Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session you’ll learn what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
You’ll see a demo of attacks a CSP will block, you’ll see a site broken by a CSP, show what the different CSP directives & options will do and be introduced to some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session you’ll learn what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
You’ll see a demo of attacks a CSP will block, you’ll see a site broken by a CSP, show what the different CSP directives & options will do and be introduced to some of the tools available to help with implementing a CSP on your sites!
Content Security Policies: Let's Break Stuff for PHPSW at Bath DigitalMatt Brunt
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I'll cover what they are, why they're needed, how they work and the limitations on what they can & cannot do to protect users. I'll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Zombilizing The Web Browser Via Flash Player 9thaidn
This paper talks about how hackers can exploit Flash Player 9's weaknesses to build a botnet to launch malicous attacks against the intranets and the Internet
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session you’ll learn what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
You’ll see a demo of attacks a CSP will block, you’ll see a site broken by a CSP, show what the different CSP directives & options will do and be introduced to some of the tools available to help with implementing a CSP on your sites!
Content Security Policies: Let's Break Stuff for PHPSW at Bath DigitalMatt Brunt
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I’ll cover what they are, why they’re needed, how they work and the limitations on what they can & cannot do to protect users.
I’ll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Content Security Policies are another tool we should have in our security toolbelt to help protect users of our sites. In this session I'll cover what they are, why they're needed, how they work and the limitations on what they can & cannot do to protect users. I'll demo attacks a CSP will block, break things, show what the different CSP directives & options will do and introduce some of the tools available to help with implementing a CSP on your sites!
Zombilizing The Web Browser Via Flash Player 9thaidn
This paper talks about how hackers can exploit Flash Player 9's weaknesses to build a botnet to launch malicous attacks against the intranets and the Internet
Session slides from Future Insights Live, Vegas 2015:
https://futureinsightslive.com/las-vegas-2015/
Reliability and uptime are a critical aspect to any product. It doesn't matter how beautiful the user interface is, how amazing a feature is, or stunning a cutting edge product is if its down. We live in a world where our users expect the products we make to work anytime, every time, all the time. Chaos driven development is the discipline to start with failure scenarios and design our products with failure in mind. It forces us to understand our users, minimum viable product and what drives our businesses in order to architect the systems which we build our product's foundation on. Innovation is about navigating tradeoffs, chaos driven development helps us both understand and be intentional about the tradeoffs we make. Bruce takes a look at the radical strategies Netflix applies to ensure a reliable customer experience. Why chaos, how chaos, what chaos and the results.
Reliability and uptime are a critical aspect to any product. It doesn't matter how beautiful the user interface is, how amazing a feature is, or stunning a cutting edge product is if its down. We live in a world where our users expect the products we make to work anytime, every time, all the time. Chaos driven development is the discipline to start with failure scenarios and design our products with failure in mind. It forces us to understand our users, minimum viable product and what drives our businesses in order to architect the systems which we build our product's foundation on. Innovation is about navigating tradeoffs, chaos driven development helps us both understand and be intentional about the tradeoffs we make. Bruce takes a look at the radical strategies Netflix applies to ensure a reliable customer experience. Why chaos, how chaos, what chaos and the results.
Original talk was given at Future Insights Live 2015 in Las Vegas on June 4th, 2015.
Debezium vs. the World: An Overview of the CDC EcosystemHostedbyConfluent
"Change Data Capture (CDC) has become a commodity in data engineering, much in part due to the ever-rising success of Debezium [1]. But is that all there is? In this lightning talk, we’ll outline the current state of the CDC ecosystem, and understand why adopting a Debezium alternative is still a hard sell. If you’ve ever wondered what else is out there, but can’t keep up with the sprawling of new tools in the ecosystem; we’ll wrap it up for you!
[1] https://debezium.io/"
httpscreenshot is a tool developed internally over the past year and a half. It has become one of our go to tools for the reconnaissance phase of every penetration test. The tool itself takes a list of addresses, domains, URLs, and visits each in a browser, parses SSL certificates to add new hosts, and captures a screenshot/HTML of the browser instance. Similar tools exist but none met our needs with regards to speed (threaded), features (JavaScript support, SSL auto detection and certificate scraping), and reliability.
The cluster portion of the tool will go through and group "similar" websites together, where "similar" is determined by a fuzzy matching metric.
