This document discusses HTTP Parameter Pollution (HPP), a technique for overriding or adding HTTP parameters by injecting query string delimiters. It can enable server-side attacks by modifying backend requests or bypassing web application firewalls. On the client-side, HPP can inject additional parameters into links and tags to enable attacks like anti-CSRF, UI redressing, or modifying POST requests. Real-world examples show HPP bypassing filters and accessing internal search results. The document categorizes HPP attacks and argues it is an underestimated issue affecting all web technologies.
HTTP Parameter Pollution (HPP) - SEaCURE.it presentation by Luca Carettoni and Stefano Di Paola
Throughout this presentation, we will present a new attack technique called HTTP Parameter Pollution (HPP). We will examine with a fresh perspective a newly discovered input validation flaw, while demonstrating new threats and possible attack scenarios. Such injection can be defined as the possibility to override the HTTP GET/POST parameters within the query string. In such situations, an attacker may replace existent values which are normally hardcoded and not accessible. In many cases it can be used to modify the behaviors of client-side and server-side applications, to exploit vulnerabilities in uncontrollable variables as well as bypassing web application firewalls. Some of the attacks covered in this talk have been discovered in real-world applications.
Although input validation vulnerabilities are a well-known subject in the web application security field and are extensively covered by several researchers, it is quite surprising that no formal definition of the HPP attack was previously published, as far as we know. Once again, it is a clear demonstration of how important is to develop comprehensive input validation filters in order to manage new incoming web application threats
Http Parameter Pollution, a new category of web attacksStefano Di Paola
On May 14th @ OWASP Appsec Poland 2009, Stefano Di Paola (Minded Security) and Luca Carettoni presented a new attack category called
Http Parameter Pollution (HPP).
HPP attacks can be defined as the possibility to override or add HTTP GET/POST parameters by injecting query string
delimiters.
It affects a building block of all web technologies thus server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
* Override existing hardcoded HTTP parameters.
* Modify the application behaviors.
* Access and, potentially exploit, uncontrollable variables.
* Bypass input validation checkpoints and WAFs rules.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
The document discusses securing an Apache web server. Key points include:
- Hardening the operating system and only running Apache on the server
- Restricting Apache modules and features to only those necessary
- Running Apache in a chroot jail to limit its access to the file system
- Configuring Apache, related modules like PHP/Perl, and prerequisites securely
This document discusses various tools and resources for exploiting vulnerabilities like injection and cross-site scripting (XSS). It summarizes the OWASP Top 10 list of most common web app vulnerabilities in 2013. It then provides information on tools like Kali Linux and browser extensions that can be used to find vulnerabilities. Finally, it describes some deliberately vulnerable web apps and training platforms that can be used to practice exploits, including WebGoat, DVWA, and Gruyere.
Setting up the Red5 environment, building sample applications and integrating with flash. We will look at how Red5 works within the flash IDE and build a sample chat application, video streaming, and multi-user environment.
The document discusses APIs and provides examples of RESTful APIs. It describes how RESTful APIs are built upon a domain model to provide resources that can be navigated through requests. This allows clients to construct custom requests to get precisely the data needed, rather than requiring multiple calls or getting excess data. The domain model also provides a unified framework for request and response semantics.
The document discusses PHP Tainted variables, a security feature for PHP that tracks tainted data through a program and detects vulnerabilities like code injection. It propagates taint status through operations and detects when tainted data reaches sensitive sinks like echo without sanitization. It has low 1-2% runtime overhead and supports configurable enforcement levels from logging to termination. The project aims to make taint tracking a realistic always-on option for PHP applications.
HTTP Parameter Pollution (HPP) - SEaCURE.it presentation by Luca Carettoni and Stefano Di Paola
Throughout this presentation, we will present a new attack technique called HTTP Parameter Pollution (HPP). We will examine with a fresh perspective a newly discovered input validation flaw, while demonstrating new threats and possible attack scenarios. Such injection can be defined as the possibility to override the HTTP GET/POST parameters within the query string. In such situations, an attacker may replace existent values which are normally hardcoded and not accessible. In many cases it can be used to modify the behaviors of client-side and server-side applications, to exploit vulnerabilities in uncontrollable variables as well as bypassing web application firewalls. Some of the attacks covered in this talk have been discovered in real-world applications.
Although input validation vulnerabilities are a well-known subject in the web application security field and are extensively covered by several researchers, it is quite surprising that no formal definition of the HPP attack was previously published, as far as we know. Once again, it is a clear demonstration of how important is to develop comprehensive input validation filters in order to manage new incoming web application threats
Http Parameter Pollution, a new category of web attacksStefano Di Paola
On May 14th @ OWASP Appsec Poland 2009, Stefano Di Paola (Minded Security) and Luca Carettoni presented a new attack category called
Http Parameter Pollution (HPP).
HPP attacks can be defined as the possibility to override or add HTTP GET/POST parameters by injecting query string
delimiters.
It affects a building block of all web technologies thus server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
* Override existing hardcoded HTTP parameters.
* Modify the application behaviors.
* Access and, potentially exploit, uncontrollable variables.
* Bypass input validation checkpoints and WAFs rules.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
The document discusses securing an Apache web server. Key points include:
- Hardening the operating system and only running Apache on the server
- Restricting Apache modules and features to only those necessary
- Running Apache in a chroot jail to limit its access to the file system
- Configuring Apache, related modules like PHP/Perl, and prerequisites securely
This document discusses various tools and resources for exploiting vulnerabilities like injection and cross-site scripting (XSS). It summarizes the OWASP Top 10 list of most common web app vulnerabilities in 2013. It then provides information on tools like Kali Linux and browser extensions that can be used to find vulnerabilities. Finally, it describes some deliberately vulnerable web apps and training platforms that can be used to practice exploits, including WebGoat, DVWA, and Gruyere.
Setting up the Red5 environment, building sample applications and integrating with flash. We will look at how Red5 works within the flash IDE and build a sample chat application, video streaming, and multi-user environment.
The document discusses APIs and provides examples of RESTful APIs. It describes how RESTful APIs are built upon a domain model to provide resources that can be navigated through requests. This allows clients to construct custom requests to get precisely the data needed, rather than requiring multiple calls or getting excess data. The domain model also provides a unified framework for request and response semantics.
The document discusses PHP Tainted variables, a security feature for PHP that tracks tainted data through a program and detects vulnerabilities like code injection. It propagates taint status through operations and detects when tainted data reaches sensitive sinks like echo without sanitization. It has low 1-2% runtime overhead and supports configurable enforcement levels from logging to termination. The project aims to make taint tracking a realistic always-on option for PHP applications.
Slides of my talk I gave @ PyRE.it in ReggioEmilia about developing a Rest Api in Python using a little bit of Flask and SqlAlchemy.
www.pyre.it
www.alessandrocucci.it/pyre/restapi
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days
A participant will acquire the following skills: detecting complex vulnerabilities in web applications, manually analyzing the results of scanning web application security, assessing efficiency of specialized means of protection, such as a web application firewall.
