Speaker: Andrey Plastunov
Language: English
Nowadays, one can find many many different web servers performing different kind of tasks: they may serve administrative requests on wifi hotspots (or any other embedded device), they may be used as gates to corporate intranet resources, etc. That's the logic part, but what do all these servers have under their hoods? Attentive people may note that the zoo of web servers is not limited to popular mainstream solutions. So how large the zoo is exactly? Do the developers, who creates their own servers, pay enough attention to security related problems? We will try to answer that questions.
The talk will cover methods of finding binary vulnerabilities in modern web server software using A fuzzing approach. As an example of this method, a custom fuzzing tool will be released. We will also demonstrate a bunch of vulnerabilities, found during the research.
CONFidence: http://confidence.org.pl/pl/
The document provides an overview of using Java to interact with MongoDB. It discusses connecting to MongoDB, working with collections, inserting and querying documents, using GridFS to store files, the object mapping library Morphia, and how Groovy and the Grails framework can simplify MongoDB development. The key topics covered include making connections, inserting and querying documents, GridFS for file storage, mapping objects with Morphia, dynamic queries in Groovy, and the MongoDB Grails plugin.
MongoDB + Java - Everything you need to know Norberto Leite
Learn everything you need to know to get started building a MongoDB-based app in Java. We'll explore the relationship between MongoDB and various languages on the Java Virtual Machine such as Java, Scala, and Clojure. From there, we'll examine the popular frameworks and integration points between MongoDB and the JVM including Spring Data and object-document mappers like Morphia.
phptek13 - Caching and tuning fun tutorialWim Godden
This document discusses caching and tuning techniques to improve scalability for web applications. It begins with an introduction and background on caching. It then covers different caching techniques including caching entire pages, parts of pages, SQL queries, and complex PHP results. It discusses various caching storage options such as the MySQL query cache, memory tables, opcode caching with APC, disk, memory disk, Memcache, and notes on each. The document provides code examples for using Memcache and discusses caching strategies such as updating cached data, cache stampeding, and cache warming scripts. It also covers performance benchmarks and moving to Nginx with PHP-FPM. The overall goal of the techniques discussed is to increase reliability, performance and scalability of a
The document provides information about a talk on Java persistence frameworks for MongoDB given at MongoDB Berlin 2013. It discusses MongoDB Java Driver, Spring Data MongoDB, Morphia, and Hibernate OGM as frameworks for connecting Java applications to MongoDB. The talk covers connecting to MongoDB from Java, mapping objects to documents, and repository support features of the frameworks.
As more and more alternative data stores come into use, the problem of being able to easily use and report on the data scattered across those data stores becomes increasingly difficult. PostgreSQL has a feature called Foreign Data Wrappers that allows external data sources to be queried from PostgreSQL and look like a standard table. Using Foreign Data Wrappers, users can create a report that joins data residing in Oracle, Hadoop and MongoDB all in a single query.
In this talk, we'll discuss how to set up a Foreign Data Wrapper for various data sources and the pros and cons using them. We'll also discuss the growing ecosystem of Foreign Data Wrapper and a little about how to write one.
Morphia: Simplifying Persistence for Java and MongoDBJeff Yemin
The document describes Morphia, an object document mapper for Java that simplifies working with MongoDB. It outlines Morphia's key features like model mapping with annotations, query and update APIs, and support for references and embedded objects. Examples are provided of defining entity classes with annotations, performing queries, updates, and indexing. The document recommends Morphia for working with MongoDB on the JVM and provides resources for learning more.
The document provides an overview of Jersey, an open source framework for developing RESTful web services in Java. It describes how Jersey implements JAX-RS and supports developing resources using Java annotations like @Path, @GET and @Produces. Resources are POJOs that handle HTTP requests at specific URI paths. Jersey also supports object injection, sub-resources, response building and common deployment options like using Grizzly HTTP server.
The document provides an overview of using Java to interact with MongoDB. It discusses connecting to MongoDB, working with collections, inserting and querying documents, using GridFS to store files, the object mapping library Morphia, and how Groovy and the Grails framework can simplify MongoDB development. The key topics covered include making connections, inserting and querying documents, GridFS for file storage, mapping objects with Morphia, dynamic queries in Groovy, and the MongoDB Grails plugin.
MongoDB + Java - Everything you need to know Norberto Leite
Learn everything you need to know to get started building a MongoDB-based app in Java. We'll explore the relationship between MongoDB and various languages on the Java Virtual Machine such as Java, Scala, and Clojure. From there, we'll examine the popular frameworks and integration points between MongoDB and the JVM including Spring Data and object-document mappers like Morphia.
phptek13 - Caching and tuning fun tutorialWim Godden
This document discusses caching and tuning techniques to improve scalability for web applications. It begins with an introduction and background on caching. It then covers different caching techniques including caching entire pages, parts of pages, SQL queries, and complex PHP results. It discusses various caching storage options such as the MySQL query cache, memory tables, opcode caching with APC, disk, memory disk, Memcache, and notes on each. The document provides code examples for using Memcache and discusses caching strategies such as updating cached data, cache stampeding, and cache warming scripts. It also covers performance benchmarks and moving to Nginx with PHP-FPM. The overall goal of the techniques discussed is to increase reliability, performance and scalability of a
The document provides information about a talk on Java persistence frameworks for MongoDB given at MongoDB Berlin 2013. It discusses MongoDB Java Driver, Spring Data MongoDB, Morphia, and Hibernate OGM as frameworks for connecting Java applications to MongoDB. The talk covers connecting to MongoDB from Java, mapping objects to documents, and repository support features of the frameworks.
As more and more alternative data stores come into use, the problem of being able to easily use and report on the data scattered across those data stores becomes increasingly difficult. PostgreSQL has a feature called Foreign Data Wrappers that allows external data sources to be queried from PostgreSQL and look like a standard table. Using Foreign Data Wrappers, users can create a report that joins data residing in Oracle, Hadoop and MongoDB all in a single query.
In this talk, we'll discuss how to set up a Foreign Data Wrapper for various data sources and the pros and cons using them. We'll also discuss the growing ecosystem of Foreign Data Wrapper and a little about how to write one.
Morphia: Simplifying Persistence for Java and MongoDBJeff Yemin
The document describes Morphia, an object document mapper for Java that simplifies working with MongoDB. It outlines Morphia's key features like model mapping with annotations, query and update APIs, and support for references and embedded objects. Examples are provided of defining entity classes with annotations, performing queries, updates, and indexing. The document recommends Morphia for working with MongoDB on the JVM and provides resources for learning more.
The document provides an overview of Jersey, an open source framework for developing RESTful web services in Java. It describes how Jersey implements JAX-RS and supports developing resources using Java annotations like @Path, @GET and @Produces. Resources are POJOs that handle HTTP requests at specific URI paths. Jersey also supports object injection, sub-resources, response building and common deployment options like using Grizzly HTTP server.
This document discusses integrating the Apache Lucene full-text search engine with CouchDB. It begins by explaining that while CouchDB supports basic search through MapReduce indexes, implementing a full search engine would require recreating existing work. Lucene is introduced as a high-performance search library that can be used with CouchDB through the couchdb-lucene integration. The document provides examples of Lucene index design documents, querying the index, and integrating search into a Ruby on Rails application with pagination.