This tool can be used by both blue and red teams. The blue teams can use this tool to quickly create an inventory of applications and devices they have running in their environments. This inventory will allow them to quickly see if there is anything running in their environment that they may not know about which should be secured or in many cases removed.
The red teams can use this tool to quickly create the same inventory as part of our reconnaissance, which is often very effective in identifying potential target assets.
Many companies are looking for "DevOps'' in many forms, but what kind of skills or experiences are actually needed? I’ll debunk some of the myths surrounding what recruiters or internet lurkers might tell you and find out if you might actually have an aptitude for Site Reliability or Infrastructure Engineering. If so, what might be good knowledge areas to get started with? And if learning leads to an interview, what might that look like?
Prometheus is a next-generation monitoring system. It lets you see you not just what your systems look like from the outside, but also gives visibility into the internals and business aspects of your systems. This allows everyone to benefit, including both operations and developers. This talk will look at the concepts behind monitoring with Prometheus, how it's designed, why it's suitable for Cloud Native environments and how you can get involved.
Short brief about some of the more important http headers that is directly or indirectly related to security and privacy both for the end user and the service provider.
Content Security Policy is a key part of Web Application Security that helps in mitigating Cross Site injections (such as XSS). The application (server-side) "informs" the client (browser) of the resources it uses; the client-side implementation whitelists these resources and bans everything else - thus providing the protection as designed.
This presentation was given at NULL & OWASP Chandigarh Chapter April Meet.
Protecting Web App users in today’s hostile environmentajitdhumale
Modern day web applications live and operate in a complex eco-system (Browser, Network/wifi, CDN, Cert Authorities, 3rd party sub resources and more). Securing the web server and web application business logic is not sufficient. The eco-system outside your direct control also contribute to the security risk posed to users of web applications. Security weaknesses and compromised elements in the eco-system would make , otherwise secure, applications risky for the users. We need to think of protecting your users in this un-trusted environment. The presentation describes such risks and options available to deal with them.
NOTE: The same talk was presented in Armsec2016 conference (http://armsec.org/) and in OWASP Pune chapter meetup (29th Sep, 2016)
Cassandra Summit 2014: Social Media Security Company Nexgate Relies on Cassan...DataStax Academy
Presenter: Harold Nguyen, Senior Data Scientist at Nexgate
In this talk, we focus on a use case by showing how Cassandra can detect spam and spammers on social media. We also show how we use Cassandra to train our 100+ social-media-security classifiers. The accuracy of any security product is directly tied to the breadth of the corpus of data upon which it is built. For Nexgate, this means that the success of our products is inextricably tied to our ability to save everything we've ever scanned, but in a way that is still readily accessible. In the days before NoSQL, this was hard. This talk is about how Datastax and Cassandra make it easy.
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real WorldChristopher Grant Ward
Okay, we get it. No more blobs. Make things chunky. Separate content from code.
But this is easier said than done.
Most content professionals work with small budgets or cope with big bureaucracies. We can't move forward on ideals alone. We need practical approaches (and dare we say, compromises) for implementing adaptive content in our day-to-day jobs. Instead of discussing in vain how to build perfect solutions, let's look closely at real-world case studies of people who have made tough calls and tradeoffs to move toward adaptive content in ways that solved actual problems.
Adaptive content requires a cultural shift in thinking, and along the way, we need to be able to allow ourselves some tradeoffs. Many situations today cannot realistically support, or even require, the chunkiest solution possible. When could a little WYSIWYG sometimes be a good thing? Is it heresy to allow the errant blob into your content management system for a special use case? As we defend the purity of content, it's also our responsibility as strategists to empower content creators to do their jobs well. Sure, the larger theory is exciting to think about, we'd like to talk more about the things we can actually start doing when we arrive to work the next morning.
You've heard all about what microservices can do for you. You're convinced. So you build some. Reasoning about your functionality is way easier: these services are so simple! Then you get to the point where you have 35 microservices, and all the monitoring and alerting tactics you used for your monoliths are a complete disaster. Something needs to change and this talk will explain what and how.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise? In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and how to automate them in Behat. These techniques will help to ensure you're writing well designed and tested software that focuses on what the users want from a system.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and what makes a good feature file.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users really want from a system.
