Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, browsers can restrict content from just the domains whitelisted in the policy. This session shares lessons learned with deploying CSP at Yahoo.
Completing a transition to a microservices-based architecture makes every software engineer feel good. You can be proud of requests spanning multiple individual services, each with isolated single responsibility. Exactly as you dreamed it would be.
In the course of this transition however, you will have also created several new problems. Among these is a whole new level of complexity related to understanding the behavior of the application when troubleshooting a problem. If you have ever wrestled with pinpointing the exact root cause during a post-mortem, this talk is for you.
We will show you how capturing the runtime transparency of the distributed and dynamic architecture is possible. Better yet, we will cover both simple and advanced examples about how taking this route gives you an objective and evidence-based ability to zoom in to the problem.
After attending the talk you will understand how distributed tracing will help your team during incident response and post-mortems.
Register today to learn more:
What are distributed traces
Different ways to add distributed tracing to your production services
How the distributed traces expose the runtime architecture of your microservices in production.
Examples of how a distributed trace highlights a problem
Advanced examples of how distributed traces map root causes to real user impact
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Completing a transition to a microservices-based architecture makes every software engineer feel good. You can be proud of requests spanning multiple individual services, each with isolated single responsibility. Exactly as you dreamed it would be.
In the course of this transition however, you will have also created several new problems. Among these is a whole new level of complexity related to understanding the behavior of the application when troubleshooting a problem. If you have ever wrestled with pinpointing the exact root cause during a post-mortem, this talk is for you.
We will show you how capturing the runtime transparency of the distributed and dynamic architecture is possible. Better yet, we will cover both simple and advanced examples about how taking this route gives you an objective and evidence-based ability to zoom in to the problem.
After attending the talk you will understand how distributed tracing will help your team during incident response and post-mortems.
Register today to learn more:
What are distributed traces
Different ways to add distributed tracing to your production services
How the distributed traces expose the runtime architecture of your microservices in production.
Examples of how a distributed trace highlights a problem
Advanced examples of how distributed traces map root causes to real user impact
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Malware analysis, threat intelligence and reverse engineeringbartblaze
In this presentation, I introduce the concepts of malware analysis, threat intelligence and reverse engineering. Experience or knowledge is not required.
Feel free to send me feedback via Twitter (@bartblaze) or email.
Blog post: https://bartblaze.blogspot.com/2018/02/malware-analysis-threat-intelligence.html
Labs: https://github.com/bartblaze/MaTiRe
Mind the disclaimer.
Access Control Models: Controlling Resource AuthorizationMark Niebergall
There are various access control models, each with a specific intent and purpose. Determining the ideal model for an application can help ensure proper authorization to application resources. Each of the primary models will be covered, including the MAC, DAC, RBAC, and ABAC Access Control models. Examples, challenges, and benefits of each will be discussed to provide a further insight into which solution may best serve an application. Application sensitivity, regulations, and privacy may drive which model is selected.
This session is focused on the Hashicorp vault which is a secret management tool. We can manage secrets for 2-3 environments but what if we have more than 10 environments, then it will become a very painful task to manage them when secrets are dynamic and need to be rotated after some time. Hashicorp vault can easily manage secrets for both static and dynamic also it can help in secret rotations.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
On December 9th, researchers uncovered a zero-day critical vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228 or “Log4Shell” is a RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control over an infected system. The vulnerability has been ranked a 10/10 on the CVSSv3 severity scale.
While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and there are already widespread scans being conducted by malicious attackers to exploit Log4Shell.
What should companies or organizations do?
Join Marco Preuss, Head of Europe’s Global Research and Analysis (GReAT) team, Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion on Log4Shell and a live Q&A session.
To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh
Presentation at NetPonto community: "We’re going to discuss gRPC, Google’s open-source RPC framework. I’ll dive a bit into the history of RPC as a protocol, and what its historical use has been. I’ll also highlight some benefits to adopt gRPC and how its possible to swap out parts of gRPC and still take advantage of gRPC’s benefits. Finally I’ll answer the question that has been on many lips since gRPC was announced — what does this mean for REST?"
gRPC in Golang presentation
In this talk, I introduced gRPC, Protocol buffer, and how to use them with golang.