Burp Suite is an integrated platform for performing security testing of web applications. It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results. Burp contains several tools that work together to carry out virtually any task you will encounter in your testing. It can automate all kinds of tasks in customizable ways, and lets you combine manual and automated techniques to make your testing faster, more reliable and more fun.
A linux mac os x command line interfaceDavid Walker
This document describes a Linux/Mac OS X command line interface for interacting with the AffiliateWindow API. It provides scripts that allow sending API requests via cURL or Wget from the command line. The scripts read an XML request file, send it to the AffiliateWindow API server, and write the response to an XML file. This provides an alternative to PHP for accessing the API from the command line for testing, auditing, or using other development tools.
This document discusses using Action Message Format (AMF) for integrating Flex applications via remoting and messaging. It provides an overview of AMF capabilities including remoting services that allow invoking Java methods and messaging services for real-time data push. Benefits of AMF are explained such as faster binary transfer and direct object parsing. Server-side AMF options and terminology are covered along with how to configure AMF in Flex applications using code, MXML, or configuration files. Simple examples of remoting and messaging are also presented.
Brief introduction into Padding Oracle attack vectorPayampardaz
Padding oracle attacks exploit vulnerabilities in systems that reveal whether padding is valid or invalid after decrypting encrypted data. An attacker can use this information to decrypt ciphertext by manipulating plaintext blocks and observing the oracle's responses. The document describes the Vaudenay padding oracle attack technique in detail, explaining how an attacker can use a padding oracle to decrypt individual blocks of ciphertext one byte at a time through a brute force approach.
The document provides an overview of Log4j, an open source logging library for Java. It discusses Log4j's core features including log levels, appenders, loggers, and layouts. Log levels determine which log messages are output, appenders define output destinations, loggers control which statements are logged, and layouts customize output formats. The document also provides configuration examples for common appenders like files, emails, and databases.
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Priyanka Aash
"We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. Therefore, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript.
Being a very fundamental problem that exists in path normalization logic, sophisticated web frameworks can also suffer. For example, we've found various 0days on Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique can also adapt to multi-layered web architecture, such as using Nginx or Apache as a proxy for Tomcat. In that case, reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB-Relay and RCE.
Understanding the basics of this technique, the audience won't be surprised to know that more than 10 vulnerabilities have been found in sophisticated frameworks and multi-layered web architectures aforementioned via this technique."
SmartFrog is a framework for describing, deploying, and managing distributed service components across a network. It uses a declarative description language to specify configurations and templates that can be extended and combined. The SmartFrog deployment engine loads and instantiates components based on the descriptions, supplying the correct configuration to each one. Components implement a lifecycle and can be written to deploy specific services.
This document provides instructions for building a RESTful API with Flask that allows users to be created, viewed, updated, and deleted. It discusses installing Python, Flask, Flask-SQLAlchemy, and Flask-Marshmallow. It then demonstrates how to create a user model and schema, and build API endpoints to add a new user, retrieve all users, get a single user by ID, update a user, and delete a user. Finally, it provides instructions for running the application and testing the API with Postman.
This document provides an overview of Flask basics including:
- Setting up a basic Flask application with routes and templates
- Using decorators like @app.route to define routes
- Rendering templates and passing context between routes and templates
- Handling HTTP methods like GET and POST
- Using url_for to generate URLs and Jinja templates
- Testing Flask applications using the pytest framework
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Appsguestb0af15
The document discusses finding vulnerabilities in Flash applications through runtime analysis. It describes how uninitialized variables, external files, and dangerous native functions can be entry points for attacks. It then provides a recipe for analyzing a SWF at runtime to detect vulnerabilities, including using an analyzer framework that loads the SWF and implements resolution methods to detect undefined variables and inject attack patterns.
Burp Intruder is a tool for automating customized attacks against web applications. It modifies HTTP requests systematically and analyzes responses to identify interesting features. Common uses of Intruder include enumerating valid identifiers like usernames, harvesting useful data from responses, and fuzzing for vulnerabilities by submitting test strings and analyzing responses.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
This document provides an overview of buffer overflow exploits on Windows 32-bit systems. It discusses the lab environment that will be used, basic assembly concepts like registers and instructions, the Windows 32 memory layout, how the stack works, and the general steps for exploit development. These include causing a crash, identifying the offset, determining bad characters, locating space for shellcode, generating shellcode, and redirecting execution to the shellcode. The document concludes by listing some hands-on exercises that will be covered, and recommending additional learning materials on exploit writing.
Cross-site request forgery (also referred to as CSRF) is an internet safety vulnerability that enables an attacker to induce customers to carry out actions that they don’t intend to carry out.
It permits an attacker to partially circumvent the identical origin coverage, which is designed to forestall completely different web sites from interfering with one another.
https://cybersecurityresearch.tech/cross-site-request-forgery-csrf-impact-construction-prevention/
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Edureka!
This document provides an overview of Flask, a Python-based web application framework. It begins with an introduction to Flask, explaining what Flask is and its advantages like being open source with a large community. It then covers topics like installing Flask, creating Flask applications, routing, templates, static files, the request object, cookies, redirects and errors. It concludes by mentioning some popular Flask extensions that add additional functionality for tasks like email, forms, databases and AJAX. The document appears to be from an online training course on Flask and aims to teach the basics of how to use the Flask framework to build web applications.
This document provides an overview of the Phalcon PHP framework. It discusses why frameworks are important for PHP development and how traditional frameworks work. It then explains how Phalcon is different as it is implemented as a PHP extension written in C, making it faster than traditional frameworks. The document demonstrates how to install Phalcon, create a basic project structure, define controllers and models, and connect to a database.
This document discusses integrating the Tomcat application server with the Apache HTTP server using the mod_jk connector. It explains that mod_jk allows Tomcat and Apache to work together by enabling communication between Apache and Tomcat's worker processes. The document provides instructions on installing Tomcat, mod_jk, and configuring the necessary files to set up the integration and forwarding of requests from Apache to Tomcat.
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
ZAP (Zed Attack Proxy) is an open source web application penetration testing tool that is easy to use, cross-platform, and has been downloaded over 6,300 times. It includes features like an intercepting proxy, active and passive scanners, a spider, and report generation that allow it to test web applications for vulnerabilities. ZAP has an active international development community, is improving rapidly with new releases, and has the potential to introduce more people to application security best practices.
AppSec Latam 2011 - Segurança em Sites de Compras ColetivasMagno Logan
O documento discute vulnerabilidades e ataques comuns em sites de compras coletivas, como senhas fracas, XSS, SQL injection e falhas no protocolo HTTPS. Também apresenta contramedidas como uso de HTTPS, não salvar dados do cartão e não fornecer muitos dados pessoais.