MongoDB World 2016: Deciphering .explain() OutputMongoDB
The document discusses different explain modes for MongoDB queries and aggregations. It begins with an overview of explain() and query plans, then covers the default "queryPlanner" mode which shows the winning and rejected plans. It also mentions the "executionStats" and "allPlansExecution" modes which provide more runtime statistics. The document aims to help understand how queries and aggregations are executed and troubleshoot performance issues.
This document summarizes options for using MongoDB with Java, including raw drivers, object mapping libraries like Morphia, and examples of common operations. It discusses using the MongoDB Java driver to directly encode data to BSON format, as well as higher-level libraries that allow working with Java objects like with Morphia annotations and queries. Examples demonstrate basic CRUD operations, embedding vs referencing relationships, and updating documents.
This document provides an overview of using MongoDB with Python. It introduces pymongo, the official Python driver for MongoDB, and covers connecting to MongoDB, performing CRUD operations, aggregation, GridFS for large files, indexing, and ODM frameworks. The presenter is Norberto Leite, a MongoDB Technical Evangelist based in Madrid, Spain.
This document summarizes an Apache Spark workshop that took place in September 2017 in Stockholm. It introduces the speaker's background and experience with Spark. It then provides an overview of the Spark ecosystem and core concepts like RDDs, DataFrames, and Spark Streaming. Finally, it discusses important Spark concepts like caching, checkpointing, broadcasting, and resilience.
This document provides an overview of MongoDB, Java, and Spring Data. It discusses how MongoDB is a document-oriented NoSQL database that uses JSON-like documents with dynamic schemas. It describes how the Java driver can be used to interact with MongoDB to perform CRUD operations. It also explains how Spring Data provides an abstraction layer over the Java driver and allows for object mapping and repository-based queries to MongoDB.
This document discusses MongoDB replication and replica sets. It begins with an overview of why replication is useful, including protecting against node failures, network latency, and having different uses for data. It then covers the lifecycle of a replica set from creation to recovery. It discusses the roles nodes can have in a replica set and how configurations are set. It explains how to develop applications using replica sets, including considerations for strong vs. delayed consistency, write concerns, tagging data, and read preferences. Finally, it discusses some operational considerations for replica sets like maintenance, upgrades, and deployment architectures for single vs. multiple data centers.
This talk will cover experiences from writing a FDW for Informix and will discuss differences between 9.1 and 9.2, as well as the new writable API with the upcoming 9.3 release, additionally data type mapping and conversion, optimizer support and performance related topics.
The talk tries to give the attendees an overall idea behind the techniques and pitfalls they may experience when they want to write their own.
Leveraging Hadoop in your PostgreSQL EnvironmentJim Mlodgenski
This talk will begin with a discussion of the strengths of PostgreSQL and Hadoop. We will then lead into a high level overview of Hadoop and its community of projects like Hive, Flume and Sqoop. Finally, we will dig down into various use cases detailing how you can leverage Hadoop technologies for your PostgreSQL databases today. The use cases will range from using HDFS for simple database backups to using PostgreSQL and Foreign Data Wrappers to do low latency analytics on your Big Data.
Terms of endearment - the ElasticSearch Query DSL explainedclintongormley
The document discusses the ElasticSearch query language. It provides examples of how to create indexes and mappings, add documents, perform searches using queries and filters, and examples of different query types like term, range and boolean filters. Key concepts covered include the differences between queries and filters, and using the query DSL versus the SearchBuilder.
The document discusses MongoDB, a document-oriented NoSQL database. It provides an overview of MongoDB, explaining that it uses documents (rather than tables and rows), has dynamic schemas, and allows for easy horizontal scaling. It also covers some basic MongoDB concepts and operations like collections, embedded documents, and CRUD functions like insert, find, update, and remove.
This document discusses MongoDB performance tuning. It emphasizes that performance tuning is an obsession that requires planning schema design, statement tuning, and instance tuning in that order. It provides examples of using the MongoDB profiler and explain functions to analyze statements and identify tuning opportunities like non-covered indexes, unnecessary document scans, and low data locality. Instance tuning focuses on optimizing writes through fast update operations and secondary index usage, and optimizing reads by ensuring statements are tuned and data is sharded appropriately. Overall performance depends on properly tuning both reads and writes.
[제1회 루씬 한글분석기 기술세미나] solr로 나만의 검색엔진을 만들어보자Donghyeok Kang
The document discusses building your own search engine using Solr. It provides an overview of Solr, explaining that it is based on Lucene and provides text analysis, scoring algorithms, and a web-based interface. It also covers installing and deploying Solr, configuring schemas and fields, indexing data, and performing basic searches and more advanced search types like dismax and more-like-this queries.
DBIx::Router is a DBI proxy that provides load balancing, failover, and sharding capabilities across multiple database servers. It uses a configuration file to define data sources and routing rules to map SQL queries to specific data sources. This allows databases to be scaled out in a transparent way without needing to modify application code. While it has made progress, DBIx::Router is still in development and lacks some features like auto-commit and streaming query results.
This document discusses centralized and unified logging. It describes how Fluentd provides a pluggable architecture for collecting, transporting, storing, analyzing, and alerting on logs from various sources in a centralized and scalable way. Examples are given of using Fluentd plugins to collect Apache logs, parse and enrich the data, forward to multiple outputs like Elasticsearch and Graphite, and more.
MongoDB is one of the most popular databases these days and there are a few reasons for such popularity. One of these reasons is the excellent integration with different programming languages and development frameworks.
In the case of Python we take it a few notches up (native use of dictionaries, integration with asynchronous libraries (twisted, gevent), good support for web frameworks like django, flask, bottle ... (mongoengine anyone?).
This talk is about the several different projects that we support, the way to effectively use Python and MongoDB together and a few other improvements and announcements.
Kenneth Truyers - Using Git as a NoSql database - Codemotion Milan 2018Codemotion
Git is not just a source control system. It's a content tracker we can (ab)use as a NoSQL database. Git has two features that traditional databases don't support: deduplicated storage and automatic history tracking. This talk discusses how to leverage it and what the benefits and drawbacks are. The goal of this talk is three fold: show attendees creative usage of existing tools, demonstrate the capabilities of Git and how to leverage its power and dive into Git's internals to gain a deeper understanding of a system a lot of developers use, but usually only know on a more superficial level.
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016Duyhai Doan
The document discusses Apache Cassandra's SASI (SSTable Attached Secondary Index). It provides a 5 minute introduction to Cassandra, introduces SASI and how it follows the SSTable lifecycle, describes how SASI works at the cluster level for distributed queries and indexing, and details the local read/write process including data structures and query planning. Some benchmarks are shown for full table scans on a large dataset using SASI with Spark. The key advantages and use cases for SASI are discussed along with its limitations compared to dedicated search engines.
The document provides an agenda and information about an Elasticsearch conference in Beijing, China on January 20, 2013. It includes details on the schedule, speakers, and topics to be covered such as Elasticsearch installation, indexing data, constructing queries, and architecture design.
CONFidence 2015: SCADA and mobile: security assessment of the applications th...PROIDEA
Speakers: Alexander Bolshev, Ivan Iushkevich
Language: English
The days when mobile technologies were just a rising trend have passed, and now mobile devices are an integral part of our life. As a result, you may find them in places where they probably shouldn't be. But convenience often wins over security. Nowadays, you can monitor (or even control!) your ICS (Industrial Control System) from a brand-new Android or iOS smartphone. Just type the words 'HMI', 'SCADA', or 'PLC' into Google Play Store or iTunes App Store, and a surprisingly large bunch of results will appear. Moreover, many of these applications are developed by serious vendors, like Siemens, GE, Omron, etc., and allow accessing, monitoring, or controlling the HMI, PLC, DCS, or SCADA systems in your ICS infrastructure. Are they secure? Could an attacker do something bad if they get access to an industrial engineer's tablet? What kind of vulnerabilities can exist in these applications? What attack vectors are possible?