Source code used in the presentation: http://github.com/AlmogBaku/grpc-in-go
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on a mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements for Ipvlan mode is v4.2+, Macvlan mode is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Codemotion
gRPC is a high performance, language-neutral, general RPC framework developed and open sourced by Google. Built on the HTTP/2 standard, gRPC brings many benefits such as bidirectional streaming, flow control, header compression, multiplexing and more. In this session, you will learn about gRPC and how you can use it in your applications.
Ce cours s'adresse aux débutants sur Internet.
Le but de ce cours est d'appréhender le droit sur internet, être capable de comprendre les différents cadres juridiques sur le web et être capable de se protéger.
Retrouvez cette formation sur www.aat-s.com
General Waf detection and bypassing techniques. Main focus to demonstrate that how to take right approach to analyse the behaviour of web application firewall and then create test cases to bypass the same.
Abusing Microsoft Kerberos - Sorry you guys don't get itBenjamin Delpy
Talk of Skip Duckwall and I at BlackHat 2014 USA / Defcon Wall of Sheep.
Kerberos, and new pass-the-* feature, like overpass-the-hash and the Golden Ticket
Malware analysis, threat intelligence and reverse engineeringbartblaze
In this presentation, I introduce the concepts of malware analysis, threat intelligence and reverse engineering. Experience or knowledge is not required.
Feel free to send me feedback via Twitter (@bartblaze) or email.
Blog post: https://bartblaze.blogspot.com/2018/02/malware-analysis-threat-intelligence.html
Labs: https://github.com/bartblaze/MaTiRe
Mind the disclaimer.
Access Control Models: Controlling Resource AuthorizationMark Niebergall
There are various access control models, each with a specific intent and purpose. Determining the ideal model for an application can help ensure proper authorization to application resources. Each of the primary models will be covered, including the MAC, DAC, RBAC, and ABAC Access Control models. Examples, challenges, and benefits of each will be discussed to provide a further insight into which solution may best serve an application. Application sensitivity, regulations, and privacy may drive which model is selected.
This session is focused on the Hashicorp vault which is a secret management tool. We can manage secrets for 2-3 environments but what if we have more than 10 environments, then it will become a very painful task to manage them when secrets are dynamic and need to be rotated after some time. Hashicorp vault can easily manage secrets for both static and dynamic also it can help in secret rotations.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
The Log4Shell Vulnerability – explained: how to stay secureKaspersky
On December 9th, researchers uncovered a zero-day critical vulnerability in the Apache Log4j library used by millions of Java applications. CVE-2021-44228 or “Log4Shell” is a RCE vulnerability that allows attackers to execute arbitrary code and potentially take full control over an infected system. The vulnerability has been ranked a 10/10 on the CVSSv3 severity scale.
While the Apache Foundation has already released a patch for this CVE, it can take weeks or months for vendors to update their software, and there are already widespread scans being conducted by malicious attackers to exploit Log4Shell.
What should companies or organizations do?
Join Marco Preuss, Head of Europe’s Global Research and Analysis (GReAT) team, Marc Rivero and Dan Demeter, Senior Security Researchers with GReAT, for an in-depth discussion on Log4Shell and a live Q&A session.
To see the full webinar, please visit: https://securelist.com/webinars/log4shell-vulnerability-how-to-stay-secure/?utm_source=Slideshare&utm_medium=partner&utm_campaign=gl_jespo_je0066&utm_content=link&utm_term=gl_Slideshare_organic_s966w1tou5a0snh
Presentation at NetPonto community: "We’re going to discuss gRPC, Google’s open-source RPC framework. I’ll dive a bit into the history of RPC as a protocol, and what its historical use has been. I’ll also highlight some benefits to adopt gRPC and how its possible to swap out parts of gRPC and still take advantage of gRPC’s benefits. Finally I’ll answer the question that has been on many lips since gRPC was announced — what does this mean for REST?"
gRPC in Golang presentation
In this talk, I introduced gRPC, Protocol buffer, and how to use them with golang.
Source code used in the presentation: http://github.com/AlmogBaku/grpc-in-go
The slides from the talk I gave in Java.IL's Apr 2019 session.
