Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don't trust a single one, and we will show you why.
This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.
Don't panic - the Addons manager can be found under the 'Tools' tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API.
The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.
The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.
Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. At the opposite, only few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in details and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don't trust a single one, and we will show you why.
This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.
Don't panic - the Addons manager can be found under the 'Tools' tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
This talk intends to demonstrate how to improve web application security testing by combining browser automation framework and web proxy API.
The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.
The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools.
PowerPoint File:
https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
Serverless Security: Defence Against the Dark ArtsYan Cui
Recording: https://www.youtube.com/watch?v=bnXp29kQIwU
Real-world serverless podcast: https://realworldserverless.com
Learn Lambda best practices: https://lambdabestpractice.com
Blog: https://theburningmonk.com
Consulting services: https://theburningmonk.com/hire-me
Production-Ready Serverless workshop: https://productionreadyserverless.com
AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what’s left for you to secure? Quite a bit it turns out.
The OWASP top 10 is as relevant to you as ever; DOS attacks are still a threat even if you can probably brute force your way through it as AWS auto-scales Lambda functions automatically; and did you know attackers can easily steal your AWS credentials via your application dependencies?
In addition to the traditional threats, serverless applications have more granular deployment units and therefore there are more things to configure and secure, and the tools and practices are still catching up with this fast-changing world.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
I'm the butcher would you like some BeEFMichele Orru
Recently a lot of focus in BeEF has been towards developing cool new features that help the day to day job of a social engineer, hereafter known as “The Butcher”.
We have been working very hard and secretively in the last months to widen our range of meaty goods within the Browser Exploitation Framework. During this talk we will release new modules and extensions specifically aimed toward automating the technical parts of a social engineer attack.
Employing techniques that are currently used is great, however “The Butcher” wishes to impart knowledge upon the attendees regarding new techniques that employ successful vectors targeting different browser within different security contexts.
After introducing people to the project who may have never heard of it before, we will be sharing information about real social engineering / penetration testing work that we have done recently and how we have advanced BeEF to achieve maximum coverage. This includes:
Website Cloning: but you haven’t seen it like this before!
Email Spoofing: mass email, easy.
Browser Control / Pwnage Automation: control BeEF programmatically using the RESTful API.
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools.
PowerPoint File:
https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
Serverless Security: Defence Against the Dark ArtsYan Cui
Recording: https://www.youtube.com/watch?v=bnXp29kQIwU
Real-world serverless podcast: https://realworldserverless.com
Learn Lambda best practices: https://lambdabestpractice.com
Blog: https://theburningmonk.com
Consulting services: https://theburningmonk.com/hire-me
Production-Ready Serverless workshop: https://productionreadyserverless.com
AWS has taken over the responsibilities of patching the OS and securing the underlying physical infrastructure that runs your serverless application, so what’s left for you to secure? Quite a bit it turns out.
The OWASP top 10 is as relevant to you as ever; DOS attacks are still a threat even if you can probably brute force your way through it as AWS auto-scales Lambda functions automatically; and did you know attackers can easily steal your AWS credentials via your application dependencies?
In addition to the traditional threats, serverless applications have more granular deployment units and therefore there are more things to configure and secure, and the tools and practices are still catching up with this fast-changing world.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
I'm the butcher would you like some BeEFMichele Orru
Recently a lot of focus in BeEF has been towards developing cool new features that help the day to day job of a social engineer, hereafter known as “The Butcher”.
We have been working very hard and secretively in the last months to widen our range of meaty goods within the Browser Exploitation Framework. During this talk we will release new modules and extensions specifically aimed toward automating the technical parts of a social engineer attack.
Employing techniques that are currently used is great, however “The Butcher” wishes to impart knowledge upon the attendees regarding new techniques that employ successful vectors targeting different browser within different security contexts.
After introducing people to the project who may have never heard of it before, we will be sharing information about real social engineering / penetration testing work that we have done recently and how we have advanced BeEF to achieve maximum coverage. This includes:
Website Cloning: but you haven’t seen it like this before!
Email Spoofing: mass email, easy.