Slides of my talk I gave @ PyRE.it in ReggioEmilia about developing a Rest Api in Python using a little bit of Flask and SqlAlchemy.
www.pyre.it
www.alessandrocucci.it/pyre/restapi
Positive Hack Days. Goltsev. Web Vulnerabilities: Difficult CasesPositive Hack Days
A participant will acquire the following skills: detecting complex vulnerabilities in web applications, manually analyzing the results of scanning web application security, assessing efficiency of specialized means of protection, such as a web application firewall.
Burp Suite is an integrated platform for performing security testing of web applications. It is designed to support the methodology of a hands-on tester, and gives you complete control over the actions that it performs, and deep analysis of the results. Burp contains several tools that work together to carry out virtually any task you will encounter in your testing. It can automate all kinds of tasks in customizable ways, and lets you combine manual and automated techniques to make your testing faster, more reliable and more fun.
A linux mac os x command line interfaceDavid Walker
This document describes a Linux/Mac OS X command line interface for interacting with the AffiliateWindow API. It provides scripts that allow sending API requests via cURL or Wget from the command line. The scripts read an XML request file, send it to the AffiliateWindow API server, and write the response to an XML file. This provides an alternative to PHP for accessing the API from the command line for testing, auditing, or using other development tools.
This document discusses using Action Message Format (AMF) for integrating Flex applications via remoting and messaging. It provides an overview of AMF capabilities including remoting services that allow invoking Java methods and messaging services for real-time data push. Benefits of AMF are explained such as faster binary transfer and direct object parsing. Server-side AMF options and terminology are covered along with how to configure AMF in Flex applications using code, MXML, or configuration files. Simple examples of remoting and messaging are also presented.
Brief introduction into Padding Oracle attack vectorPayampardaz
Padding oracle attacks exploit vulnerabilities in systems that reveal whether padding is valid or invalid after decrypting encrypted data. An attacker can use this information to decrypt ciphertext by manipulating plaintext blocks and observing the oracle's responses. The document describes the Vaudenay padding oracle attack technique in detail, explaining how an attacker can use a padding oracle to decrypt individual blocks of ciphertext one byte at a time through a brute force approach.
The document provides an overview of Log4j, an open source logging library for Java. It discusses Log4j's core features including log levels, appenders, loggers, and layouts. Log levels determine which log messages are output, appenders define output destinations, loggers control which statements are logged, and layouts customize output formats. The document also provides configuration examples for common appenders like files, emails, and databases.
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Priyanka Aash
"We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. Therefore, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript.
Being a very fundamental problem that exists in path normalization logic, sophisticated web frameworks can also suffer. For example, we've found various 0days on Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique can also adapt to multi-layered web architecture, such as using Nginx or Apache as a proxy for Tomcat. In that case, reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB-Relay and RCE.
Understanding the basics of this technique, the audience won't be surprised to know that more than 10 vulnerabilities have been found in sophisticated frameworks and multi-layered web architectures aforementioned via this technique."
SmartFrog is a framework for describing, deploying, and managing distributed service components across a network. It uses a declarative description language to specify configurations and templates that can be extended and combined. The SmartFrog deployment engine loads and instantiates components based on the descriptions, supplying the correct configuration to each one. Components implement a lifecycle and can be written to deploy specific services.
This document provides instructions for building a RESTful API with Flask that allows users to be created, viewed, updated, and deleted. It discusses installing Python, Flask, Flask-SQLAlchemy, and Flask-Marshmallow. It then demonstrates how to create a user model and schema, and build API endpoints to add a new user, retrieve all users, get a single user by ID, update a user, and delete a user. Finally, it provides instructions for running the application and testing the API with Postman.
This document provides an overview of Flask basics including:
- Setting up a basic Flask application with routes and templates
- Using decorators like @app.route to define routes
- Rendering templates and passing context between routes and templates
- Handling HTTP methods like GET and POST
- Using url_for to generate URLs and Jinja templates
- Testing Flask applications using the pytest framework
Owasp Wasc App Sec2007 San Jose Finding Vulnsin Flash Appsguestb0af15
The document discusses finding vulnerabilities in Flash applications through runtime analysis. It describes how uninitialized variables, external files, and dangerous native functions can be entry points for attacks. It then provides a recipe for analyzing a SWF at runtime to detect vulnerabilities, including using an analyzer framework that loads the SWF and implements resolution methods to detect undefined variables and inject attack patterns.
Burp Intruder is a tool for automating customized attacks against web applications. It modifies HTTP requests systematically and analyzes responses to identify interesting features. Common uses of Intruder include enumerating valid identifiers like usernames, harvesting useful data from responses, and fuzzing for vulnerabilities by submitting test strings and analyzing responses.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
This document provides an overview of buffer overflow exploits on Windows 32-bit systems. It discusses the lab environment that will be used, basic assembly concepts like registers and instructions, the Windows 32 memory layout, how the stack works, and the general steps for exploit development. These include causing a crash, identifying the offset, determining bad characters, locating space for shellcode, generating shellcode, and redirecting execution to the shellcode. The document concludes by listing some hands-on exercises that will be covered, and recommending additional learning materials on exploit writing.
Cross-site request forgery (also referred to as CSRF) is an internet safety vulnerability that enables an attacker to induce customers to carry out actions that they don’t intend to carry out.
It permits an attacker to partially circumvent the identical origin coverage, which is designed to forestall completely different web sites from interfering with one another.
https://cybersecurityresearch.tech/cross-site-request-forgery-csrf-impact-construction-prevention/
Python Flask Tutorial For Beginners | Flask Web Development Tutorial | Python...Edureka!
This document provides an overview of Flask, a Python-based web application framework. It begins with an introduction to Flask, explaining what Flask is and its advantages like being open source with a large community. It then covers topics like installing Flask, creating Flask applications, routing, templates, static files, the request object, cookies, redirects and errors. It concludes by mentioning some popular Flask extensions that add additional functionality for tasks like email, forms, databases and AJAX. The document appears to be from an online training course on Flask and aims to teach the basics of how to use the Flask framework to build web applications.
This document provides an overview of the Phalcon PHP framework. It discusses why frameworks are important for PHP development and how traditional frameworks work. It then explains how Phalcon is different as it is implemented as a PHP extension written in C, making it faster than traditional frameworks. The document demonstrates how to install Phalcon, create a basic project structure, define controllers and models, and connect to a database.
This document discusses integrating the Tomcat application server with the Apache HTTP server using the mod_jk connector. It explains that mod_jk allows Tomcat and Apache to work together by enabling communication between Apache and Tomcat's worker processes. The document provides instructions on installing Tomcat, mod_jk, and configuring the necessary files to set up the integration and forwarding of requests from Apache to Tomcat.