To answer all these questions, we took a sample of "mobile apps for your SCADA, PLC, HMI" and assessed them. In these talk, found vulnerabilities, attack methods, and other potential risks will be shown. Two attack scenarios will be shown: attacking ICS infrastructure via a compromised smartphone and penetrating mobile devices out of a compromised ICS environment (bottom-to-top attacks). We will discuss whether it is SAFE to allow mobile applications to interact with your ICS infrastructure. Also, the detailed statistics of found flaws and security mechanisms usage will be shown.
CONFidence: http://confidence.org.pl/pl/
El documento describe varios temas relacionados con el gobierno electrónico y las tecnologías de la información aplicadas al sector público. Explica que el gobierno electrónico implica el uso de las TIC para mejorar la eficiencia de los procesos gubernamentales internos y la prestación de servicios a ciudadanos e industrias. También menciona algunos ejemplos de portales de gobiernos electrónicos de países de Latinoamérica.
This document discusses integrating the Apache Lucene full-text search engine with CouchDB. It begins by explaining that while CouchDB supports basic search through MapReduce indexes, implementing a full search engine would require recreating existing work. Lucene is introduced as a high-performance search library that can be used with CouchDB through the couchdb-lucene integration. The document provides examples of Lucene index design documents, querying the index, and integrating search into a Ruby on Rails application with pagination.
MongoDB World 2016: Deciphering .explain() OutputMongoDB
The document discusses different explain modes for MongoDB queries and aggregations. It begins with an overview of explain() and query plans, then covers the default "queryPlanner" mode which shows the winning and rejected plans. It also mentions the "executionStats" and "allPlansExecution" modes which provide more runtime statistics. The document aims to help understand how queries and aggregations are executed and troubleshoot performance issues.
This document summarizes options for using MongoDB with Java, including raw drivers, object mapping libraries like Morphia, and examples of common operations. It discusses using the MongoDB Java driver to directly encode data to BSON format, as well as higher-level libraries that allow working with Java objects like with Morphia annotations and queries. Examples demonstrate basic CRUD operations, embedding vs referencing relationships, and updating documents.
This document provides an overview of using MongoDB with Python. It introduces pymongo, the official Python driver for MongoDB, and covers connecting to MongoDB, performing CRUD operations, aggregation, GridFS for large files, indexing, and ODM frameworks. The presenter is Norberto Leite, a MongoDB Technical Evangelist based in Madrid, Spain.
This document summarizes an Apache Spark workshop that took place in September 2017 in Stockholm. It introduces the speaker's background and experience with Spark. It then provides an overview of the Spark ecosystem and core concepts like RDDs, DataFrames, and Spark Streaming. Finally, it discusses important Spark concepts like caching, checkpointing, broadcasting, and resilience.
This document provides an overview of MongoDB, Java, and Spring Data. It discusses how MongoDB is a document-oriented NoSQL database that uses JSON-like documents with dynamic schemas. It describes how the Java driver can be used to interact with MongoDB to perform CRUD operations. It also explains how Spring Data provides an abstraction layer over the Java driver and allows for object mapping and repository-based queries to MongoDB.
This document discusses MongoDB replication and replica sets. It begins with an overview of why replication is useful, including protecting against node failures, network latency, and having different uses for data. It then covers the lifecycle of a replica set from creation to recovery. It discusses the roles nodes can have in a replica set and how configurations are set. It explains how to develop applications using replica sets, including considerations for strong vs. delayed consistency, write concerns, tagging data, and read preferences. Finally, it discusses some operational considerations for replica sets like maintenance, upgrades, and deployment architectures for single vs. multiple data centers.
This talk will cover experiences from writing a FDW for Informix and will discuss differences between 9.1 and 9.2, as well as the new writable API with the upcoming 9.3 release, additionally data type mapping and conversion, optimizer support and performance related topics.
The talk tries to give the attendees an overall idea behind the techniques and pitfalls they may experience when they want to write their own.
Leveraging Hadoop in your PostgreSQL EnvironmentJim Mlodgenski
This talk will begin with a discussion of the strengths of PostgreSQL and Hadoop. We will then lead into a high level overview of Hadoop and its community of projects like Hive, Flume and Sqoop. Finally, we will dig down into various use cases detailing how you can leverage Hadoop technologies for your PostgreSQL databases today. The use cases will range from using HDFS for simple database backups to using PostgreSQL and Foreign Data Wrappers to do low latency analytics on your Big Data.
Terms of endearment - the ElasticSearch Query DSL explainedclintongormley
The document discusses the ElasticSearch query language. It provides examples of how to create indexes and mappings, add documents, perform searches using queries and filters, and examples of different query types like term, range and boolean filters. Key concepts covered include the differences between queries and filters, and using the query DSL versus the SearchBuilder.
The document discusses MongoDB, a document-oriented NoSQL database. It provides an overview of MongoDB, explaining that it uses documents (rather than tables and rows), has dynamic schemas, and allows for easy horizontal scaling. It also covers some basic MongoDB concepts and operations like collections, embedded documents, and CRUD functions like insert, find, update, and remove.
This document discusses MongoDB performance tuning. It emphasizes that performance tuning is an obsession that requires planning schema design, statement tuning, and instance tuning in that order. It provides examples of using the MongoDB profiler and explain functions to analyze statements and identify tuning opportunities like non-covered indexes, unnecessary document scans, and low data locality. Instance tuning focuses on optimizing writes through fast update operations and secondary index usage, and optimizing reads by ensuring statements are tuned and data is sharded appropriately. Overall performance depends on properly tuning both reads and writes.
[제1회 루씬 한글분석기 기술세미나] solr로 나만의 검색엔진을 만들어보자Donghyeok Kang
The document discusses building your own search engine using Solr. It provides an overview of Solr, explaining that it is based on Lucene and provides text analysis, scoring algorithms, and a web-based interface. It also covers installing and deploying Solr, configuring schemas and fields, indexing data, and performing basic searches and more advanced search types like dismax and more-like-this queries.
DBIx::Router is a DBI proxy that provides load balancing, failover, and sharding capabilities across multiple database servers. It uses a configuration file to define data sources and routing rules to map SQL queries to specific data sources. This allows databases to be scaled out in a transparent way without needing to modify application code. While it has made progress, DBIx::Router is still in development and lacks some features like auto-commit and streaming query results.
This document discusses centralized and unified logging. It describes how Fluentd provides a pluggable architecture for collecting, transporting, storing, analyzing, and alerting on logs from various sources in a centralized and scalable way. Examples are given of using Fluentd plugins to collect Apache logs, parse and enrich the data, forward to multiple outputs like Elasticsearch and Graphite, and more.
MongoDB is one of the most popular databases these days and there are a few reasons for such popularity. One of these reasons is the excellent integration with different programming languages and development frameworks.
In the case of Python we take it a few notches up (native use of dictionaries, integration with asynchronous libraries (twisted, gevent), good support for web frameworks like django, flask, bottle ... (mongoengine anyone?).
