This document gives an overview of Ruby on Rails (RoR) from a code auditor's perspective. It covers the MVC architecture Rails uses and where the model, view and controller components typically live in a Rails application. It then lists the things an auditor commonly looks for when reviewing Rails code, such as user input validation, filters, migrations and more. Specific issues found in Redmine and another open source project are given as examples, including a persistent XSS and an information leak.
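As an added illustration of the "things to look for" the talk covers, here is a small first-pass audit script that greps Rails source for the sinks an auditor typically checks first: unescaped view output (stored XSS), SQL built by string interpolation, skipped authentication filters, whole `params` hashes passed to a model, unscoped `Model.find(params[:id])` lookups, and models rendered straight to JSON (information leaks). This is the editor's own code, not material from the talk, from Redmine, or from the other project mentioned. The rule set and the sample controller/view are constructed for the example; the Rails 3 era names (`before_filter`, `attr_accessible`) are used because the talk dates from 2011, and strong parameters later replaced `attr_accessible` in Rails 4. Hits are leads to read by hand, not confirmed findings.

```ruby
# Added example (not from the talk): a grep-style first pass over Rails source.
# Each rule is an editorial assumption about where an auditor looks first.
RULES = [
  { id: :xss_raw,       re: /\braw\b|\.html_safe\b|<%==/,
    why: "output bypasses ERB escaping; stored/reflected XSS if the value is user-controlled" },
  { id: :sqli_interp,   re: /\b(where|find_by_sql|order|group|having)\s*\(\s*["'].*\#\{/,
    why: "Ruby string interpolation inside a SQL fragment" },
  { id: :filter_skip,   re: /\bskip_before_(filter|action)\b/,
    why: "authentication/authorization filter disabled for some actions" },
  { id: :mass_assign,   re: /\.(new|create|update_attributes)\(\s*params\[:\w+\]\s*\)/,
    why: "whole params hash reaches the model; check attr_accessible / strong parameters" },
  { id: :unscoped_find, re: /\b[A-Z]\w*\.find\(\s*params\[/,
    why: "record fetched by client-supplied id without scoping to the current user" },
  { id: :info_leak,     re: /\brender\s+(:json\s*=>|json:)\s*@\w+/,
    why: "model serialized with all attributes; check for password digests, tokens, emails" },
  { id: :reflection,    re: /\b(send|constantize|eval)\b.*params\[/,
    why: "user input selects a method or class name" },
].freeze

# Scan one file's contents; returns one finding per (line, rule) hit.
def audit(source, path)
  findings = []
  source.each_line.with_index(1) do |line, no|
    RULES.each do |rule|
      next unless line =~ rule[:re]
      findings << { file: path, line: no, rule: rule[:id], why: rule[:why], code: line.strip }
    end
  end
  findings
end

# Render findings in a grep-like "file:line: rule  code  -- why" form.
def report(findings)
  findings.map { |f| "#{f[:file]}:#{f[:line]}: #{f[:rule]}  #{f[:code]}  -- #{f[:why]}" }.join("\n")
end

# Constructed sample input: a deliberately sloppy Rails 3 style controller and view.
SAMPLE_CONTROLLER = <<~'RUBY'
  class CommentsController < ApplicationController
    before_filter :require_login
    skip_before_filter :require_login, :only => [:index, :show]

    def index
      @comments = Comment.where("body LIKE '%#{params[:q]}%'")
    end

    def create
      @comment = Comment.new(params[:comment])
      @comment.save
      redirect_to @comment
    end

    def show
      @comment = Comment.find(params[:id])
      render :json => @comment
    end
  end
RUBY

SAMPLE_VIEW = <<~'ERB'
  <h2><%= @comment.title %></h2>
  <div class="body"><%= raw @comment.body %></div>
ERB

if __FILE__ == $PROGRAM_NAME
  puts report(audit(SAMPLE_CONTROLLER, "app/controllers/comments_controller.rb"))
  puts report(audit(SAMPLE_VIEW, "app/views/comments/show.html.erb"))
end
```

Run it against a checkout by replacing the two constructed samples with `File.read` over `app/controllers` and `app/views`. The view hit on `raw @comment.body` is exactly the shape of a persistent XSS: the body is stored by `create` from an unfiltered params hash and emitted without escaping in `show`. The controller hits show why filters matter: `skip_before_filter` removes the login check from the very action that does an unscoped `find` and dumps the record as JSON.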
JavaScript is the programming language of the web that allows for dynamic and interactive effects on web pages. It was created in the 1990s by Netscape and Sun Microsystems and has evolved through several versions. JavaScript code runs directly in the browser and is used to add interactivity to HTML pages through elements like variables, arrays, and functions. Common applications of JavaScript include slideshows, dropdown menus, form validation, popups, and automatic page refreshes. Its advantages include client-side execution, ease of use, and speed, while developers must be careful of issues like case sensitivity and proper syntax.
Send, pass, get variables with php, form, html & java script code, by Noushadur Shoukhin
This document provides code examples for sending variables between PHP, HTML forms, and JavaScript. It demonstrates how to:
1) Send variables between PHP, forms, and JavaScript on the same page;
2) Send variables from one page to another via URLs, PHP sessions, or hidden form fields;
3) Dynamically update HTML elements based on form selections like radio buttons or dropdowns.
LESS is a CSS pre-processor that extends CSS by adding features like variables, mixins, functions and nested rules. This allows CSS to be more maintainable, themeable and extendable. The document outlines key LESS features like variables, operations, functions, mixins, loops and compiling LESS to CSS. It provides examples of how each feature can be used.
Building Complex GUI Apps The Right Way. With Ample SDK - SWDC2010, by Sergey Ilinsky
The document discusses the Ample SDK, a JavaScript GUI framework that aims to provide a consistent platform for building complex web applications. It virtualizes browser technologies to implement a standard programming model using XML for layout, CSS for styling, and JavaScript for logic. This allows developers to build reusable UI components. The framework also enables creation of domain-specific markup languages and extension of core technologies like SVG and XUL across browsers.
Slides for a presentation on advanced PHP (object-orientation, frameworks, security and debugging) given for the CS25010 web development module at Aberystwyth University.
More Related Content
Similar to HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
Pragmatic Patterns of Ruby on Rails - Ruby Kaigi2009, by Yasuko Ohba
This document discusses coding patterns for developing large and complicated Ruby on Rails applications. It recommends expressing business logic in models using object-oriented principles, following DRY, CoC and RESTful principles, and writing code in models' standard flows like find, new/save, find/update, and find/destroy. Filter methods are suggested to avoid duplicating code and improve readability. Moving branching logic based on parameters and other model processing code from controllers to models improves testability and reusability. Choosing natural coding styles for Rails that follow its core principles helps keep code maintainable for other developers. Sharing such pragmatic patterns is important for developing large codebases.
This document provides guidelines for coding in Ruby on Rails. It covers naming conventions and formatting for Ruby code, as well as best practices for Rails configuration, routing, controllers, models, migrations, views, and logging. Useful gems are also listed, including RSpec for testing, Devise for authentication, Sidekiq for background jobs, and FriendlyId for permalinks.
This document provides a summary of changes and deprecations in Rails 3, including:
- Plugins will be removed, gems should be used instead.
- ActiveRecord validations syntax changed from validates_presence_of to validates.
- ARel syntax should be used instead of conditions for queries.
- Modules changed to use ActiveSupport::Concern.
- ActionMailer templates use different extensions and variables are no longer passed explicitly.
- General changes include removal of RJS, different asset paths, and Arel scopes concatenate elements instead of only conditions.
- Formtastic inputs changed syntax for values, dates, buttons. Custom inputs are more modular.
Código Saudável => Programador Feliz (Healthy Code => Happy Programmer) - Rs on Rails 2010, by Plataformatec
Talk given at Rs On Rails, in which we shared some good-practice tips for keeping your code cleaner and having full control of your application in production.
This document provides an overview of building web applications with Ruby on Rails. It discusses the core components of a Rails app including models, views, controllers, and database migrations. It also covers generating scaffolds, ActiveRecord queries in the console, embedded Ruby syntax in views, layouts, and view helpers. The goal is to explain the anatomy and basic functionality of a Rails application.
This document discusses ROM (Ruby Object Mapper), a library for building data access layers in Ruby. It summarizes ROM's key concepts including relations for reading data, commands for writing data, and repositories for accessing application data. It also highlights ROM's features like no global state, support for multiple databases and adapters, and avoidance of N+1 queries through relation composition.
Rails is a great Ruby-based framework for producing web sites quickly and effectively. Here are a bunch of tips and best practices aimed at the Ruby newbie.
- Ruby on Rails is an open-source, full-stack framework for developing database-backed web applications using the Model-View-Controller pattern. It uses the Ruby programming language.
- Rails uses conventions over configurations, don't repeat yourself (DRY) principles, and an opinionated philosophy. It provides a directory structure, environment modes, and generators to quickly develop applications.
- The document provides an example of generating a bookmarks application with models, views, controllers, validations, associations, and AJAX functionality using Rails.
This document provides an overview of learning to code for a startup minimum viable product (MVP) using Ruby on Rails. It discusses setting up a development environment, using Git version control, the Ruby programming language basics, Rails models and object-relational mapping, authentication with Devise, Rails controllers and routing, and using scaffolding to build out a sample Mini Twitter app with Posts and Users models. The goal is to provide attendees with the necessary skills to build a basic MVP for a startup.
2011-02-03 LA RubyConf Rails3 TDD Workshop, by Wolfram Arnold
This document provides an overview of test-driven development (TDD) using Rails 3. It discusses why TDD is important, how to structure tests in different layers (model, controller, etc.), and what to test for models, controllers and views. It also covers RSpec 2 and useful tools like RVM. The presentation includes live coding demos and in-class exercises on TDD.
Introduction to Ruby on Rails by Rails Core alumnus Thomas Fuchs.
Originally a 3-4 hour tutorial, 150+ slides about Rails, Ruby and the ecosystem around it.
This document provides a fast-paced introduction to Ruby, Rails, and additional technologies. It begins with an overview of Ruby basics, syntax, and uses beyond scripts. It then covers Rails fundamentals including MVC architecture, scaffolding, models, views, controllers, and routes. Additional topics discussed include gems, Git, and deploying to Heroku. The document concludes by outlining a sample project to build a marketplace for buying and selling robot spare parts.
Introduction to web scraping from static and Ajax generated web pages with Python, using urllib, BeautifulSoup, and Selenium. The slides are from a talk given at Vancouver PyLadies meetup on March 7, 2016.
The document discusses using Merb as a Ruby web framework. It provides instructions on installing Merb and common Merb gems, generating a basic Merb application with articles and authentication, using DataMapper for object-relational mapping, and deploying the Merb application to production. Additional resources discussed include text editors, wikis, IRC channels, and tutorials for learning more about Merb and related tools.
This document provides an introduction and overview of key changes between Rails 3 and Rails 4. It discusses changes to components like ActiveRecord and ActionPack. It outlines changes to models, including the introduction of AREL and concerns directories. Controller changes like strong parameters and view changes like new form helpers are reviewed. Routing changes such as PATCH verbs and constraints are covered. Finally, migration and turbolinks additions are summarized.
While the Python logging module makes it simple to add flexible logging to your application, wording log messages and choosing the appropriate level to maximize their helpfulness is a topic hardly covered in the documentation. This talk gives guidelines on when to choose a certain log level, what information to include and which wording templates to use.
Ramaze - The Underrated Ruby Web Framework, by luccastera
Ramaze is an underrated Ruby web framework that is simple, light, and modular. It uses an MVC architecture and has many features including routing, controllers, views, helpers, and deployment options. Ramaze is well documented, stable, and has an active community for learning more and getting help.
Ruby is an object-oriented programming language created in 1993, while Rails is a web application framework built using Ruby. The document provides an overview of Ruby and Rails, including what Rails is and its key advantages such as convention over configuration, don't repeat yourself (DRY) principles, and object-relational mapping (ORM). It also demonstrates creating a sample Rails application and using the Spree e-commerce gem.
This document discusses strategies for making Ruby on Rails applications highly available. It covers common architectures using a single server, and moving to distributed systems. Key topics include application modularity, useful gems for asynchronous processing, database replication, session management, application deployment, configuration management, and load balancing. The conclusion emphasizes that porting Rails apps to a highly available environment requires thinking about architecture and distribution early, but is not prohibitively difficult if approached methodically.
HES 2011 - Gal Diskin - Binary instrumentation for hackers - Lightning-talk, by Hackito Ergo Sum
This document summarizes a lightning talk presentation about binary instrumentation using Intel's Pin tool. It introduces Pin as a dynamic binary instrumentation tool that can insert code into programs at runtime. It then discusses several applications of Pin like performance profiling, security tools for sandboxing and reversing, and academic uses. The document provides examples of using Pin APIs and also lists some alternative dynamic instrumentation engines. It encourages the audience to start using Pin and sharing tools they create with the community.
HES2011 - Jon Oberheide and Dan Rosenberg - Stackjacking, by Hackito Ergo Sum
This document discusses bypassing security protections provided by the grsecurity and PaX patchsets on Linux kernels. It begins with an introduction and agenda, then provides background on Linux kernel security issues over the past decade. The presentation notes that an arbitrary kernel write is a common exploitation primitive, but that this is insufficient to escalate privileges when protections like grsecurity/PaX are in place. It then introduces the concept of "stackjacking", where an attacker leverages kernel stack memory disclosures, which are common low severity vulnerabilities, along with an arbitrary kernel write to bypass grsecurity/PaX protections without needing to introduce new code or modify control flow.
HES2011 - Gabriel Gonzalez - Man In Remote PKCS11 for fun and non profit, by Hackito Ergo Sum
This document discusses remotely using the Spanish National Electronic ID (DNIe) and potential attacks. It provides an introduction to the DNIe and describes a "Man in the Remote" (MiR) attack where an attacker is able to remotely access and use the functionalities of a DNIe card plugged into a different computer. It demonstrates how the attacker could achieve remote authentication and signing. It also discusses some potential solutions to prevent MiR attacks based on analyzing response times.
HES2011 - Sebastien Tricaud - Capture me if you can, by Hackito Ergo Sum
The document discusses techniques for capturing network traffic and system logs to detect security incidents in large networks. It describes how to capture traffic using libpcap, nfqueue, and DAQ. It also discusses challenges like fragmentation and the need to decode protocols. For logs, it highlights weaknesses like signature-based detection and the importance of normalized, unconfigurable logs. It introduces CUDA and NetGPU for GPU-accelerated traffic processing and visualization tools like SecViz and Circos for analyzing large datasets. The conclusion emphasizes that visualization can help solve the problem of events getting lost in noise and overcome technical limitations of current detection approaches.
HES2011 - Eloi Vanderbeken - Hackito Ergo Sum Crackme, by Hackito Ergo Sum
This document is a presentation about a crackme called Hackito Ergo Sum. It discusses the various techniques used to protect the crackme, including a verification algorithm using RC4 encryption, instruction mutation, control flow graph obfuscation, encryption layers, direct native API calls, anti-debugging methods, and ways attackers could potentially break it such as bruteforcing the encryption key or reversing the encryption algorithm. The presentation concludes by thanking the audience and opening the floor for questions.
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave, by Hackito Ergo Sum
This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
HES2011 - Jon Larimer - Autorun Vulnerabilities on Linux, by Hackito Ergo Sum
This document discusses potential vulnerabilities related to autorun functionality and removable storage devices like USB drives on Linux systems. It notes that while Linux desktop environments don't automatically run scripts from removable devices, vulnerabilities could still exist in drivers and applications that handle connecting and accessing such devices. Specific vulnerabilities are identified in USB drivers, file system drivers, thumbnail generation applications, and external thumbnailer programs. Exploiting these could allow gaining root access or defeating full disk encryption from physical access to a system.
HES2011 - James Oakley and Sergey Bratus - Exploiting the Hard-Working DWARF, by Hackito Ergo Sum
The document describes how DWARF bytecode, included in GCC-compiled binaries to support exception handling, can be exploited to insert trojan payloads. DWARF bytecode interpreters are included in the standard C++ runtime and are Turing-complete, allowing the bytecode to perform arbitrary computations by influencing program flow. A demonstration shows how DWARF bytecode can be used to hijack exceptions and execute malicious payloads without requiring native code.
HES2011 - Raoul Chiesa - Hackers Cybercriminals from Wargames to the Undergr..., by Hackito Ergo Sum
This document provides a summary of a presentation by Raoul Chiesa on cybercrime trends from the past to present. It discusses how hacking has evolved from curiosity-driven activities by bored teens to profit-motivated crimes by adults. Reasons for the rise of cybercrime include the increasing number of internet users and victims, economic incentives, availability of hacking tools, recruitment of inexperienced people, and lack of consequences. The presentation also notes how media portrayal has changed perceptions of who hackers are.
HES2011 - Richard Johnson - A Castle Made of Sand: Adobe Reader X Sandbox, by Hackito Ergo Sum
The document discusses Adobe Reader's use of sandboxing to improve security. It provides background on past vulnerabilities in Adobe Reader and discusses the architecture of the Adobe Reader X sandbox. The sandbox isolates rendering code in a lower privileged process and uses a higher privileged broker process to validate and fulfill requests for system resources according to internal policy. The document outlines how to analyze the sandbox's security mechanisms, such as by determining the rights of processes, auditing the IPC mechanisms, and fuzzing the resource request validation.
HES2011 - Tarjei Mandt - Kernel Pool Exploitation on Windows 7, by Hackito Ergo Sum
This document discusses kernel pool exploitation on Windows 7. It begins with an introduction and overview of the kernel pool and its internals such as pool descriptors, free lists, and lookaside lists. It then covers attacks on the kernel pool and ways to harden it against exploitation, such as by modifying pool structures.
HES2011 - Yuval Vadim Polevoy - Money Is In The Eye Of The Beholder: New And ..., by Hackito Ergo Sum
The document discusses new and evolving ways that criminals steal money through digital means. It outlines how criminal operations have become more sophisticated and business-like, moving from individual hackers to organized underground companies. It describes various technical methods that are used, such as phishing, pharming, malware injections, and man-in-the-browser attacks to steal login credentials and hijack financial transactions. It also discusses how criminal groups set up complex international operations using mules, drop points, and covert channels to launder and cash out the stolen money without being detected. The document warns that security measures are catching up, but that criminals will continue adapting their methods, such as through screen scraping or new types of online games involving money.
The document discusses how software can be used to damage hardware through various techniques like overclocking, overvolting, overheating, and firmware flashing. It provides examples of how components like CPUs, RAM, graphics cards, hard drives, and BIOS can be permanently damaged by exploiting their software interfaces. The goal could be industrial espionage, terrorism, or other malicious motives like destroying a commercial rival's operations through an act of industrial cyber warfare.
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc..., by DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck?
Відео та деталі заходу: https://bit.ly/45tILxj
"What does it really mean for your system to be available, or how to define w...Fwdays
We will talk about system monitoring from a few different angles. We will start by covering the basics, then discuss SLOs, how to define them, and why understanding the business well is crucial for success in this exercise.
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillLizaNolte
HERE IS YOUR WEBINAR CONTENT! 'Mastering Customer Journey Management with Dr. Graham Hill'. We hope you find the webinar recording both insightful and enjoyable.
In this webinar, we explored essential aspects of Customer Journey Management and personalization. Here’s a summary of the key insights and topics discussed:
Key Takeaways:
Understanding the Customer Journey: Dr. Hill emphasized the importance of mapping and understanding the complete customer journey to identify touchpoints and opportunities for improvement.
Personalization Strategies: We discussed how to leverage data and insights to create personalized experiences that resonate with customers.
Technology Integration: Insights were shared on how inQuba’s advanced technology can streamline customer interactions and drive operational efficiency.
AI in the Workplace Reskilling, Upskilling, and Future Work.pptxSunil Jagani
Discover how AI is transforming the workplace and learn strategies for reskilling and upskilling employees to stay ahead. This comprehensive guide covers the impact of AI on jobs, essential skills for the future, and successful case studies from industry leaders. Embrace AI-driven changes, foster continuous learning, and build a future-ready workforce.
Read More - https://bit.ly/3VKly70
This talk will cover ScyllaDB Architecture from the cluster-level view and zoom in on data distribution and internal node architecture. In the process, we will learn the secret sauce used to get ScyllaDB's high availability and superior performance. We will also touch on the upcoming changes to ScyllaDB architecture, moving to strongly consistent metadata and tablets.
Lee Barnes - Path to Becoming an Effective Test Automation Engineer.pdfleebarnesutopia
So… you want to become a Test Automation Engineer (or hire and develop one)? While there’s quite a bit of information available about important technical and tool skills to master, there’s not enough discussion around the path to becoming an effective Test Automation Engineer that knows how to add VALUE. In my experience this had led to a proliferation of engineers who are proficient with tools and building frameworks but have skill and knowledge gaps, especially in software testing, that reduce the value they deliver with test automation.
In this talk, Lee will share his lessons learned from over 30 years of working with, and mentoring, hundreds of Test Automation Engineers. Whether you’re looking to get started in test automation or just want to improve your trade, this talk will give you a solid foundation and roadmap for ensuring your test automation efforts continuously add value. This talk is equally valuable for both aspiring Test Automation Engineers and those managing them! All attendees will take away a set of key foundational knowledge and a high-level learning path for leveling up test automation skills and ensuring they add value to their organizations.
"Choosing proper type of scaling", Olena SyrotaFwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
Introducing BoxLang : A new JVM language for productivity and modularity!Ortus Solutions, Corp
Just like life, our code must adapt to the ever changing world we live in. From one day coding for the web, to the next for our tablets or APIs or for running serverless applications. Multi-runtime development is the future of coding, the future is to be dynamic. Let us introduce you to BoxLang.
Dynamic. Modular. Productive.
BoxLang redefines development with its dynamic nature, empowering developers to craft expressive and functional code effortlessly. Its modular architecture prioritizes flexibility, allowing for seamless integration into existing ecosystems.
Interoperability at its Core
With 100% interoperability with Java, BoxLang seamlessly bridges the gap between traditional and modern development paradigms, unlocking new possibilities for innovation and collaboration.
Multi-Runtime
From the tiny 2m operating system binary to running on our pure Java web server, CommandBox, Jakarta EE, AWS Lambda, Microsoft Functions, Web Assembly, Android and more. BoxLang has been designed to enhance and adapt according to it's runnable runtime.
The Fusion of Modernity and Tradition
Experience the fusion of modern features inspired by CFML, Node, Ruby, Kotlin, Java, and Clojure, combined with the familiarity of Java bytecode compilation, making BoxLang a language of choice for forward-thinking developers.
Empowering Transition with Transpiler Support
Transitioning from CFML to BoxLang is seamless with our JIT transpiler, facilitating smooth migration and preserving existing code investments.
Unlocking Creativity with IDE Tools
Unleash your creativity with powerful IDE tools tailored for BoxLang, providing an intuitive development experience and streamlining your workflow. Join us as we embark on a journey to redefine JVM development. Welcome to the era of BoxLang.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
ScyllaDB is making a major architecture shift. We’re moving from vNode replication to tablets – fragments of tables that are distributed independently, enabling dynamic data distribution and extreme elasticity. In this keynote, ScyllaDB co-founder and CTO Avi Kivity explains the reason for this shift, provides a look at the implementation and roadmap, and shares how this shift benefits ScyllaDB users.
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
The Microsoft 365 Migration Tutorial For Beginner.pptxoperationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
The Microsoft 365 Migration Tutorial For Beginner.pptx
HES2011 - joernchen - Ruby on Rails from a Code Auditor Perspective
1. Ruby on Rails from a code auditor's perspective
0x0b4dc0de the RoR way
9th April 2011
Hackito Ergo Sum
2. Meta / Disclaimer
● It's an attempt to share my experience in reading Ruby on Rails code with the aim of finding nice¹ bugs
● You can expect some code and practical examples from
● Redmine
– Open Source project management software
● CCCMS
– http://ccc.de
● I'm not a coder
● Rather, I enjoy reading other people's code
– So don't expect a RoR development tutorial
¹) as in: security
5. MVC
● Model-View-Controller: a software architecture pattern isolating different domains of the software into three parts
● Model: handling data of the application as well as state changes
● View: user interface elements
● Controller: I/O, application logic calling methods of the model and view
6. RoR – Controller
● Located in $railsapp/app/controllers
class PostsController < ActionController::Base
  […]
  def show
    @post = Post.find(params[:id])
    respond_to do |format|
      format.html # show.html.erb
      format.xml { render :xml => @post }
    end
  end
  […]
7. RoR – Model
● Located in $railsapp/app/models
class User < ActiveRecord::Base
  has_many :posts
  validates_presence_of :name
  validates_uniqueness_of :name
end
8. RoR – View
● Located in $railsapp/app/views
● Typically written in ERB
● Mixture of HTML and Ruby
<% if @posts.blank? %>
  <p>There are no posts yet.</p>
<% else %>
  <ul id="posts">
  <% @posts.each do |c| %>
    <li><%= link_to c.title, {:action => 'show', :id => c.id} %></li>
  <% end %>
  </ul>
<% end %>
<p><%= link_to "Add new Post", {:action => 'new'} %></p>
11. RoR – Reading the Code
● Ruby tends to be easy to read, and so does RoR
● There are at least three layers (MVC)
● All layers have to be covered when reading the source code (for finding bugs)
● Additionally, there are libs, helpers, etc.
● There might be checks somewhere you don't expect
● There might be bugs somewhere you don't expect
12. RoR – Database
● Database is configured in
● $railsapp/config/database.yml
● Migrations ($railsapp/db/migrate) describe the database tables in Ruby
● They are applied to the database with rake (rake db:migrate)
● For an auditor, the migrations are the quickest way to learn every column a model has, including the ones no form ever shows
14. RoR - Filters
● Filter example taken from Redmine
● app/controllers/users_controller.rb
class UsersController < ApplicationController
  layout 'admin'

  before_filter :require_admin, :except => :show
15. RoR – Filters
● So mainly, there are
● before_filter
● after_filter
● skip_before_filter
● skip_after_filter
● around_filter
● When auditing, grep for skip_before_filter and for :except / :only lists: every exception is an action that runs without the check
● Rails 4 renamed these to before_action, after_action, skip_before_action, skip_after_action and around_action
16. RoR – User Input
● Look for params[:something] in the controller
● Take a look at the model/migration/DB to know which fields you might potentially influence
● Post it like: something=foo
● params[:something][:bar] is posted like something[bar]=foo
17. RoR – User Input
● RoR also automagically takes user input as
● XML
– Post with Content-Type text/xml:
<user>
  <firstname>chunky</firstname>
</user>
● JSON
– Post with Content-Type application/json:
{
  "user": {
    "lastname": "bacon"
  }
}
● Both land in the same params hash as the form encoding (params[:user][:firstname], params[:user][:lastname]), so every way of reaching a controller deserves the same scrutiny
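To see exactly which model fields a request body can reach, it helps to have the bracket syntax from the two slides above in runnable form. The following is an added example, not code from the talk and not Rails' own parser (Rails uses Rack::Utils.parse_nested_query); the USER_COLUMNS list stands in for what you would read from a migration, and the posted body is constructed.

```ruby
require "uri"

# Added example, not code from the talk or from Rails itself. Rails builds the
# nested params hash with Rack::Utils.parse_nested_query; this stand-in covers the
# part of that syntax an auditor runs into: key=value, key[sub]=value and key[]=value.
def parse_nested_query(query)
  params = {}
  query.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key   = URI.decode_www_form_component(raw_key)
    value = URI.decode_www_form_component(raw_value.to_s)
    # "user[name]" -> ["user", "name"], "user[roles][]" -> ["user", "roles", ""]
    head, rest = key.match(/\A([^\[\]]*)(.*)\z/).captures
    path = [head] + rest.scan(/\[([^\[\]]*)\]/).flatten
    assign_nested(params, path, value)
  end
  params
end

def assign_nested(hash, path, value)
  key, *rest = path
  if rest.empty?
    hash[key] = value
  elsif rest == [""]                      # trailing [] appends to an array
    (hash[key] = Array(hash[key])) << value
  else
    hash[key] = {} unless hash[key].is_a?(Hash)
    assign_nested(hash[key], rest, value)
  end
end

# Audit helper: given the columns read from the model's migration (this column list
# is hypothetical), which of them can the posted body reach under params[top_key]?
USER_COLUMNS = %w[name email admin hashed_password].freeze

def reachable_columns(params, top_key, columns = USER_COLUMNS)
  params.fetch(top_key, {}).keys & columns
end

# Constructed request body: the form-encoded equivalent of the XML/JSON bodies
# above, with an extra field the form never offered.
POSTED_BODY = "user[name]=Chunky+Bacon&user[admin]=true&user[roles][]=dev&user[roles][]=ops&page=2"

if $PROGRAM_NAME == __FILE__
  params = parse_nested_query(POSTED_BODY)
  p params
  p reachable_columns(params, "user")
end
```

The intersection of posted keys and migration columns is the list of fields the request can actually write, which is the input to the mass-assignment discussion later in the deck.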
20. The Usual Web Application Suspects
● SQL Injection
● XSS
● CSRF
21. SQL Injection the RoR way
● Rarely found
● Per se, RoR hides away plain SQL
– User.where(:first_name => "Chunky", :last_name => "Bacon")
● Look for the typical concatenation patterns
def sqlinjectme
  User.find(:all, :conditions => "id = #{params[:id]}")
end
● The safe forms keep the value out of the SQL string: :conditions => ["id = ?", params[:id]] or User.where("id = ?", params[:id])
● Unfortunately stacked queries generally do not work, since the adapter sends a single statement per call; what you can do is limited to the statement you inject into (UNION, subselects and so on)
22. XSS the RoR way
● In order to find XSS bugs
● Look at the views
– <%= @post.title %>
vs.
– <%= h @post.title %>
● Rails 2 prints <%= %> unescaped; Rails 3 escapes it by default, so there look for the opt-outs instead: raw(...), .html_safe, <%== %> and helpers that build HTML out of strings
● Look at formatters
● Just try to find XSS scripted/manually
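The difference between the two view lines is easiest to see by rendering them. The following is an added example, not from the talk: plain ERB from Ruby's standard library rendering a hostile title with and without h, followed by a scanner that lists the output tags in a view an auditor should look at. The View class and the sample view are made up for the example; a bare <%= is treated as unescaped here, as Rails 2 did.

```ruby
require "erb"

# Added example, not from the talk: plain ERB from Ruby's standard library, to show
# what the two view lines above produce for a hostile title, plus a scanner for the
# output tags an auditor should look at. Rails 3 auto-escapes <%= %>, so there the
# interesting tags are the ones that opt out (raw, .html_safe, <%==); this stand-in
# renders a bare <%= unescaped, as Rails 2 did. View and the sample view are made up.
class View
  include ERB::Util            # gives the template h()

  def initialize(title)
    @title = title
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

UNESCAPED_VIEW = "<h1><%= @title %></h1>"
ESCAPED_VIEW   = "<h1><%= h @title %></h1>"
HOSTILE_TITLE  = "<script>alert(1)</script>"

def render_both(title = HOSTILE_TITLE)
  view = View.new(title)
  { unescaped: view.render(UNESCAPED_VIEW), escaped: view.render(ESCAPED_VIEW) }
end

# Report every output tag in a view: those already wrapped in h() are skipped,
# explicit opt-outs are flagged, the rest need a look (unescaped on Rails 2,
# escaped on Rails 3+ unless the value was marked html_safe somewhere upstream).
def review_output_tags(view_src)
  findings = []
  view_src.each_line.with_index(1) do |line, no|
    line.scan(/<%=(=?)\s*(.*?)\s*%>/) do |raw_marker, expr|
      next if expr.match?(/\A(?:h|html_escape)[\s(]/)
      verdict = if raw_marker == "=" || expr.match?(/\braw\b|\.html_safe\b/)
                  "explicitly unescaped"
                else
                  "check: unescaped on Rails 2, auto-escaped on Rails 3+"
                end
      findings << [no, expr, verdict]
    end
  end
  findings
end

SAMPLE_VIEW = <<~'ERB'
  <li><%= h @post.title %></li>
  <li><%= @post.title %></li>
  <div><%= raw @post.body %></div>
  <div><%= format_body(@post.body).html_safe %></div>
ERB

if $PROGRAM_NAME == __FILE__
  p render_both
  review_output_tags(SAMPLE_VIEW).each { |no, expr, verdict| puts "line #{no}: <%= #{expr} %> -> #{verdict}" }
end
```

The scanner only looks at the view; the Redmine bug on the next slide lived in a formatter, which is exactly the "upstream" case where a helper returns html_safe output built from user text.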
23. Redmine persistent XSS
● Somewhat hard to spot
● Found it by chance ;)
● Problem in the syntax highlighter:
● lib/redcloth3.rb
27. Bugs the RoR way
● Rails has a lot of fancy automagic
● … which might eventually blow up in your face
● “Most of you are familiar with the virtues of a
programmer. There are three, of course: laziness,
impatience, and hubris.” – Larry Wall
28. Automagic – Mass Assignments
● When there is an assignment like
● user[name] = "Chunky Bacon"
● This is typically saved with
● user = User.new(params[:user])
● user.save
● So what if you posted
● user[name]= "Chunky Bacon"
● user[admin]= true
● Every key in params[:user] that matches a column becomes a column write, including the ones the form never offered
30. Mass Assignment – CCC Website
● CCCMS – "feature" allowing regular users to promote themselves to admin
def update

  if @user.update_attributes(params[:user])
  […]
31. Mass Assignment – CCC Website
● CCCMS – patch preventing regular users from promoting themselves to admin
def update
  params[:user].delete(:admin) unless current_user.is_admin?
  if @user.update_attributes(params[:user])
  […]
● This is a blacklist in one controller action: it covers the admin key here and nothing else, so every other place that mass-assigns a User still needs its own guard
32. Preventing Mass Assignments
● To be fixed in the model
● Example taken from Redmine:
class User < Principal
  […]
  attr_protected :login, :admin, […]
● attr_protected is a blacklist; attr_accessible (a whitelist of what may be mass-assigned) fails safe when a sensitive column is added later. Rails 4 replaced both with strong parameters in the controller (params.require(:user).permit(:name, :email))
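To see the attack and the two fixes side by side without a Rails install, the following is an added example, not the talk's code and not CCCMS or Redmine code: a Rails-free stand-in for ActiveRecord mass assignment. ToyUser, its columns and the params hash (what Rails builds from a posted user[name]=Chunky+Bacon&user[admin]=true) are constructed for the example.

```ruby
# Added example, not the talk's or CCCMS/Redmine code: a Rails-free stand-in for
# ActiveRecord mass assignment so the promotion-to-admin attack and the fixes from
# the slides can be run side by side. ToyUser and its columns are hypothetical; the
# POSTED hash is what Rails builds from user[name]=Chunky+Bacon&user[admin]=true.
class ToyUser
  COLUMNS    = %w[name email admin].freeze   # what you would read from the migration
  PROTECTED  = %w[admin].freeze              # stand-in for attr_protected :admin
  ACCESSIBLE = %w[name email].freeze         # stand-in for attr_accessible :name, :email

  attr_reader :attributes

  def initialize
    @attributes = { "name" => nil, "email" => nil, "admin" => false }
  end

  def admin?
    [true, "true", "1"].include?(@attributes["admin"])   # boolean column typecast
  end

  # Vulnerable: every posted key that names a column gets written.
  def update_attributes(params)
    params.each { |k, v| @attributes[k.to_s] = v if COLUMNS.include?(k.to_s) }
    self
  end

  # Blacklist fix (attr_protected): silently drop the protected keys.
  def update_attributes_protected(params)
    update_attributes(params.reject { |k, _| PROTECTED.include?(k.to_s) })
  end

  # Whitelist fix (attr_accessible / strong parameters): only listed keys get through.
  def update_attributes_accessible(params)
    update_attributes(params.select { |k, _| ACCESSIBLE.include?(k.to_s) })
  end
end

# The controller-side patch from the CCCMS slide: strip admin unless the caller is one.
def controller_update(user, params, current_user_is_admin)
  params = params.dup
  params.delete("admin") unless current_user_is_admin
  user.update_attributes(params)
end

POSTED = { "name" => "Chunky Bacon", "admin" => "true" }.freeze   # constructed request

def demo
  {
    unchecked:           ToyUser.new.update_attributes(POSTED).admin?,
    protected:           ToyUser.new.update_attributes_protected(POSTED).admin?,
    accessible:          ToyUser.new.update_attributes_accessible(POSTED).admin?,
    controller_patch:    controller_update(ToyUser.new, POSTED, false).admin?,
    controller_as_admin: controller_update(ToyUser.new, POSTED, true).admin?,
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Only the unchecked path and the legitimate admin end up with admin set; the controller patch works for this action, the model-level fixes work for every caller of update_attributes.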
33. Laziness – Infoleaks
● All that fanciness of RoR doesn't help against lazy developers
● If a second controller accesses the same model, it has to implement the proper filters as well
34. Redmine – Journals Infoleak
● Leaks info about issue descriptions, even if they are not visible to the current user
● app/controllers/journals_controller.rb (vulnerable: no authorization filter on new and edit)
class JournalsController < ApplicationController
  before_filter :find_journal, :only => [:edit]
  before_filter :find_issue, :only => [:new]
  before_filter :find_optional_project, :only => [:index]

  […]
35. Redmine – Journals Infoleak
● Fixed by adding the authorize filter for new and edit
● app/controllers/journals_controller.rb
class JournalsController < ApplicationController
  before_filter :find_journal, :only => [:edit]
  before_filter :find_issue, :only => [:new]
  before_filter :find_optional_project, :only => [:index]
  before_filter :authorize, :only => [:new, :edit]
  […]
37. Digging a bit deeper
● There is more than just the MVC code
● $railsapp/lib/
● $railsapp/vendor/plugins
● $railsapp/app/helpers
● There is RoR code itself
41. XXX¹
● Open Source Rails app
● Developed by xxx.com
● Was suspicious to me due to heavily using send statements on user input
● send(symbol, [args...])
● Invokes the method identified by symbol, passing it any arguments specified.
● Allows private methods to be called (public_send does not, but that only helps when the dangerous method is private; instance_eval and send itself are public)
¹) sorry had to censor this
42. send, my new best friend
● In XXX's controllers I didn't find anything directly exploitable :-(
● But then a search helper lib got my attention:
● some/lib/path/search.rb:
values.each do |condition, value|
  mass_conditions[condition.to_sym] = value
  value.delete_if { |v| ignore_value?(v) } if value.is_a?(Array)
  next if ignore_value?(value)
  @current_scope = @current_scope.send(condition, value)
end
● condition is the key of the search[...] hash and value its value, so the request chooses the method name and its argument
43. send, my new best friend
● How about:
GET /triggerpath?search[instance_eval]=%60touch%20%2ftmp%2fcommand_exec%60 HTTP/1.1
● Decoded, the value is `touch /tmp/command_exec`, so the loop above runs @current_scope.instance_eval("`touch /tmp/command_exec`")
● Or just msfupdate in a couple of days ;-)
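The following is an added example, not code from the censored application: a Rails-free scope object that reproduces the search.rb pattern (send with a caller-chosen method name), the kind of payload it enables, and the whitelist that closes it. ToyScope and its finder methods are hypothetical, and the payload sets an instance variable instead of touching the file system.

```ruby
# Added example, not code from the censored application: a Rails-free scope object
# that reproduces the search.rb pattern above (send with a caller-chosen method
# name), the payload it enables, and the whitelist that closes it. ToyScope and its
# finder methods are hypothetical; the payload sets a flag instead of running a shell.
class ToyScope
  attr_reader :conditions, :pwned

  def initialize
    @conditions = []
    @pwned = false
  end

  def by_name(v);   @conditions << [:name, v];   self; end
  def by_status(v); @conditions << [:status, v]; self; end
end

# Vulnerable: the hash key (from search[...]=...) picks the method to call.
def apply_search_unchecked(scope, values)
  values.each do |condition, value|
    scope = scope.send(condition, value)
  end
  scope
end

# Fixed: only names from an explicit whitelist are dispatched, anything else is rejected.
SEARCH_CONDITIONS = %w[by_name by_status].freeze

def apply_search_whitelisted(scope, values)
  values.each do |condition, value|
    unless SEARCH_CONDITIONS.include?(condition.to_s)
      raise ArgumentError, "unknown search condition: #{condition}"
    end
    scope = scope.public_send(condition, value)
  end
  scope
end

# public_send respects visibility, but instance_eval is public, so on its own it
# does not stop this payload.
def public_send_is_not_enough
  s = ToyScope.new
  s.public_send("instance_eval", "@pwned = true")
  s.pwned
end

BENIGN  = { "by_name" => "chunky" }.freeze
PAYLOAD = { "instance_eval" => "@pwned = true" }.freeze   # search[instance_eval]=@pwned+%3D+true

if $PROGRAM_NAME == __FILE__
  s = ToyScope.new
  apply_search_unchecked(s, PAYLOAD)
  puts "unchecked: pwned=#{s.pwned}"
  begin
    apply_search_whitelisted(ToyScope.new, PAYLOAD)
  rescue ArgumentError => e
    puts "whitelisted: #{e.message}"
  end
end
```

The whitelist is the whole fix: once the method name comes from a fixed list, neither send nor public_send can be steered anywhere else.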
44. Rails itself
● Of course, there is the RoR code itself
● Didn't look into it deeply enough (yet)
45. Security Mechanisms – CSRF Tokens
● Short recap:
● protect_from_forgery
● But wait a minute
● Thumbs up to Felix Gröbert (Google Sec. Team)
– CVE-2011-0447
– Fixed in Rails 3.0.4
49. RoR Generic CSRF Protection Bypass
● Post to yoursite.com with flash¹
● Let yoursite.com redirect via 307 to target.com
● Supply application/json with proper json params
● authenticity_token should also be present (arbitrary string)
● Resend popup in Firefox
¹) Cross-domain POST header manipulation details: http://bit.ly/hc65g3
50. Session Cookies
● Session cookie holds all session information (Rails' default CookieStore keeps the whole session on the client side)
● Accessed like: session[:user_id]
● _twitter_sess=<base64 blob>--<HMAC-SHA1 hex digest over the blob>
51. Session Cookies
● Can be loaded after base64 decoding with
● Marshal.load(Base64.decode64(blob))
● => {:logged_in_after_phx_default=>false,
:created_at=>1293669570258, :in_new_user_flow=>nil,
:show_help_link=>nil, :user=>19395266,
:password_token=>"censored",
"show_discoverability_for_joernchen"=>nil,
"flash"=>{}, :id=>"censored", :csrf_id=>"censored"}
● Do this only with cookies you trust (your own): Marshal.load on attacker-supplied data instantiates arbitrary objects, which is also why the HMAC check has to run before the load
52. Some Thoughts on Session Cookies
● Looked at the RoR handling of Session Cookies → looked fine to me
● Maybe you find something I missed
● But keep in mind:
● What has been HMACed can't be un-HMACed: a cookie the server signed stays valid until the secret changes, and the server has no way to revoke a single one
53. What has been HMACed
● A fictional example of some RoR controller:
def grant_token # called only once for a user
  session[:token] = true
end

def invalidate # called in do_the_magic
  session[:token] = false
end

def check # check if user has used token
  if session[:token] == true
    do_the_magic
  else
    do_not_do_the_magic
  end
end
54. What has been HMACed
● The example above is vulnerable to simple replay attacks
● Once you have a HMACed session cookie with special capabilities, in a naïve implementation no one stops you from reusing that cookie: invalidate only hands the browser a new cookie with token=false, the old one with token=true still carries a valid signature
● Simple experiment:
● Go to twitter.com and login (without "Remember Me").
● Save your _twitter_sess cookie
● Logout
● Restore the _twitter_sess cookie
● Be logged in again :-)
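The following is an added example, not the talk's code and not Rails' own implementation: the Rails 2/3 CookieStore format (Base64 of Marshal.dump(session), then "--", then the hex HMAC-SHA1 of that Base64 under the server secret) rebuilt with the standard library, so that the decode from slide 51, the integrity check, the replay from slides 53/54 and a server-side fix can all be run. The secret, the session contents and the grant/invalidate flow are constructed.

```ruby
require "base64"
require "openssl"
require "securerandom"

# Added example, not the talk's code and not Rails' own implementation: the Rails 2/3
# CookieStore format (Base64 of Marshal.dump(session), "--", hex HMAC-SHA1 of that
# Base64 under the server secret) rebuilt with the standard library. The secret, the
# session contents and the grant/invalidate flow are constructed for the example.
SECRET = "constructed-secret-do-not-reuse".freeze

def sign_session(session, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", secret, data)}"
end

# Constant-time comparison, so a forger cannot learn the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil if the cookie is malformed or the HMAC fails.
# Marshal.load only runs after the signature has been checked.
def verify_session(cookie, secret = SECRET)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest("SHA1", secret, data))
  Marshal.load(Base64.strict_decode64(data))
end

SESSION = { :user_id => 42, :token => true, "flash" => {} }.freeze

def decode_demo
  verify_session(sign_session(SESSION))
end

# Swap the payload but keep the old digest: the HMAC no longer matches.
def tamper_demo
  digest = sign_session(SESSION).split("--", 2).last
  forged = Base64.strict_encode64(Marshal.dump(SESSION.merge(:user_id => 1)))
  verify_session("#{forged}--#{digest}")
end

# Slide 53 in miniature: invalidate only hands the client a new cookie, the old
# one still verifies, so it can be replayed.
def replay_demo
  granted     = sign_session({ :token => true })    # grant_token
  invalidated = sign_session({ :token => false })   # invalidate
  check = ->(cookie) { (verify_session(cookie) || {})[:token] == true }
  { current_cookie: check.call(invalidated), replayed_old_cookie: check.call(granted) }
end

# Fix: keep the revocable state on the server. The cookie only names the token;
# whether it is still valid is decided by the server-side table, which a replayed
# cookie cannot roll back.
class TokenStore
  def initialize;     @valid = {};                                        end
  def grant;          id = SecureRandom.hex(16); @valid[id] = true; id;   end
  def invalidate(id); @valid.delete(id);                                  end
  def valid?(id);     @valid.fetch(id, false);                            end
end

def replay_fixed_demo
  store  = TokenStore.new
  id     = store.grant
  cookie = sign_session({ :token_id => id })
  first  = store.valid?(verify_session(cookie)[:token_id])   # do_the_magic
  store.invalidate(id)
  second = store.valid?(verify_session(cookie)[:token_id])   # same cookie, replayed
  { first_use: first, replayed: second }
end

if $PROGRAM_NAME == __FILE__
  p decode_demo, tamper_demo, replay_demo, replay_fixed_demo
end
```

The same logic explains the Twitter experiment: logging out replaced the cookie in the browser, but the saved copy was still a validly signed session, and nothing on the server remembered that it should no longer be honoured.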
56. Kudos to Jean-Philippe Lang
● Initial notification of
● Infoleak issue
● Persistent XSS
● Multiple CMD-Exec bugs
● ~ 2:00 PM
● Response "I'll fix it and let you know"
● ~ 6:00 PM
● Response "It's fixed and there will be a new release tomorrow"
● ~ 8:00 PM
● 2h for a complete fix.
● So in case you use Redmine
● Update at least to version 1.0.5 =)