AppSec EU 2011 - An Introduction to ZAP by Simon BennettsMagno Logan
ZAP (Zed Attack Proxy) is an open source web application penetration testing tool that is easy to use, cross-platform, and has been downloaded over 6,300 times. It includes features like an intercepting proxy, active and passive scanners, a spider, and report generation that allow it to test web applications for vulnerabilities. ZAP has an active international development community, is improving rapidly with new releases, and has the potential to introduce more people to application security best practices.
AppSec Latam 2011 - Segurança em Sites de Compras ColetivasMagno Logan
O documento discute vulnerabilidades e ataques comuns em sites de compras coletivas, como senhas fracas, XSS, SQL injection e falhas no protocolo HTTPS. Também apresenta contramedidas como uso de HTTPS, não salvar dados do cartão e não fornecer muitos dados pessoais.
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...Magno Logan
O documento discute sobre web spiders e fornece exemplos de código em C para criar um web spider simples. Também aborda casos de uso comuns de web spiders, como mineração de dados e autenticação em sites, e menciona ferramentas como Selenium para automação no navegador.
1) O documento apresenta uma palestra sobre as principais vulnerabilidades de segurança em aplicações web, focando no OWASP Top 10, e demonstra como explorá-las e protegê-las utilizando ferramentas e boas práticas de programação.
2) São discutidas vulnerabilidades como injeção de SQL, cross-site scripting, falhas na autenticação e controle de sessão e referências inseguras a objetos.
3) Também são apresentadas demonstrações práticas de como explorar essas vulnerabilidades e como evitá-
Katana Security - Consultoria em Segurança da InformaçãoMagno Logan
A Katana Security é uma empresa de consultoria em segurança da informação da Paraíba, fundada por Magno Rodrigues. Ela oferece serviços como análises de segurança, auditoria PCI, testes de segurança em aplicações e infraestrutura, revisão de código, e treinamentos em segurança da informação. A empresa também fornece licenças de ferramentas de teste de segurança como Syhunt, Netsparker e Acunetix.
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
The document discusses various web application vulnerabilities from the OWASP Top 10 list, including cross-site scripting (XSS), SQL injection, remote file inclusion, insecure direct object references, and cross-site request forgery (CSRF). It provides examples of each vulnerability type and recommendations for prevention. It also introduces Mutillidae, a deliberately vulnerable web application that can be used to demonstrate these vulnerabilities in a controlled environment.
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
The number of corporations establishing bug bounty programs in order to accomplish early discovery of vulnerabilities is increasing. So far, I have reported vulnerabilities in Firefox and received 45,000 USD (5,400,000 JPY) in bounties from the developer, which is the Mozilla Foundation. As a matter of fact, the vulnerabilities discovered in Firefox have a trend however, the awareness of the trend has not being raised among the Firefox developers and every time a new feature is implemented, a similar vulnerability is repeatedly created in the code. In this session, based on the vulnerabilities I have discovered in the past, I will introduce the patterns of vulnerabilities frequently observed in Firefox and delineate the root cause of those vulnerabilities. In addition, I will introduce my practical method that will allow you to effectively discover bugs in Firefox. This method is actually applicable not only to Firefox but any other open source software as it is based on an issue particular to open source software.
PyCon Canada 2015 - Is your python application secureIMMUNIO
In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Python application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.
The document discusses identity management in the cloud and APIs. It notes that provisioning is essentially the same across cloud services, so the APIs should be similar as well. It introduces the Simple Cloud Identity Management specification, which aims to standardize user and group provisioning across cloud providers using a common RESTful API. The document also discusses the growth of APIs and how developers are driving adoption by building applications and mashups that integrate multiple services. It contrasts SOAP and REST approaches, noting that REST and JSON are now more common as they map better to typical programming models. OAuth is mentioned as the preferred approach for authentication in APIs.
Web application penetration testing lab setup guideSudhanshu Chauhan
This document provides guidance on setting up a basic environment for conducting web application penetration testing. It outlines both hardware and software requirements, including recommended tools. It then walks through installing a base OS, browsers, programming languages, web servers, and various security tools. It also provides an overview of the testing process, including information gathering, automated scanning, manual testing, and reporting.
Is your python application secure? - PyCon Canada - 2015-11-07Frédéric Harper
In today’s world, it's easier than ever to innovate and create great web applications. You release often, but let’s be honest, if you're like most developers out there, you don't spend your days worrying about security. You know it’s important, but you aren’t security savvy. So ask yourself, is your Python application secure? Come learn some of the different ways a hacker (cracker) can attack your code, and some of the best practices out there. In the end, your security is your users’ security.
Application Note APLX-LMW-0403: Interfacing the Apache Web ...webhostingguy
This document describes how to interface the Apache web server with APLX applications to serve dynamic web content. It involves setting up Apache with static pages, then configuring it to call scripts or programs in the cgi-bin directory to handle requests, passing environment variables. These programs can call an APLX application via named pipes to retrieve data, which is returned and output within HTML. The summary provides an overview of the key steps and techniques involved in the Apache-APLX integration.
The document discusses building serverless applications with Python 3 on AWS Lambda. It begins with introductions and background on serverless computing. It then covers how to create and deploy simple "Hello World" functions with Lambda and API Gateway. It discusses the Chalice framework for Python serverless development and demonstrates deploying a books API. Later sections cover running Python 3 code from Python 2, limits of Lambda, and examples using OpenCV with Lambda.
Apache Eagle: Architecture Evolvement and New FeaturesHao Chen
Apache Eagle is a distributed real-time monitoring framework for Hadoop clusters. It analyzes data activities, applications, metrics, and logs to identify security breaches, performance issues, and provide insights. The architecture uses streaming ingestion of data, processing, alerting through complex event processing and machine learning, and storage and dashboards for insights. New features include support for additional data sources, applications for specific use cases, and evolving the architecture for improved scalability and flexibility.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Table Of Content
The OWASP Top Ten
Invalidated Redirect and Forwards
Security Misconfiguration
Application Fingerprint
Error handling And Logging
Noise
PHP Guidelines
The document discusses validating all inputs to prevent cross-site scripting (XSS) attacks. It introduces the OWASP HTML Sanitizer Project, which is a Java library that sanitizes HTML to allow untrusted user input to be safely embedded in web pages. The sanitizer removes malicious code while keeping desired markup, through a policy-based approach. Sample usages demonstrated validate specific elements like images and links. The project aims to protect against XSS while allowing third-party content through a tested, securely-designed library.
The OWASP Top Ten Proactive Controls v2 introduces new proactive controls to the Top Ten list. It includes more practical examples and contributions from the OWASP community and non-OWASP community. It also includes some best practices to consider when building mobile apps, such as secure storage, authentication, etc. The document then lists 10 proactive controls, including verifying for security early and often, parameterizing queries, encoding data, validating all inputs, implementing identity and authentication controls, implementing appropriate access controls, protecting data, implementing logging and intrusion detection, leveraging security frameworks and libraries, and handling errors and exceptions.
