In this talk, we will dive into the data captured during last years Wall of Sheep applications and protocols that are giving your away credentials. This is something that anyone, with the right level of knowledge and inclination, could certainly do with a few basic ingredients. We will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off the shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environment --where loss of one's anonymity, might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
In this talk, we will dive into the data captured during last years Wall of Sheep applications and protocols that are giving your away credentials. This is something that anyone, with the right level of knowledge and inclination, could certainly do with a few basic ingredients. We will enumerate them. The dataset we will focus on was gathered as part of the Wall of Sheep contest during DEF CON 22. While this data was gathered using an off the shelf technology, that platform will not be the topic we discuss. Rather, we will focus on the types and scope of data sent totally in the clear for all to see. Additionally, we will discuss the ramifications this might have in a less "friendly" environment --where loss of one's anonymity, might really, really suck. Finally, we will discuss and recommend ways you can hamper this type of collection.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Slides from presentation: "Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science" originally released at Black Hat USA 2017 & DEF CON by @danielhbohannon and @Lee_Holmes.
For more information: http://www.danielbohannon.com/presentations/
Slides from presentation: "DevSec Defense: How DevOps Practices Can Drive Detection Development For Defenders"
For more information: http://www.danielbohannon.com/presentations/
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
You always think it will never happen to you but when it does, it’s all hands on deck. My personal site was almost hacked and since then I actively looked at what I could improve. During this talk I will talk what I had before and show all the improvements I made since then. It will be a mixed of using using the existing tools and my own creation in managing my sites.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
DevOops & How I hacked you DevopsDays DC June 2015Chris Gates
In a quest to move faster, organizations can end up creating security vulnerabilities using the tools and products meant to protect them. Both Chris Gates and Ken Johnson will share their collaborative research into the technology driving DevOps as well as share their stories of what happens when these tools are used insecurely as well as when the tools are just insecure.
Technologies discussed will encompass AWS Technology, Chef, Puppet, Hudson/Jenkins, Vagrant, Kickstart and much, much more. This talk will most definitely be an entertaining one but a cautionary tale as well, provoking attendees into action. Ultimately, this is research targeted towards awareness for those operating within a DevOps environment.
Slides from presentation: "Revoke-Obfuscation: PowerShell Obfuscation Detection (And Evasion) Using Science" originally released at Black Hat USA 2017 & DEF CON by @danielhbohannon and @Lee_Holmes.
For more information: http://www.danielbohannon.com/presentations/
Slides from presentation: "DevSec Defense: How DevOps Practices Can Drive Detection Development For Defenders"
For more information: http://www.danielbohannon.com/presentations/
Talk Venue: BSides Tampa 2020
Speakers: Mike Felch & Joff Thyer
This talk will focus on the many different ways that a penetration tester, or Red Teamer can leverage the Python programming language during offensive operations. Python is a rich and powerful programming language which above all else allows a competent developer to very quickly write new tools that might start as a Proof of Concept, but soon become an invaluable addition to the Red Teamer's tool-belt. Having the skills to both generate new tools, and modify existing tools on the fly is critically important to agility during testing engagement. Everything from utility processing of data, network protocol, API interaction, and exploit development can be rapidly developed due to the high functionality level and intuitive nature of Python.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
You always think it will never happen to you but when it does, it’s all hands on deck. My personal site was almost hacked and since then I actively looked at what I could improve. During this talk I will talk what I had before and show all the improvements I made since then. It will be a mixed of using using the existing tools and my own creation in managing my sites.
Intro slides for a tutorial on hacking common vulnerabilities and how to prevent those problems in your own code. This is a PHP based tutorial that's hands on, but the slides can help as reference material for a few common hacks
The importance of security in 2013, with more websites getting hacked daily and penetration testers being one of the most the requested IT jobs.
Develops need to be sure how secure their applications against threads like SQL injection, cross site scripting, weak passwords, brute force or dictionary attacks.
Testing mit Codeception: Full-stack testing PHP frameworkSusannSgorzaly
Codeception is a PHP testing framework for Behavior Driven Development, which covers all kinds of tests: unit tests, functional tests and acceptance tests. It is fast and simple in both usage and execution. This talk will give you a introduction to the software testing basics using codeception. It will also cover some stumbling blocks when writing tests, like:
- Test code stability against small changes
- Data stability
- Test structure
Last but not least I will give you a short outlook how to make your tests also understandable for product owners.
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
This was presented at the March 16th, 2016 WordPress Meetup in Hamilton and describes WordPress Security and best practices that should be taken to protect any WordPress website against hackers whom target WordPress websites and impact your Google reputation and online presence.
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
This presentation was given in Las Vegas at BlogWorld 2010 by Brian Layman. It describes techniques that can be used to keep your WordPress website safe.
This is the presentation which I used during the awesome "WPSession #11: Security for Site Owners". I shared important information about how site owners should react to website attacks. I talked about risk management, assets evaluation and getting help from the right people that know WordPress and care about security.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Chris Gates
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include; OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
Talk at TYPO3 Conference 2016 in Bologna/Italy. Basic insights into hacking websites with SqlMap and BeEF XSS and considerations to prevent that. Screencasts of SQLi and XSS at https://www.youtube.com/watch?v=VIGVlmaKqxY & https://www.youtube.com/watch?v=WBDWWv5zdUQ
This presentation is about the following points,
1. Handle Browser,
2. Handle Edit box / Text Box,
3. Handle Link Element,
4. Handle Button,
5. Handle Text Area / Message,
6. Handle Dropdown box /List box,
7. Handle Radio Button,
8. Handle Check Box
Some security vulnerabilities are more dangerous than others, or at least more commonly exploited. In this session we'll look at the top 25 most dangerous software weaknesses and learn how to mitigate them in your CFML code.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
A Study of Variable-Role-based Feature Enrichment in Neural Models of CodeAftab Hussain
Understanding variable roles in code has been found to be helpful by students
in learning programming -- could variable roles help deep neural models in
performing coding tasks? We do an exploratory study.
