The following presentation describes CVE-2018-5955, an unauthenticated action in GitStack that allows a remote attacker to add new users and then trigger remote code execution.
If you ask about API security, you will most likely be told about OAuth2, maybe OpenID Connect, and of course TLS.
But in order to properly secure APIs, you will have to address many other aspects. This presentation covers key concepts related to API security, as well as practical tools and solutions to address the overall issue, such as:
- Transport and message encryption
- Digital Signatures
- Auditing and non-repudiation
- SecDevOps and security as code
- Coding best practices and how to enforce them
- Infrastructure Best Practices
Mining Malevolence: Cryptominers in the Cloud (Cloud Village)
Speaker: Cheryl Biswas
Cloud. It's the land of opportunity. Enterprises are doing mass migrations from older and legacy systems to harness greater power and efficiency from innovative new tech. Following that money trail are opportunistic attackers, seeking the computing strength and near-invisibility afforded by enterprise cloud environments to mine bitcoin. Cryptominers are everywhere. And yes, Virginia, they are in the Cloud. These nebulous power-rich realms let attackers set up mining rigs to feast on enterprise resources, while flying below the detection of cloud or conventional security resources. The concern here is that once attackers gain access to our networks, they can pivot and move laterally, to find even greater reward in the vast amounts of data available.
The document discusses the OWASP API Security Top 10 project which aims to raise awareness of common API vulnerabilities. It highlights some frequent issues like input validation problems, insecure configurations, and data/exception leakage. The document also demonstrates examples of these vulnerabilities using a vulnerable demo API called Pixi.
[Wroclaw #9] The purge - dealing with secrets in Opera Software (OWASP)
This document discusses Opera Software's process for preventing secrets and sensitive information from being committed to code repositories. It describes the problem of secrets in codebases, various tools for identifying and managing secrets like HashiCorp Vault and detect-secrets, and Opera's implementation which uses Vault for secret storage and detect-secrets for identifying secrets in code. The process involves creating a secrets baseline, enabling detect-secrets hooks to prevent pushes with new secrets, auditing the codebase history, and updating the baseline over time.
Cloudfest 2018 - Secure Cloud Servers in a Nutshell. Quick overview of thre... (Sergey Lystsev)
The Night is Dark and Full of Terrors.
The year 2018 started with the discovery that even CPUs can be vulnerable. And yet a lot of website owners don't recognize the degree of the threat. So let's assess the danger and see how one can protect their server without investing hundreds of hours in learning. Quick overview of Internet dangers and easy, practical ways to protect yourself:
- be up to date
- establish network protection
- do malware scans
- isolate properly within the server
- do proper password protection
- protect your identity with a valid SSL certificate
- start caring about security!
In this presentation, we explain why OAuth and SSL are not enough when it comes to API security, and that you should also think about addressing other aspects such as confidentiality, integrity, audit or compliance requirements. We expose the tactics to address each of those aspects, and a set of recommendations to apply immediately to your API development.
The vulnerability allows remote code execution through a malformed Content-Type header, requiring no authentication. It affects certain Apache Struts versions and can be exploited to gain full system privileges. Workarounds include upgrading to a fixed version or changing the multipart parser implementation. The vulnerability was exploited to breach Equifax's systems through a web application, potentially compromising sensitive personal data for over 140 million people.
Avoiding damage, shame and regrets: data protection for mobile client-server a... (Stanfy)
Prepared by Anastasiia, iOS Engineer at Stanfy for speaking at do {iOS} Amsterdam 2015.
We will talk a bit about avoiding snake oil, getting rid of cognitive biases when planning application security, and how to avoid becoming a cryptography professor when you only need to protect your app.
Given the pace at which APIs are created, proper security requires automation. This presentation introduces the top OWASP issues occurring today and a series of steps to better protect our APIs.
While it is quite common practice to do periodic security assessments of your local network, it is really rare to find a company that puts the same effort into testing the security of their cloud. We have to understand what new threats and risks appeared with the cloud and how we should change our attitude to testing cloud security. The goal of my presentation is to show how security assessment of cloud infrastructure differs from testing environments with a classic architecture. I'll demonstrate a hypothetical attack on a company which is fully deployed in the AWS environment. I'm going to show the whole kill chain, starting from presenting cloud-applicable reconnaissance techniques. Then I'll attack the web application server hosted on an EC2 instance to access its metadata. Using the assigned role, I'll access another AWS EC2 instance to escalate privileges to administrator and then present how to hide fingerprints in the CloudTrail service. Finally, I'll demonstrate various techniques for silently exfiltrating data from an AWS environment and setting up persistent access, and describe other potential cloud-specific threats, e.g. cryptojacking or ransomware in the cloud. The presentation shows practical aspects of attacking cloud services, and each step of the kill chain will be presented in the form of an interactive, live demo. Using the presented attacks as examples, I'll show how to use the AWS exploitation framework Pacu and other handy scripts.
Concept of MITRE ATT&CK for connected cars and vehicles, as presented at EU ATT&CK Workshop #8. An initiative to use Sigma rules for a VSOC to proactively map out threats for connected cars.
Secure development of an Android app sometimes requires the use of third-party libraries and external frameworks, which are often expensive or hard to update quickly if vulnerable. The Android SDK and Google Play Services provide security features and services that allow a developer to take advantage of security enhancements in order to increase the security level of an application. The talk, starting from real common threats, will show how some of these features can be used in the different versions of Android, up to the newest, Nougat, to mitigate security risks that could afflict a mobile application.
FBI & Secret Service - Business Email Compromise Workshop (Ernest Staats)
Compiled some open source and other tools that I have used for BEC/EAC protection, security, & training. I had a great time sitting on the panel with other members.
API security needs to be thought of with agility and collaboration in mind. In this presentation, we explain why API security must be automated: explosion of endpoints, continuous change, human errors, and the early involvement of security teams in the API dev process.
Speaker 1: Ashwin Vamshi
Speaker 2: Abhinav Singh
Cloud services are built for increased collaboration and productivity, and provide capabilities like auto sync and API-level communication. This has led enterprises to exclusively use SaaS, PaaS and IaaS services for storing and sharing critical and confidential data. End users as well as security products tend to place implicit trust in cloud vendors such as Microsoft, AWS, Google, and SaaS app vendors such as Box, Salesforce, DropBox. As a result, cybercriminals have started launching their attacks from these trusted cloud services. This talk will focus on how attackers are abusing these trusted cloud services to create phishing attacks that are highly effective and hard to detect.
ModSecurity is an open source web application firewall started in 2002 by Ivan Ristic. It can be embedded into web applications and servers to provide protection without introducing additional network components. As an embeddable WAF, ModSecurity offers low overhead, scalability, and avoids single points of failure. It monitors traffic in real-time, supports logging for auditing, and can help patch vulnerabilities without requiring application changes. ModSecurity works with Apache and other web servers, and a standalone version is in development.
This webinar includes insight into how cyber deception is implemented across an AWS hosted network environment. The webinar will show you how to secure your EC2 servers and S3 storage using MazeRunner's deception technology. Let's keep attackers out of your cloud!
Original broadcast date: March 21, 2018.
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC has led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - antivirus products, messengers, privacy tools, firewalls, and more.
This presentation:
1. Explains how XPC/NSXPC work
2. Presents some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuses an interesting feature on Catalina allowing an unsigned dylib to be injected
4. Shows you how to fix that vulnz finally!
This document discusses sandboxing in the .NET CLR. It covers security architecture and application domains, as well as code access security, permissions, and the transparency model. The document also discusses sandbox implementation and partial trust applications in ASP.NET. It provides references for further exploring the .NET security model and testing for vulnerabilities.
LF_APIStrat17_Beyond OAuth: A Holistic Approach to Securing Your APIs and You... (LF_APIStrat)
This document discusses the need for a holistic approach to API security as APIs have become more widely used. It notes that API security needs to evolve from established perimeter security models to new models to account for blurred perimeters from APIs. The document advocates considering all aspects of API security including authentication, authorization, integrity, confidentiality, availability, auditability and more. It also stresses that the right infrastructure is needed and that a one-size-fits-all approach does not work given differences in APIs. The document promotes securing APIs through the entire development lifecycle from design to deployment using a Sec-Dev-Ops model with collaboration between teams.
Avoiding integration testing nightmares with Mule and Pacts (Michael Hyatt)
Using Pact to avoid going through integration testing with Mule components. Based on http://docs.pact.io
Example code: https://github.com/michaelhyatt/mule-pact
This webinar discusses the Responder.py tool and how to use the Responder Monitor to detect its activity. The Responder Monitor works by issuing fake NBNS queries and detecting if Responder.py responds, indicating a poisoning attempt. If credentials are provided, it checks if they are stolen. Best practices include deploying decoys in each network segment and configuring the Responder Monitor service and endpoints to monitor that segment. SOC integration can detect any use of stolen credentials. A demo then showed the Responder Monitor in use.
The document discusses a MuleSoft meetup event that included a presentation on tracing Mule flows with Zipkin and OpenTracing. It describes how distributed systems debugging can be challenging due to latency issues, reuse complexity, and lack of proper debugging tools. The presentation promotes designing systems for traceability across technologies, components, and dynamic dependencies using the OpenTracing and Zipkin standards. It demonstrates how spans represent flows and activities with parent-child relationships and how context is propagated between callers and callees.
Developer in a digital crosshair, 2022 edition - No cON Name (SecuRing)
The frequency of attacks on third-party libraries and tools used in software development has dramatically increased in recent years.
Typosquatting, dependency confusion, malicious changes in popular dependencies (UAParser.js, coa, node-ipc...), issues in popular dev tools (Codecov, Homebrew, npm...) or incidents (PHP, GitHub...). In this presentation, I will go over many fascinating, recent examples of these attacks, their causes and effects, and recommend how you can stay secure when developing software.
Developer in a digital crosshair, 2022 edition (SecuRing)
This presentation takes you through recent attacks aimed at software developers and software companies. First, it starts with attacks on libraries you install or have installed (typosquatting, pushing malicious library updates after a maintainer's credential takeover, protestware), even your private ones (dependency confusion). Second, it shows attacks on tools used in software development (package managers). Third, there are examples of attacks on developers' infrastructure (the PHP programming language git server, the GitHub OAuth incident with Heroku and Travis-CI).
Secure coding is the practice of developing software securely by avoiding security vulnerabilities. It involves understanding the application's attack surface and using techniques like input validation, secure authentication, access control, and encrypting sensitive data. The OWASP organization provides free tools and guidelines to help developers code securely, such as their Top 10 security risks and cheat sheets on issues like injection, authentication, and access control. Developers should use static and dynamic application security testing tools to identify vulnerabilities and continuously learn about secure coding best practices.
Addressing the security of a web application is one of the hardest tasks a developer has to consider during the development and integration phases of a piece of software or even a simple website.
The threats present on the web are ever more numerous, and searching for vulnerabilities and attack methods is becoming ever easier, even for the less experienced.
The talk aims to provide useful guidance for avoiding attacks on one's own applications as much as possible, by analysing the main vulnerabilities of the best-known Open Source projects.
- XSS / HTML Injection
- Authorization and Authentication
- Sensitive information disclosure
- CORS Misconfiguration
- APIs over HTTP
- CSRF
- HTTP Verb tampering
- Fuzzing / Boundary Checks
- API Rate limiting
- API Key Compromise
A Novel Mutual Authentication Algorithm using Visual Cryptography with Novel ... (IRJET Journal)
The document proposes a novel mutual authentication algorithm using visual cryptography. It aims to provide stronger authentication security compared to traditional text-based passwords. The algorithm uses two registered images per user - a security image and password image. During registration, the server generates shares of the images and mails one share to the user. During login, the user uploads their share to authenticate the server, while the server generates a random session share of the password image to authenticate the user by reconstructing and hashing the image. The algorithm provides mutual authentication without third party involvement by using visual cryptography techniques on user-registered images.
Developer in a digital crosshair, 2023 edition - 4Developers (SecuRing)
Recent years show a significant increase in attacks against libraries, tools, and infrastructure used in application development, as well as directly against developers and software companies, ranging from fake libraries and malicious changes to popular libraries or programming languages to vulnerabilities in CI/CD infrastructure components.
During the presentation, you will discover a handful of interesting, fresh examples and attack techniques and, perhaps most importantly, learn how to work safely as a programmer. You will find out about typosquatting, dependency confusion, protestware and discover stories of attacks on PHP, Codecov, Homebrew, npm, RubyGems, or GitHub.
A penetration testing report submitted during an internship at ICT Academy, IIT Kanpur. This report describes a basic flow for performing a penetration test, from reconnaissance to finding vulnerabilities. It should be helpful for security researchers who are looking to write a penetration testing report for their project.
1) The document discusses software supply chain security and examples of known attacks, including typosquatting, project takeovers, account takeovers, and inserting malware or backdoors into dependencies.
2) It provides details on specific past attacks, such as those on the event-stream, eslint, and electron-native-notify packages, how they were carried out, and their goals.
3) The presentation recommends steps developers can take to help protect their software supply chains, such as carefully managing dependencies, setting up a SECURITY.md file, enabling GitHub security features, and using two-factor authentication.
This document discusses common security issues that can occur with APIs and provides examples and recommendations for addressing them. It covers topics like excessive data exposure, broken function-level authorization, mass assignment vulnerabilities, improper assets management, and the importance of email safety. The document provides real-world examples like data breaches at Snapchat and Airbnb. It recommends approaches like explicitly defining what data can be accessed, monitoring for unusual patterns, hashing credentials, knowing what third parties do with data, and treating non-production APIs the same as production APIs. The document directs readers to additional resources on API security best practices.
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
HTTP Parameter Pollution (HPP) - SEaCURE.it presentation by Luca Carettoni and Stefano Di Paola
Throughout this presentation, we will present a new attack technique called HTTP Parameter Pollution (HPP). We will examine with a fresh perspective a newly discovered input validation flaw, while demonstrating new threats and possible attack scenarios. Such injection can be defined as the possibility to override the HTTP GET/POST parameters within the query string. In such situations, an attacker may replace existent values which are normally hardcoded and not accessible. In many cases it can be used to modify the behaviors of client-side and server-side applications, to exploit vulnerabilities in uncontrollable variables as well as bypassing web application firewalls. Some of the attacks covered in this talk have been discovered in real-world applications.
Although input validation vulnerabilities are a well-known subject in the web application security field and are extensively covered by several researchers, it is quite surprising that no formal definition of the HPP attack was previously published, as far as we know. Once again, it is a clear demonstration of how important is to develop comprehensive input validation filters in order to manage new incoming web application threats
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
View the on-demand recording: http://securityintelligence.com/events/avoiding-application-attacks/
Your organization is running fast to build your business. You are developing new applications faster than ever and utilizing new cloud-based development platforms. Your customers and employees expect applications that are powerful, highly usable, and secure. Yet this need for speed coupled with new development techniques is increasing the likelihood of security issues.
How can you meet the needs of speed to market with security? Hear Paul Ionescu, IBM Security, Ethical Hacking Team Lead discuss:
- How application attacks work
- Open Web Application Security Project (OWASP) goals
- How to build defenses into your applications
- The 10 most common web application attacks, including demos of the infamous Shellshock and Heartbleed vulnerabilities
- How to test for and prevent these types of threats
IRJET- A Defense System Against Application Layer Ddos Attacks with Data Secu...IRJET Journal
This document proposes a defense system against application layer distributed denial of service (DDoS) attacks that uses data structures to quickly detect and mitigate such attacks. The system uses a CAPTCHA test to determine if a request is part of an attack. Requests from blacklisted IP addresses are blocked, while requests from whitelisted IP addresses are allowed. The experimental results show that the system can reduce malicious requests quickly while posing limited impact on normal users. The system also includes a honey pot technique for file security in cloud storage, where unique codes are generated for uploaded files and must be provided to download files, returning dummy files for invalid codes.
This presentation by Mike Shame of Qualys the basics of Web Application Security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as: cross-site scripting (XSS) attacks, SQL injection, directory traversals, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
Operationalizing Multi Cluster Istio_ Lessons Learned and Developing Ambient ...MichaelOLeary82
Kevin Dorosh presented on operationalizing multi-cluster Istio and developing ambient mesh. He discussed connectivity and communication challenges when services span multiple clusters. He then explained how Istio provides service discovery, secure communication, traffic control, policy enforcement, and resilience. Dorosh also covered ambient mesh, which removes the sidecar proxy and instead runs a single proxy on each node for lower overhead and easier operations. He demonstrated how ambient mesh maintains Istio's security features like mTLS and access control.
A summary of the document is:
1. The document contains news articles and summaries about recent security events, tools, and vulnerabilities including a SQL injection on a Dutch website exposing 168,000 personal records, IBM unleashing a virus on attendees of a security conference, Symantec acquiring VeriSign's web security business, and the release of new versions of security tools like Metasploit and Dirbuster.
2. It also provides information on the Month of PHP Security in May, the inventor of the ATM, a new tool for recovering router passwords, and vulnerabilities in older versions of Firefox.
3. Links are provided for further details on many of these topics.
Developer in a digital crosshair, 2022 edition - Oh My H@ck!SecuRing
Attacks on third-party libraries and tools that are often used while developing software have become dramatically frequent.
Among these attacks, one can find dependency confusion, issues in popular dev tools (Codecov, Homebrew, npm...), typosquatting, incidents (PHP, GitHub...), or malicious changes in popular dependencies (UAParser.js, coa, node-ipc...). I will share a lot of gripping real-life examples of such attacks, their causes and effects, and help you stay secure while developing software.
7.1 Identify which attribute scopes are thread-safe:
Local variables
Instance variables
Class variables
Request attributes
Session attributes
Context attributes
7.2 Identify correct statements about differences between the multithreaded and single-threaded servlet models.
7.3 Identify the interface used to declare that a servlet must use the single thread model.
2. Whoami
• Adam Nurudini
CEH, ITIL V3, CCNA, CCNP, CASP, PCI-DSS, BSC-IT
Lead Security Researcher @ Netwatch Technologies
Project Consultant, Information Security Architects Ltd
Member, Cybersecurity Resilience Service Team
Web Application Penetration Tester
3. INTRODUCTION
The following presentation describes an unauthenticated action in GitStack that allows a remote attacker to add new users and then trigger remote code execution.
Description
An issue was discovered in GitStack through 2.3.10. User controlled input is not sufficiently filtered, allowing an unauthenticated attacker to add a user to the server via the username and password fields to the rest/user/ URI.
CVE-ID
CVE-2018-5955
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5955
Vulnerability disclosed by:
Kacper Szurek, an independent security researcher, who reported the vulnerability to Beyond Security's SSD.
Vendor response
"Since October 17, 2017, we have tried to contact GitStack many times and have received a response, but they have not provided details about a solution or workaround."
4. • GitStack is a web application that lets you set up your own private Git server, which means you can stand up a version control system from scratch.
• GitStack makes it easy to keep your server up to date. It is Git for Windows and is compatible with any other Git client. GitStack is completely free for small teams.
6. UPCLOSE WITH CVE-2018-5955
In vulnerable versions of GitStack, a flaw in Authentication.class.php allows unauthenticated remote code execution: $_SERVER['PHP_AUTH_PW'] (the HTTP Basic-auth password) is passed directly to an exec function.
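As an added example, not code from the deck or from GitStack, the pattern just described is modelled in Python rather than GitStack's PHP: a command string built from the request's password beside the argv-list form that fixes it. The printf command standing in for the helper GitStack actually executes, and the command layout, are assumptions.

```python
"""Command injection through a Basic-auth password passed to a shell, and
the fix. Added example; 'printf' stands in for the real helper program."""
import re
import subprocess

# Usernames reach the command line too, so whitelist them explicitly.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

def check_user_vulnerable(username, password):
    """Interpolates both request values into one shell command string, as the
    vulnerable code did with $_SERVER['PHP_AUTH_PW']. Any shell metacharacter
    in the password (';', '&&', backticks, ...) becomes part of the command."""
    cmd = f"printf '%s\\n' check_user {username} {password}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()

def check_user_hardened(username, password):
    """Passes each value as its own argv entry with no shell in between, so the
    password is data rather than syntax; the username is validated as well."""
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    out = subprocess.run(["printf", "%s\n", "check_user", username, password],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

if __name__ == "__main__":
    # The Basic-auth password an attacker would send; harmless here.
    payload = "x; printf INJECTED"
    print("vulnerable:", check_user_vulnerable("admin", payload))
    print("hardened:  ", check_user_hardened("admin", payload))
```

With the vulnerable function the injected printf runs as a separate command and "INJECTED" appears in the output; with the hardened one the whole payload arrives as a single literal argument. On the Windows hosts GitStack actually runs on, cmd.exe separates commands with & rather than ;, but the fix is the same: never hand request data to a shell.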
To exploit the vulnerability, the repository web interface must be enabled, a repository must exist, and a user must have access to that repository. Once an attacker has added a user to the server, that account can be used to enable the web repository feature.
Note: GitStack should have created a passwd file for local user accounts. Default location: C:\GitStack\data\passwdfile
Now the attacker can create a repository remotely and restrict access to it so that only their own account can reach it. Into that repository the attacker can upload a backdoor and use it to execute code. The chain, step by step:
1. View users
An unauthenticated GET to /rest/user/ returns the list of GitStack users: an information disclosure through unauthorized access.
2. Create user
An unauthenticated POST to /rest/user/ with username and password fields adds a user directly. This arbitrary user creation is CVE-2018-5955 itself:
3. Create a repository
POST a name to create the corresponding project. A CSRF_TOKEN is required in the POST data; to obtain it, visit the login page, e.g. http://$IP/registration/login/?next=/gitstack/, and read the token from the page source:
4. Add the user to any repository
POST http://$IP/rest/repository/<repository name>/user/<user name>/
14. Remote command execution vulnerability
Once the web interface is enabled (see above), the repository browser is reachable at http://$IP/web/index.php. It authenticates with HTTP Basic auth, and that password is the $_SERVER['PHP_AUTH_PW'] value Authentication.class.php passes to exec. An attacker who started with no credentials, using the account created in step 2, can upload a reverse-shell payload to the GitStack repository and execute it, compromising the web application and the server hosting it.
DEMO | 5mins
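The chain above leaves a recognisable trail in the web server's access log. As an added example, not part of the deck and not GitStack code, the following Python detection logic runs over constructed Apache-style log lines; the addresses, names and timestamps are made up, and the path of the repository-creation call (POST /rest/repository/) is an assumption, since the deck only says a name is POSTed.

```python
"""Detection logic for the GitStack abuse chain over web-server access logs.
Added example; the sample log is constructed."""
import re
import sys
from collections import defaultdict

# Common Log Format: ip ident authuser [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Stages of the chain, in order: (name, method, path pattern, expect_no_auth).
# The REST calls in the deck are made without credentials; the final
# /web/index.php hit is made with the self-registered account.
STAGES = [
    ("list_users",   "GET",  re.compile(r"^/rest/user/?$"),                        True),
    ("add_user",     "POST", re.compile(r"^/rest/user/?$"),                        True),
    ("csrf_fetch",   "GET",  re.compile(r"^/registration/login/?$"),               True),
    ("create_repo",  "POST", re.compile(r"^/rest/repository/?$"),                  True),  # assumed path
    ("grant_access", "POST", re.compile(r"^/rest/repository/[^/]+/user/[^/]+/?$"), True),
    ("web_access",   "GET",  re.compile(r"^/web/index\.php$"),                     False),
]
ORDER = [name for name, _, _, _ in STAGES]

# Constructed sample: one external source (203.0.113.7) walking the whole
# chain, plus two legitimate internal users.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2018:10:01:02 +0000] "GET /gitstack/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2018:10:02:10 +0000] "GET /rest/user/ HTTP/1.1" 200 87
203.0.113.7 - - [10/Mar/2018:10:02:11 +0000] "POST /rest/user/ HTTP/1.1" 200 45
203.0.113.7 - - [10/Mar/2018:10:02:12 +0000] "GET /registration/login/?next=/gitstack/ HTTP/1.1" 200 2310
203.0.113.7 - - [10/Mar/2018:10:02:13 +0000] "POST /rest/repository/ HTTP/1.1" 200 60
203.0.113.7 - - [10/Mar/2018:10:02:14 +0000] "POST /rest/repository/exploit/user/evil/ HTTP/1.1" 200 31
203.0.113.7 - evil [10/Mar/2018:10:02:20 +0000] "GET /web/index.php?p=exploit HTTP/1.1" 200 4000
10.0.0.9 - alice [10/Mar/2018:10:05:00 +0000] "GET /web/index.php?p=project HTTP/1.1" 200 3900
"""

def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["path"] = ev["path"].split("?", 1)[0]   # match on the path only
    ev["unauthenticated"] = ev["user"] == "-"
    return ev

def classify(ev):
    """Name the chain stage a successful (2xx) request belongs to, or None.
    REST stages only count when the request carried no credentials."""
    if not ev["status"].startswith("2"):
        return None
    for name, method, pat, expect_no_auth in STAGES:
        if ev["method"] == method and pat.match(ev["path"]):
            if expect_no_auth and not ev["unauthenticated"]:
                return None
            return name
    return None

def detect(log_text):
    """Return {source_ip: [stages seen, in chain order]} for every source that
    created a user or granted repository access without authenticating.
    Either of those alone is the CVE-2018-5955 signature; the other stages
    are reported for context."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        stage = classify(ev)
        if stage is not None:
            seen[ev["ip"]].add(stage)
    return {
        ip: sorted(stages, key=ORDER.index)
        for ip, stages in seen.items()
        if stages & {"add_user", "grant_access"}
    }

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for ip, stages in detect(text).items():
        print(f"{ip}: {' -> '.join(stages)}")
```

Point it at the access log of the web server GitStack runs behind. One caveat: the authuser field only reflects HTTP Basic auth, so an administrator adding users through the browser UI with a session cookie will also show as "-"; restrict the rule to sources outside the admin network, or correlate with the Cookie header if your log format records it.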
15. PROACTIVE REMEDIATION
Focus on development best practices such as the OWASP Top 10 Application Security Risks – 2017. In this scenario the presenter maps the issue to:
A2:2017 Broken Authentication
A5:2017 Broken Access Control
A6:2017 Security Misconfiguration
Passing $_SERVER['PHP_AUTH_PW'] straight to exec (slide 6) also falls squarely under A1:2017 Injection: never build a shell command from request data; pass arguments separately and validate them.