The document provides an overview of client-server technology, networking concepts like sockets and remote procedure calls, XML, web services, SOAP, and RESTful architectures. It defines key terms like web services, SOAP, WSDL, UDDI, and REST. It describes how SOAP uses XML to define an envelope and headers to package messages and how REST relies on lightweight HTTP to perform CRUD operations on resources identified by URIs.
Simple REST-API overview for developers. An newer version is here: https://www.slideshare.net/patricksavalle/super-simple-introduction-to-restapis-2nd-version-127968966
The document provides an overview of using Swift to connect to networked APIs. It defines what a networked API is and describes two common API styles: RPC and REST. It then discusses REST APIs in more detail, covering the Richardson Maturity Model, HATEOAS, and Fielding's requirements for REST. The document demonstrates making HTTP requests in Swift, including preparing URLs and requests, performing requests, and handling authorization. It also briefly discusses Protocol Buffers and building gRPC services in Swift.
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
The OWASP Top 10 is the standard first reference we give web developers who are interested in making their applications more secure. It is also the categorization scheme we give to web vulnerabilities on our security assessment reports. And finally, and perhaps most frighteningly, it is the most common framework used by organizations for securing their web applications. But what if there was more to web application security than the OWASP Top 10? In this talk, we will discuss vulnerabilities that don't fit into the OWASP Top 10 categories, but are just as dangerous if present in a web application. Developers and pentesters will benefit from this talk, as both exploits and mitigations will be covered for each of the vulnerabilities.
The OWASP Top Ten Proactive Controls v2 introduces new proactive controls to the Top Ten list, provides more practical examples and case studies, and has contributions from a large number of non-OWASP community members, while also including some best practices for building secure mobile applications. It outlines 10 proactive controls for application security including verifying for security early and often, parameterizing queries, encoding data before use in a parser, validating all inputs, implementing identity and authentication controls, implementing appropriate access controls, protecting data, implementing logging and intrusion detection, leveraging security frameworks and libraries, and handling errors and exceptions.
The OWASP Top Ten Proactive Controls 2.0 document introduces new proactive controls to the Top Ten list and provides more practical examples and contributions from the community. It includes some best practices for building secure mobile apps. The document then describes 10 proactive controls addressing common vulnerabilities like injection, XSS, access control issues etc. It provides details on each control with examples and references.
An Introduction to Websphere sMash for PHP Programmersjphl
IBM® WebSphere® sMash is an agile Web application platform for developing and running modern Web applications. It introduces a simple environment for creating, assembling and running applications based on popular Web technologies.
This presentation was delivered at the Dutch PHP Conference 2009. It shows how the PHP support in sMash can be used to easily integrate with Java assets.
For more information, see http://projectzero.org
Similar to AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di Paola (20)
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...Magno Logan
The document discusses shifting security left in the software development lifecycle using an agile approach and automation tools. It recommends planning security from the beginning of the development process. Automation is key to continuously test for vulnerabilities during integration and development. Tools mentioned include an open source CI server to detect errors, Zed Attack Proxy to automatically find web application vulnerabilities, and various resources on securing the DevOps pipeline.
OWASP Top 10 2010 para JavaEE (pt-BR)
Versão traduzida e atualizada do OWASP Top 10 2007 for JavaEE
Traduzida por: Magno Logan (OWASP Paraíba Chapter Leader)
The document discusses a new web security technique called cross-site tracing (XST) that can bypass the HTTP-only security feature in Internet Explorer 6 SP1 and perform cross-site scripting attacks. XST exploits the TRACE HTTP request method, which echoes request information to the client, to obtain authentication cookies from other domains over HTTP and HTTPS. While HTTP-only helps prevent cookie access via JavaScript, XST can still access cookies through TRACE requests.
This document provides an overview of the top 10 most critical web application security vulnerabilities for Java EE applications. It discusses each vulnerability in detail, including cross-site scripting (XSS), injection flaws, malicious file execution, insecure direct object references, cross-site request forgery (CSRF), information leakage, broken authentication, insecure cryptographic storage, insecure communications, and failure to restrict URL access. For each issue, it explains how attackers exploit the vulnerability and provides recommendations for protecting against the risk. The goal is to educate developers on common security risks and how to build more secure Java EE applications.
XPath injection occurs when user-supplied input is used to construct an XPath query without sanitization, allowing an attacker to access unauthorized XML data or elevate privileges. Like SQL injection, malicious XPath can expose sensitive information or take control of authentication by modifying the query. The WebCruiser tool can scan for and prove XPath injection vulnerabilities by modifying queries and observing the results.
The document discusses SQL injection, including forms of vulnerability like incorrectly filtered escape characters and incorrect type handling. It describes preventing SQL injection through parameterized statements, escaping user input, and using a web vulnerability scanner. Parameterized statements are the preferred method, binding user input to parameters in the SQL query rather than embedding it. Enforcement can occur at the database or coding level. Escaping user input is an alternative but not as robust as parameterized statements.
This document provides a tutorial on SQL injection, including:
- Explaining what SQL injection is and how it works by exploiting vulnerabilities in database queries
- Steps to test for SQL injection vulnerabilities like determining the database type and getting environment information
- Methods for extracting data through SQL injection like getting database, table, and column names and record data
- Recommending the use of automated SQL injection scanning tools like WebCruiser to more efficiently test for and exploit SQL injection vulnerabilities
- Instructions for setting up sample PHP/MySQL and ASP/SQL Server testing environments to practice SQL injection techniques
1) O documento discute os riscos de segurança mais críticos em aplicações web, conhecidos como OWASP Top 10.
2) A lista dos 10 riscos foi atualizada para 2010 com a adição de dois novos itens e remoção de dois itens anteriores.
3) O objetivo do Top 10 é educar sobre como avaliar e mitigar esses riscos nas aplicações, melhorando assim a segurança.
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner EliasMagno Logan
Este documento apresenta as dez vulnerabilidades mais críticas em aplicações web de acordo com o OWASP Top 10 de 2007, fornecendo uma breve descrição de cada uma delas e dicas de como tratá-las em PHP. O palestrante discute XSS, falhas de injeção, execução maliciosa de arquivos, referência direta a objetos, CSRF, vazamento de informações, furos de autenticação e outras ameaças comuns.
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...Magno Logan
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataques e Contra-medidas
Maio de 2011 em SP
http://garoa.net.br/wiki/O_Outro_Lado
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...Magno Logan
O documento discute o uso da biblioteca OWASP ESAPI para fornecer segurança em aplicações web. Apresenta os objetivos e roteiro do curso, que inclui uma introdução às vulnerabilidades comuns e à arquitetura da ESAPI, com exemplos em Java. Também aborda conceitos como injeção de código e OWASP Top 10.