This talk is about the several different projects that we support, the way to effectively use Python and MongoDB together and a few other improvements and announcements.
Kenneth Truyers - Using Git as a NoSql database - Codemotion Milan 2018Codemotion
Git is not just a source control system. It's a content tracker we can (ab)use as a NoSQL database. Git has two features that traditional databases don't support: deduplicated storage and automatic history tracking. This talk discusses how to leverage it and what the benefits and drawbacks are. The goal of this talk is three fold: show attendees creative usage of existing tools, demonstrate the capabilities of Git and how to leverage its power and dive into Git's internals to gain a deeper understanding of a system a lot of developers use, but usually only know on a more superficial level.
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016Duyhai Doan
The document discusses Apache Cassandra's SASI (SSTable Attached Secondary Index). It provides a 5 minute introduction to Cassandra, introduces SASI and how it follows the SSTable lifecycle, describes how SASI works at the cluster level for distributed queries and indexing, and details the local read/write process including data structures and query planning. Some benchmarks are shown for full table scans on a large dataset using SASI with Spark. The key advantages and use cases for SASI are discussed along with its limitations compared to dedicated search engines.
The document provides an agenda and information about an Elasticsearch conference in Beijing, China on January 20, 2013. It includes details on the schedule, speakers, and topics to be covered such as Elasticsearch installation, indexing data, constructing queries, and architecture design.
CONFidence 2015: SCADA and mobile: security assessment of the applications th...PROIDEA
Speakers: Alexander Bolshev, Ivan Iushkevich
Language: English
The days when mobile technologies were just a rising trend have passed, and now mobile devices are an integral part of our life. As a result, you may find them in places where they probably shouldn't be. But convenience often wins over security. Nowadays, you can monitor (or even control!) your ICS (Industrial Control System) from a brand-new Android or iOS smartphone. Just type the words 'HMI', 'SCADA', or 'PLC' into Google Play Store or iTunes App Store, and a surprisingly large bunch of results will appear. Moreover, many of these applications are developed by serious vendors, like Siemens, GE, Omron, etc., and allow accessing, monitoring, or controlling the HMI, PLC, DCS, or SCADA systems in your ICS infrastructure. Are they secure? Could an attacker do something bad if they get access to an industrial engineer's tablet? What kind of vulnerabilities can exist in these applications? What attack vectors are possible?
To answer all these questions, we took a sample of "mobile apps for your SCADA, PLC, HMI" and assessed them. In these talk, found vulnerabilities, attack methods, and other potential risks will be shown. Two attack scenarios will be shown: attacking ICS infrastructure via a compromised smartphone and penetrating mobile devices out of a compromised ICS environment (bottom-to-top attacks). We will discuss whether it is SAFE to allow mobile applications to interact with your ICS infrastructure. Also, the detailed statistics of found flaws and security mechanisms usage will be shown.
CONFidence: http://confidence.org.pl/pl/
El documento describe varios temas relacionados con el gobierno electrónico y las tecnologías de la información aplicadas al sector público. Explica que el gobierno electrónico implica el uso de las TIC para mejorar la eficiencia de los procesos gubernamentales internos y la prestación de servicios a ciudadanos e industrias. También menciona algunos ejemplos de portales de gobiernos electrónicos de países de Latinoamérica.
Dokumen ini berisi 32 tabel yang menampilkan data jumlah pohon di berbagai fakultas dan lokasi di Universitas Brawijaya beserta total stok karbon dan jumlah pohon di seluruh universitas.
Laporan ini merangkum kegiatan Pemetaan Pohon dan Perhitungan Emisi Kendaraan di Universitas Brawijaya yang dilaksanakan pada April-Mei 2015 sebagai bagian dari perayaan Hari Lingkungan Hidup Sedunia. Laporan ini berisi ucapan terima kasih kepada berbagai pihak yang telah membantu kegiatan ini, seperti rektor, wakil rektor, panitia, dan mahasiswa dari berbagai fakultas dan organisasi. Harapannya
The document discusses issues related to technology, power, and oppression in Eastern Europe. It notes that institutionalization of networks like Yandex and VKontakte allows greater control, and that starting in September 2015, personal data storage will be required to remain within nation-based systems, affecting companies like Facebook and Google. It also addresses how activists need to scale up their audiences as fast as the internet grows in their countries. International networks of trust between people should be nurtured to help determine who can be trusted. Encryption becoming a standard is suggested to help address these issues.
DNG Inspiratiesessie B2B Content - 17 juni 2015 - Introductiepresentatie Stef...Dutch Network Group
Introductiepresentatie tijdens de Inspiratiesessie B2B Content op 17 juni 2015 door Stefan Vermeul (Chief New and Happy Businesses bij Dutch Network Group).
Este documento describe los diferentes tipos de ventiladores, su historia, clasificación y aplicaciones. Existen ventiladores axiales, centrífugos y de disco. Los ventiladores axiales mueven el aire paralelo a su eje, mientras que los centrífugos lo impulsan hacia afuera desde el centro. Se usan en industrias, buques, textiles y más para mover aire y gases.
Spécial WWDC, nous ferons un retour sur les annonces de lundi et les impacts que cela aura pour nous autres développeurs. Karim-Pierre Maalej (Xcode), Benoit Capallere (WatchOS), Grégoire Lhotellier (Swift), Nicolas Lauquin (iOS&distribution) et Stéphane Sudre (OSX) interviendront sur les grands thèmes abordés et décrypteront ces nouveautés
Reversing Engineering a Web Application - For fun, behavior and detectionRodrigo Montoro
This document discusses reverse engineering a web application for web application firewall (WAF) detection. It describes analyzing application traffic and structure, including parameter matching, file structure analysis, and restricting access. Statistical analysis of traffic is also suggested to identify attacks and new trends for the WAF. Challenges include vulnerabilities in code, themes, plugins and handling multiple languages.
I would like to share my story about how our team was building an efficient testing process, how these changes affect the development process overall, how to solve common problems of BDD-style tests with DEMO on real examples. My story begins with several failures/problems, which every team meets at the beginning of involving BDD tools in automation tests.
The next topic is including several improvements such as universal step definitions, cucumber expressions, own parameter types, text localization testing, involving REGEXP to test special symbols, etc.
After, slides cover solving irritable problems of BDD tests such as: getting, remembering and reusing unique data during test run sessions, working with API to avoid repeatable steps, file verifications in headless mode, excel files content, hash, screenshot testing, etc.
OSDC 2015: Mitchell Hashimoto | Automating the Modern Datacenter, Development...NETWAYS
Physical, virtual, containers. Public cloud, private cloud, hybrid cloud. IaaS, PaaS, SaaS. These are the choices that we're faced with when architecting a datacenter of today. And the choice is not one or the other; it is often a combination of many of these. How do we remain in control of our datacenters? How do we deploy and configure software, manage change across disparate systems, and enforce policy/security? How do we do this in a way that operations engineers and developers alike can rejoice in the processes and workflow?
In this talk, I will discuss the problems faced by the modern datacenter, and how a set of open source tools including Vagrant, Packer, Consul, and Terraform can be used to tame the rising complexity curve and provide solutions for these problems.
FleetDB A Schema-Free Database in Clojureelliando dias
FleetDB is a schema-free database built in Clojure that aims to optimize for agile development. It implements databases as Clojure data structures and uses pure functions to handle reads and writes. The core library contains query planning and execution logic. FleetDB adds durability by storing databases in atoms and appending queries to a log. It also includes an embedded server that exposes a JSON client API. At around 1300 lines of code, it leverages Clojure's data structures to provide a full-featured but compact database system.