These slides describe Keycloak, OAuth 2.0, OpenID and SparkBeyond's integration with Keycloak
"CERT Secure Coding Standards" by Dr. Mark ShermanRinaldi Rampen
OWASP DC - November 2015 Talk
Abstract:
This presentation will start with an overview of CERT’s view of the tools, technologies and processes for building secure software from requirements to operational deployment, including architecture, design, coding and testing. After providing the context for building secure software, the discussion will focus on the current state of the CERT Coding Standards: what is available, how the rules evolve and how the rules are put into practice.
Bio:
Dr. Mark Sherman is the Technical Director of the Cyber Security Foundations group at CERT within CMU’s Software Engineering Institute. His team focuses on foundational research on the life cycle for building secure software and on data-driven analysis of cyber security. Before coming to CERT, Dr. Sherman was at IBM and various startups, working on a mobile systems, integrated hardware-software appliances, transaction processing, languages and compilers, virtualization, network protocols and databases. He has published over 50 papers on various topics in computer science.
Docker Networking with New Ipvlan and Macvlan DriversBrent Salisbury
Docker Networking presentation at ONS2016.
Docker Macvlan and Ipvlan Networking Drivers Experimental Readme:
github.com/docker/docker/blob/master/experimental/vlan-networks.md
Kernel requirements for Ipvlan mode is v4.2+, Macvlan mode is v3.19.
If using Virtualbox to test with, use NAT mode interfaces unless you have multiple MAC addresses working in your setup. Use the 172.x.x.x subnet and gateway used by the VBox NAT network. Vmware Fusion works out of the box.
Here is a screenshot of a VirtualBox NAT interface:
https://www.dropbox.com/s/w1rf61n18y7q4f1/Screenshot%202016-03-20%2001.55.13.png?dl=0
Introduction to gRPC: A general RPC framework that puts mobile and HTTP/2 fir...Codemotion
gRPC is a high performance, language-neutral, general RPC framework developed and open sourced by Google. Built on the HTTP/2 standard, gRPC brings many benefits such as bidirectional streaming, flow control, header compression, multiplexing and more. In this session, you will learn about gRPC and how you can use it in your applications.
Ce cours s'adresse aux débutants sur Internet.
Le but de ce cours est d'appréhender le droit sur internet, être capable de comprendre les différents cadres juridiques sur le web et être capable de se protéger.
Retrouvez cette formation sur www.aat-s.com
http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
Recorded Webinar: https://www.whitehatsec.com/webinar/whitehat_webinar_march2713.html
Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivilents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now it its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year:
A Scalable Client Authentication & Authorization Service for Container-Based ...Binu Ramakrishnan
This session presents a novel way of role based identity that provides both authentication and authorization to clients in a fully automated, easy to configure, scalable fashion.
Securing application deployments in multi-tenant CI/CD environmentsBinu Ramakrishnan
The goal of the talk is to introduce you to, the security risks and challenges associated with operating or using a multi-tenant CI/CD platform, and offers security patterns and best practices to harden it.
Video: http://oreil.ly/2hVCilH
Getting Browsers to Improve the Security of Your WebappFrancois Marier
Most web developers have some knowledge of input sanitization and encryption, but what happens when you forget an edge case or when users are connected to a rogue access point?
Through the use of technologies like strict transport security, content security policy, sub-resource integrity, and the referrer policy, web developers can instruct browsers to add a second layer of defenses against the most common attacks.
DrupalCamp London 2017 - Web site insecurity George Boobyer
Common threats to web security with real world case studies of compromised sites,
- A 'dissection' of a typical common exploit tool and how it operates,
- Simple approaches to mitigating common threats/vulnerabilities,
- Defence in depth – an overview of the various components of web security,
- Drupal specific measures that standard penetration testing often does not account for.
An overview of how to benefit from:
- Security monitoring and log analysis
- Intrusion Detection Systems & Firewalls
- Security headers and Content Security Policies (CSP).
see Drupal Camp London for full details:
http://drupalcamp.london/session/web-site-insecurity-how-your-cms-site-will-get-hacked-and-how-prevent-it
Web Security Automation: Spend Less Time Securing your ApplicationsAmazon Web Services
As attackers become more sophisticated, web application developers need to constantly update their security configurations. Static firewall rules are no longer good enough. Developers need a way to deploy automated security that can learn from the application behavior and identify bad traffic patterns to detect bad bots or bad actors on the Internet. This session showcases some of the real-world customer use cases that use machine learning and AWS WAF (a web application firewall) with automated incident response and machine learning to automatically identify bad actors. We also present tutorials and code samples that show how customers can analyze traffic patterns and deploy new AWS WAF rules on the fly.