More Related Content
Similar to Content Security Policies: Let's Break Stuff for WordCamp London
Session slides from Future Insights Live, Vegas 2015:
https://futureinsightslive.com/las-vegas-2015/
Reliability and uptime are a critical aspect to any product. It doesn't matter how beautiful the user interface is, how amazing a feature is, or stunning a cutting edge product is if its down. We live in a world where our users expect the products we make to work anytime, every time, all the time. Chaos driven development is the discipline to start with failure scenarios and design our products with failure in mind. It forces us to understand our users, minimum viable product and what drives our businesses in order to architect the systems which we build our product's foundation on. Innovation is about navigating tradeoffs, chaos driven development helps us both understand and be intentional about the tradeoffs we make. Bruce takes a look at the radical strategies Netflix applies to ensure a reliable customer experience. Why chaos, how chaos, what chaos and the results.
Reliability and uptime are a critical aspect to any product. It doesn't matter how beautiful the user interface is, how amazing a feature is, or stunning a cutting edge product is if its down. We live in a world where our users expect the products we make to work anytime, every time, all the time. Chaos driven development is the discipline to start with failure scenarios and design our products with failure in mind. It forces us to understand our users, minimum viable product and what drives our businesses in order to architect the systems which we build our product's foundation on. Innovation is about navigating tradeoffs, chaos driven development helps us both understand and be intentional about the tradeoffs we make. Bruce takes a look at the radical strategies Netflix applies to ensure a reliable customer experience. Why chaos, how chaos, what chaos and the results.
Original talk was given at Future Insights Live 2015 in Las Vegas on June 4th, 2015.
Debezium vs. the World: An Overview of the CDC EcosystemHostedbyConfluent
"Change Data Capture (CDC) has become a commodity in data engineering, much in part due to the ever-rising success of Debezium [1]. But is that all there is? In this lightning talk, we’ll outline the current state of the CDC ecosystem, and understand why adopting a Debezium alternative is still a hard sell. If you’ve ever wondered what else is out there, but can’t keep up with the sprawling of new tools in the ecosystem; we’ll wrap it up for you!
[1] https://debezium.io/"
httpscreenshot is a tool developed internally over the past year and a half. It has become one of our go to tools for the reconnaissance phase of every penetration test. The tool itself takes a list of addresses, domains, URLs, and visits each in a browser, parses SSL certificates to add new hosts, and captures a screenshot/HTML of the browser instance. Similar tools exist but none met our needs with regards to speed (threaded), features (JavaScript support, SSL auto detection and certificate scraping), and reliability.
The cluster portion of the tool will go through and group "similar" websites together, where "similar" is determined by a fuzzy matching metric.
This tool can be used by both blue and red teams. The blue teams can use this tool to quickly create an inventory of applications and devices they have running in their environments. This inventory will allow them to quickly see if there is anything running in their environment that they may not know about which should be secured or in many cases removed.
The red teams can use this tool to quickly create the same inventory as part of our reconnaissance, which is often very effective in identifying potential target assets.
Many companies are looking for "DevOps'' in many forms, but what kind of skills or experiences are actually needed? I’ll debunk some of the myths surrounding what recruiters or internet lurkers might tell you and find out if you might actually have an aptitude for Site Reliability or Infrastructure Engineering. If so, what might be good knowledge areas to get started with? And if learning leads to an interview, what might that look like?
Prometheus is a next-generation monitoring system. It lets you see you not just what your systems look like from the outside, but also gives visibility into the internals and business aspects of your systems. This allows everyone to benefit, including both operations and developers. This talk will look at the concepts behind monitoring with Prometheus, how it's designed, why it's suitable for Cloud Native environments and how you can get involved.
Short brief about some of the more important http headers that is directly or indirectly related to security and privacy both for the end user and the service provider.
Content Security Policy is a key part of Web Application Security that helps in mitigating Cross Site injections (such as XSS). The application (server-side) "informs" the client (browser) of the resources it uses; the client-side implementation whitelists these resources and bans everything else - thus providing the protection as designed.
This presentation was given at NULL & OWASP Chandigarh Chapter April Meet.