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NYPuppet
James Sweeney presents on "PuppetDB: A Single Source for Storing Your Puppet Data" at Puppet User Group NYC.
Video: http://www.youtube.com/watch?v=HTr4b02aU7A
Puppet NYC: http://www.meetup.com/puppetnyc-meetings/
NYC* 2013 - "Advanced Data Processing: Beyond Queries and Slices"DataStax Academy
The ColumnFamily data model and wide-row support provides the ability to store and access data efficiently in a de-normalized state. Recent enhancements for CQL's spare tables and built-in indexing provide the capability to store data in a manner similar to that of relational databases. For many use cases hybrid approaches are needed, because complete de-normalization is appropriate for some access patterns whereas more structured data is appropriate for others. At times a single logical event becomes multiple insertions across multiple column families. Likewise a user request might require a several reads across different column families. This talk describes some of these scenarios and demonstrates how advanced operations such multiple step procedures, filtering, intersection, and paging can be implemented client side or server side with the help of the IntraVert plugin.
Intravert Server side processing for CassandraEdward Capriolo
The document provides examples of using CQL (Cassandra Query Language) to create and query tables in Cassandra. It shows how to create tables to store user and video data, insert sample records, and perform queries. It then discusses using the IntraVert library to execute more complex queries directly against Cassandra, such as joins, filters, and multi-table operations, in order to reduce network traffic and processing compared to doing everything on the client side.
My talk at FullStackFest, 4.9.2017. Become more familiar with managing infrastructure using Terraform, Packer and deployment pipeline. Code repository - https://github.com/antonbabenko/terraform-deployment-pipeline-talk
FleetDB is a schema-free database built in Clojure that aims to optimize for agile development. It implements a declarative query planner and executor to operate over database representations as Clojure data structures. The core database functions are wrapped by additional layers that provide identity, durability, and a JSON client API. The source code is relatively small at around 1300 lines thanks to Clojure's powerful data structures and functional programming model.
12 core technologies you should learn, love, and hate to be a 'real' technocratlinoj
Presentation at PodCamp New Hampshire 2009
A "dim sum" (light sampling) of core technologies which everyone who considers themselves a "technocrat" should have some understanding and appreciation. Since there's a lot to cover, each topic will move pretty quickly, keeping the descriptions at a conceptual level.
RESTing with the new Yandex.Disk API, Clemens АuerYandex
- Yandex Disk is a cloud storage service with 26 million users storing 6 billion files totaling 14 million added per day. It offers 10GB of free storage that can be increased through invites or partner offers.
- It has clients for web, desktop, mobile, and 3rd parties via SDKs, WebDAV, and a REST API. The REST API allows more functionality than WebDAV like managing public files and the trash.
- The document provides code examples for implementing a Disk class in Swift to interface with the Yandex Disk REST API, including uploading and deleting files. It emphasizes best practices like test-driven development.
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
How to ensure Presto scalability in multi use case Kai Sasaki
This document discusses how to ensure Presto scalability in multi-use case environments. It describes how Treasure Data uses Prestobase Proxy, a Finagle-based RPC proxy, to provide a scalable interface for BI tools. It also discusses Presto's node scheduler for distributing query stages across nodes and Treasure Data's use of resource groups to limit resource usage and isolate queries. The document advocates for approaches like dependency injection, VCR testing, and multi-dimensional resource scheduling to make Presto and its components reliable in distributed systems.
Suricata is an open source intrusion detection and prevention system. It can perform network security monitoring by analyzing network traffic and detecting threats through signatures. Suricata supports offline analysis of PCAP files, traffic recording, automatic protocol detection, and JSON output of events and alerts. It is configured through a YAML file and rules files, and can output logs to files, databases like MySQL, or syslog. Signatures use keywords to detect threats based on payload, HTTP, DNS, flow, file, and IP reputation attributes.
This is a presentation about Z-Ray technology made by Zend Technologies. It allows capturing tracing and debug information during PHP script execution.
Test any (yes, any) website using NightwatchJS - selenium based JavaScript test runner. We will cover
- prerequisites
- configuration
- writing tests
- reading reports
- continuous integration and services
You're stuck on a basic Windows estate, you can't pull the data out, there's no SIEM, and you have 20GB of logs you've been tasked to turn into actionable intelligence. Powershell brings not just in-built tools for querying Windows event logs, but also extremely powerful text processing tools. This talk will give you a quick overview of these features and its notable quirks, allowing you to pull off tricks that are often thought to be only for *NIX environments.
Performance Optimization and JavaScript Best PracticesDoris Chen
Performance optimization and JavaScript best practices tips are discussed in the talk. Here are some of the tips:
Put stylesheets at the top (css)
Move scripts to the bottom (javascript)
Provide a clean separation of content, CSS, and JavaScript
De-reference unused objects
Think Asynchronous
Working with Objects
Defer Loading Resources
Use JSLint -- Code Quality Tool
Reduce the size of JavaScript file
gzip
General JavaScript Coding Best Practices
Use === Instead of ==
Eval = Bad
Don’t Use Short-Hand
Reduce Globals: Namespace
Don't Pass a String to "SetInterval" or "SetTimeOut"
Use {} Instead of New Object()
Use [] Instead of New Array()
GraphConnect 2014 SF: From Zero to Graph in 120: ScaleNeo4j
The document discusses various techniques for scaling Neo4j applications to handle increased load. It covers strategies for scaling reads, such as optimizing Cypher queries, modeling data more efficiently, and using unmanaged extensions. For scaling writes, it discusses reducing locking contention by delaying locks and batching/queueing write operations. Hardware considerations are also briefly mentioned.
Similar to CONFidence 2015: Fuzz your way into the web server's zoo - Andrey Plastunov (20)
WhatsApp offers simple, reliable, and private messaging and calling services for free worldwide. With end-to-end encryption, your personal messages and calls are secure, ensuring only you and the recipient can access them. Enjoy voice and video calls to stay connected with loved ones or colleagues. Express yourself using stickers, GIFs, or by sharing moments on Status. WhatsApp Business enables global customer outreach, facilitating sales growth and relationship building through showcasing products and services. Stay connected effortlessly with group chats for planning outings with friends or staying updated on family conversations.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Graspan: A Big Data System for Big Code AnalysisAftab Hussain
We built a disk-based parallel graph system, Graspan, that uses a novel edge-pair centric computation model to compute dynamic transitive closures on very large program graphs.
We implement context-sensitive pointer/alias and dataflow analyses on Graspan. An evaluation of these analyses on large codebases such as Linux shows that their Graspan implementations scale to millions of lines of code and are much simpler than their original implementations.
These analyses were used to augment the existing checkers; these augmented checkers found 132 new NULL pointer bugs and 1308 unnecessary NULL tests in Linux 4.4.0-rc5, PostgreSQL 8.3.9, and Apache httpd 2.2.18.
- Accepted in ASPLOS ‘17, Xi’an, China.
- Featured in the tutorial, Systemized Program Analyses: A Big Data Perspective on Static Analysis Scalability, ASPLOS ‘17.
- Invited for presentation at SoCal PLS ‘16.
- Invited for poster presentation at PLDI SRC ‘16.
