The document discusses various techniques for preventing attacks in ASP.NET Core applications, such as open redirect attacks, cross-site request forgery (CSRF), and cross-site scripting (XSS) attacks. It covers topics like the use of antiforgery tokens, data protection, cookie management, session management, and content security policy (CSP). The document is intended to provide an overview of built-in security features in ASP.NET Core and demonstrate how to correctly implement mechanisms to prevent common web application vulnerabilities.
This document discusses static analysis for beginners. It describes how to use techniques like deterministic finite automata (DFA) and parsing tools like Flex and Bison to detect issues in source code. It provides an example of using the Re2c tool to generate a lexer for rule-based detection. The document also introduces heap detective, a tool that maps heap memory usage in programs to find issues like memory leaks. Overall, it offers an overview of static analysis concepts and tools while showcasing examples from open source projects.
In this presentation, you can learn many practical resources about WAF, how you can create your WAF, and how you can bypass protections in common WAFs.
The document discusses vulnerabilities in JSON Web Tokens (JWT). It begins by introducing JWTs and their typical uses. It then covers the JWT format and components like the header, payload, and signature. Various signing algorithms are presented. Attacks like open redirects, header injection, and algorithm downgrades are demonstrated through abusing the "jku" and "x5u" parameters. Recommendations are provided like using strong keys, reviewing libraries, enforcing algorithms, and testing for vulnerabilities. In conclusion, JWTs are complex and insecure by design, so careful implementation and testing is needed.
Topic: Art of Web Backdoor
Speaker: Pichaya Morimoto
Event: 2600 Thailand Meeting #5
Date: September 6, 2013
Video: https://www.youtube.com/watch?v=QIXTPPBfLyI
This document summarizes security issues in PHP applications. It discusses three lesser known vulnerabilities: 1) PHP path normalization can be bypassed on Windows through special characters like double dots and pipes, allowing access to files outside the web root. 2) Double-byte character sets can be escaped to bypass input validation in SQL injection and XSS attacks. 3) Variables in double quotes undergo string evaluation, which can enable code injection through functions like phpinfo(). The document provides solutions like sanitizing special characters, proper UTF-8 encoding, and avoiding eval-like functions.
The document discusses various techniques for protecting Android content in Unity games, including authentication with Google Play Licensing, application tampering detection through signature and code checking, code obfuscation, and encryption of PlayerPrefs and other sensitive game data with a user-specific key. The agenda covers licensing, tamper detection through signature and code integrity checks, obfuscation, and encryption of game data in PlayerPrefs.
Louis Nyffenegger gave a talk about the recent vulnerabilities discovered in Ruby on Rails. Several vulnerabilities allowed remote code execution by injecting malicious YAML payloads that were parsed by Rails. These issues arose due to assumptions that Rails was secure, increased scrutiny as its popularity grew, and its flexible parsing of requests. Upgrades and removing unnecessary parsers can help mitigate risks going forward.
This document discusses security issues with Samsung Smart TVs from 2008-2014. It finds that the Smart TVs run apps in an insecure manner: 1) Apps can access and steal files from other apps due to lack of sandboxing. 2) Bugs like XSS have high impact as apps can access low-level device APIs. 3) Apps do not properly secure secret data due to using an insecure file:// protocol. The document encourages developers to design apps with security in mind and users to only install trusted apps.
Waf.js: How to Protect Web Applications using JavaScript (Denis Kolegov)
The document discusses techniques for protecting web applications from client-side attacks using JavaScript (Waf.js). It covers the following key points:
Waf.js provides defenses like CSRF prevention, DOM-based XSS prevention, and detection of unwanted applications. It utilizes parsers like Acorn and DOMPurify to parse and sanitize inputs to prevent injections. The document outlines approaches used by Waf.js to build the AST of an input and search for dangerous code like function calls to prevent attacks while minimizing false positives.
The purpose of this presentation is to explain the basic resources needed to understand how a programmer can create malware, to give insights into the topic, and to brainstorm, followed by practical code and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
Some old and new tips, tricks and tools for rapid web application security assessment (black and white box). They are useful in various situations: a pentest with very limited time or a huge scope, a competition, a bug bounty program, etc.
Deploying Modsecurity into the NMS system - Quan Minh Tâm (Security Bootcamp)
The document discusses various techniques for web application security and traffic analysis using ModSecurity, including real-time application profiling, hacker traps, anomaly scoring, correlation of inbound and outbound events, detecting malicious links, unicode normalization, abnormal header ordering, detecting page title changes, device fingerprinting, and slowing down automated attacks. It also mentions using ELK (Elasticsearch, Logstash, Kibana) for real-time analysis of streaming log data.
● PHP and the OWASP Top Ten Security Vulnerabilities
● Secure Programming With The Zend Framework
● Apache HTTPD Security
● MySQL Security
● PHP Security Tools
Modern technologies and tools for malware analysis_PHDays_2017_Pisk... (Ivan Piskunov)
Slides for my workshop at PHDays 2017 on the topic "Modern technologies and tools for malware analysis"
Link to the announcement https://www.phdays.ru/program/197805/
Link from my blog https://www.phdays.ru/program/197805/
This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving mobile and cloud technologies. Old vulnerabilities persist in widely used software like PHP and Apache. The growth of IoT and "smart" devices introduces many new insecure products. Overall, new technologies are often released without security testing, while older software houses long-standing flaws. The document concludes that as applications and networks grow more complex, so too will security issues, requiring continued research and vigilance.
Antonio Costa created the 0d1n tool, written in C for performance, to automate bruteforcing and fuzzing of web applications. The tool takes parameters like the target host, payload files, and custom request files to identify vulnerabilities like XSS. It can save responses and uses techniques like tampering to bypass defenses. The open source tool is still in beta but can find anomalies and vulnerabilities in parameters, files, directories and forms.
Implementing SDLC under combat conditions / Егор Карбутов (Digital Security) (Ontico)
RIT++ 2017, ML + IoT + Information Security track
Belo Horizonte hall, June 5, 12:00
Abstract:
http://ritfest.ru/2017/abstracts/2758.html
Our talk is on a topic that has practically no detailed description on the internet. We want to tell how we (Digital Security), a company specializing in security assessment and information security research, embedded ourselves in the product development cycle. We will devote some time to SDLC.
We will tell the story of embedding our team to raise the overall security level of various aspects of an already existing large project. We will describe how we build our processes, from the overall allocation of time and the splitting of a large number of different services into components, down to individual vulnerabilities and the tools we use.
This document discusses monitoring software repositories to detect security issues. It introduces a tool called SANZARU that analyzes commits to repositories to identify potential bugs and vulnerabilities. SANZARU works by extracting vectors from commit data, training a classifier on past issues, and then classifying new commits. Its goals are to detect security fixes, new vulnerabilities, and interesting new features. The document provides examples of issues SANZARU has found and discusses challenges in commit classification.
In this presentation, we show how Intrigue Core helps scale the assessment automation process and how you can integrate it with Elasticsearch to do deep attack surface analysis on organizations.
RIPS - static code analyzer for vulnerabilities in PHP (Sorina Chirilă)
RIPS is a PHP static source code analyzer based on PIXY that detects vulnerabilities like SQL injection and cross-site scripting. It works by splitting code into tokens and tracing whether user-supplied data reaches sensitive sinks like vulnerable functions. RIPS has a simple web interface, and the document demonstrates its detection through case studies, preparing a local web site and running the analysis against it. Future work includes improving support for object-oriented code and dynamic runtime analysis.
Recently, sophisticated targeted attacks (APT) using drive-by downloads have been occurring more and more often. Existing automated analysis systems are, as a rule, unable to analyze the malware used in APT attacks, and malware researchers are forced to analyze it manually. The speaker will present a new real-time automated memory analysis system (Malware Analyst). This system does not generate a memory dump using LibVMI but has direct access to memory to speed up diagnostics, and it clearly recognizes suspicious malware behavior.
Egress-Assess and Owning Data Exfiltration (CTruncer)
This talk discusses how Egress-Assess can be used to help attackers and defenders learn how to exfiltrate data outside of their network over a variety of protocols, describes how data is exfiltrated over different supported protocols, and demonstrates the weaponization of the tool!
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboration" of the developers ;)
Lie to Me: Bypassing Modern Web Application Firewalls (Ivan Novikov)
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
[2014 CodeEngn Conference 10] 정광운 - Let's try hooking on Android too (Hooking on Android) (GangSeok Lee)
2014 CodeEngn Conference 10
Do whatever you want with an app's libraries~
Hooking is already widely used for various purposes such as analysis and development. We look at how conventional function hooking was implemented on Android, an ARM architecture environment, and how hooking can be used in the Android environment through the implemented tool.
http://codeengn.com/conference/10
http://codeengn.com/conference/archive
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... (CODE BLUE)
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with a 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. How to achieve kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method, which is using iovec to re-fill the freed object and compromising the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation gives the new techniques of exploiting use-after-free bugs we just found in the Android kernel. The exploitation ideas are fresh, and the details of the bugs have never been discussed before.
Veil-Ordnance is a new tool recently added into the Veil-Framework. It's designed to quickly generate shellcode for exploits or use inside backdoor executables.
.NET Fest 2017. Михаил Щербаков. Attack prevention mechanisms in ASP.NET Core (NETFest)
Let's look at Microsoft's new web framework from a security standpoint. ASP.NET Core is the continuation of the ASP.NET platform's evolution and, unlike its older brother, its code is fully open and maintained by the community. The framework's architecture has been rethought, new security features have appeared, and some existing ones have been heavily rewritten.
In the talk we will discuss these differences and examine how the built-in protection mechanisms against XSS and CSRF now work, what cryptographic capabilities are available out of the box, and how session management is structured.
The talk will be of interest primarily to developers writing secure ASP.NET applications, specialists conducting security reviews of .NET projects, and anyone wishing to understand the implementation of security components using this platform as an example.
This document discusses advanced techniques used in modern banking trojans. It describes how trojans operate by hijacking browsers using techniques like hooking browser APIs and modifying encrypted network traffic. It also discusses how trojans evade detection from tools like BankGuard and how their command and control structures have evolved to use peer-to-peer and Tor networks.
The document discusses how browser helper objects (BHOs) can be used maliciously to hack websites. It provides an overview of the attack, demonstrations of modifying website content and JavaScript, an analysis of the scope and advantages, technical details on how BHOs work and access browser interfaces, and potential defenses including disabling BHOs or improving how browsers handle them. The presentation aims to teach how websites can be hacked using BHOs and ends with contact information and a question/answer section.
Vawtrak Trojan, also known as Neverquest or Snifula, has been an enduring banking Trojan for a long time and is still one of the most prevalent banking Trojans in the wild today.
This report forms part of Blueliv's investigation into the Vawtrak group. Reversing the Trojan was a mandatory element of this investigation in order to understand and track the cybercriminal groups and malicious actors behind the Vawtrak malware. Technical security researchers and reverse engineers can use this report to increase their understanding of how the banking Trojan works.
Securing TodoMVC Using the Web Cryptography API (Kevin Hakanson)
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
The document discusses 57 zero-day exploits detected in the wild in 2021. Most involved memory corruption bugs, with 17 use-after-free vulnerabilities. Browser bugs made up the majority, with 14 in Chromium and 7 in WebKit. There was also 1 notable zero-click iMessage bug and 4 iOS/1 macOS bugs. Detection of zero-days remains a challenge, as the actual number exploited is likely much higher than what is detected.
Browser hijacking malware uses various techniques to modify users' browser settings and inject malicious code or modify webpage content without permission. Examples provided include SilentBanker, Sinowal, and Wnspoem, which employ real-time HTML injection, configuration files, and HTTP forwarding to target banking websites, steal login credentials and other private data, and spread further. The malware can install browser helper objects, modify registry settings, and hijack common API calls to achieve its aims.
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace (Felipe Prado)
The document discusses various ways that authentication tokens can be abused to bypass security protections. It describes how some implementations of token parsing and signature verification are vulnerable to arbitrary code execution or information disclosure attacks due to inconsistencies in how signing keys and security tokens are resolved from token metadata. Specific attacks are demonstrated against Windows Communication Foundation, Windows Identity Foundation, and SharePoint Server due to differences in how key and token resolution are handled for signature verification versus token authentication.
The document discusses various methods for writing secure code, including defending against memory issues like buffer overflows, arithmetic errors, cross-site scripting, SQL injection, canonicalization issues, cryptography weaknesses, Unicode issues, and denial of service attacks. It provides examples of these vulnerabilities and recommendations for mitigating each risk, such as input validation, output encoding, access control, key management practices, and using secure coding standards.
FIWARE Wednesday Webinars - How to Secure IoT Devices (uploaded by FIWARE)
FIWARE Wednesday Webinar - How to Secure IoT Devices (22nd April 2020)
Corresponding webinar recording: https://youtu.be/_87IZhrYo3U
Live coding session and commentary, demonstrating various techniques and methods for securing the interactions between Devices, IoT Agents and the Context Broker
Chapter: Security
Difficulty: 3
Audience: Any Technical
Presenter: Jason Fox (Senior Technical Evangelist, FIWARE Foundation)
Application and Website Security -- Fundamental Edition (uploaded by Daniel Owens)
The document provides an agenda for a course on application and website security. The agenda covers common input validation flaws like SQL injection and cross-site scripting, access control flaws like session hijacking, encryption flaws, security tools, and concludes with additional resources for further information. The document uses examples to demonstrate various security vulnerabilities and how they can be exploited.
We're very thrilled to announce 🚨
🛡 We have successfully completed our #securityaudit with #hacksafe
Browse full audit report : https://hacksafe.io/blockchain-land-token/
🌐 https://blockchain.land
#Metaverse #blockchainland #VR #AR #cryptocurrency #blockchain
Cisco forecasts that by 2020 there will be 50 billion connected devices on the planet spanning everything from entertainment and information to the industrial and medical markets. The benefits are obvious. The risks are significant with catastrophic consequences. Internet of Things (IoT) security is a broad issue with many dimensions.
Security experts from RTI, Texas Instruments, Thingworx, and Wibu-Systems describe risks and solutions for securing IoT devices.
Topics include:
• Secure software updates via integrity protection
• Data centric security for the IoT
• Protecting Internet communications in IoT devices
• Secure IoT deployments
Watch webinar recording: https://youtu.be/ra0Ii7Y2EyA
Some basic security controls you can (and should) implement in your web apps. Specifically this covers:
1 - Beyond SQL injection
2 - Cross-site Scripting
3 - Access Control
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466... (uploaded by ufpb)
This document provides biographical information about João Matos Figueiredo and discusses server-side code injection vulnerabilities. It begins with Matos Figueiredo's background and experience reporting vulnerabilities in major companies. It then covers the prevalence of injection flaws, examples of different types of injections, and how tainted data can flow to vulnerable sinkholes. One section analyzes the 2017 Struts vulnerability CVE-2017-5638 in detail. Another section examines a 2018 RichFaces vulnerability (CVE-2018-14667) that allowed remote code execution via deserialization or expression language injection. The document emphasizes the importance of input validation and taint tracking to prevent such vulnerabilities.
The document summarizes a presentation given by Fabio Mannis on secure coding practices for .NET developers. It discusses the Open Web Application Security Project (OWASP) Top 10 security risks, including injection, broken authentication, sensitive data exposure, and cross-site scripting. It provides examples of each risk and techniques for avoiding common vulnerabilities like validating and sanitizing untrusted user input, implementing secure password policies, encrypting sensitive data, and using anti-XSS libraries when updating pages with user-supplied content. The presentation aims to help developers write more secure code and avoid vulnerabilities.
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces (uploaded by michelemanzotti)
The document discusses security vulnerabilities found in the web interfaces of security gateways. The author details how they used automated scanners, manual testing with Burp, and SSH access to root to find over 35 exploits in various security gateway products since 2011. Common vulnerabilities included input validation issues, predictable URLs and parameters enabling CSRF, excessive privileges, and session management flaws. The author provides examples of compromising ClearOS and Websense gateways, and demonstrates OSRF through Proofpoint's email system. They conclude many techniques are older but there remains a knowledge gap between secure web and UI development.
Secure Software: Action, Comedy or Drama? (2017 edition) (uploaded by Peter Sabev)
If they made movies about the most important software security issues, they could be put into five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts in software security nowadays? A talk presented on IT-Weekend event in Ruse, Bulgaria (2017)
This will be 6 live hacking demos. The idea is not to discuss dry theory but to see in practice how not-always-obvious mistakes become the source of serious vulnerabilities in your JavaScript application.
A talk by Denis Kolegov on the web application protection methods used in firewalls, given at the PDUG Meetup: J'adore hardcore on 20 December 2016.
A talk by Valery Boronin on introducing secure development from a manager's point of view, given at the PDUG Meetup: SSDL for Management on 25 November 2016.
Securing your Kubernetes cluster: a step-by-step guide to success! (uploaded by KatiaHIMEUR1)
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
A tale of scale & speed: How the US Navy is enabling software delivery from l... (uploaded by sonjaschweigert1)
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
What do a Lego brick and the XZ backdoor have in common? (uploaded by Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that they are both building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the XZ backdoor case have much more than that in common.
Join the presentation to dive into a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: An advocate of free software and of standard and open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia association, where she has been involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity about astronomy (from which her nickname deneb_alpha derives).
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ... (uploaded by James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
2. Who am I
Independent Developer and Consultant
Co-organizer of .NET meetups http://dotnet.ru
Public Speaker at DotNext, DotNetConf, ITGM, .NET meetups
Former Product Manager at Cezurity, R&D Developer at Positive Technologies and Team Lead at Acronis, Luxoft, Boeing
3. What you can expect
We’re going to talk about preventing Open Redirect, CSRF and XSS attacks, the use and architecture of cookies, Data Protection, Session Management and CSP.
We’re not going to discuss authentication and authorization.
4. Microsoft .NET Core and ASP.NET Core
Bug Bounty Program
https://aka.ms/corebounty
12. Overview
No machine keys
High level cryptography out-of-the-box
Key stores out-of-the-box
Supports key rotation automatically
Provides isolation based on purposes automatically
13. Protect / Unprotect
public class HomeController : Controller
{
    private readonly IDataProtector protector;

    // IDataProtectionProvider is registered in DI by services.AddDataProtection()
    public HomeController(IDataProtectionProvider provider)
    {
        // The purpose string isolates this protector: a payload produced here
        // cannot be unprotected by a protector created with a different purpose
        protector = provider.CreateProtector("isolation-purpose");
    }

    public IActionResult Index(string input)
    {
        // Protect returns a base64url string that is both encrypted and authenticated
        var protectedPayload = protector.Protect(input);
        // Unprotect throws CryptographicException if the payload was tampered with
        // or was protected under another purpose
        var unprotectedPayload = protector.Unprotect(protectedPayload);
        return View();
    }
}
14. Protect / Unprotect
public IActionResult Index(string input)
{
    // protector is the IDataProtector field from the previous slide;
    // the time-limited wrapper embeds an expiry in the payload
    var timeLimitedProtector = protector.ToTimeLimitedDataProtector();
    // After 30 minutes Unprotect on this payload throws CryptographicException
    var protectedData = timeLimitedProtector.Protect(input,
        lifetime: TimeSpan.FromMinutes(30));
    return View();
}
15. Password Hashing
// KeyDerivation lives in the Microsoft.AspNetCore.Cryptography.KeyDerivation package;
// Pbkdf2 takes the password as a string (there is no SecureString overload)
public void StorePassword(string password)
{
    // 128-bit random salt, unique per password
    var salt = new byte[128 / 8];
    using (var rng = RandomNumberGenerator.Create())
    {
        rng.GetBytes(salt);
    }
    // 256-bit derived key, 10000 iterations of HMAC-SHA512
    var hash = Convert.ToBase64String(KeyDerivation.Pbkdf2(
        password: password,
        salt: salt,
        prf: KeyDerivationPrf.HMACSHA512,
        iterationCount: 10000,
        numBytesRequested: 256 / 8));
    // store salt and hash to DB...
}
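The slide stores a hash but does not show how a login later checks it. The following is an added example (my code, not from the slides) using the same KeyDerivation.Pbkdf2 call; the "pbkdf2-sha512$iterations$salt$hash" record layout is my own choice so that the iteration count travels with the record and can be raised later, and the iteration count and demo password are constructed values.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

// Added example, not from the slides.
public static class PasswordHashing
{
    private const int SaltBytes = 128 / 8;
    private const int HashBytes = 256 / 8;
    // Demo value; each stored record carries its own count so this can be raised later.
    public const int Iterations = 100_000;

    public static string Hash(string password)
    {
        var salt = RandomNumberGenerator.GetBytes(SaltBytes);
        var hash = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, Iterations, HashBytes);
        return $"pbkdf2-sha512${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(hash)}";
    }

    // Returns false (never throws) for a malformed record, so a corrupted row
    // cannot turn into an unhandled exception on the login path.
    public static bool Verify(string password, string record, out bool needsRehash)
    {
        needsRehash = false;
        var parts = record.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha512") return false;
        if (!int.TryParse(parts[1], out var iterations) || iterations <= 0) return false;

        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[2]);
            expected = Convert.FromBase64String(parts[3]);
        }
        catch (FormatException) { return false; }

        var actual = KeyDerivation.Pbkdf2(password, salt, KeyDerivationPrf.HMACSHA512, iterations, expected.Length);
        // Constant-time comparison: a plain == would leak how many leading bytes matched.
        var ok = CryptographicOperations.FixedTimeEquals(actual, expected);
        // Old records with fewer iterations are upgraded on the next successful login.
        needsRehash = ok && iterations < Iterations;
        return ok;
    }

    public static void Main()
    {
        const string demoPassword = "correct horse battery staple";   // constructed
        var record = Hash(demoPassword);
        Console.WriteLine(record);
        Console.WriteLine(Verify(demoPassword, record, out _));     // True
        Console.WriteLine(Verify("wrong password", record, out _));  // False
    }
}
```

The needsRehash flag is what lets you raise the iteration count over time without a migration: when a login succeeds against a record with an old count, re-hash the password you just verified and overwrite the row.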
18. Under the hood
The default payload protection algorithm is AES-256-CBC for confidentiality and HMACSHA256 for authenticity, driven by a 512-bit master key that is rolled every 90 days.
Protected payload format:
32-bit magic header
128-bit key id
the part specific to the encryptor
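To make the layout above concrete, here is an added example (my code, not from the slides) that reads the two fixed-size fields out of a real protected payload and checks that the key id refers to a key in the current key ring. The magic header value 0x09F0C9F0 (big-endian) and the key id laid out as Guid.ToByteArray() are taken from the framework source as I know it; verify them against the version you run. It assumes the Microsoft.AspNetCore.DataProtection and Microsoft.AspNetCore.WebUtilities packages.

```csharp
using System;
using System.Buffers.Binary;
using System.Linq;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.AspNetCore.WebUtilities;
using Microsoft.Extensions.DependencyInjection;

// Added example, not from the slides.
public static class PayloadLayout
{
    // Assumed from the framework source; check against your version.
    public const uint MagicHeaderV0 = 0x09F0C9F0;

    public sealed record Header(uint Magic, Guid KeyId, int EncryptorBytes);

    // Splits a protected payload into its 32-bit magic header, 128-bit key id
    // and the remaining encryptor-specific bytes (IV, ciphertext and HMAC tag).
    public static Header Parse(string protectedPayload)
    {
        byte[] raw = WebEncoders.Base64UrlDecode(protectedPayload);
        if (raw.Length < 4 + 16) throw new FormatException("payload shorter than the fixed header");
        uint magic = BinaryPrimitives.ReadUInt32BigEndian(raw);
        var keyId = new Guid(raw.AsSpan(4, 16));
        return new Header(magic, keyId, raw.Length - 20);
    }

    public static void Main()
    {
        var services = new ServiceCollection();
        services.AddDataProtection().SetApplicationName("layout-demo");
        var sp = services.BuildServiceProvider();

        var protector = sp.GetRequiredService<IDataProtectionProvider>().CreateProtector("layout-demo");
        var header = Parse(protector.Protect("hello"));   // constructed plaintext

        Console.WriteLine($"magic header ok: {header.Magic == MagicHeaderV0}");

        // The key id is how Unprotect finds the right key after rotation: old keys
        // stay in the ring for decryption while new payloads use the default key.
        var keys = sp.GetRequiredService<IKeyManager>().GetAllKeys();
        bool known = keys.Any(k => k.KeyId == header.KeyId);
        Console.WriteLine($"key {header.KeyId} present in key ring: {known}");
        Console.WriteLine($"encryptor-specific bytes: {header.EncryptorBytes}");
    }
}
```

Nothing in the header is secret (the key id is just a lookup handle), which is why a payload can be safely inspected like this; the confidentiality and integrity guarantees live entirely in the encryptor-specific tail.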
21. Why do we talk about it?
The official documentation was published on 27 March and it has inaccuracies:
https://docs.microsoft.com/ru-ru/aspnet/core/security/anti-request-forgery
This is an excellent example of how to work with cookies!
29. AJAX, WebAPI, SPAs…
Do you use authentication cookies?
No cookies, no problems… except for stealing a token by XSS
For example, you may use JSON Web Token (JWT)
Yes, I do… go to the next page
42. Why do we talk about it?
The current implementation has a weakness that can be the cause of a Session Fixation attack.
Session Fixation took second place in the OWASP Top 10.
47. Why do we talk about it?
XSS is the most popular attack on web applications
https://github.com/OWASP/Top10/tree/master/2017/datacall
https://twitter.com/kochetkov_v/status/857575220160462850
It is a good entry point for other attacks with more impact
Few people know about and correctly use the built-in XSS prevention mechanisms
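The built-in mechanisms the slide refers to are the encoders in System.Text.Encodings.Web, which Razor applies automatically behind @ expressions. The following is an added example (my code, not from the slides) showing the encoder that fits each output context; the probe string is constructed for the demo.

```csharp
using System;
using System.Text.Encodings.Web;

// Added example, not from the slides. One encoder per output context.
public static class ContextualEncoding
{
    // Text node: <, >, &, " and ' become entities, so the browser never sees a new tag.
    public static string InTextNode(string untrusted) =>
        $"<p>{HtmlEncoder.Default.Encode(untrusted)}</p>";

    // Quoted attribute: HtmlEncoder is enough as long as the attribute is quoted.
    public static string InAttribute(string untrusted) =>
        $"<input value=\"{HtmlEncoder.Default.Encode(untrusted)}\">";

    // Inside a JS string literal HtmlEncoder is the wrong tool; JavaScriptEncoder
    // escapes quotes, backslashes and also < and > (as \u003C, \u003E), so the
    // value cannot close the surrounding <script> element either.
    public static string InScriptLiteral(string untrusted) =>
        $"var name = \"{JavaScriptEncoder.Default.Encode(untrusted)}\";";

    // Query string component: percent-encodes everything outside the unreserved set.
    public static string InQueryString(string untrusted) =>
        "/search?q=" + UrlEncoder.Default.Encode(untrusted);

    public static void Main()
    {
        const string probe = "<script>alert('x')</script>&\"";   // constructed test input
        Console.WriteLine(InTextNode(probe));
        Console.WriteLine(InAttribute(probe));
        Console.WriteLine(InScriptLiteral(probe));
        Console.WriteLine(InQueryString(probe));
    }
}
```

In Razor views the same HtmlEncoder runs for every @expression; the two ways to lose that protection are Html.Raw and building markup in C# strings and emitting it as an HtmlString, so those are the calls to search for in a review.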
58. Summary
Michal Zalewski “Tangled Web. A Guide to Securing Modern
Web Applications”
Stan Drapkin “Security Driven .NET”
OWASP Testing Guide v4