Browser Control / Pwnage Automation: control BeEF programmatically using the RESTful API.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Since 2007 GOFORTUTION.coM is the search engine of tutors & Students in Delhi and all over India .It provides cheapest and best home tutors to students and it also helps to Tutors who are seeking students for home tution. We at Mentor Me provide highly qualified, result oriented, enthusiastic and responsible tutors for all classes, all subjects and in all locations across Delhi & all over India. Here we have tutors for all subjects of CBSE, ICSE,B.com, B.Sc, BBA, BCA,MBA,CA,CS,MCA,BCA,”O” Level, “A” Level etc.GOFORTUTION is a best portal for tutors and students it is not only a site.
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Jeremiah Grossman
Many diligent security professionals take active steps to limit the amount of system specific information a publicly available system may yield to a remote user. These preventative measures may take the form of modifying service banners, firewalls, web site information, etc.
Software utilities such as NMap have given the security community an excellent resource to discover what type of Operating System and version is listening on a particular IP. This process is achieved by mapping subtle, yet, distinguishable nuances unique to each OS. But, this is normally where the fun ends, as NMap does not enable we user's to determine what version of services are listening. This is up to us to guess or to find out through other various exploits.
This is where we start our talk, fingerprinting Web Servers. These incredibly diverse and useful widespread services notoriously found listening on port 80 and 443 just waiting to be explored. Many web servers by default will readily give up the type and version of the web server via the "Server" HTTP response header. However, many administrators aware of this fact have become increasingly clever in recent months by removing or altering any and all traces of this telltale information.
These countermeasures lead us to the obvious question; could it STILL possible to determine a web servers platform and version even after all known methods of information leakage prevention have been exhausted (either by hack or configuration)?
The simple answer is "yes"; it is VERY possible to still identify the web server. But, the even more interesting question is; just how much specific information can we obtain remotely?
Are we able to determine?
* Supported HTTP Request Methods.
* Current Service Pack.
* Patch Levels.
* Configuarations.
* If an Apache Server suffers from a "chunked" vulnerability.
Is really possible to determine this specific information using a few simple HTTP requests? Again, the simple answer is yes, the possibility exists.
Proof of concept tools and command line examples will be demonstrated throughout the talk to illustrate these new ideas and techniques. Various countermeasures will also be explored to protect your IIS or Apache web server from various fingerprinting techniques.
Prerequisites:
General understanding of Web Server technology and HTTP.
Public REST APIs have become mainstream. Now, almost every company that wants to expose services or an application programming interface does it using a publicly exposed REST API. This talk will give participants the skills they need to identify and understand REST vulnerabilities. The findings are a result of reviewing production REST applications as well as researching popular REST frameworks.
By Dinis Cruz, Abraham Kang and Alvaro Muñoz
Black Search Engine Optimisation (SEO), often referred as negative SEO, is a term that covers sabotage techniques aiming to reduce a web site's ranking in search engine results. Black SEO techniques are typically used in business and socio-political contexts, such as information warfare.
The presentation will focus on the use of these techniques to discredit a web site by making it vanish from the major search engine result pages. The discussion will also cover how to exploit common web application vulnerabilities such as Cross Site Scripting, SQL injection and other popular exploitation methods to leverage black SEO attacks. Examples will be included to demonstrate each method of exploitation, and how the vulnerabilities can be used to impact revenues and the reputation of business and political targets.
Black SEO attacks represent a unique class of threats and from a security perspective, any threat which can incur a potential loss should be considered a risk. So far, some of these techniques have only existed as a discussion topic in the SEO industry. Consequently, the intent of my presentation is to bring this complex topic to light to the security community.
When performing a security testing, I often sit in a room with other QA and Software testers.
During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking
this again? What exactly are you testing?"
Whi l e talking to them I realise there is an information gap between us, especially when they share
information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to a conclusion that people in our industry do not realise that
software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing,
methodologies, and most importantly offers some food for thought to stimulate synergy between security
and software testers
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
This presentation introduces some of the web spam techniques used against search engines. This talk is complimentary to the presentation "Black SEO Exposed". Some real examples are discussed and illustrated, including exploitation of web application vulnerabilities.
