Louis Nyffenegger discovered a SQL injection vulnerability in ActiveRecord, the ORM used in Ruby on Rails applications. He demonstrated how to exploit it locally by creating two states (true/false) based on the response time of SQL queries with sleep commands. This allowed him to extract data bit-by-bit to retrieve the database version. He then explained how to modify the exploit to send HTTP requests to a remote vulnerable application by properly encoding the injected SQL.
The document discusses preparing for and participating in the Defcon CTF qualifiers. It provides details on:
- Defcon CTF being one of the most prestigious CTF competitions, with only 10 teams qualifying. Teams get a FreeBSD box and must reverse, protect, and attack services. Points are earned through availability, reading other teams' keys, and overwriting keys.
- The qualifiers run from June 3rd to 6th, consisting of 5 categories with 5 progressively unlocked challenges each, over 53 non-stop hours. The scoreboard is a slow Java applet that can be bypassed by reversing the client class.
- One challenge involves a Ruby-based HTTP service with a vulnerable We
The article discusses two websites with opposing views on arming teachers with guns. One website includes a quote from a school board member arguing it is not a good idea for teachers to carry guns. The other website notes some schools are updating security policies but do not want teachers to have firearms on school grounds. The article poses the question of whether arming teachers will actually help prevent violence or make things worse.
- The document discusses optimization techniques for SQL injection attacks, including reducing injection length, improving data retrieval speed, leveraging data compression, and exploiting vulnerabilities through blind SQL injection.
- Specific techniques mentioned include using shorter SQL functions like SUBSTR() instead of SUBSTRING(), retrieving hashed data a byte at a time using logical AND operations, and ordering queries randomly to retrieve data in a non-sequential manner.
- The document provides examples of exploiting a blind SQL injection vulnerability through techniques like ordering results based on random number seeds and retrieving multi-byte values with a binary search approach.
This document provides an overview of the history of the island of Corfu, Greece. It describes the various civilizations and powers that have conquered and inhabited the island over time, from ancient cultures like the Phoenicians to more recent rulers like the Venetians. It notes that archaeological findings continue to uncover the long history of human settlement on Corfu dating back to Paleolithic era. The document also briefly profiles some important historical monuments and sites around the island that provide evidence of its rich and eventful past.
This document discusses monitoring software repositories to detect security issues. It introduces a tool called SANZARU that analyzes commits to repositories to identify potential bugs and vulnerabilities. SANZARU works by extracting vectors from commit data, training a classifier on past issues, and then classifying new commits. Its goals are to detect security fixes, new vulnerabilities, and interesting new features. The document provides examples of issues SANZARU has found and discusses challenges in commit classification.
Louis Nyffenegger discovered a SQL injection vulnerability in ActiveRecord, the ORM used in Ruby on Rails applications. He demonstrated how to exploit it locally by creating two states (true/false) based on the response time of SQL queries with sleep commands. This allowed him to extract data bit-by-bit to retrieve the database version. He then explained how to modify the exploit to send HTTP requests to a remote vulnerable application by properly encoding the injected SQL.
The document discusses preparing for and participating in the Defcon CTF qualifiers. It provides details on:
- Defcon CTF being one of the most prestigious CTF competitions, with only 10 teams qualifying. Teams get a FreeBSD box and must reverse, protect, and attack services. Points are earned through availability, reading other teams' keys, and overwriting keys.
- The qualifiers run from June 3rd to 6th, consisting of 5 categories with 5 progressively unlocked challenges each, over 53 non-stop hours. The scoreboard is a slow Java applet that can be bypassed by reversing the client class.
- One challenge involves a Ruby-based HTTP service with a vulnerable We
The article discusses two websites with opposing views on arming teachers with guns. One website includes a quote from a school board member arguing it is not a good idea for teachers to carry guns. The other website notes some schools are updating security policies but do not want teachers to have firearms on school grounds. The article poses the question of whether arming teachers will actually help prevent violence or make things worse.