This presentation presentated by Mohd Shamir B Hasyim, Vice President Government and Multilateral Engagement, Cyber Security Malaysia, 10th September 2013 on #IISF2013
An Integrated Approach For Cyber Security And Critical Information Infrastructure Protection
BAROMETRE 2016 | Les pratiques numériques et la maîtrise des données personne...CNIL ..
19/09/2016 - Synthèse de résultats de la seconde vague du baromètre réalisé avec Médiamétrie sur les pratiques numériques des français relatives à leur vie privée. La CNIL s’intéresse plus spécifiquement aux pratiques numériques concrètes concernant la maîtrise et la diffusion des contenus et données personnelles.
Intervention CNIL : droit des internautes et obligations des e-marchandsNet Design
Support de M. Jean-Paul Amoudry, vice-président de la CNIL, utilisé lors de sa présentation "droit des internautes et obligations des responsables de sites web et e-marchands" lors de l'évènement Work'n Coffee organisé par Net Design en novembre 2011.
Short brief about some of the more important http headers that is directly or indirectly related to security and privacy both for the end user and the service provider.
Rails security: above and beyond the defaultsMatias Korhonen
In a world with increasingly sophisticated adversaries employing both targeted and automated attacks, what can we do to keep our users and our web apps safe?
While Rails provides pretty decent security options straight out of the box, we can go further and make attacks more difficult to accomplish.
For example, why and how to implement a Content Security Policy. Should you use HTTP Public Key Pinning? How do you know if you've configured HTTPS correctly?
While application security will always be an application space problem that's ultimately up to programmers to solve, new techniques in modern browsers can help mitigate vulnerability surface area when bugs enter the playing field unnoticed. Besides the obvious transport level security provided by HTTPS, CSP and Sandboxed Iframes provide solid mechanisms for setting rules to help the browser help you.
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.
Threat Modeling for Web Applications (and other duties as assigned)Mike Tetreault
This presentation provides an overview of the OWASP Top Ten Web Application Security Risks, approaches to mitigate them, and a framework for addressing the inherent risk.
CONFidence 2018: Defense-in-depth techniques for modern web applications and ...PROIDEA
In this presentation, we show promising new defense-in-depth techniques to protect modern web applications from old and new classes of bugs: Suborigins to have finer-grained control over origin boundaries, Site Isolation and XSDB against Spectre and Meltdown attacks, and last but not least Origin and Feature Policy. In addition to that, we explain new features of the upcoming CSP 3 specification like 'unsafe-hashed-attributes' and give an overview of how we were able to enforce CSP as a strong mitigation against cross-site scripting on over 50% of production web traffic at Google. With increased adoption new challenges arise: dealing with CSP report noise - generated by buggy browsers, extensions, malware and security software - devising an effective monitoring infrastructure, and keeping on top of bypassing techniques. In this presentation we reveal how our internal CSP infrastructure works and how we solved problems, share our experience, show real-world examples, best practices and common pitfalls. Finally, we hint at a new promising web mitigation technique, which we hope to see gaining traction in the near future: Suborigins.
BP101 - Can Domino Be Hacked? Lessons We Can Learn From the Security Community from MWLUG-2017 with Howard Greenberg and Andrew Pollack
The Open Web Application Security Project (OWASP) is an open source community dedicated to improving software security. OWASP publishes a Top 10 list of common security issues in web applications with suggestions on how to alleviate them. This session will examine the OWASP Top Ten list of security suggestions and relate them to the Domino world and how you can better secure your Notes and Domino applications. Both administrators and developers will gain valuable insights into how to best protect sensitive information we maintain in our Domino environments!
Browser Wars 2019 - Implementing a Content Security PolicyGeorge Boobyer
A brief look at the history of the implementation of secure web headers and an overview of creating and monitoring a content security policy (CSP).
It used to be that browsers were something we fought against to get our sites viewed the way we wanted; now they are our allies.
Far from being dumb proprietary clients that just parse our HTML the way they want, they have evolved into complex software applications.
They provide powerful security controls to make decisions about what to display and debugging tools to enable us to investigate their actions.
