This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Ahamed Nafeez.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Proxpective: Attacking Web Proxies like never before
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. In proposing defensive measures for cross-site scripting, websites validate the user input and determine whether they are vulnerable to cross-site scripting. The major considerations are input validation and output sanitization.
There are lots of defense techniques introduced nowadays, and even though the coding methods used by developers are evolving to counter cross-site scripting techniques, the security threat still persists in many web applications for the following reasons:
• The complexity of implementing the codes or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
Matt Johansen, White Hat - Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
BSides Delhi 2018: DomGoat - the DOM Security Playground (BSides Delhi)
Presenter: Lavakumar Kuppan
Abstract: In a mobile application pentest the tester focuses on identifying vulnerabilities in both the mobile app and the backend service the app talks to. However, in a web application pentest the client-side is usually ignored and the focus is placed entirely on security issues on the server-side. Modern browsers have several capabilities which make the JS code running in the browser almost as complex and powerful as a mobile app and, by extension, also prone to serious security issues. Most pentesters remain unaware of these security issues and their severity. DOMGoat is an open source application that is developed primarily to help pentesters understand the various client-side security issues that can occur in the DOM. This includes everything from the several variants of DOM XSS to JavaScript cryptography to client-side data leakage and more. This talk will explain the various security issues that affect the DOM and also show how DOMGoat can be used to learn about these issues.
This talk is a generic but comprehensive overview of security mechanisms, controls and potential attacks in modern browsers. The talk also focuses on new technologies, such as HTML5 and related APIs, to highlight new attack scenarios against browsers.
This presentation explores how to test for cross-site scripting injection vulnerabilities, prevention, best practice, a small lab (introduction to WebGoat), etc.
Agenda:
- Introduction to Optimizer Hint
- Why Optimizer
- Hint Query
- Hint Statistics
- Hint Data
- Hint Drawback
By Kumar Rajiv Rastogi at India PG Day at InMobi.
http://technology.inmobi.com/events/india-postgresql-usergroup-meetup-bangalore
New Features
● Developer and SQL Features
● DBA and Administration
● Replication
● Performance
By Amit Kapila at India PostgreSQL UserGroup Meetup, Bangalore at InMobi.
http://technology.inmobi.com/events/india-postgresql-usergroup-meetup-bangalore
Agenda:
- Spark on Yarn
- Auto scaling Spark Apps and Cluster management
- Hive Integration with Spark
- Persistent History Server
By Rajat Gupta and Bharath Bhushan at Big Data Meetup at InMobi.
http://technology.inmobi.com/events/big-data-may-meetup
Building ML Pipelines:
- What do ML Pipelines Look Like?
- Building one ML pipeline
- ML pipeline in code
- Why use ML pipeline?
By Debidatta Dwibedi, presented at Data Science Meetup at InMobi.
http://technology.inmobi.com/events/data-science-meetup
Agenda
• Technical cases in PostgreSQL
• Database Monitoring Methods
By Rohit Vyas at India PostgreSQL UserGroup Meetup, Bangalore at InMobi.
http://technology.inmobi.com/events/india-postgresql-usergroup-meetup-bangalore
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session, he will cover the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today's corporate websites, learning real-world solutions to today's web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
Introduction to Cross Site Scripting (XSS) (Irfad Imtiaz)
Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
A short brief about some of the more important HTTP headers that are directly or indirectly related to security and privacy, both for the end user and the service provider.
Using Proxies To Secure Applications And More (Josh Sokol)
The last Austin OWASP presentation of the year is a must see for anyone responsible for the security of a web application. It is a demonstration of the various types of proxy software and their uses. We've all heard about WebScarab, BurpSuite, RatProxy, or Paros but how familiar are you with actually using them to inspect for web security issues? Did you know that you can use RatProxy for W3C compliance validation? By the time you leave this presentation, you will be able to go back to your office and wow your co-workers with the amazing new proxy skills that you've acquired.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S... (Divyanshu)
Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
Toro DB - Open-source, MongoDB-compatible database, built on top of PostgreSQL (InMobi Technology)
By Álvaro Hernández at India PostgreSQL UserGroup Meetup, Bangalore at InMobi.
http://technology.inmobi.com/events/india-postgresql-usergroup-meetup-bangalore
Ensemble methods of algorithmic trading, its background and other details.
By Abhijit Sharang, presented at Data Science Meetup at InMobi
http://technology.inmobi.com/events/data-science-meetup
Backbone and Graphs, why we need them and how it works.
By Ashutosh Agrawal, presented at Bangalore JS Meetup at InMobi
http://technology.inmobi.com/events/bangalore-js-meetup
The digital universe is huge and is growing at a stellar rate, and along with it grows the data generated every second. By 2020, there will be nearly as many digital bits as there are stars in this universe. That effectively means infinite, as per the reports published by IDC in 2014. InMobi has grown leaps and bounds globally in the past few years, and that has only caused the data here to grow exponentially. There are thousands of advertisers and publishers on the InMobi network, and handling the OLTP (200-300 GB) and OLAP (14 TB) workloads demands high availability and the best performance. To ensure the smoothness and 24/7 availability of our production database servers, we are using a lot of open source technologies to keep an eye on all the PostgreSQL servers running across different data centres. We have one of the biggest PostgreSQL Master-Slave Streaming Replication production setups, and it is very important for us to monitor the database performance, production traffic and some analytics on top of each and every database server at InMobi.
This presentation is from Null/OWASP/G4H November Bangalore MeetUp 2014.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
Talk Outline:
A) Reflective (Non-Persistent) Cross-site Scripting
- What is Reflective Cross-site Scripting
- Testing for Reflected Cross-site Scripting
  How to Test
  - Black Box testing
  - Bypass XSS filters
  - Gray Box testing
  Tools
- Defending Against Reflective Cross-site Scripting
- Examples of Reflective Cross-Site Scripting Attacks
B) Stored (Persistent) Cross-site Scripting
- What is Stored Cross-site Scripting
- How to Test
  - Black Box testing
  - Gray Box testing
  Tools
- Defending Against Stored Cross-site Scripting
- Examples of Stored Cross-Site Scripting Attacks
This is the presentation from Null/OWASP/g4h November Bangalore MeetUp by Shivendra Saxena.
technology.inmobi.com/events/null-owasp-g4h-november-meetup
This topic deals with an introduction to threat modeling. We'll discuss the process of brainstorming about the issues which might appear when the product gets built. We will discuss the STRIDE model and the importance of early detection of security issues.
This is the presentation from Null/OWASP/g4h December Bangalore MeetUp by Akash Mahajan.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Abstract:
This will cover the basics of Hyper Text Transfer Protocol. You will learn how to send HTTP requests like GET, POST by crafting them manually and using a command line tool like CURL. You will also see how session management using cookies happens using the same tools.
To practice along please install curl (http://curl.haxx.se/download.html).
The Synapse IoT Stack: Technology Trends in IoT and Big Data (InMobi Technology)
This is the presentation from Big Data November Bangalore Meetup 2014.
http://technology.inmobi.com/events/bigdata-meetup
Talk Outline:
- What does THE HIVE provide?
- Goals of Synapse Tech Stack
- THE HIVE Startups
- Demystifying IoT Market
- Synapse Stack for IoT
- Big Data Challenge
- Synapse Lambda Architecture
- Synapse Components
- Synapse Internals
- AKILI – Synapse Machine Learning
This presentation is from BigData November Bangalore MeetUp by Varun Vasudev.
technology.inmobi.com/events/bigdata-meetup
Talk Outline:
- Overview of YARN
- New YARN Innovation in Hadoop 2.6
- Rolling upgrades
- Added fault tolerance
- CPU scheduling in Capacity Scheduler
- C-Group isolation
- Node labels
- Support for long running services
This is the presentation from Null/OWASP/g4h Bangalore December MeetUp by Vandana Verma.
technology.inmobi.com/events/null-owasp-g4h-december-meetup
Outline:
Security news from November and December 2014.
This is the presentation from Null/OWASP/g4h Bangalore October MeetUp by Narayanan Subramaniam.
technology.inmobi.com/events/null-october-meetup
Matriux is a GNU/Linux, Debian-based security distribution designed for penetration testing and cyber forensic investigations. It is a distribution designed for security enthusiasts and professionals, and it can also be used normally as your default OS.
In the presentation, we will see how we can turn any system into a powerful penetration testing toolkit without having to install any software onto your hard disk. Matriux is designed to run from a Live environment like a CD / DVD or USB stick, or it can easily be installed to your hard disk in a few steps.
This is the presentation from Null/OWASP/g4h Bangalore October MeetUp by Manasdeep.
http://technology.inmobi.com/events/null-october-meetup
This talk will focus on a general overview of the PCI DSS standard and how it helps to protect cardholder data. It will then explore the changes introduced in the new PCI DSS v3.0 standard and how it safeguards the cardholder data environment for the various entities.
Talk Outline:
- PCI DSS v3 : An Overview
- PCI DSS: How it is different from other similar standards?
- PCI DSS vs ISO 27001
- Protecting Cardholder data through PCI DSS v3
- Common Myths regarding PCI DSS
- Security vs Compliance
This is the presentation from Bangalore Big Data November Meetup given by Davin Chaiken, AltiScale.
technology.inmobi.com/events/bigdata-meetup
Talk Outline:
- Altiscale Company Introduction and Perspective
- Altiscale Architecture
- Use Cases: Performance, Job Analysis, Scheduling
- Infinite Hadoop
- Challenges to the Hadoop Community
What is Shodan?
- Search engine for the Internet connected devices by John Matherly (@achillean).
- Probes devices on specific ports, aggregates the output and indexes it: effectively Google for TCP banners
- Has a powerful API, Python & Ruby libraries
- Integration with Maltego, Metasploit & Armitage.
In today's world, Big Data seems to be the buzzword, and enabling BI on it seems to be the dream come true. In the traditional world, all BI systems have run on an RDBMS and embraced the star model to enable DWH queries. Imagine enabling the same for data lying in Hadoop clusters along with the RDBMS, and bringing down the barrier for the business to be able to play with this data. The slides essentially cover this theme.
This presentation presents the common challenges in building an analytics platform (audience platform is chosen as the use case) and provides a few guidelines and recommendations on how to address them. The presentation starts with motivating the need for such a platform and the components that make it up. It then provides common design options for these components and suggests alternatives for them. The presentation concludes with a design proposal that is being evaluated for the audience platform in Inmobi.
In these slides, we explore the unique challenges that mobile data present. The high cardinality, low signal to noise ratio and realtime needs have significant system implications. We outline how InMobi tackles these challenges. A specific Data Science use case is also presented. We outline our approach to user segmentation. A brief description of the challenges faced and our attempts to address them is also included.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... (James Anderson)
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with Parameters (Safe Software)
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Transcript: Selling digital books in 2024: Insights from industry leaders - T... (BookNet Canada)
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and Sales (Laura Byrne)
Clients don't know what they don't know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
GraphRAG is All You Need? LLM & Knowledge Graph (Guy Korland)
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do... (UiPathCommunity)
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
Connector Corner: Automate dynamic content and events by pushing a button (DianaGray10)
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... (Ramesh Iyer)
In today's fast-changing business world, companies that do not adapt and embrace new ideas often struggle to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
DevOps and Testing slides at DASA Connect (Kari Kakkonen)
Rik Marselis' and my slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Epistemic Interaction - tuning interfaces to provide information for AI support (Alan Dix)
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
2. About me
Software Security Engineer
Defending & building secure stuff is more fun.
Been talking about stuff that breaks the web @ BlackHat, HITB, Nullcon, C0c0n
6. How does a web based proxy work?
1. User requests site.com inside the Web Proxy page.
2. The Proxy downloads the web content and pushes its own HTML alongside the downloaded content.
3. User finally gets to see site.com under the Web Proxy page.
7. Why use web proxies?
Widely used for anonymous surfing and identity cloaking on the Internet.
Also used in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites.
8. Past attacks on web proxies
De-anonymization, exfiltrating data, logs …
Usually revolves around the Proxy itself being malicious.
9. Those are old threats
Let's talk about owning a user when he is ready to click on links!
20. Do not allow other websites to directly control your proxified URL.
21. Proxy Hot-linking
This feature prevents users from hot-linking directly to a proxied page and forces all users to visit the index page first.
22. Proxy Hot-linking
This feature is like the Achilles' heel of any web proxy's security.
If any website can directly get itself iframed and proxied by a web proxy, then attacks like the SOP bypass and other attacks are easily possible.
28. The bypass
Just add the whitelisted name to the path of your referrer.
Just do a location.reload() from:
http://attacker.com/localhost/
http://attacker.com/whitelisted-domain/
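The check that slide 28 defeats is a substring match on the Referer. As an added example that is not part of the Proxpective slides or any proxy's own code, the weak check is shown next to one that parses the Referer and compares the hostname exactly; the allow-list (the slide's "localhost" and "whitelisted-domain") and the sample referrers are constructed for illustration.

```javascript
// Added example (not the slides' or any proxy's own code): a substring-style
// referrer check, which slide 28's bypass defeats, beside a check that parses
// the Referer as a URL and compares the host exactly.

// Allow-list assumed for illustration: hostnames accepted as hot-link sources.
const ALLOWED_REFERRER_HOSTS = ["localhost", "whitelisted-domain"];

// Weak check: looks for the allowed name anywhere in the Referer string, so a
// referrer of http://attacker.com/whitelisted-domain/ passes.
function weakRefererCheck(referer) {
  return ALLOWED_REFERRER_HOSTS.some((name) => referer.includes(name));
}

// Hardened check: parse the Referer and compare the hostname exactly.
// Returns false for a missing, unparsable or non-http(s) Referer.
function strictRefererCheck(referer) {
  if (typeof referer !== "string" || referer === "") return false;
  let url;
  try {
    url = new URL(referer);
  } catch (e) {
    return false; // not a URL at all
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return ALLOWED_REFERRER_HOSTS.includes(url.hostname.toLowerCase());
}

// Constructed sample referrers to run both checks over.
const SAMPLE_REFERRERS = [
  "http://localhost/index.php",              // legitimate: the index page
  "http://attacker.com/whitelisted-domain/", // slide 28: allowed name in the path
  "http://attacker.com/localhost/",          // same trick with "localhost"
  "http://localhost.attacker.com/",          // allowed name as a subdomain label
  "",                                        // no Referer sent
];

// Returns { referer: [weakResult, strictResult] } for each sample referrer.
function compareChecks(referers = SAMPLE_REFERRERS) {
  const out = {};
  for (const r of referers) out[r] = [weakRefererCheck(r), strictRefererCheck(r)];
  return out;
}

console.log(compareChecks());
```

Only the first sample passes the strict check; the weak check accepts the three attacker-controlled referrers.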
29. Practical aspects
What if the target website prevents iframing using X-Frame-Options?
What if the target website has set HttpOnly cookies?
30. True Story
Web based proxies don't respect the target website's HTTP response headers!
Web based proxies have their own Cookie Jar implementation.
34. Cookie Jars on Proxy
Proxies under-estimate the complexity of cookie management.
Things like various cookie flags, handling of secure channels, limit of cookies etc.
36. They work by searching for JavaScript patterns and possibly removing them.
They cannot completely disable JavaScript because they are not the same as a browser!
37. For a web attacker, this situation is like an XSS filter bypass.
38. Most proxies don't restrict JS execution from SVG or complex JS event handlers.
An attacker can also send chunked encoded responses.
39. A certain bypass
// Template the proxy writes; the filtered input is dropped into the src attribute
var inputHTML = '<img src="PLACEHOLDER">';
function filterChars(s) { return s.replace(/['"]/g, ''); } // Filters ', "
input = filterChars(input);
// Naive string substitution: quotes were stripped, but the substitution itself is not safe
var final = inputHTML.replace("PLACEHOLDER", input);
document.write(final);
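The substitution on slide 39, as an added example that is not part of the Proxpective slides or any proxy's code: the naive version beside a hardened one. filterChars mimics the slide's quote-stripping filter, and isAllowedSrc with its http(s)-only policy is an assumption made for the example.

```javascript
// Added example (not from the slides or any proxy's code base): slide 39's
// template substitution, once as the slide shows it and once hardened.

// Mimics the slide's filterChars: it only strips ' and " from the input.
function filterChars(s) {
  return s.replace(/['"]/g, "");
}

const TEMPLATE = '<img src="PLACEHOLDER">';

// As on the slide. The filtered input is passed to String.prototype.replace as
// the replacement *string*, and replace() interprets "$"-sequences in that
// string, so the input does not always land in the attribute verbatim.
function naiveSubstitute(input) {
  return TEMPLATE.replace("PLACEHOLDER", filterChars(input));
}

// Encode for an HTML attribute value context instead of deleting characters.
function encodeAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Scheme allow-list (assumed policy): only http(s) URLs may reach an img src.
function isAllowedSrc(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return false;
  }
  return url.protocol === "http:" || url.protocol === "https:";
}

// Hardened: validate, encode, and insert through a replacer function so the
// value is used literally, whatever characters it contains.
function safeSubstitute(input) {
  if (!isAllowedSrc(input)) return null; // caller decides what to render instead
  const value = encodeAttr(input);
  return TEMPLATE.replace("PLACEHOLDER", () => value);
}

// Did the naive path insert the filtered input verbatim?
function naiveInsertedLiterally(input) {
  return naiveSubstitute(input) === '<img src="' + filterChars(input) + '">';
}

// Constructed inputs: a plain URL and one carrying a "$&" sequence in its path.
console.log(naiveInsertedLiterally("http://example.test/a.png"));  // true
console.log(naiveInsertedLiterally("http://example.test/a$&b"));   // false
console.log(safeSubstitute("http://example.test/a$&b"));
```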
42. A little bit of ECMAScript 5 helps as well!
Overriding and freezing DOM properties using ES5 object locking mechanisms to completely subvert any defences placed by the proxied website against Proxy based attacks.
43. Proxies should adopt CSP
Content Security Policy helps extensively in locking down proxy based attacks, since it's enforced by the browser.