Protecting Web App users in today’s hostile environmentajitdhumale
Modern day web applications live and operate in a complex eco-system (Browser, Network/wifi, CDN, Cert Authorities, 3rd party sub resources and more). Securing the web server and web application business logic is not sufficient. The eco-system outside your direct control also contribute to the security risk posed to users of web applications. Security weaknesses and compromised elements in the eco-system would make , otherwise secure, applications risky for the users. We need to think of protecting your users in this un-trusted environment. The presentation describes such risks and options available to deal with them.
NOTE: The same talk was presented in Armsec2016 conference (http://armsec.org/) and in OWASP Pune chapter meetup (29th Sep, 2016)
Cassandra Summit 2014: Social Media Security Company Nexgate Relies on Cassan...DataStax Academy
Presenter: Harold Nguyen, Senior Data Scientist at Nexgate
In this talk, we focus on a use case by showing how Cassandra can detect spam and spammers on social media. We also show how we use Cassandra to train our 100+ social-media-security classifiers. The accuracy of any security product is directly tied to the breadth of the corpus of data upon which it is built. For Nexgate, this means that the success of our products is inextricably tied to our ability to save everything we've ever scanned, but in a way that is still readily accessible. In the days before NoSQL, this was hard. This talk is about how Datastax and Cassandra make it easy.
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
How Chunky Do You Need To Be?: Adaptive Content Strategies For The Real WorldChristopher Grant Ward
Okay, we get it. No more blobs. Make things chunky. Separate content from code.
But this is easier said than done.
Most content professionals work with small budgets or cope with big bureaucracies. We can't move forward on ideals alone. We need practical approaches (and dare we say, compromises) for implementing adaptive content in our day-to-day jobs. Instead of discussing in vain how to build perfect solutions, let's look closely at real-world case studies of people who have made tough calls and tradeoffs to move toward adaptive content in ways that solved actual problems.
Adaptive content requires a cultural shift in thinking, and along the way, we need to be able to allow ourselves some tradeoffs. Many situations today cannot realistically support, or even require, the chunkiest solution possible. When could a little WYSIWYG sometimes be a good thing? Is it heresy to allow the errant blob into your content management system for a special use case? As we defend the purity of content, it's also our responsibility as strategists to empower content creators to do their jobs well. Sure, the larger theory is exciting to think about, we'd like to talk more about the things we can actually start doing when we arrive to work the next morning.
You've heard all about what microservices can do for you. You're convinced. So you build some. Reasoning about your functionality is way easier: these services are so simple! Then you get to the point where you have 35 microservices, and all the monitoring and alerting tactics you used for your monoliths are a complete disaster. Something needs to change and this talk will explain what and how.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise? In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and how to automate them in Behat. These techniques will help to ensure you're writing well designed and tested software that focuses on what the users want from a system.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and what makes a good feature file.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users really want from a system.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and what makes a good feature file.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users really want from a system.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and what makes a good feature file.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users really want from a system.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and how to automate them in Behat.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users want from a system.
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and how to automate them in Behat.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users want from a system.
BDD - telling stories through code for PHPemMatt Brunt
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and what makes a good feature file.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users really want from a system.
BDD: Telling stories through code [For TechNotts]Matt Brunt
Stories? Scenarios? BDD? Are these just more words in the ever-growing list of jargon that developers have to know? Or are they something more important than new terms to memorise?
In this session we'll look at how BDD fits into the software development work-flow, how to tell user stories through features, and what makes a good feature file.
These techniques will help to ensure you're writing well designed and tested software that focuses on what the users really want from a system.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
2. @BruntyCSP: Let’s Break Stuff
Because you all totally care about this, right?!
About me
▸ Senior Software Engineer at Viva IT
(those folks in orange hoodies at some conferences & events
you may have been to)
▸ @Brunty
▸ @PHPem
▸ mfyu.co.uk
▸ matt@mfyu.co.uk
3. @BruntyCSP: Let’s Break Stuff
Blah blah… just get on with the talk
Things I do
▸ Dungeon master for D&D campaigns
▸ Mentor, lead & teach apprentices & junior developers
▸ Run & organise PHP East Midlands
▸ Speak at user groups and conferences
▸ Break production sites with incorrectly configured content
security policies
7. @BruntyCSP: Let’s Break Stuff
First, some background
What is Cross-Site-Scripting (XSS)?