It is increasingly common to find malicious exploits targeting web pages within the browser; running crypto-miners, stealing credentials and forging requests.
By implementing a set of headers to be delivered alongside our web pages, we can now work with browsers to protect our site visitors from malicious content
and control what is displayed and included on our pages.
In this session we will touch on what threats face our web pages out in the wild and what measures we can employ to work with browsers to protect them.
We will focus on implementing security headers and building a Content Security Policy, and will cover
- implementation of essential security headers;
- the initial investigation and building of a Content Security Policy (CSP);
- implementation and observation of the CSP in the wild;
- monitoring of the CSP once live;
- evidence of its effectiveness (threats thwarted).
Hopefully attendees will be convinced as to why security headers and CSP are invaluable and why projects should build in time and resources to implement them.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
2. https://cwe.mitre.org/data/definitions/79.html
http://bit.ly/1ZK9COc
Cross-site Scripting
● Execution of malicious code injected by an attacker
on victim’s web page
● Leads to credentials and data theft, malware
distribution, site defacement etc.
● Primary reason: Improper neutralization of user input
when it gets rendered on a web page
● Remained as a top threat on OWASP top ten list
since its first publication in 2004
3. Common Remedies
● Input validation and output encoding
● Whitelist trusted contents and tags
● Isolation - e.g. safe iframes
http://bit.ly/1VRI1Gb
6. So what is CSP?
● Content Security Policy is a browser based mechanism that allow you to
whitelist locations from which your web application can load resources.
You can specify a policy on a web page with a CSP HTTP header like
below:
will allow resources to be only loaded from example.com
● Policy Delivery
○ content-security-policy
○ content-security-policy-report-only - for experimenting & monitoring
○ HTML meta tag
content-security-policy: default-src https://example.com
11. <html>
<head>
<base href="https://example.com/" target="_blank">
</head>
<body>
<form action='https://form-sub-example.com' id='theform'
method='post'>
<input type='text' name='fieldname' value='fieldvalue'>
<input type='submit' id='submit' value='submit'>
</form>
</body>
</html>
frame-ancestors - controls who is allowed to frame your page (iframe,
object, embed tags)
plugin-types - whitelist MIME types for object and embed tags. e.g.
application/pdf
sandbox - similar to iframe sandbox attribute. supports allow-forms allow-
same-origin allow-top-navigation
report-uri - specifies a URL to which the user agent sends reports
about policy violation
base-uri
form-action
More directives
12. Directive keywords
● ‘none’ - content-security-policy: default-src ‘none’;
○ Disallows any urls
○ Helpful when you are building a CSP policy
● ‘self’ - content-security-policy: default-src ‘self’;
○ Restricts access to application’s own origin
○ Protocol and port must match as well
● ‘unsafe-inline’ - content-security-policy: script-src ‘unsafe-
inline’;
○ allows inline scripts/style
● ‘unsafe-eval’ - content-security-policy: script-src ‘unsafe-
eval’;
○ allows eval(untrusted_input), setTimeout(untrusted_string) and setInterval
(untrusted_string) and Function constructor
● ‘*’ - wildcard to allow all - content-security-policy: default-src *;
13. CSP versions & browser support
CSP 1.0 http://www.w3.org/TR/CSP1/
○ Available since 2012
○ Directives: connect-src, default-src, font-src, frame-src, img-src, media-
src, objects-src, report-uri, script-src, and style-src
CSP 2.0 http://www.w3.org/TR/CSP2/ (CSP 1.1)
○ Mid 2015
○ New directives: base-uri, child-src, form-action, frame-ancestors, plugin-
types.
○ Deprecates frame-src
Browser support status
○ CSP 1.0 is supported by all modern browsers
○ CSP 2.0 is supported by latest Chrome (v.40+), FireFox (v.35+) and Opera (v27+)
14. Let’s look at some examples….
On https://csp.example.com
content-security-policy: default-src ‘self’;
● https://csp.example.com/campaign.js
● https://csp.example.com/reporting/report.js
● http://csp.example.com/campaign.js
● https://test.csp.com/campaign.js
● https://csp.example.com:8443/campaign.js
15. Why inline Javascript is bad?
Content-Type: text/html; charset=utf-8
<script>console.log("Legitimate javascript code as part of the page");</script>
<div> Welcome, <script>alert("Attack!");</script></div>
https://trusted.example.com/welcome.php?username=<script>alert("Attack!");</script>
<?php
echo '<script>console.log("This is a legitimate javascript code as part of the
page");</script>'
echo '<div class="header"> Welcome, ' . $_GET['username']; . '</div>';
?>
It is hard for the browser to distinguish trusted javascript with a malicious script
16. Mitigation for inline scripts
● Solution 1: Externalizing inline javascript and CSS
○ May involve significant effort for existing applications
○ In addition, there are cases that require inline Javascript, notably for performance.