Flutter is a popular open source, cross-platform framework developed by Google. In this webinar we'll explore Flutter and its architecture, delve into the Flutter Embedder and Flutter’s Dart language, discover how to leverage Flutter for embedded device development, learn about Automotive Grade Linux (AGL) and its consortium and understand the rationale behind AGL's choice of Flutter for next-gen IVI systems. Don’t miss this opportunity to discover whether Flutter is right for your project.
Measures in SQL (SIGMOD 2024, Santiago, Chile)Julian Hyde
SQL has attained widespread adoption, but Business Intelligence tools still use their own higher level languages based upon a multidimensional paradigm. Composable calculations are what is missing from SQL, and we propose a new kind of column, called a measure, that attaches a calculation to a table. Like regular tables, tables with measures are composable and closed when used in queries.
SQL-with-measures has the power, conciseness and reusability of multidimensional languages but retains SQL semantics. Measure invocations can be expanded in place to simple, clear SQL.
To define the evaluation semantics for measures, we introduce context-sensitive expressions (a way to evaluate multidimensional expressions that is consistent with existing SQL semantics), a concept called evaluation context, and several operations for setting and modifying the evaluation context.
A talk at SIGMOD, June 9–15, 2024, Santiago, Chile
Authors: Julian Hyde (Google) and John Fremlin (Google)
https://doi.org/10.1145/3626246.3653374
E-Invoicing Implementation: A Step-by-Step Guide for Saudi Arabian CompaniesQuickdice ERP
Explore the seamless transition to e-invoicing with this comprehensive guide tailored for Saudi Arabian businesses. Navigate the process effortlessly with step-by-step instructions designed to streamline implementation and enhance efficiency.
OpenMetadata Community Meeting - 5th June 2024OpenMetadata
The OpenMetadata Community Meeting was held on June 5th, 2024. In this meeting, we discussed about the data quality capabilities that are integrated with the Incident Manager, providing a complete solution to handle your data observability needs. Watch the end-to-end demo of the data quality features.
* How to run your own data quality framework
* What is the performance impact of running data quality frameworks
* How to run the test cases in your own ETL pipelines
* How the Incident Manager is integrated
* Get notified with alerts when test cases fail
Watch the meeting recording here - https://www.youtube.com/watch?v=UbNOje0kf6E
UI5con 2024 - Keynote: Latest News about UI5 and it’s EcosystemPeter Muessig
Learn about the latest innovations in and around OpenUI5/SAPUI5: UI5 Tooling, UI5 linter, UI5 Web Components, Web Components Integration, UI5 2.x, UI5 GenAI.
Recording:
https://www.youtube.com/live/MSdGLG2zLy8?si=INxBHTqkwHhxV5Ta&t=0
Odoo ERP software
Odoo ERP software, a leading open-source software for Enterprise Resource Planning (ERP) and business management, has recently launched its latest version, Odoo 17 Community Edition. This update introduces a range of new features and enhancements designed to streamline business operations and support growth.
The Odoo Community serves as a cost-free edition within the Odoo suite of ERP systems. Tailored to accommodate the standard needs of business operations, it provides a robust platform suitable for organisations of different sizes and business sectors. Within the Odoo Community Edition, users can access a variety of essential features and services essential for managing day-to-day tasks efficiently.
This blog presents a detailed overview of the features available within the Odoo 17 Community edition, and the differences between Odoo 17 community and enterprise editions, aiming to equip you with the necessary information to make an informed decision about its suitability for your business.
Revolutionizing Visual Effects Mastering AI Face Swaps.pdfUndress Baby
The quest for the best AI face swap solution is marked by an amalgamation of technological prowess and artistic finesse, where cutting-edge algorithms seamlessly replace faces in images or videos with striking realism. Leveraging advanced deep learning techniques, the best AI face swap tools meticulously analyze facial features, lighting conditions, and expressions to execute flawless transformations, ensuring natural-looking results that blur the line between reality and illusion, captivating users with their ingenuity and sophistication.
Web:- https://undressbaby.com/
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
8 Best Automated Android App Testing Tool and Framework in 2024.pdfkalichargn70th171
Regarding mobile operating systems, two major players dominate our thoughts: Android and iPhone. With Android leading the market, software development companies are focused on delivering apps compatible with this OS. Ensuring an app's functionality across various Android devices, OS versions, and hardware specifications is critical, making Android app testing essential.
Unveiling the Advantages of Agile Software Development.pdfbrainerhub1
Learn about Agile Software Development's advantages. Simplify your workflow to spur quicker innovation. Jump right in! We have also discussed the advantages.
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
What is Augmented Reality Image Trackingpavan998932
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
58. Web
Server
(Fuzzer)
Client
HTTP REQUEST
(FUZZ) HTTP RESPONSE
[Reverse fuzzing]
Difficulties:
➢There is no possibility to check the
client’s health by directly
communicating with it
➢Additional tweaks needed to re-run
the client after each request
Hi guys. Today i will talk about fuzzing modern web servers
My name is Andrey Plastunov. I am a penetration tester at Digital Security, a company from Saint-Petersburg, Russia.
Mostly i do penetration testing/security code review of modern web/mobile applications and related infrastructure.
So let’s start
Performing the lovely penetration testing tasks, there is a huge chance to run into some totally unknown http-based software, most likely - web proxies. Or at least it happened to me the first time i performed such a task: a Web proxy that worked on top of IIS 7, and acting as an ssl tunneling software. After that, i asked myself, how to quickly check such software for flaws in http parsers? Some googling gave me a couple solutions:
- Famous sulley framework (with its built-in description for generic http requests).
- A tool named phatod/pathoc
- A couple of commercial fuzzers (but actually, i am not rich enough to buy one)
Not as much as i hoped to find. But maybe my googling skills just suck. Anyway, the tools don't meet my requirements for the http fuzzer (I'll try to cover the reasons later) so the only solution that came to my mind was to create yet another crunchy fuzzing tool.
Okaaay
There is a truly great number of different web servers used in different ecosystems for different kind of tasks
On this slide i will try to cover some of them.
As i told in introduction, for me, it all started with an opaque http proxy
So, the first kind of web servers will be proxies
What does it do?
http proxy acts as an intermediary between a client and an actual server.
The proxies may be used for
- content-filtering
Such proxies provide functionality to control what client should and should not see. It may filter content based on URLs, MIME types, actual content in requests or responses (all these terms will be discussed later). So, as we can see, there is quite a lot of ways to affect content-filtering proxies
Tunneling (таннелинг) proxies (as i call them)
these kind of proxies are mostly used to tunnel plain http traffic inside an encrypted protocol (for example, tls/ssl). And may allow access, for example, from the internet to the corporate intranet
The list is definitely not complete, but gives quite an idea on what proxy servers are
The second group of servers i like to examine is web servers used on embedded systems
Servers of this category are basically used to perform administrative, monitoring or other system-related tasks
And the first group to mention in this category, of course, will be web servers on network devices (for example routers from simple dlink dir-300 to monsters like junipers)
You can find such devices almost everywhere. For example, in your favorite starbucks cafe, the wifi access point is managed via web gui. Imagine how cool it would be to find an RCE zero-day on one of these.
Following the latest fashion, industrial controller manufacturers also embed web servers into their software stack in the name of simplifying administrative tasks for network engineers
And so forth and so on
The next category of servers is actually not an independent category at all. i’d like to use this category for any custom or experimental module in all the mainstream servers (for example lighttpd, nginx, apache and so on) (remember the bugs in the experimental module ngx_http_spdy_module in the NGINX server - CVE-2014-0133 and CVE-2014-0088?)
