This document discusses common JavaScript security vulnerabilities like cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking. It defines these issues and provides examples of real attacks. The document also outlines solutions for developers, including sanitizing input, escaping output, minimizing the attack surface, and designing with the assumption of breaches. Overall it stresses the importance of a holistic, multi-layered approach to JavaScript security.
Keeping your web application secure is an ongoing process - new classes of vulnerabilities are discovered with surprising frequency, and if you don't keep on top of them you could be in for a nasty surprise. This talk will discuss both common and obscure vulnerabilities, with real-world examples of attacks that have worked against high profile sites in the past.
JavaScript, as it is today, is an insecure language. We need to understand its shortcomings to improve the security of our applications and protect our users.
4. Cross Site Scripting: MySpace
How Samy became very popular
Samy’s script made everyone who viewed his profile:
• Add him as a friend
• Embed the script in their profiles
10. Cross Site Scripting: MySpace
How did it work?
<div id="mycode" style="background:url('java
script:eval(document.all.mycode.expr)')" expr="...lots of JS here..." >
• JS inside CSS URL
• Line break in the word “javascript”
• Evaluation of an expression
11. Cross Site Scripting
What is Cross Site Scripting?
• Untrusted data enters the system
– URL, Form or Cookie data
– HTTP Header
– Syndicated feed
– other offline system
• Data then presented to the user & executed in their browser
• Interferes with the intended interaction between a user and a site
12. Cross Site Scripting
How is it possible?
• Browser environment is insecure by design
– Multiple contexts, multiple parsers
– XML, HTML, CSS, JavaScript, DOM, Cookie, URI, VBScript
– All interacting in semi-structured ways
• This makes AJAX and Web 2.0 Mash ups so powerful
13. Cross Site Scripting
Context Switching
• HTML to JS
<script>alert('XSS')</script>
<body onload=alert('XSS')>
• URL to JS
<iframe src=javascript:alert('XSS')>
• CSS to JS
background:url(javascript:alert('XSS'))
14. Cross Site Scripting
Same-origin Policy
• Prevents a document from one site setting or getting properties of a document from another
• Same origin means same protocol, port and host
• So if I frame another site - I can’t modify or read it
15. Cross Site Scripting
But...
• Included JS runs in the context of the current page
• Scripts running in the page context have “root” access to a site
16. Cross Site Scripting
What can happen if an attacker gets a script on your page?
• Perform action against website as if they are the user
• Read the contents of pages and cookies
• Control the display & show fake content to user
• Send information to any server in the world
• Request additional scripts from anywhere
17. Cross Site Scripting
What can happen if an attacker gets a script on your page?
• SSL is no protection
• Logins are no protection
34. Cross Site Scripting: Demo
What happened?
• Cookies stolen
• Interface vandalised
• Users prompted to download malware
• DB poisoned - other users affected
36. Cross Site Request Forgery: GMail
GMail vulnerability used to steal a domain
• Visits evil site while logged into GMail
• Evil site POSTs to GMail creating a new filter
• Filter forwards all mail to attacker and deletes mail
• Attacker initiates domain transfer process
37. Cross Site Request Forgery
Session riding
• Uses persistent sessions to execute actions against a service
• Many Web 2.0 services are vulnerable
39. Clickjacking
UI Redressing
• User is tricked into inadvertent actions
– A dummy button is shown, then target page is loaded over the top in a transparent iframe
– User thinks they are clicking the dummy button, but are interacting with a site they can’t see
40. Clickjacking: Twitter
Don’t Click
• Mischievous page loads transparent iframe containing Twitter post
• User shown a button saying “Don’t Click”
• Click takes place in iframe and results in tweet being sent
• Grows exponentially
• Twitter implements frame buster
42. Solutions
Sanitise Input
• Whitelists
– Allow <strong>, <em> and <br> only
– Does help, but not 100%
• Blacklists
– Block <script> and friends
– Extremely common attack vector
– Extremely difficult to block most attacks
– Coldfusion’s XSS protection = FAIL!
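As an added example (not code from the slides), the whitelist from this slide written out in JavaScript beside the kind of blacklist it warns about; the sample inputs in the comments and tests are constructed.

```javascript
// Added example, not part of the original slides. Allows only <strong>, <em>
// and <br> without attributes; everything else is escaped as text.

// Escape the characters that matter in HTML element content.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// The blacklist the slide warns about: strip <script> open/close tags.
// It leaves every other vector (img onerror, svg onload, ...) untouched, and a
// tag nested inside another reassembles into <script> once the inner one is removed.
function blacklistSanitise(html) {
  return String(html).replace(/<\/?script\s*>/gi, '');
}

const ALLOWED_TAGS = new Set(['strong', 'em', 'br']);

// Matches either a bare tag (<name>, </name>, <name/>) or a run of text.
// A tag carrying attributes does not match the first alternative, so its "<"
// falls through to the last alternative and is escaped with the rest.
const TAG_OR_TEXT = /<(\/?)([a-zA-Z0-9]*)\s*(\/?)>|[^<]+|</g;

function whitelistSanitise(html) {
  return String(html).replace(TAG_OR_TEXT, (match, slash, name, selfClose) => {
    if (name === undefined) return escapeHtml(match);      // text or stray "<"
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return escapeHtml(match);  // <script>, <img>, <>, ...
    if (tag === 'br') return slash ? escapeHtml(match) : '<br>';
    if (selfClose) return escapeHtml(match);               // <strong/> is not accepted
    return slash ? `</${tag}>` : `<${tag}>`;               // canonical, attribute-free
  });
}
// Tag balance is not enforced here: an unclosed <strong> is left open, which a
// browser tolerates but a stricter sanitiser would close.
```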
43. Solutions
Escape Output
• HTML Entity Encoding - HTMLEditFormat()
• Doesn’t always work
– In <script>
– In onmouseover=
– In CSS
– In URLs
• Need to be aware of your context
44. Solutions
The OWASP ESAPI
• 5 Rules for escaping output
#1 - HTML Escape before inserting into element content
#2 - Attribute Escape before inserting into attributes
#3 - JavaScript Escape before inserting into JavaScript data values
#4 - CSS Escape before inserting into style property values
#5 - URL Escape before inserting into URL attributes
• Java API that implements these rules
• 100% safe?
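As an added example (not the slides' code and not the ESAPI library itself), one JavaScript escaper per rule above, followed by a model of why the entity encoding from the previous slide fails inside an onmouseover= attribute; show() and the sample values are constructed.

```javascript
// Added example, not part of the original slides: one escaper per ESAPI rule,
// then a demonstration of why HTML-entity encoding alone fails inside an
// event-handler attribute.

// Rule 1: HTML element content.
function escapeHtmlContent(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  })[c]);
}

// Rule 2: quoted attribute values. Everything but [A-Za-z0-9] becomes a numeric
// entity, so a value can neither end the quote nor start a new attribute.
function escapeHtmlAttribute(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Rule 3: JavaScript string data values. "<" becomes \x3c, so "</script>" can
// no longer end the script block, and quotes can no longer end the literal.
function escapeJsString(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}`
                      : `\\u{${cp.toString(16)}}`;
  });
}

// Rule 4: CSS property values, \HH followed by a space terminator.
function escapeCss(s) {
  return String(s).replace(/[^a-zA-Z0-9]/gu,
    (c) => `\\${c.codePointAt(0).toString(16)} `);
}

// Rule 5: URL parameter values. Percent-encoding is the right primitive for a
// query value, but it does nothing about the scheme of a whole URL placed in
// href/src: a "javascript:" URL is only stopped by an allow-list on the scheme.
function escapeUrlParam(s) {
  return encodeURIComponent(String(s));
}
function safeHref(url) {
  const u = String(url).trim();
  if (/^https?:\/\//i.test(u) || /^\/(?!\/)/.test(u)) return u;  // http(s) or site-relative
  return 'about:blank';  // javascript:, data:, vbscript:, protocol-relative, etc.
}

// Model of what the HTML parser hands to the JS engine for onmouseover="...":
// entities are decoded first, so an HTML-escaped quote is a quote again.
function decodeHtmlEntities(s) {
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|quot|amp|lt|gt);/gi, (m, _g, hex, dec) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return { quot: '"', amp: '&', lt: '<', gt: '>' }[m.slice(1, -1).toLowerCase()];
  });
}

// Handler body the JS engine sees for onmouseover="show('<escaped value>')".
// With escapeHtmlContent alone the quote survives decoding and the value breaks
// out of the literal; JS-escape first, then attribute-escape, and it does not.
function handlerBodySeenByJs(untrusted, escaper) {
  return decodeHtmlEntities(`show('${escaper(untrusted)}')`);
}
function escapeForJsInAttribute(s) {
  return escapeHtmlAttribute(escapeJsString(s));
}
```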
46. Solutions
Minimise Attack Surface
• Don’t allow GET to modify data
• Strict server-side validation of all input
• Check referrer
• Use transaction tokens or “crumbs” - derived from timestamp & user id
• Double submit cookies
• Use frame busting scripts
• Short session timeouts / in-memory cookies
47. Solutions
Design for a breach
• Assume some portion of your users’ accounts will be hijacked at some point
• What if a user's email account is hacked?
• Forgotten password functions should use secret question
• Two factor authentication where appropriate
• Can you rollback or recover?
• Do you have an audit trail?
48. Solutions
Think very carefully about 3rd party scripts
• Google Analytics
• Hosted Libraries
• Digg
• AddThis
Would you give Telstra the keys to your house?
What about your cleaner?
50. Solutions
Browsers are getting better
• Many exploits depend on bugs in browser parsers
• Holes are being rapidly closed
• IE6 is still horribly broken and has market share
51. Using Flash and PDF?
They each have their own issues to consider
• Certain versions of Acrobat Reader have serious vulnerabilities
http://path/to/pdf/file.pdf#foo=javascript:code_here
• Flash also has some potential weak points:
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>
52. Conclusion
• A lot of responsibility lies with developers
• Use a holistic, multi-pronged approach