● Solution 2: use unsafe-inline
○ Reduce the effectiveness of CSP
● Solution 3: CSP 2.0 script whitelisting features - nonce-source and hash-source:
○ nonce whitelisting: nonce-$random - Requires modification to CSP header for every req
○ hash whitelisting - hashAlgorithm-base64hash
○ Hash computation:
% echo -n "alert('Hello, world');" | openssl dgst -sha1 -binary | openssl enc -base64
content-security-policy: script-src 'nonce-random01'
<script nonce="random01"> alert('Hello, world'); </script>
content-security-policy: script-src 'sha1-RgO/D2C8PM9lERhYHMbiSllxM4g='
<script> alert('Hello, world'); </script>
17. Cross-site Scripting
○ CSP prevents XSS from being exploited. How ever it does NOT fix XSS
Unapproved third party beacons, tags and contents
○ Using CSP, restrict the resources to just the whitelisted domains
Packet Sniffing
○ Using CSP, servers can enforce all content be loaded using HTTPS
○ e.g. Content-Security-Policy: default-src https://
Clickjacking - “Look before you click”
○ Use frame-ancestors to specify valid parents
○ Alternate to x-frame-options
Block unwanted plugins
○ Use plugin-types to allow only valid plugins
What are some of the most common attacks and how
can CSP help mitigate?
19. CSP deployment
● Identify domains you trust and start with with a restrictive policy
● Initial policy sample:
● Use HTTPS and enable reporting
● Test this policy using a browser based CSP testing tool (e.g. caspr)
● Rinse and repeat!
content-security-policy-report-only: default-src 'none';
script-src 'self';
connect-src 'self';
img-src 'self';
style-src 'self';
font-src 'self';
report-uri https://csp.example.com
22. Post deployment
● In theory, fully compliant CSP
implementation can leverage reports to
detect injection attacks; however..
● Reports are noisy due to browser
extension violations
● Detect malicious extensions in user
browser
27. Browser extensions - To sum-up
● Extensions are considered as part of Trusted
Computing Base
● They can
○ Interfere with our web pages
○ Alter and inject javascripts to our page
■ Ad injection
■ Malware, exfiltrate user information
■ Alter CSP header itself!
● May contain security vulnerabilities
● Generate large volume of CSP reports
● Make injection attack detection extremely hard
http://bit.ly/1kbsLbp
28.
29. ● Not a solution for all content injection problems
○ E.g. SQL, Shell and other server side injections
● Loose policies
○ Render CSP less effective
● Browser extensions can override CSP policies,
○ Less effective against malicious extensions
● Whitelisted locations are fully trusted
○ CDN scenario
Not so good side of CSP
30. ● Maintain code hygiene
○ Keep HTML, CSS and Javascript separate
○ Use Javascript event handlers
● Automation
○ csp-validator.js protects against CSP misconfigurations and HTTPS
enforcement
● Use stricter policies
○ Always use https:
○ Avoid the use of unsafe-inline and unsafe-eval
○ Use paths https://cdn.example.com/asset/path/ (CSP 2.0 feature)
○ Avoid wildcards if possible - *.example.com
● Enable reporting even on enforce mode
○ Help in detecting content injection in near real time
CSP best practices
31. CSP - What else?
● Scan violation URLs for malwares
● Detect injection attacks in near real time by
analyzing CSP violation reports
● Threat intelligence - IP and URL reputation
based on blocked links
https://www.flickr.com/photos/drp/34988312
32. CSP testing tools
● csptester.io - Open source tool
● csp-validator.js for CICD - PhantomJS headless script to audit CSP policy
for the given URL
● GitHub: https://github.com/yahoo/csptester
● Chrome browser plugin - caspr