and control servers.
- The DGA algorithm uses a 15-bit seed value derived from the
SnorGen is a tool that automatically generates signatures from network traffic data. It extracts content, packet, and flow signatures and converts them to Snort rule format. Content signatures identify unique substrings in packets, packet signatures identify sequences of content signatures in packets, and flow signatures identify sequences of packet signatures across an entire network flow. SnorGen analyzes captured network traffic and generates signatures that can then be used by the Snort intrusion detection system to monitor, block, and control network traffic.
Ville Lautanala describes different transport channels that allow pushing data from servers to clients in real time.
He also introduces a case study of Flowdock's experience with socket.io and WebSockets.
Presentation from Frontend Finland meetup, March 14th. A slightly modified version was presented at SFJS, April 3rd.
Presentation of a few mechanisms that can help automate the bootstrap process in an IoT environment.
This is the summary of my work done during an 8-week internship at Red Hat.
Using Algorithms to Brute Force Algorithms... A Journey Through Time and Names... - OpenDNS
The document discusses analyzing domain generation algorithms (DGAs) used by malware to establish resilient command and control connections. It focuses on analyzing the DGA used by the Ramnit malware. The Ramnit DGA works by seeding a linear congruential generator with an unknown seed value, generating domain names of random lengths between 8 and 19 characters from an alphabet of letters, and appending ".com". The document aims to identify the seed values in use by brute forcing all possible seeds and analyzing DNS query patterns to determine how many domain names each seed generates.
1) The document discusses DNS spoofing techniques including DNS cache poisoning, DNS ID spoofing, and exploiting the birthday paradox.
2) It describes two versions of a DNS ID spoofing tool called dnsspoof.py that either targets a specific victim or all victims on the network.
3) Examples are given using the Scapy Python library to build and sniff packets to demonstrate how the DNS spoofing tools could be implemented.
MD5 hashes are no longer secure due to the ability to create colliding files that have the same MD5 hash but different content and behavior. This allows an attacker to substitute a harmless file with a malicious one that cannot be detected by the MD5 hash. While auditing and other defenses make exploitation difficult, the failure of MD5 to detect differences means it cannot reliably verify file integrity and properties like executable behavior are preserved. The full attack details have not been released but are more powerful than just appending data, allowing arbitrary manipulation of file content while preserving the MD5 hash.
This document discusses the Python programming behind loltw.net, a website that provides League of Legends player stats and rankings. It begins with an introduction to the author and his background. It then explains what League of Legends is and how loltw.net allows users to look up player info, rankings, and stats even when not in-game. The rest of the document discusses the technical details behind building and maintaining loltw.net, including scraping player data, using Django as the web framework, MongoDB to store non-structured log data, and Twisted for network programming.
The document summarizes Dan Kaminsky's planned talks and demonstrations at Black Hat 2006. Some key points include:
- Enforcing network neutrality by detecting non-neutral networks using techniques like active network probing and analyzing TCP bandwidth.
- Findings from scanning over 2.4 million SSL servers, including many servers responding on port 443 without SSL enabled and variability in certificates served from the same IP.
- Demonstrating ways to securely login to online applications from an insecure home page using iframes to initialize SSL.
[CB20]-U25 Automated Hunting for Cross-Server Xrefs in Microsoft RPC and COM ... - CODE BLUE
There may be logic bugs in the COM and RPC servers built into the Windows OS. To find these bugs automatically, the commonly used approach is to search for call chains between functions and Win32 APIs that perform sensitive operations; but if you rely only on the disassembler's xrefs to generate the call chain, you cannot handle calls that cross process boundaries. To solve this problem to a certain extent, we propose "Cross-Server Xrefs" in COM and RPC and introduce an automated algorithm to search for this scenario; the key to this algorithm is the Backtrace function of Metasm (the Ruby assembly manipulation suite). We also introduce other attack surfaces in "Cross-Server Xrefs" and use our methods to find examples. Finally, we release an open source tool to help researchers explore the things described in this presentation.
Dan Kaminsky introduces his new company Recursion Ventures and discusses session management on the web. He explains that the web was not designed for authenticated resources and credentials are easily accessible across sites due to issues with cookie-based session management. Kaminsky proposes using smarter string interpolation to allow developers to write code inline while preventing injections. He demonstrates a prototype called Interpolique that uses base64 encoding to sanitize variables before insertion into queries. This approach aims to make secure coding easier and mistakes immediately apparent.
The document discusses different types of denial of service (DoS) attacks against web servers, focusing on Slowloris, Slow Post, and Slow Read attacks. Slowloris keeps connections open by sending partial HTTP requests and headers. Slow Post sends complete headers but an incomplete message body. Slow Read maliciously throttles the receipt of large HTTP responses to tie up server resources. These low-bandwidth attacks can be effective at consuming connection pools and overloading servers. The document provides details on how each attack works and recommendations for detection and mitigation techniques.
Apache httpd v2.4 is well-suited for cloud environments due to improvements that increase performance, flexibility, and dynamic configuration capabilities. It has been enhanced as a reverse proxy with load balancing and support for additional protocols. Benchmark tests show that for transaction speed, the prefork MPM performs best, though other MPMs are on par for concurrency. Apache remains a robust and customizable web server option.
This document discusses OAuth as an authentication and authorization framework for REST APIs. It notes that while SOAP had standards like WS-Trust and WS-Security, REST lacked comparable standards, resulting in issues like websites asking for user passwords. OAuth 2.0 addresses these issues by defining authorization and authentication for RESTful APIs, mitigating the password anti-pattern and supporting mobile applications through token-based federated authentication.
Graal and Truffle: Modularity and Separation of Concerns as Cornerstones for ... - Thomas Wuerthinger
Multi-language runtimes providing simultaneously high performance for several programming languages still remain an illusion. Industrial-strength managed language runtimes are built with a focus on one language (e.g., Java or C#). Other languages may compile to the bytecode formats of those managed language runtimes. However, the performance characteristics of the bytecode generation approach are often lagging behind compared to language runtimes specialized for a specific language. The performance of JavaScript is for example still orders of magnitude better on specialized runtimes (e.g., V8 or SpiderMonkey).
We present a solution to this problem by providing guest languages with a new way of interfacing with the host runtime. The semantics of the guest language is communicated to the host runtime not via generating bytecodes, but via an interpreter written in the host language. This gives guest languages a simple way to express the semantics of their operations including language-specific mechanisms for collecting profiling feedback. The efficient machine code is derived from the interpreter via automatic partial evaluation. The main components reused from the underlying runtime are the compiler and the garbage collector. They are both agnostic to the executed guest languages.
The host compiler derives the optimized machine code for hot parts of the guest language application via partial evaluation of the guest language interpreter. The interpreter definition can guide the host compiler to generate deoptimization points, i.e., exits from the compiled code. This allows guest language operations to use speculations: An operation could for example speculate that the type of an incoming parameter is constant. Furthermore, the guest language interpreter can use global assumptions about the system state that are registered with the compiled code. Finally, part of the interpreter's code can be excluded from the partial evaluation and remain shared across the system. This is useful for avoiding code explosion and appropriate for infrequently executed paths of an operation. These basic mechanisms are provided by the underlying language-agnostic host runtime and allow separation of concerns between guest and host runtime.
We implemented Truffle, the guest language runtime framework, on top of the Graal compiler and the HotSpot virtual machine. So far, there are prototypes for C, J, Python, JavaScript, R, Ruby, and Smalltalk running on top of the Truffle framework. The prototypes are still incomplete with respect to language semantics. However, most of them can run non-trivial benchmarks to demonstrate the core promise of the Truffle system: Multiple languages within one runtime system at competitive performance.
This document provides an overview of Graal, a high-performance dynamic compiler for Java written in Java. It discusses key features such as support for speculative optimizations and deoptimization. It also covers Graal's intermediate representation, optimization phases, and how it can be used for custom compilations and static analysis. The document aims to provide insight into Graal and its capabilities as a research compiler.
Graal is a dynamic meta-circular research compiler for Java that is designed for extensibility and modularity. One of its main distinguishing elements is the handling of optimistic assumptions obtained via profiling feedback and the representation of deoptimization guards in the compiled code. Truffle is a self-optimizing runtime system on top of Graal that uses partial evaluation to derive compiled code from interpreters. Truffle is suitable for creating high-performance implementations for dynamic languages with only moderate effort. The presentation includes a description of the Truffle multi-language API and performance comparisons, within the industry, of current prototype Truffle language implementations (JavaScript, Ruby, and R). Both Graal and Truffle are open source and are themselves research platforms in the area of virtual machine and programming language implementation (http://openjdk.java.net/projects/graal/).
2018 JavaLand Deconstructing and Evolving REST Security - David Blevins
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach is explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, "I could write this myself."
As a bonus at the end, we'll peek into a new IETF Internet Draft launched this year that combines JWT and HTTP Signatures into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios. Come to this session if you want to go from novice to expert with a bit of humor, a big-picture perspective and wire-level detail.
2018 Denver JUG Deconstructing and Evolving REST Security - David Blevins
2018 jPrime Deconstructing and Evolving REST Security - David Blevins
2018 SDJUG Deconstructing and Evolving REST Security - David Blevins
The document discusses various approaches for securing REST APIs, including basic authentication and its limitations, OAuth 2.0 protocols, and using hashing and signing techniques like HMAC and RSA. It provides examples of basic authentication, OAuth 2.0 password and refresh grants, and generating and verifying hashes and signatures of data. The presentation aims to explore standards for REST security beyond basic authentication and improving statelessness.
The document discusses various approaches to securing REST APIs, including basic authentication and its limitations, OAuth 2.0 tokens and refresh tokens, hashing, and signing. It notes that while standards provide options, they do not ensure security and proper implementation is important. The presentation evaluates approaches based on performance and security, noting tradeoffs between the two goals.
2018 Boulder JUG Deconstructing and Evolving REST Security - David Blevins
2018 Ecuador Deconstructing and Evolving REST Service Security - César Hernández
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility and habitually give old concepts new names. This session goes deep into the current state and the evolution that security in REST service-based architectures has required, with competing concepts such as OAuth 2.0 in the mobile world and HTTP Signatures as used by Amazon in B2B APIs. Finally, it analyzes a new Internet Draft launched this year that combines both into the perfect two-factor system that could provide a one-stop shop for mobile and business REST scenarios.
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, offer endless extensions, and almost seem designed to deliberately confuse. With an eye on architectural impact, actual HTTP messages, and aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. It then explores a competing Amazon-style approach called HTTP Signatures, ideal for B2B APIs. Finally, it discusses a new internet draft launched this year that combines them both into the perfect two-factor system that could provide a one-stop shop for business as well as mobile REST scenarios.
Stateless Microservice Security via JWT and MicroProfile - Mexico - Otávio Santana
The learning curve for REST API security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, and almost seem designed to deliberately confuse. With an aggressive distaste for fancy terminology, the first half of this session delves into OAuth 2.0 with and without JWTs and shows how it falls into two camps: stateful and stateless. Starting at Basic Auth and walking forward, we'll compare each with a heavy focus on the wire, showing actual HTTP messages and analyzing their impact on load and security against a baseline microservice architecture.
In the second half of this presentation we'll deep-dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app running on Oracle Cloud that issues JWTs with custom backend data, performs server-side verification and injection of claims, and client-side login and refresh. All code is on GitHub; you'll leave ready to bootstrap your next truly secure full-stack project.
Stateless Microservice Security via JWT and MicroProfile - ES Otavio Santana
This document summarizes Otavio Santana's presentation on stateless microservice security using JWT and MicroProfile. The presentation covered the limitations of Basic Auth and OAuth 2.0, and introduced JSON Web Tokens (JWT) as an alternative token-based authentication approach. It demonstrated how JWT can be used to securely transmit user authentication and authorization information in HTTP requests to microservices.
Stateless Microservice Security via JWT and MicroProfile - Guatemala - Otávio Santana
2018 Madrid JUG Deconstructing REST Security - Bruno Baptista
The learning curve for security is severe and unforgiving. Specifications promise infinite flexibility, habitually give old concepts new names, are riddled with extensions, and almost seem designed to deliberately confuse. For a back-end REST developer, choking all this down for the first time is mission impossible. With an aggressive distaste for fancy terminology, this session delves into OAuth 2.0 as it pertains to REST and shows how it falls into two camps: stateful and stateless. We then detail a competing Amazon-style approach called HTTP Signatures, ideal for B2B scenarios and similar to what is used to secure all Amazon AWS API calls. Each approach is explored by analyzing the architectural differences, with a heavy focus on the wire, showing actual HTTP messages and enough detail to have you thinking, “I could write this myself.”
JWT with Flask slide deck - Alan Swenson - Jeffrey Clark
JWTs are a compact way to securely transmit information between parties as a JSON object that can be digitally signed and verified. A JWT contains a header, payload, and signature. The payload contains claims about an entity that are used to generate the signature. Flask JWT extensions make it easy to generate and verify JWTs to authenticate users and restrict access to protected routes in Flask applications. Access tokens are short-lived JWTs that grant access to resources, while refresh tokens allow new access tokens to be generated after expiration. Blacklists are used to revoke compromised tokens before expiration.
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho - CODE BLUE
This talk will show esoteric web application vulnerabilities in detail. These vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass, and purchasing items from merchants that use PayPal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; NoSQL injections; host header injections that lead to phone call audio interception; PayPal’s double spend and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert who currently leads the community-driven, open source w3af project and provides in-depth web application penetration testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and held trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
This document discusses REST (REpresentational State Transfer) and how to implement RESTful services on Android. It begins by defining REST and describing its core concepts like client-server architecture, statelessness, uniform interface, and CRUD (create, read, update, delete) operations. It then covers how to make HTTP requests in Android using libraries like HttpURLConnection and Apache HTTP Client. Helpful libraries for working with REST APIs are also presented, including Gson for JSON parsing and CRest for declarative REST clients. The document emphasizes best practices like performing HTTP calls in a background thread, persisting data to content providers, and minimizing network usage.
This document discusses tools for testing web services over HTTP in Python. It introduces HTTPie, a command line tool for making HTTP requests, and Behave, a behavior-driven development tool that uses the Gherkin language to write human-readable test cases. The document provides examples of using HTTPie to debug services and Behave steps to test authentication on a sample API.
Dublin JUG Stateless Microservice Security via JWT, TomEE and MicroProfile - Jean-Louis MONTEIRO
Microservices-based architecture seems to be the common convergence point in the industry. But when it comes to security we are still struggling to evolve from monolithic systems or people-oriented architecture. This presentation focuses on this landscape and explains how to leverage the quickly evolving MicroProfile JWT specification to secure microservices in a fully stateless and scalable manner. We’ll introduce the specification in a quick and no-nonsense fashion and move on to several code examples that show how to set up JWT verification and obtain trusted claims via lookup or dependency injection. For our playground, we’ll be using Apache TomEE, a fully open source, lightweight Java EE server and MicroProfile implementation.
This document provides an overview and comparison of XML-RPC and SOAP, which are two RPC systems that use open internet standards. XML-RPC implements RPC using open web standards by encoding data in XML and making RPC calls over HTTP. SOAP attempts to overcome limitations of XML-RPC by supporting user-defined data types and object introspection. While SOAP is more full-featured, XML-RPC remains simpler and more lightweight. Examples are provided of making XML-RPC calls from Python.
Microservice Security via MicroProfile JWT - César Hernández
The learning curve for security is severe and unforgiving. This session goes deep into the current state and the evolution that security in REST service-based architectures has required, with competing concepts such as OAuth 2.0 in the mobile world and HTTP Signatures as used by Amazon in B2B APIs. Finally, it presents the Eclipse MicroProfile JWT project, which provides an enterprise Java API optimized for microservice-oriented architectures. A practical case is presented in which a secure application is built with MicroProfile JWT, Apache TomEE and AngularJS, demonstrating the configuration, CDI, authentication and advanced authorization capabilities that Eclipse MicroProfile JWT offers. During this session attendees will see the basic concepts of REST security with OAuth 2.0, JWT and HTTP Signatures. The practical case is presented using Eclipse MicroProfile on an application with an AngularJS front end and Java EE on Apache TomEE.
Nordic APIs - Automatic Testing of (RESTful) API Documentation - Rouven Weßling
Learn how to automatically test your API's documentation by using API Blueprints and dredd.
Presented at the Nordic APIs Platform Summit on October 25, 2016
Similar to 2016 JavaOne Deconstructing REST Security
DevNexus 2020 - Jakarta Messaging 3.x, Redefining JMS - David Blevins
The document discusses plans for Jakarta Messaging 3.x, which will serve as the basis for the JMS API in Jakarta EE 9 and beyond. It outlines the timeline of JMS specifications and their inclusion in Java EE and Jakarta EE. Ideas for Jakarta Messaging 3.x include incorporating unreleased features from JMS 2.1, improving support for CDI, adding property conversion and JSON-B message support, and developing a MessagingClient similar to MicroProfile Rest Client. The presentation encourages involvement in the Jakarta Messaging and sample code projects on GitHub.
2019 JJUG CCC Stateless Microservice Security with MicroProfile JWT - David Blevins
In this presentation we'll deep-dive into MicroProfile JWT, which offers a clean Java API and standard configuration for consuming JWTs in Java microservices. Code and demo focused, we'll see a complete MicroProfile JWT, TomEE and AngularJS app that issues JWTs with custom backend data, performs server-side verification and injection of claims, and client-side login and refresh. All code is on GitHub; you'll leave ready to bootstrap your next truly secure full-stack project.
The document discusses the Java Configuration API JSR, which allows applications to be configured through Java properties. It allows mixing internal and external configuration sources, supports dependency injection and lookup of configuration values, and runtime changes to the configuration. Various built-in and third-party configuration sources are listed, such as environment variables, YAML files, databases, and Kubernetes variables. The history of the JSR is discussed, including influences from DeltaSpike Config, Apache Tamaya, and other projects.
The days of EJBs being the center of the Java EE universe are coming to an end. CDI is increasingly becoming the de facto component framework, due to its flexibility and lack of legacy. Starting in Java EE 7 and continuing in 8, the Java EE platform is migrating to enable all of EJB’s best features to be usable in the CDI world. In this session, you’ll learn implementation-level details on how they relate to each other, where we are in the EJB/CDI alignment story, what trade-offs you might need to make, and what you have to gain from making the transition. You will walk out with runnable examples and vendor-level insights. This is the perfect session for heavy EJB users looking to keep up with Java EE’s transition to CDI.
JavaOne 2013 - Apache TomEE, Java EE Web Profile {and more} on Tomcat - David Blevins
Having made its Java EE 6 Web Profile certification debut at JavaOne 2011 and having won a JavaOne Rock Star award in 2012, Apache TomEE combines the simplicity of Tomcat with the power of Java EE. This updated presentation traverses the world of TomEE and shows how Tomcat applications leveraging Java EE technologies can become simpler and lighter with a Java EE–certified solution built right on Tomcat. The first part jumps right into action and gives a coding tour of TomEE, including quickly bootstrapping projects, doing proper testing with Arquillian, and setting up environments. The second part gives insight into how TomEE was created and explores the budding TomEE ecosystem of tools, platforms, and the latest community advancements.
The document discusses the evolution of metadata in Java EE applications from XML configuration to annotations on classes to meta-annotations. It describes how meta-annotations that define common annotations in XML avoid redundancy and make configuration more logical and administrator-friendly by separating the application's structure from its needs. The presentation concludes with a demo and Q&A.
2011 JavaOne Apache TomEE Java EE 6 Web Profile - David Blevins
Apache TomEE is a Java EE 6 Web Profile certified application server built on top of Tomcat. It includes Apache components like MyFaces, OpenWebBeans, OpenEJB, OpenJPA, and Bean Validation. The entire Web Profile is only 24MB in size and has a small memory footprint. It aims to prove that a certified Java EE stack can be lightweight and agile. Future goals include further optimizations to reduce size and improve performance.
2011 JavaOne Fun with EJB 3.1 and OpenEJB (David Blevins)
This document summarizes the history and philosophy of OpenEJB, an open source embeddable EJB container. Some key points include:
- OpenEJB started in 1999 and has evolved through various organizations to become an Apache project.
- OpenEJB has always focused on being an embeddable EJB container rather than a traditional application server.
- The document argues that EJB has been misunderstood and that implementations, not the specification itself, were the source of complexity.
- It presents some ideas for the future of EJB and Java EE, such as improving annotations and interceptors.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit Paris (Neo4j)
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Discover the latest innovations from Neo4j, in particular the latest cloud integrations and product improvements that make Neo4j an essential choice for developers building applications with interconnected data and generative AI.
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
E-commerce Application Development Company (Hornet Dynamics)
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
What is Augmented Reality Image Tracking? (pavan998932)
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
Need for Speed: Removing speed bumps from your Symfony projects ⚡️ (Łukasz Chruściel)
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
UI5con 2024 - Boost Your Development Experience with UI5 Tooling Extensions (Peter Muessig)
The UI5 tooling is the development and build tooling of UI5. It is built in a modular and extensible way so that it can be easily extended to your needs. This session showcases various tooling extensions that can considerably boost your development experience: work truly offline, transpile the code in your project to use even newer versions of EcmaScript than the 2022 edition currently supported by the UI5 tooling, consume any npm package of your choice in your project, use different kinds of proxies, and even stitch UI5 projects together during development to mimic your target environment.
46. JavaOne
#RESTSecurity @dblevins @tomitribe
Access Token Now
• header (JSON > Base64 URL Encoded)
  • describes how the token signature can be checked
• payload (JSON > Base64 URL Encoded)
  • basically a map of whatever you want to put in it
  • some standard keys such as expiration
• signature (Binary > Base64 URL Encoded)
  • the actual digital signature
  • made exclusively by the /oauth2/token endpoint
  • if RSA, can be checked by anyone
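The three segments described on this slide, as an added example that is not code from the talk or from Tomitribe. It uses only the Python standard library, so the signature is HMAC-SHA256 (HS256) with a constructed shared secret standing in for the RSA key pair the slide mentions; with RS256 the token endpoint would sign with its private key and any holder of the public key could run the same check. `mint_token` plays the role of the /oauth2/token endpoint and `verify_token` the role of a resource server; both names, the secret and the sample claims are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret shared by the token endpoint and the verifying
# resource server (HS256). Stands in for an RSA key pair so the example runs offline.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64 URL encoding with the '=' padding stripped, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """Plays the /oauth2/token endpoint: header.payload.signature, each base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Plays the resource server: structure, algorithm, signature, then expiry.
    Returns the claims on success and raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header says how the signature can be checked, but the verifier decides
    # what it accepts: pinning the algorithm rejects "alg":"none" and key confusion.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(
        secret, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison so a timing side channel cannot leak the MAC.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # "exp" is one of the standard keys the slide refers to: seconds since the epoch.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def is_rejected(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """True when verify_token refuses the token; used to exercise each failure mode."""
    try:
        verify_token(token, secret, now)
        return False
    except ValueError:
        return True


def with_replaced_payload(token: str, new_claims: dict) -> str:
    """Swap the payload segment but keep the original signature, to show that
    the signature binds the payload (constructed for the demo)."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode())
    return header_b64 + "." + payload_b64 + "." + sig_b64


if __name__ == "__main__":
    token = mint_token({"sub": "alice", "scope": "read", "exp": 2000}, DEMO_SECRET)
    print(token)
    print(verify_token(token, DEMO_SECRET, now=1000))
    print("expired rejected:", is_rejected(token, DEMO_SECRET, now=3000))
    print("edited payload rejected:",
          is_rejected(with_replaced_payload(token, {"sub": "admin"}), DEMO_SECRET, now=1000))
```

Decoding the header and payload needs no key at all, which is why a JWT should never carry a secret in its payload; only the signature segment requires the key, and only the token endpoint holds the signing key.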
79. JavaOne
Observations
• HTTP Signatures: the only HTTP-friendly approach
• HTTP Signatures do not solve the "Identity Load" problem
• OAuth 2 with JWT significantly improves IDP load
• Plain OAuth 2
  • HTTP Session-like implications
• OAuth 2 with JWT
  • Signed cookie
  • Signing key to the future