This talk highlights potential attacks against web application using Ajax and XHR technology. The first part of the talk introduces Ajax and related technologies. Second part of the talk focuses on potential attacks and consequences, including some scenario where SOP (Same of origin) policy is bypassed.
This talk is a generic but comprehensive overview of security mechanism, controls and potential attacks in modern browsers. The talk focuses also on new technologies, such as HTML5 and related APIs to highlight new attack scenario against browsers.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
2. Who am I?
Roberto Suggi Liverani
Senior Security Consultant - Security-Assessment.com
roberto.suggi@security-assessment.com
http://www.security-assessment.com
OWASP New Zealand Chapter Leader
robertosl@owasp.org
http://owasp.org/index.php/owasp_new_zealand
Previous research:
Black SEO
Firefox Extensions
Personal site:
http://malerisch.net
OWASP 2
3. Agenda
Layer 7 DoS Overview
Implications
Root Causes
Attacks and Defenses
Web Application
Web Server
Web Services
Database
Dealing with DDoS HTTP Attack
Before
During
Post - attack
Conclusion
OWASP 3
4. Introduction
Definition: ... an attack designed to render a computer or network
incapable of providing normal services.
Traditional DoS attack – layer 3 and 4
Target computer/network bandwidth
Consume all network resources
Deny resources to legitimate clients
Sold as a service...
Cost:
~ 80$ USD per day
OWASP 4
5. L7 DoS Attacks
Not easily detectable
Legitimate application traffic
HTTP, HTTPS
SOAP, XML
More efficient, less resources
Target a bug, insecure feature
Botnet is not required
DoS single request
Harder to trace
Chain-proxy
Tor
No Source IP address spoofing
HTTP requires complete TCP handshake
OWASP 5
6. Layer 7 DoS – Targets
3-tier
Web tier
Web application
Web server
Application tier
App framework
– JBoss
– SAP
Data tier
Database
– Oracle
– MS SQL
– MySQL
OWASP 6
7. L7 DoS - Implications
Memory
Invalid memory allocation/access/leak
Starvation
CPU
Starvation
Processes/Thread
Fork bomb
Resource starvation
Thread starvation
Deadlock
Race Condition
Disk
Disk overflow
Synptoms: crash, reboot, freeze, CPU runtime 100%
OWASP 7
8. Layer 7 DoS – Root Causes
Insecure feature/reasonable use expectation
Trusted input / action sequence
Human actions expected
Bug/implementation flaw
Poor input filtering and validation
Failing to supply required element/object
Application logic/environment
Application logic open to abuse
Time degrading application actions
Bottlenecks in application framework/environment
Session management
Limited connection pool
Expensive session generation/login process
OWASP 8
10. User Specified Object Allocation
Vulnerable PHP code
Attacker controls $num to generate a lot of items in $stack array
OWASP 10
11. Failure To Release Resources
Vulnerable Database Connection Routine
catch() statement fails to close thisConnection
OWASP 11
12. Session Related DoS
Storing lot of session objects for
caching/performance instead of re-querying
data from other sources (e.g. database)
Consuming session token/login process
Examples
Web tracking, multiple session parameters in use
Large database records are stored in user session for later use
Session created even if user did not register
Session created following user login but registration open to
everyone
OWASP 12
13. User Input As A Loop Counter
Vulnerable Loop Counter
Attacker can tamper with $loop, which is used in a loop counter
involving fopen() operation
OWASP 13
14. RegEx DoS or ReDoS
Exponential RegEx algorithm
2003, Crosby/Wallach - 2009, Alex Roichman / Adar Weidman
Deterministic algorithm will try all paths before returning a match or
no match result
Regex in this case: ^(a+)+$
Payload: aaaaX ->
will go through 16 paths
OWASP 14
15. Web Application DoS Amplifiers
XSS
HTML element pointing to a site/page/request
XSRF
Force a resource consuming login process
Performing a resource consuming POST request