AppSec DC 2009 - Learning by breaking by Chuck WillisMagno Logan
Chuck Willis proposes a new OWASP project called the "OWASP Broken Web Applications Project" that would provide a virtual machine containing intentionally vulnerable web applications. The virtual machine would contain various vulnerable versions of applications like WebGoat, WordPress, and phpBB to allow testing of vulnerability scanning, code analysis, and other security tools. Willis is seeking help expanding and maintaining the project.
ENSOL 2011 - OWASP e a Segurança na WebMagno Logan
O documento apresenta uma palestra sobre segurança na web e ferramentas de teste de vulnerabilidades. Resume as principais vulnerabilidades do OWASP Top 10, como injeção de SQL, XSS e falhas de autenticação. Demonstra exemplos e explica como evitar essas falhas. Também apresenta ferramentas open source como OWASP ZAP, Mantra e SQLmap para teste de aplicações.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
Things to Consider When Choosing a Website Developer for your Website | FODUUFODUU
Choosing the right website developer is crucial for your business. This article covers essential factors to consider, including experience, portfolio, technical skills, communication, pricing, reputation & reviews, cost and budget considerations and post-launch support. Make an informed decision to ensure your website meets your business goals.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU und die Lizenzen nach dem CCB- und CCX-Modell sind für viele in der HCL-Community seit letztem Jahr ein heißes Thema. Als Notes- oder Domino-Kunde haben Sie vielleicht mit unerwartet hohen Benutzerzahlen und Lizenzgebühren zu kämpfen. Sie fragen sich vielleicht, wie diese neue Art der Lizenzierung funktioniert und welchen Nutzen sie Ihnen bringt. Vor allem wollen Sie sicherlich Ihr Budget einhalten und Kosten sparen, wo immer möglich. Das verstehen wir und wir möchten Ihnen dabei helfen!
Wir erklären Ihnen, wie Sie häufige Konfigurationsprobleme lösen können, die dazu führen können, dass mehr Benutzer gezählt werden als nötig, und wie Sie überflüssige oder ungenutzte Konten identifizieren und entfernen können, um Geld zu sparen. Es gibt auch einige Ansätze, die zu unnötigen Ausgaben führen können, z. B. wenn ein Personendokument anstelle eines Mail-Ins für geteilte Mailboxen verwendet wird. Wir zeigen Ihnen solche Fälle und deren Lösungen. Und natürlich erklären wir Ihnen das neue Lizenzmodell.
Nehmen Sie an diesem Webinar teil, bei dem HCL-Ambassador Marc Thomas und Gastredner Franz Walder Ihnen diese neue Welt näherbringen. Es vermittelt Ihnen die Tools und das Know-how, um den Überblick zu bewahren. Sie werden in der Lage sein, Ihre Kosten durch eine optimierte Domino-Konfiguration zu reduzieren und auch in Zukunft gering zu halten.
Diese Themen werden behandelt
- Reduzierung der Lizenzkosten durch Auffinden und Beheben von Fehlkonfigurationen und überflüssigen Konten
- Wie funktionieren CCB- und CCX-Lizenzen wirklich?
- Verstehen des DLAU-Tools und wie man es am besten nutzt
- Tipps für häufige Problembereiche, wie z. B. Team-Postfächer, Funktions-/Testbenutzer usw.
- Praxisbeispiele und Best Practices zum sofortigen Umsetzen
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceIndexBug
Imagine a world where machines not only perform tasks but also learn, adapt, and make decisions. This is the promise of Artificial Intelligence (AI), a technology that's not just enhancing our lives but revolutionizing entire industries.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Best 20 SEO Techniques To Improve Website Visibility In SERPPixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
CAKE: Sharing Slices of Confidential Data on BlockchainClaudio Di Ciccio
Presented at the CAiSE 2024 Forum, Intelligent Information Systems, June 6th, Limassol, Cyprus.
Synopsis: Cooperative information systems typically involve various entities in a collaborative process within a distributed environment. Blockchain technology offers a mechanism for automating such processes, even when only partial trust exists among participants. The data stored on the blockchain is replicated across all nodes in the network, ensuring accessibility to all participants. While this aspect facilitates traceability, integrity, and persistence, it poses challenges for adopting public blockchains in enterprise settings due to confidentiality issues. In this paper, we present a software tool named Control Access via Key Encryption (CAKE), designed to ensure data confidentiality in scenarios involving public blockchains. After outlining its core components and functionalities, we showcase the application of CAKE in the context of a real-world cyber-security project within the logistics domain.
Paper: https://doi.org/10.1007/978-3-031-61000-4_16
Programming Foundation Models with DSPy - Meetup SlidesZilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfTechgropse Pvt.Ltd.
In this blog post, we'll delve into the intersection of AI and app development in Saudi Arabia, focusing on the food delivery sector. We'll explore how AI is revolutionizing the way Saudi consumers order food, how restaurants manage their operations, and how delivery partners navigate the bustling streets of cities like Riyadh, Jeddah, and Dammam. Through real-world case studies, we'll showcase how leading Saudi food delivery apps are leveraging AI to redefine convenience, personalization, and efficiency.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
2. OWASP AppSecEU09 Poland 2
About us
Luca “ikki” Carettoni
Penetration Testing Specialist in a worldwide financial institution
Security researcher for fun (and profit)
OWASP Italy contributor
I blog @ http://blog.nibblesec.org
Keywords: web application security, ethical hacking, Java security
Stefano “wisec” Di Paola
CTO @ Minded Security Application Security Consulting
Director of Research @ Minded Security Labs
Lead of WAPT & Code Review Activities
OWASP Italy R&D Director
Sec Research (Flash Security, SWFIntruder...)
WebLogs http://www.wisec.it, http://blog.mindedsecurity.com
5. OWASP AppSecEU09 Poland
Consequence
Different input validation vulnerabilities exist
SQL Injection
LDAP Injection
XML Injection
XPath Injection
Command Injection
All input validation flaws are caused by unsanitized data
flows between the front-end and the several back-ends of a
web application
Anyway, we still miss something here !?!
_ _ _ Injection
6. OWASP AppSecEU09 Poland
An unbelievable story…
There is no formal definition of an injection triggered by
query string delimiters
As far as we know, no one has never formalized an
injection based attack against delimiters of the most used
protocol on the web: HTTP
HPP is surely around since many years, however it is
definitely underestimated
As a result, several vulnerabilities have been discovered in
real-world applications
7. OWASP AppSecEU09 Poland
Introduction 1/2
The term Query String is commonly used to
refer to the part between the “?” and the end of
the URI
As defined in the RFC 3986, it is a series of field-
value pairs
Pairs are separated by “&” or “;”
The usage of semicolon is a W3C
recommendation in order to avoid escaping
RFC 2396 defines two classes of characters:
Unreserved: a-z, A-Z, 0-9 and _ . ! ~ * ' ( )
Reserved: ; / ? : @ & = + $ ,
8. OWASP AppSecEU09 Poland
Introduction 2/2
GET and POST HTTP request
Query String meta characters are &, ?, #, ; , =
and equivalent (e.g. using encoding)
In case of multiple parameters with the same
name, HTTP back-ends behave in several ways
GET /foo?par1=val1&par2=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
POST /foo HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
Content-Length: 19
par1=val1&par2=val2c
10. OWASP AppSecEU09 Poland
Server enumeration - Summing up
Different web servers manage multiple
occurrences in several ways
Some behaviors are quite bizarre
Whenever protocol details are not strongly
defined, implementations may strongly differ
Unusual behaviors are a usual source of security
weaknesses (MANTRA!)
