Csrf / Xsrf Basics defines CSRF as a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using the active sessions of its authorized users. CSRF tricks the victim into loading a page that contains a malicious request, which inherits the victim's identity and privileges to perform an undesired function such as changing a password. CSRF attacks target functions that cause state changes on the server, but they can also be used to access sensitive data. The synchronizer token pattern is a server-side prevention technique: the server establishes a token, validates each submission through a corresponding token in a hidden form field, and marks a token as invalid after a single use.
Explore the importance of matching escape functions properly. Learn more about how this impacts cross-site scripting. Examples in EJS and JavaScript.
NOTE: There are animated gifs that add some fun. You'll get all the meat viewing online. Download it if you want to see the GIFs.
The document discusses Domain-Driven Design (DDD). It explains that DDD focuses on properly modeling the problem domain and using this domain model to drive the software design. This involves developing a ubiquitous language within the bounded context of the domain model and ensuring consistency between this language, the domain model, and the software code. Patterns like entity, value object, aggregate, and repository can be used, but the domain model is the most important pattern in DDD.
The document describes the proxy pattern. The proxy pattern provides a surrogate or placeholder for another object to control access to it. A proxy can act as a local representative for real objects located elsewhere. Some key points:
- A proxy maintains a reference to a real subject and provides an interface identical to the real subject. This allows clients to access the real subject indirectly through the proxy.
- Proxies are useful when accessing heavyweight real subjects would result in performance issues. The proxy can allow lighter-weight access when the full functionality of the real subject is not needed.
- Common proxy types include remote proxies, virtual proxies that load lazily, and access control proxies that restrict access to the real subject.
Commands, events, queries: three types of messages that travel through your application. Some originate from the web, some from the command line. Your application sends some of them to a database, or to a message queue. What is the ideal infrastructure for an application to support this ongoing stream of messages? What kind of architectural design fits best?
This talk provides answers to these questions: we take the *hexagonal* approach to software architecture. We look at messages, how they cross boundaries and how you can make steady communication lines between your application and other systems, like web browsers, terminals, databases and message queues. You will learn how to separate the technical aspects of these connections from the core behavior of your application by implementing design patterns like the *command bus*, and design principles like *dependency inversion*.
This document provides an introduction to domain-driven design (DDD). It defines DDD as an approach where the application's domain model reflects the real business domain and core domain is the primary focus. It discusses DDD principles like ubiquitous language, domain encapsulation, and technical simplicity. The benefits of DDD include improved communication through a shared language, a modular and extensible domain model, and the domain rules and logic being encapsulated in one place.
This document discusses DOM based cross-site scripting (XSS) and methods for detecting it. It begins by explaining what DOM and XSS are, and defines DOM based XSS as exploiting client-side script execution by modifying the DOM environment. Next, it provides examples of how DOM based XSS can work by manipulating DOM objects like document.location. The document concludes by outlining approaches for detecting DOM based XSS including general analysis, using the headless browser PhantomJS to programmatically interact with web pages, and leveraging a modified version of PhantomJS called Tainted PhantomJS that is designed specifically for DOM based XSS detection.
The document provides an introduction and overview of design patterns. It defines design patterns as common solutions to recurring problems in software design. The document discusses the origin of design patterns in architecture, describes the four essential parts of a design pattern (name, problem, solution, consequences), and categorizes patterns into creational, structural, and behavioral types. Examples of commonly used patterns like Singleton and State patterns are also presented.
ECMAScript is a scripting language standard maintained by Ecma International. ECMAScript versions 7, 8, 9, and 10 introduced several new features including array.includes(), Object.values(), async/await, rest/spread properties, Promise.finally(), and array flat mapping methods. New versions aim to improve performance, utility and stability of the JavaScript language.
Modelling a complex domain with Domain-Driven Design, by Naeem Sarfraz
Domain-Driven Design is an approach to modelling business complexity explicitly in your software. This deck of slides runs through the key concepts focusing on both the strategic and tactical aspects of DDD.
This document discusses using Java with DevOps in Azure. It provides an overview of Azure services that can be used with Java like SQL Database, blob storage, and App Services. It also discusses using Visual Studio Team Services (VSTS) for source control, building, testing, and deploying Java applications. Specific topics covered include connecting a Java app to SQL Database, storing images in blob storage, creating a build definition, and continuous integration/deployment using VSTS.
This document discusses how to deploy a Java web application to Windows Azure Cloud Services. It covers:
- Setting up the development environment with Java, Eclipse, and the Azure SDK.
- Creating a dynamic web project and adding the Azure deployment project.
- Configuring the deployment to include the JDK, Tomcat, and WAR files.
- Testing the application locally using the Azure emulator.
- Publishing the application to the Azure cloud.
- Additional topics like remote debugging, managing the cloud service, and using Azure services like SQL, storage, caching and CDN.