SQLi
Generate exception, leave database connection open
SQL Wildcard attacks
LFI
Request a large file in the internal host
Point to drives such as PRN: CON:
RFI
Request large size resource from a remote host
Request a resource which result in network timeout
OWASP 15
16. Recommendations
Input strict validation and filtering
Handle exceptions and properly release resources
Set limits for:
Session related objects and memory allocated
Token expiration
Object allocation
Loop counters
User registration – captcha
Concurrent session tokens per IP address
Testing your web app
Test RegEx, database queries
DoS and Stress testing
Security testing
OWASP 16
18. XML Parser DoS
XML Parser DOM loads entire XML stream into memory
Nesting and recursive capability with no defined limits
Reiterated elements
Recursive elements
OWASP 18
19. XML Attribute Blowup
Large number of attributes
10000 attributes ~= 90K XML payload ~= 5.000.000 XML parser
operations
Results in non-linear runtime
OWASP 19
20. XML Entity DoS Attacks
XML Exponential Entity
Expansion
Forced recursive
entity expansion
Many laughs
Quadratic blowup
OWASP 20
21. XML External Entity Injection
www.attacker.com may point to:
Nonexistent resource
Network timeout during parsing, might block the process
Large size resource
OWASP 21
23. SOAP Other attacks
SOAP Body
Valid, but very large SOAP body request matching web service
schema
SOAP Attachment
Over sized SOAP attachment referred from the SOAP body
SOAP request resulting in heavy database query
Amplifiers
HTTP/1.1 pipeline
Multiple fragmented SOAP requests
OWASP 23
24. Schema With No Restrictions
No restrictions on the maximum size of the data that can be
embedded in any of the elements
OWASP 24
25. Recommendations
No customised XML parser
Define input type restrictions on web service schema
Validation and filtering (XML FW):
XML “well-formatted” checks
SOAP header/body/attachment checks
Buffer overrun checks
XML schema validation
XML filtering
Limit size of:
XML message
Expanded entities
Attributes
Do not process inline and external DTD references
OWASP 25
27. Low bandwidth DoS Attacks
Slowloris – RSnake (tool)
Technique from Adrian Ilarion Ciobanu – apkill tool
http://www.securityfocus.com/archive/1/455833/100/0/threaded
Fingerprint web server timeout
Change http headers to simulate multiple connections/browsers
Exhaust all threads available
HTTP POST DoS – Wong Onn Chee (identified in honeypot)
No delay in sending HTTP Headers (!= Slowloris)
Content-Length = 1000 bytes
HTTP message body is sent 1 byte each 110 seconds till the
last byte
Require a good number of threads per each machine
– <10k connections to bring down Apache
– ~60k connections for IIS (if rapid fail protection is on)
OWASP 27
28. HTTP POST DoS
A simple bash script
Sleep 110 seconds before sending next byte
y determines number of threads
OWASP 28
29. HTTP Flooders/DDoS Attack
Most common L7 attack
Typically launched from botnets
Black Energy botnet C&C interface
Frequencies, thread and command option
OWASP 29
30. Apache - Recommendations
Key Directives
Maxclients, Timeout, KeepAlive and KeepAlive Timeout
Traffic Shaping
mod_throttle - limit the frequency of requests allowed from a
single client within a window of time
mod_bwshare - bandwidth throttling by HTTP client IP address
mod_limitipconn - limit the number of simultaneous downloads
permitted from a single IP address
mod_dosevasive - detects too many connections and
temporaribly block offending IP address
mod_security – WAF, filtering, monitoring, logging
Load/Stressing testing
http_load
Jmeter
Slowloris + DoS tools OWASP 30
31. IIS - Recommendations
IIS Extensions:
URLScan or Webknight
MaxAllowedContentLength, MaxUrl and MaxQueryString
attributes
Dynamic IP Restrictions
Dynamically blocking of requests from IP address based on:
– The number of concurrent requests
– The number of requests over a period of time
ISA Server Network Protection