11. OWASP AppSecEU09 Poland
Additional considerations 1/2
As mentioned, ASP and ASP.NET concatenate the values
with a comma in between
This applies to the Query String and form parameters in
ASP and ASP.NET
Request.QueryString
Request.Form
Cookies have similar property in ASP.NET
Request.Params[“par”]
par = 1,2,3,4,5,6
POST /index.aspx?par=1&par=2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par=5; par=6
Content-Length: 19
par=3&par=4
12. OWASP AppSecEU09 Poland
Additional considerations 2/2
Unfortunately, application behaviors in case of multiple occurrences
may differ as well
This is strongly connected with the specific API used by our code
In Java, for example:
javax.servlet.ServletRequest Interface (Query String direct parsing)
java.lang.String getParameter(java.lang.String name)
Returns the value of a request parameter as a String, or null if the
parameter does not exist
java.lang.String[] getParameterValues(java.lang.String name)
Returns an array of String objects containing all of the values the given
request parameter has, or null if the parameter does not exist
As a result, the applications may react in unexpected ways…as you
will see!
16. OWASP AppSecEU09 Poland
A bizarre behavior 4/4 - HPPed !
Since this error generates
~100 lines in the log file, it
may be used to obfuscate
other attacks
17. OWASP AppSecEU09 Poland
HPP in a nutshell
HTTP Parameter Pollution (HPP) is a quite simple
but effective hacking technique
HPP attacks can be defined as the feasibility to override
or add HTTP GET/POST parameters by injecting query
string delimiters
It affects a building block of all web technologies thus
server-side and client-side attacks exist
Exploiting HPP vulnerabilities, it may be possible to:
Override existing hardcoded HTTP parameters
Modify the application behaviors
Access and, potentially exploit, uncontrollable variables
Bypass input validation checkpoints and WAFs rules
18. OWASP AppSecEU09 Poland
HPP Categories
We are not keen on inventing yet another buzzword.
However, the standard vulnerability nomenclature seems
lacking this concept
Classification:
Client-side
1. First order HPP or Reflected HPP
2. Second order HPP or Stored HPP
3. Third order HPP or DOM Based HPP
Server-side
1. Standard HPP
2. Second order HPP
According to our classification, Flash Parameter Injection*
may be considered as a particular subcategory of the HPP
client-side attack
* http://blog.watchfire.com/FPI.ppt
19. OWASP AppSecEU09 Poland
Encoding & GET/POST/Cookie precedence
Several well-known
encoding techniques may
be used to inject
malicious payloads
The precedence of
GET/POST/Cookie may
influence the application
behaviors and it can also
be used to override
parameters
Apache Tomcat/6.0.18
POST /foo?par1=val1&par1=val2 HTTP/1.1
Host: 127.0.0.1
par1=val3&par1=val4
FIRST occurrence, GET parameter first
20. OWASP AppSecEU09 Poland
HPP Server Side Attacks 1/2
Suppose some code as the following:
Which is the attack surface?
void private executeBackendRequest(HTTPRequest request){
String amount=request.getParameter("amount");
String beneficiary=request.getParameter("recipient");
HttpRequest("http://backendServer.com/servlet/actions","POST",
"action=transfer&amount="+amount+"&recipient="+beneficiary);
}
21. OWASP AppSecEU09 Poland
HPP Server Side Attacks 2/2
A malicious user may send a request like:
Then, the frontend will build the following back-end request:
Obviously depends on how the application will manage the
occurrence
http://frontendHost.com/page?amount=1000&recipient=Mat%26action%
3dwithdraw
action=transfer&amount=1000&recipient=Mat&action=withdraw
HttpRequest("http://backendServer.com/servlet/actions","POST",
"action=transfer&amount="+amount+"&recipient="+beneficiary);
22. OWASP AppSecEU09 Poland
HPP Server Side - WebApp Firewalls
What would happen with WAFs that do Query String parsing before
applying filters?
HPP can be used even to bypass WAFs ☺
Some loose WAFs may analyze and validate a single parameter
occurrence only (first or last one)
Whenever the devel environment concatenates multiple occurrences
(e.g. ASP, ASP.NET, AXIS IP Cameras, DBMan, …), an aggressor can
split the malicious payload.
http://mySecureApp/db.cgi?par=<Payload_1>&par=<Payload_2>
par=<Payload_1>~~<Payload_2>
23. OWASP AppSecEU09 Poland
HPP Server Side – URL Rewriting
URL Rewriting could be affected as well if
regexp are too permissive:
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9} .+page.php.* HTTP/
RewriteRule ^page.php.*$ - [F,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)$ page.php?action=view&page=$1&id=0 [L]
http://host/abc
becomes:
http://host/page.php?action=view&page=abc&id=0
24. OWASP AppSecEU09 Poland
HPP Server Side – URL Rewriting issues
An attacker may try to inject:
http://host/abc%26action%3dedit
and the url will be rewritten as:
http://host/page.php?action=view&page=abc&action=edit&id=0
Obviously, the impact depends on the
functionality exposed
24
26. OWASP AppSecEU09 Poland
Google Search Appliance - HPPed !
Once upon a time, during an assessment for XXX…
GSA was the LAN search engine exposed for public search as well,
with only three controllable values
The parameter named “afilter” is used unencoded
By polluting GSA parameters, appending %23 (“#”), we got full
access to internal results
27. OWASP AppSecEU09 Poland
ModSecurity - HPPed !
ModSecurity SQL Injection filter bypass
While the following query is properly detected
Using HPP, it is possible to bypass the filter
Other vendors may be affected as well
This technique could potentially be extended to
obfuscate attack payloads
Lavakumar Kuppan is credited for this finding
/index.aspx?page=select 1,2,3 from table where id=1
/index.aspx?page=select 1&page=2,3 from table where id=1
28. OWASP AppSecEU09 Poland
HPP Client Side attacks 1/2
HPP Client Side is about injecting additional
parameters to links and other src attributes
Suppose the following code:
There's no XSS, but what about HPP?