And finally, other. I put in this category any other types of web servers which you may find on the internet
For example:
Most SIEM systems use their own web servers for users to perform any kind of monitoring or administrative tasks
Another example of such a server will be:
- A server for streaming video developed by some famous video adapter manufacturer
Thats all with web servers for now. But as a small easter egg, i want to add a very different category - The Clients!
For example, we can fuzz some curious security scanners =) Actually - it is my dream, to penetrate the penetration testers.
Well, i thought i should give a brief description on the protocol we actually want to fuzz.
As all of us know, http is a plaintext (usually) protocol usually based on simple request - response mechanism.
A standard http request consists of the following segments:
The first line includes method definition(for example: GET POST HEAD OPTIONS TRACE PUT DELETE etc), relative uri to the target resource (well, not always. In case of proxies, uri will be represented by its fully qualified value) and protocol version specification (for example, it may be either 0.9, 1.0 or 1.1)
The next segment is the header segment. It consists of several colon separated name:value pairs each occupying a separate line.
Common request headers included in such requests are Host (target's host name), User-Agent (some information on browser version), Accept (supported MIME types of documents), Referrer (represents originating page of request) or Cookie (some session information or other logical related stuff)
This segment is terminated by a single empty line, which may be followed by any payload the client wants to transmit to the server. The length of which must be specified in an additional header - The Content-Length header
Each line of the request is separated from the others by a single CRLF delimiter
Next we will look at each segment in detail
Let’s examine the first line of http request
POST /do/not/touch?my=server\r\n HTTP/1.1
The first thing to mention is a method definition.
As already mentioned, The method may be one of the following: GET POST HEAD OPTIONS TRACE PUT DELETE. But this list is not complete, we can add a large variety of webDAV methods (for example: COPY MOVE LOCK UNLOCK etc). And even some custom methods, the variety of which depends only on the imagination of the developers
While web servers definitely parse this methods to decide what they should do, there is always a non zero possibility of bugs during such parsing.
So, i think, fuzzing method definition will be useful and may give us some profit
Next, we can see a relative path to some resource.
What can happen while the server parses this path? It may contain bugs while parsing extremely large paths, or path consisting of a large number of separate directories (separated by slashes).
So, path is also a fuzzable thing
List of parameter=value pairs separated by & (ampersand) follows after path. These parameters definitely needs some fuzzing as they may lead to very different functionality, not available by any other means. For example, some API of some random binary may be accessed VIA this parameters
So...fuzzable!
There is also a value representing http protocol version to be used
It may be one of 0.9 1.0 or 1.1
Some servers parse this values in one or another way. But it really not so often that incorrect http versions may lead the software to crash
So its up to you, fuzz or not to fuzz the protocol version
...
There is another notable part of the first line, that appears only in case if the http client connects to the server using http proxy
The part is: protocol scheme plus server name
Both may be fuzzed, due the proxy servers often to analyze such names for example in regard of content filtering
...
Let's move on to the header section
As i said before, header is a name:value pair separated with colon
Header values may be of different types, for example: integers (both signed and unsigned), strings, list of strings or even complex types,
such as cookies, which in turn consist of name=(equal)value pairs separated from each other with a semicolon. Each value of each cookie may also consist of such pairs and so on and so on
Each value of each header should be fuzzed as incorrect values of headers may lead to security bugs. For example - putting a negative decimal into a unsigned integer field may cause an integer overflow
And this is not all about the headers.
Also, servers may encounter problems parsing large number of headers or duplicate headers, so the pairs themselves should be fuzzed as a single entity too. And do not forget to modify header names by some fuzzy values since it may lead to additional bugs.
...
The next section is data section
Here we are gonna look at a couple of different types of post data
First of all - default data type - application/x-www-form-urlencoded
In this type of post message, the data is constructed the same way as for GET but is transmitted in the Request payload instead, so it may be used with URL parameters simultaneously.
So as data construction is exactly the same as for GET request, the fuzzed entities are also the same
Same as URL data
The next type of post data is multipart/form-data
This type of data is mostly used to send content of some random file (including binary data)
The resulting request payload consists of a series of short MIME messages corresponding to every parameter of a request. These messages are delimited with a client-selected random, a unique boundary token that should otherwise not appear in the encapsulated data
So there are plenty of things to examine
first, the content-disposition header value. It may be one of the predefined values such as inline, attachment, form-data et cetera. Also it may be a custom defined value. That is up to the developers
The parser will definitely analyze the header
, so it must be fuzzed
Second, each MIME message may have a number of parameters, for example, name or filename or whatever else
These parameters will be analyzed by the server too.
So, fuzzable
The last thing worth mentioning in this type of request is the data of each mime message. It may be represented as plaintext or, for example, an integer,
That, of course, may be fuzzed
but it also may be binary data,
which should be fuzzed a little differently
Do not forget to fuzz all types of Delimiters encountered in your request
A generic request may consist of the following Delimiters: crlf, colons, semicolons, equals, question marks, ampersands
Multiplying, removing and manipulating all this delimiters may cause the parser to interpret the given request in a wrong way. For example, multiplying the Delimiters in a single header, e.g. Accept-Language tells the server that there are N supported languages. If N exceeds the maximum value specified by the developer, it may cause an overflow
Fuzzable!
The next part of my talk is about choosing the approach to testing web servers
Now we will discuss approaches that, i think, suit perfectly to the task of fuzzing such different kinds of web servers
The first approach is simple and straight client-originating fuzzing
In this approach, the fuzzer pretends to be a simple web-client, thus (фас) sending a single request to the server, one at a time, probing if it fails to parse the request, and if it does not, generating the next fuzzing request
So the scheme is quite simple
Client sends a fuzzing request to the server and waits for the answer.
If the server answers with a proper response - everything seems ok. If the server fails to answer a request or refuses any connections, there might be a bug
Second approach is used mostly to test clients or proxies. We call that approach - reverse fuzzing.
THe main concept of reverse fuzzing is to send a fuzzing message only in response to a request, which comes from the target. Therefore, the approach of reverse fuzzing may apply to testing web clients (for example, curl or wget) or web proxies from the perspective of the server.
The scheme describing this approach is a little bit more complicated than in straight fuzzing and looks as follows:
First, target (attention, it is a target client not a fuzzer) sends a request to the fuzzing server,
server then generates a fuzzing response and sends it back to the client.
The only possible way to determine if the client is dead or not - is to run a monitoring process to check the target’s health. In addition, we will need some tweaks to force our target to send another request again and again.
As a culmination of this two approaches, a monstrous method arises to test web proxies. And proxies only. i call it double fuzzing testing.