Act as load balancer and WAF at the same time
Multiple options for HTTP DoS attacks
HTTP requests per minute, per IP address
Check Application pool health monitoring
IIS worker threads status
OWASP 31
33. SQL Wildcard Attacks
Ferruh Mavituna – 2008
Affect MS SQL and other databases (MySQL, PostsgreSQL,
Access)
Query should return few or no results – it must go through the
entire data on the database
OR combinations should be different otherwise db performance
algorithms may optimise query
Longer query, longer time to execute
Avoids caching in the database, so every query would be
different
OWASP 33
34. Recommendations
Perform input validation and filtering based on whitelist
Discard wildcards and other potential characters
Limit number of characters on the query
Input type strict validation (e.g. number must be a number)
Implement CAPTCHA for advanced searches/queries
Search/Query Limits
Set limit of searches/queries per user per day
Only authenticated users can run consuming search/queries
Limit SQL query execution time
Limit number of records/rows returned by database
Memcached
High performance, memory object caching system
OWASP 34
35. Dealing with an HTTP DDoS Attack
Part I - Before the Attack
OWASP 35
36. Generic Principles
Business continuity planning
Business impact analysis
Classify critical assets based on MTD (Max Tolerable
Downtime)
Develop a 3 phases plan
Protection
ISP agreements, insurance and trade off strategy
Systems, devices and application hardening
Design network for attacks
Detection
Monitoring and analysing
Reaction
Incident Plan
OWASP 36
37. Protection And Prevention
ISP agreements
DoS protection included in agreements
Insurance policy
Establish trade-off strategies/tactics
Absorbe attack
Degrade service
Shut down service
Systems Hardening
Perform regular host reviews against CIS and NIST standards
Perform application reviews
Network Hardening
Load and stress testing network
OWASP 37
38. Segmentation And Overprovision
Segmentation
Redundancy for critical services
Critical services with dedicated server
Overprovision
Hardware and network
Monitoring
Host and Network Intrusion Detection System
Centralised log system
Incident planning
What to do during in incident
Escalation line
Action items
Test your incident plan regularly!
OWASP 38
39. Dealing with an HTTP DDoS Attack
Part II – During the attack
OWASP 39
40. Under attack or not?
Establish if it is a real attack
Check unusual spikes/anomalies compared to baseline traffic
Multiple IP addresses requesting a large number of connections
in a relative short time
In case of attack, what is the target?
IP address, domain, multiple services
Is target critical? How much can you lose ?
Communication
Everyone on the same page
Internal staff may know the reason why they are attacked
Document everything
Logs, graphs and reports
Correlation and timeline
OWASP 40
41. External collaboration
Contact ISPs
Provide detailed information
Triangulation software helps
identifying botnet C&C server
Uncooperative hosting providers can be declared to press
Security Community/Botnet Researcher
Attack fingerprint may help in detecting type of botnet and C&C
Contact Law Enforcement – CCIP, NZCERT
Set a “we are down” web page
OWASP 41
42. Reacting
Slowing the attack
Tarpitting
Delays incoming connections for as long as possible
Deflection
IP Hopping: IP address changed at “random” intervals within a
specified set of IP addresses range
Dropping
Dropping connections for a determined time
Escalation (law/legal implications)
Identify C&C and track down botnet C&C server
Report C&C to authorities
…
Look at the botnet
…
OWASP 42
43. Dealing with an HTTP DDoS Attack
Part III – The day after
OWASP 43
44. Recovering
Lesson learnt analysis
Meet the day after (everything still fresh)
Go over what worked and what didn’t
Update incident plan
Root causes
Was attack targeting a specific and vulnerable system?
Was just a standard flooding attack?
What if it happens again?