▸ XSS enables an attacker to inject client-side scripts into non-
malicious web pages viewed by other users
▸ In 2016 there was a 61% likelihood of a browser-based
vulnerability being found in a web application
▸ Of those browser based vulnerabilities, 86% were found to be
XSS related
▸ That’s just over 52% of all web application vulnerabilities
https://www.edgescan.com/assets/docs/reports/2016-edgescan-stats-report.pdf
8. @BruntyCSP: Let’s Break Stuff
I mean, it’s just a joke vulnerability, right?!
What can be done with XSS?
▸ Put pictures of cats in web pages
▸ alert(‘💩’);
▸ Rickroll a user
▸ Twitter self-retweeting tweet
https://www.youtube.com/watch?v=zv0kZKC6GAM
▸ Samy worm
https://en.wikipedia.org/wiki/Samy_(computer_worm)
9. @BruntyCSP: Let’s Break Stuff
Well… maybe it’s not a joke vulnerability
What can be done with XSS?
▸ Make modifications to the DOM
▸ Load additional scripts, resources, styles, images etc
▸ Access HTML5 APIs - webcam, microphone, geolocation
▸ Steal cookies (and therefore steal session cookies)
11. @BruntyCSP: Let’s Break Stuff
It’s really not a joke vulnerability
What can be done with XSS?
https://www.wired.com/2008/03/hackers-assault-epilepsy-patients-via-computer/
12. @BruntyCSP: Let’s Break Stuff
Types of XSS attack
Stored XSS (AKA Persistent or Type I)
▸ Occurs when input is stored - generally in a server-side
database, but not always
▸ This could also be within a HTML5 database, thus never being
sent to the server at all
▸ who.is was a site Rickrolled by a TXT record in the DNS of a
website (yes, really)
13. @BruntyCSP: Let’s Break Stuff
Types of XSS attack
Reflected XSS (AKA Non-persistent or Type II)
▸ Occurs when user input provided in the request is immediately
returned - such as in an error message, search string etc
▸ Data is not stored, and in some instances, may not even reach
the server (see the next type of XSS)
14. @BruntyCSP: Let’s Break Stuff
Types of XSS attack
DOM-Based XSS (AKA Type-0)
▸ The entire flow of the attack takes place within the browser
▸ For example, if JavaScript in the site takes input, and uses
something like document.write based on that input, it can be
vulnerable to a DOM-based XSS attack
15. @BruntyCSP: Let’s Break Stuff
Types of XSS attack
Self XSS
▸ Social-engineering form of XSS
▸ Requires the user to execute code in the browser
▸ Doing so via the console can’t be protected by a lot of methods
▸ Not considered a ‘true’ XSS attack due to requiring the user to
execute the code
24. @BruntyCSP: Let’s Break Stuff
CSP to the rescue!
What can we protect?
▸ default-src
▸ script-src
▸ style-src
▸ img-src
▸ form-action
▸ update-insecure-requests
25. @BruntyCSP: Let’s Break Stuff
Full reference:https://content-security-policy.com
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
28. @BruntyCSP: Let’s Break Stuff
style-src ‘self'
Allow loading from same scheme,
host and port
29. @BruntyCSP: Let’s Break Stuff
script-src 'unsafe-inline'
Allows use of inline source
elements such as style attribute,
onclick, or script tag bodies
44. @BruntyCSP: Let’s Break Stuff
Ways to make dealing with a CSP easier
Tips
▸ Have an easy and quick way to disable the CSP in production if
required
▸ Better yet, have a way to switch it from enforced to report only
so you can get violations reported to help you debug
▸ Add the CSP at an application level if you need a nonce
45. @BruntyCSP: Let’s Break Stuff
Ways to make dealing with a CSP easier
Multiple policies
▸ They complicate things
▸ For a resource to be allowed, it must be allowed by all policies
declared (problematic if an enforced policy)
▸ I tend to avoid them where possible on enforced policies
▸ But with report-only mode they can be very useful to deploy
and test multiple policies at the same time (as nothing breaks
for the user)
46. @BruntyCSP: Let’s Break Stuff
Ways to remove barriers in development
Cryptographic nonces
▸ Don’t generate multiple nonces in the same request (but do
generate a new nonce on each separate request)
▸ If using a templating engine (such as twig) - add the nonce as a
global so it’s available in every template by default
▸ Write a helper in your template engine to generate script tags
with a nonce if it’s available