The idea is simple:
First - send a fuzzing request to a server via target proxy,
The proxy processes the request and transmits it to the server
Server totally ignores the request and sends a fuzzing response from its own queue
This allows us to kill all the birds in one shot:
Fuzz the proxy server from the client perspective
Fuzz the proxy server from the end-point server perspective
Now a few words on the process of detecting crashes and anomalous activities (such as memory consumption) on the target system
The first thing to mention is traffic analysis
In my fuzzer i didn’t perform any traffic analysis in the context of fuzzing, but this detection method should be mentioned anyway
Performing the traffic analysis, one could search for such anomalies as:
TCP RST packets without any actual data being sent
Timeouts in the responses
and so on
(можно немного нагуглить)
The second approach on bugs detection is to use a local monitoring process
The way to perform such detection is to install a monitoring process on target system
The installed process should then do the following:
Watch for system calls called by the target process
Watch for file system and other resource activities
Watch for unusual signals sent to or by the process (for example, segmentation fault)
Watch for memory allocations (malloc/calloc functions for example)
In this method, i places such techniques as
Analyzing http error codes received from the web server (for example, 502 or 503 error codes)
Analyzing socket errors (for example, CONNECTION REFUSED, CONNECTION RESET BY PEER, SOFTWARE CAUSED CONNECTION ABORT and so on)
There is one more approach on monitoring the target while directly interacting with it. Just before perform the fuzz testing You may try to harvest requests and responses (including error responses(e.g. 404)) typical for the analyzed software.
THe approach i’d like to mention is to compare each response on each fuzzing request with a reference(эталонный) response. If the responses differ, that may be a sign of some bug that needs further manual inspection. my bad, for now, my wuzzer is unable to perform such comparison, but i’m working on it
In this part of my presentation i will introduce my own tool (which is for now still in alpha version and has a very limited functionality), or better to say, not the tool, but the concepts i'm trying to put into the tool
First of all Which modules should a typical fuzzer have?
of course
1. Generator module
2. Transmitter module
3. Monitoring module
4. Some logging module
Now a closer look at each part
Generator - the main purpose of a generator is to generate data! isn’t it obvious?=)
In my own generator module i used some fuzzing primitives from the famous sulley framework. For example, they are: integer generator, string generator, delimiter generator
Next, to mutate binary data (for example, images sent to the server), i used a tool named pyZZuf (by @nezlooy) which is a python implementation of the general purpose fuzzer Zzuf. Now, i’ll show some advertisement to honor the developer of that tool
as already mentioned, to fuzz binary data, i used a tool named pyZZuf (by @nezlooy) which is a python implementation of Zzuf - a general purpose fuzzer
FOr now i assume (короче типа считаю что пока достаточно) that the given fuzzing primitives are enough to describe generators for more complex data, for example - headers.
I created some headers generators: Accept-Encoding, Content-Encoding (which is similar), Accept-Language, Accept-charset, Authorization, Range et cetera
each generator takes a valid header value as input and fuzzes it in all possible ways (fuzzing all the int's and strings, adding new values and cloning existing ones if a header supports multiple values to be used)
In the bottom line i have the following generators: fuzzing primitives generators (including integers, strings, Delimiters and blob types),
complex header generators (the ones that may take multiple values at a time or even multiple values of different types, for example - Cache-control or Cookies), URL path generator which in turn consists of:
- path to resource (for example /path/to/resource). Each part of the path acts as a string here and each slash acts as a delimiter
- set of parameters (for example a=hello&b=world). Here, each parameter is a name:value pair with equal sign as a delimiter, each pair is separated from the others by an ampersand (&)
POST-DATA generators which for now include the following types of generators:
applications/x-url-form-ulrencoded- is one line consisting of name:value pairs with equals as Delimiters - just like in URL parameters
binary objects - which may be used as a complete independent value or as a part of a multipart/ request used to upload some binary data
I also use a so called whole-request-generator which is used to fuzz the whole request at once. That generator tries to play with each kind of Delimiters included in a request (slashes, crlf's, question marks, ampersands, colons et cetera) duplicating them or removing them, to duplicate existing headers, to extend post data or URL paths and so on and so forth.
Transmitter is the core module of the fuzzer. The Transmitter has three roles:
- To receive fuzzing requests from the generator and then send them to the target, get back the answer or receive a socket error.
- To analyze the response from the target trying to determine if the target is out of health. So the transmitter is somewhat similar to the monitor module as it watches for the target to be alive
- To log all requests being sent and, especially, the requests that caused an error or an unusual response
The Monitor’s primary role is to watch the target's health without interacting with it directly.
There are two solutions for this task
1. Monitoring the target process, so the monitor (or its agent) need to be on the same physical machine with the target. For that purpose, i mostly use stack trace and a custom wrapper, which follows syscalls of the targets process and, if something is not ok, sends the Transmitter a message.
2. Monitoring the network flow. A monitor of this kind simply watches for anomalous network activity and sends a message to the transmitter if it detects something bad.
Some other features
fuzzing modes:
Header fuzzing
url-data fuzzing
post-data fuzzing
whole-request fuzzing
Method to fuzz
…
Possibility of using proxy servers, for example, to monitor http traffic, or to fuzz the proxy in a double fuzzing approach
some other options:
multithreading
delay - As i discovered, some web servers, especially ones deployed on embedded devices, lack the ability to handle multiple simultaneous connections due to a limited number of socket descriptors
whatever else
Right now i'm in a middle of my research of web server vulnerabilities and today i want to show you some results of that research. Of course, as soon as the research is completed, i will publish it on the internet
First of all, i would like to mention the bug that i've found on most web servers i fuzzed. And the bug is - improper validation of content-length header. For example:
Some parsers allow content-length to be a negative integer which may cause integer overflows
Other parsers will gladly accept extremely large values so the buffer, which is prepared to store given post data, may be overflowed, which causes the data to be written outside of a specified buffer.
Moreover, the problem lies not only in the process of validation, but also in the incorrect handling of http requests. In the case of content-length, a large number of servers will accept and parse the content-length header even if the request method is GET.
This bug was found in one popular streaming service, which, sadly, i cannot name right now due to a responsible dicslosure, but i will in the paper. An attacker could send a request with the content-length header set to minus two. While processing such a value, the server converts the negative number into a unsigned int, causing an integer overflow (give the value here). THereafter, server tries to allocate this amount of memory, which, in turn, causes a memory consumption vulnerability
Next, here is a bug, again on content-length processing.
The funny thing - the developers used a secure strcpy_s function, which is triggering an exception if something is going wrong. That is the good part
The bad part - developers forgot to handle these exceptions properly, so. when an exception occurs, the web server crashes immediately
The bug makes even the doge sad
Skip in 1-2 secs
The bug was found in one of third-party plugins for IIS, developed in the name of some secure tunnelling software which is kinda popular on the local market.
An attacker could send a request with the content-length header set to minus two. While processing such a value, the server converts the negative number into a unsigned int, causing an integer overflow (give the value here). THereafter, server tries to use strcpy function to writeextremily large value to a limited buffer wchich casues an stack buffer overflow
The bug appears in a router’s software
And it arises while parsing a Basic Authorization header with the login length of sixteen kilobytes
Unfortunately, i am unable to debug the bug, as it appears on a router web server and i simply do not know how to run that thing under debugger. But if I have to guess, i think it must be a buffer overflow
So this bug appears on router software two, so, as already mentioned, i could only guess the reasons why web server crashes
This bug arises while processing a large number of supported languages provided in the header.
And finally some bugs actually not founded by me, but anyway they may give additional point of view for http software fuzzing
First of all is famous bug in HTTP.sys - microsoft’s driver level web server MS15-034
Parsing such a range values causes the integer overflow vulnerability
The last bug appears if a long URL is passed to the Kolibri web server in a POST request.
The bug is a stack buffer overflow bug and may lead to Remote Code Execution
Also, yesterday guys from OWASP track also mentioned a vulnerability in AllegroSoft RomPager 4.34 which occurs during parsing of the oversized cookie which is causing memory corruption