Business Recovery
Recover services as soon as possible
Provide incident data to law enforcement agencies
OWASP 44
45. Conclusions
No generic anti-DoS solution
Each organisation = different environment
Harden systems, applications and networks
Perform regular DoS testing and audits
Continuous monitoring and alerting
Don’t trust anti-DDoS vendors
Carefully evaluate anti-DDoS related products/services
Networking and cooperation
Good relationships with security community, ISP and law
enforcement agencies
OWASP 45
47. References
Slowloris - http://ha.ckers.org/slowloris/
Apache HTTP DoS tool mitigation -
http://isc.sans.edu/diary.html?storyid=6613
Mitigating the Slowloris HTTP DoS Attack -
http://threatpost.com/en_us/blogs/mitigating-slowloris-http-
dos-attack-062209
Regular Expression DoS -
http://www.owasp.org/index.php/Regular_expression_Denial_of
_Service_-_ReDoS
Testing for Storing too much data in session -
http://www.owasp.org/index.php/Testing_for_Storing_too_Muc
h_Data_in_Session_(OWASP-DS-008)
Testing for writing user provided data to disk -
http://www.owasp.org/index.php/Testing_for_Writing_User_Pro
vided_Data_to_Disk_(OWASP-DS-006)
OWASP 47
48. References
Testing for user input as loop counter -
http://www.owasp.org/index.php/Testing_for_User_Input_as_a_
Loop_Counter_(OWASP-DS-005)
Testing for DoS User Specified Object allocation -
http://www.owasp.org/index.php/Testing_for_DoS_User_Specifi
ed_Object_Allocation_(OWASP-DS-004)
Testing for Denial of Service -
http://www.owasp.org/index.php/Testing_for_Denial_of_Service
HTTP DDoS Attack mitigation using tarpitting -
http://www.secureworks.com/research/threats/ddos/
Guest Blog: Defending against DDoS -
http://www.sectechno.com/2009/12/06/guest-blog-defending-
against-ddos/
A cheesy Apache / IIS DoS vul (+a question) -
http://www.securityfocus.com/archive/1/456339/30/0/threaded
OWASP 48
49. References
The top 10 things to do while under ddos attack -
http://www.blyon.com/blog/index.php/2010/01/24/ddos_top_10/
Apache httpd server denial of service attack example -
http://pub.mud.ro/~cia/computing/apache-httpd-denial-of-
service-example.html
Distributed Denial of Service (DDoS) attack tools -
http://staff.washington.edu/dittrich/misc/ddos/
Help defeat distributed denial of service attacks: steps by steps
- http://www.sans.org/dosstep/
Intentando detener un DDoS -
http://foro.elhacker.net/tutoriales_documentacion/intentando_d
etener_un_ddos-t137442.0.html
Using squid to fight ddos -
http://www.blyon.com/blog/index.php/2009/07/24/using-squid-
proxy-to-fight-ddos/
OWASP 49
50. References
Surviving DDoS Attacks -
http://research.corsaire.com/whitepapers/040211-surviving-
ddos-attacks.pdf
Application Denial of Service attacks -
http://research.corsaire.com/whitepapers/040405-application-
level-dos-attacks.pdf
Denial of service attack – wikipedia -
http://en.wikipedia.org/wiki/Denial-of-service_attack
DDoS A&D International Workshop on DDoS Attacks and
Defenses - http://caislab.kaist.ac.kr/77ddos/Program.html
DDoS Self Defense -
http://caislab.kaist.ac.kr/77ddos/DDoS%20Self-Defense.pdf
DDoS Traceback and Beyond -
http://caislab.kaist.ac.kr/77ddos/DDoS%20Attack%20Traceback
%20and%20Beyond.pdf
OWASP 50
51. References
DoS Attacks Using Sql Wildcards - http://www.portcullis-
security.com/uplds/wildcard_attacks.pdf
Anyone interested in the details of latest HTTP POST DDOS
attack technique? - https://lists.owasp.org/pipermail/owasp-
leaders/attachments/20100308/bc2a1777/attachment-0001.pdf
CERT – Managing the threat of denial-of-service attacks -
http://www.cert.org/archive/pdf/Managing_DoS.pdf
O’Reilly, 2005 - Apache SecurityBy Ivan Ristic
OWASP Guide 2.0, denial of service attacks
RESPONDING TO A DISTRIBUTED DENIAL OF SERVICE
ATTACK WITH A SELECTIVE TARPIT
http://psifertex.com/download/Jordan_Wiens_GCIH.pdf
Attacking Web Services -
http://www.owasp.org/index.php/File:AppSec2005DC-
Alex_Stamos-Attacking_Web_Services.ppt
OWASP 51