- The document discusses optimization techniques for SQL injection attacks, including reducing injection length, improving data retrieval speed, leveraging data compression, and exploiting vulnerabilities through blind SQL injection.
- Specific techniques mentioned include using shorter SQL functions like SUBSTR() instead of SUBSTRING(), retrieving hashed data a byte at a time using logical AND operations, and ordering queries randomly to retrieve data in a non-sequential manner.
- The document provides examples of exploiting a blind SQL injection vulnerability through techniques like ordering results based on random number seeds and retrieving multi-byte values with a binary search approach.
This document provides an overview of the history of the island of Corfu, Greece. It describes the various civilizations and powers that have conquered and inhabited the island over time, from ancient cultures like the Phoenicians to more recent rulers like the Venetians. It notes that archaeological findings continue to uncover the long history of human settlement on Corfu dating back to Paleolithic era. The document also briefly profiles some important historical monuments and sites around the island that provide evidence of its rich and eventful past.
This document discusses monitoring software repositories to detect security issues. It introduces a tool called SANZARU that analyzes commits to repositories to identify potential bugs and vulnerabilities. SANZARU works by extracting vectors from commit data, training a classifier on past issues, and then classifying new commits. Its goals are to detect security fixes, new vulnerabilities, and interesting new features. The document provides examples of issues SANZARU has found and discusses challenges in commit classification.
Test-driven security involves writing security-focused test cases to test for vulnerabilities during the development process. This helps enable continuous deployment by ensuring new code does not introduce security bugs. The key aspects discussed are:
1) Having developers or security experts write test cases to validate common vulnerabilities like authentication failures, input validation, and authorization checks.
2) Involving non-technical team members like project managers in writing test cases using plain language to specify scenarios.
3) Integrating security testing into continuous integration pipelines to automatically catch issues during code reviews.
Louis Nyffenegger gave a talk about the recent vulnerabilities discovered in Ruby on Rails. Several vulnerabilities allowed remote code execution by injecting malicious YAML payloads that were parsed by Rails. These issues arose due to assumptions that Rails was secure, increased scrutiny as its popularity grew, and its flexible parsing of requests. Upgrades and removing unnecessary parsers can help mitigate risks going forward.
Students attended this presentation on the history of the integration of Jesuit High School of New Orleans, given by alumni director Mat Grau ’68 and director of student activities Michael Prados ’83.
The 50th Anniversary of the integration of Jesuit High School was celebrated Feb. 25-March 1 with a series of events, films, concerts, and panel discussions for students.
Read more: http://jesuitnola.org/cgi-bin/j.pl?i=207859
This document discusses various drugs that affect the nervous system, including local anesthetics, cholinergic drugs, and astringents. It provides details on:
- Local anesthetics like cocaine, benzocaine, tetracaine, and procaine and how they work differently for different types of anesthesia.
- How cholinergic drugs like acetylcholine and carbacholine act on muscarinic and nicotinic receptors to have stimulating or inhibiting effects.
- Anticholinesterase agents like physostigmine and neostigmine that inhibit the breakdown of acetylcholine, indirectly stimulating cholinergic receptors.
- The mechanisms of action and effects of stimulating different muscarinic and
This document discusses blood vessel pathology and blood pressure regulation. It covers the nervous and hormonal factors involved in both rapid and long-term blood pressure control. The renin-angiotensin-aldosterone system and its role in blood pressure regulation is explained. Causes, risk factors, pathogenesis and complications of both primary and secondary hypertension are described. Treatment involves controlling blood pressure to prevent target organ damage.
Classical liberalism emerged in the 19th century promoting individual freedom and laissez-faire economics with little government involvement. It allowed a free market system and the division of social classes. Utopian socialism developed in response, proposing that collective ownership could eliminate poverty and unemployment by having people work for the common good rather than personal gain. Robert Owen established a utopian community called New Harmony to test these ideas in the early 1800s.