It’s just necessary to send a request like
To obtain
<? $val=htmlspecialchars($_GET['par'],ENT_QUOTES); ?>
<a href="/page.php?action=view&par='.<?=$val?>.'">View Me!</a>
http:/host/page.php?par=123%26action=edit
<a href="/page.php?action=view&par=123&action=edit">View Me!</a>
29. OWASP AppSecEU09 Poland
HPP Client Side attacks 2/2
Once again, it strongly depends on the
functionalities of a link
It's more about
Anti-CSRF
Functional UI Redressing
It could be applied on every tag with
Data, src, href attributes
Action forms with POST method
30. OWASP AppSecEU09 Poland
HPP Client Side - DOM based
It's about parsing unexpected parameters
It's about the interaction between IDSs and the application
It's about the generation of client side HPP via JavaScript
It's about the use of (XMLHttp)Requests on polluted parameters
// First Occurrence
function gup( name )
{
name = name.replace(/[[]/,"[").replace(/[]]/,"]");
var regexS = "[?&]"+name+"=([^&#]*)";
var regex = new RegExp( regexS );
var results = regex.exec( window.location.href );
if( results == null )
return "";
else
return results[1];
}
// Last Occurrence
function argToObject () {
var sArgs = location.search.slice(1).split('&');
var argObj={};
for (var i = 0; i < sArgs.length; i++) {
var r=sArgs[i].split('=')
argObj[r[0]]=r[1]
}
return argObj
}
31. OWASP AppSecEU09 Poland
HPP Client Side - FPI, the HPP way
As mentioned, an interesting case of HPP is the
Flash Parameter Injection by Ayal Yogev and
Adi Sharabani @ Watchfire
FPI is about including FlashVars in the html itself
when the vulnerable flash is directly dependent
on the page itself
A FPI will result in the injection of additional
parameters in the param tag
E.g. Piggybacking FlashVars
http://myFlashApp/index.cgi?language=ENG%26globalVar=<HPP>
34. OWASP AppSecEU09 Poland
Excite - HPPed !
Features:
Several parameters could be HPPed
Anti XSS using htmlEntities countermeasures
DOM HPP + Client Side HPP friendly!
http://search.excite.it/image/
?q=dog&page=1%26%71%
3d%66%75%63%6b%6f%
66%66%20%66%69%6e%
67%65%72%26%69%74%
65%6d%3d%30
35. OWASP AppSecEU09 Poland
Excite - HPPed !
35
Sweet dogs? Click anywhere on an image...
This is a kind of content pollution
Even if the example seems harmless, it may help to
successfully conduct social engineering attacks
36. OWASP AppSecEU09 Poland
MS IE8 XSS Filter Bypass - HPPed !
IE8 checks for XSS regexp in the query string
parameters, as well as it searches for them in the
output
When there's a .NET application, multiple
occurrences of a parameter are joined using “,”
So param=<script¶m=src=”....”> becomes
<script,src=”...”> in HTML
As you can imagine, it bypasses the IE8 XSS filter
Alex Kuza is credited for this finding
37. OWASP AppSecEU09 Poland
Yahoo! Mail Classic - HPPed !
Features
Check antiCSRF
Dispatcher View
Html Entities filtering, antiXSS
HPP compliant!
The dispatcher pattern helps the attacker
%26DEL=1%26DelFID=Inbox%26cmd=fmgt.delete
%2526cmd=fmgt.emptytrash
Attack payload: http://it.mc257.mail.yahoo.com/mc/showFolder?
fid=Inbox&order=down&tt=245&pSize=25&sta
rtMid=0%2526cmd=fmgt.emptytrash%26DEL=
1%26DelFID=Inbox%26cmd=fmgt.delete
39. OWASP AppSecEU09 Poland
PTK Forensic - HPPed !
PTK, an alternative Sleuthkit Interface
PTK is a forensic tool with a web based frontend
written in PHP, included in the SANS SIFT
The investigator can mount a DD image and
then inspect files, using the Web2.0 UI
Here, HPP is the key to exploit a critical
vulnerability*
* http://www.ikkisoft.com/stuff/LC-2008-07.txt
“...Once the investigator selects a specific file from the image filesystem, PTK
invokes the following script:
/ptk/lib/file_content.php?arg1=null&arg2=107533&arg3=<FILENAME>&arg4=1
...”
40. OWASP AppSecEU09 Poland
PTK Forensic - HPPed !
Vulnerable
code:
Since filenames are
contained within
the DD image, they
should be
considered as user-
supplied values
$offset = $_GET['arg1'];
$inode = $_GET['arg2'];
$name = $_GET['arg3']; //filename
$partition_id = $_GET['arg4'];
$page_offset = 100;
...
$type = get_file_type($_SESSION['image_path'], $offset, $inode);
...
function get_file_type($path, $offset, $inode){
include("../config/conf.php");
if($offset == 'null'){
$offset = '';
}else{
$offset = "-o $offset";
}
if($inode == 'null') $inode = '';
$result = shell_exec("$icat_bin -r $offset $path $inode | $file_bin
-zb -");
if(preg_match("/(image data)|(PC bitmap data)/", $result)){
$_SESSION['is_graphic'] = 1;
} return $result;}
41. OWASP AppSecEU09 Poland
PTK Forensic - HPPed !
Crafting a filename as
Confidential.doc&arg1=;EvilShell;...
It is actually possible to tamper the link, leading to code
execution since PHP considers the last occurrence
.../file_content.php?arg1=null&arg2=107533&arg3=Confidentia
l.doc&arg1=;EvilShell;...&arg4=1
Demonstration video of the attack: http://www.vimeo.com/2161045
As a result… …Stored HPP!
42. OWASP AppSecEU09 Poland
PHPIDS - HPPed !
PHPIDS is a state-of-the-art security layer for
PHP web applications
When dealing with DOM based HPP, PHPIDS
could be fooled
If the DOM based location parsing gets the first
occurrence, then PHPIDS will consider only PHP
behavior
It means the last occurrence, thus no alert and
XSS attacks still possible!
43. OWASP AppSecEU09 Poland
Countermeasures
Speaking about HPP, several elements should be
considered:
Application business logic
Technology used
Context
Data validation (as usual!)
Output encoding
Filtering is the key to defend our systems!
Don't use HtmlEntities. They're out of context!
Instead, apply URL Encoding
Use strict regexp in URL Rewriting
Know your application environment!
44. OWASP AppSecEU09 Poland
Conclusion
HPP is a quite simple but effective hacking technique
HPP affects server side as well client side components
The impact could vary depending on the affected
functionality
We are going to release a whitepaper about these and
other issues, including all technical details. Stay tuned!
HPP requires further researches in order to deeply
understand threats and risks. Several applications are
likely vulnerable to HPP
Standard and guidelines on multiple occurrences of a
parameter in the QueryString should be defined
Awareness for application developers is crucial
45. OWASP AppSecEU09 Poland
Q&A
Time is over! Thanks!
If you have further inquiries, please contact us:
luca.carettoni@ikkisoft.com
stefano.dipaola@mindedsecurity.com