- These are slides of the talk given at InteNSE'23: The 1st International Workshop on Interpretability and Robustness in Neural Software Engineering, co-located with the 45th International Conference on Software Engineering, ICSE 2023, Melbourne Australia
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaYara Milbes
Discover the transformative power of the WhatsApp API in our latest SlideShare presentation, "Top 7 Unique WhatsApp API Benefits." In today's fast-paced digital era, effective communication is crucial for both personal and professional success. Whether you're a small business looking to enhance customer interactions or an individual seeking seamless communication with loved ones, the WhatsApp API offers robust capabilities that can significantly elevate your experience.
In this presentation, we delve into the top 7 distinctive benefits of the WhatsApp API, provided by the leading WhatsApp API service provider in Saudi Arabia. Learn how to streamline customer support, automate notifications, leverage rich media messaging, run scalable marketing campaigns, integrate secure payments, synchronize with CRM systems, and ensure enhanced security and privacy.
Navigating the Metaverse: A Journey into Virtual Evolution"Donna Lenk
Join us for an exploration of the Metaverse's evolution, where innovation meets imagination. Discover new dimensions of virtual events, engage with thought-provoking discussions, and witness the transformative power of digital realms."
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Automated software refactoring with OpenRewrite and Generative AI.pptx.pdf
How to discover 1352 Wordpress plugin 0days in one hour (not really)
1. How to Discover 1352
Wordpress Plugin XSS 0days in
one hour
(Not Really)
v1.9
Larry W. Cashdollar
DefCon 24
Speakers Workshop
2. Who Am I
• Humble Vulnerability Researcher
• 100+ CVEs
• Former Unix Systems Administrator
• Penetration Tester Back in Late 90s
• Enjoy Writing Code
• Member of Akamai Security Incident Response Team (SIRT)
• Penetration Tester Back in Late
3. Assumptions
• You know what Wordpress is
• You know what a Wordpress plugin is
• You know what XSS is
• You’re not prone to violence when disappointed…
4. Why XSS?
• Kept seeing echo $_GET|POST|REQUEST[‘var’] in code
• I thought these were a sure thing*
• Curiosity about vulnerability discovery automation
• Figured I could auto generate PoCs on the fly
* We will explore later where I fu*ked up
5. Plugin Collection
• Download all 50,000 or so
• Scrape http://plugins.svn.wordpress.org with wget?
Problems
• Wordpress blocked my IP….for 8 months or so
• Get lots of cruft, plugins that had been removed
• We want metadata too!
6. Plugin Collection v2.0
• Use list of plugins from plugins.svn.wordpress.org as index
• Scrape plugin page http://wordpress.org/plugins/$plugin
• Pipe this all through Proxychains
• Took five days to finish, downloaded 42,478 plugins
7. XSS mining
• Hack up an old perl script
• look for echo $_GET[‘ or echo $_POST[‘ or echo $_REQUEST[‘
• Try to find variations like $_GET[“ or $_GET[s’ etc..
• Grab line number, & vulnerable code
• Auto generate exploit & title
• Collect vulnerable variables
8. Auto Generating an XSS PoC
• $_GET and $_REQUEST only
• Create a basic Generic exploit for testing
• var=”><script>alert(1);</script><”
• Where to store all of this?
• I’ve got 900 vulns with 900 untested PoCs…
9. Building the Database
• create database wpvulndb;
• What columns?
• Store title, plugin name, file, vulnerable code, PoC, date
• Collect metadata & populate more fields in database like version,
author, downloads, download link
• Probably should notify folks at Wordpress and some vulnerability
database folks I know for advice?
• Ran the scripts for $_POST[‘
10. In Over my head
• I need an adult
• Should notify some smart people of what I’ve done
• plugins@wordpress.org
• Jericho Attrition.org
• Mitre just in case
• Scott Moore -> IBM XForce
• Ryan Dewhurst -> wpvulndb
• Friends at Akamai
• Solar Designer -> oss-security list
11. Notifications
• Thought I had 1352 legit XSS
• Exported database to various parties
• Had skype call with a group of security researchers from the
University of Stuttgart!
• I was starting to become one of the cool kidz*
*Before it all blows up in my face
12. Massaging the Data
• Created custom .csv files for anyone who asked
• Sent .sql database + php code to wordpress + friends at German
university
• Worked with Jericho to fix mangled entries etc..
• Took suggestions on what data to store and..
13. Added moar columns!
• CVE/DWF ID
• Figured I’d notify Mitre and self assign my own DWF IDs
• Type
• Is this via GET or POST or REQUEST
• Nonce
• Does the plugin use nonce?
• Auto_verify
• Boolean - part of the auto exploit stuff I’ll get into
• Filename with out full path
• Just to make things easier
• Vendor contact_date
• Initial plan was to automate notifications…
14. Validate PoC or Go Home
• I really want to verify what I have with working exploits
• Idea on how to test this automatically
• Would be so cool to have working verified PoC with each vulnerability
entry
15. Auto Exploit v1.0
• Try to send our auto generated payloads (GET/REQUEST) to 900+
vulnerable plugins
• Setup cgi-bin environment
• exec vulnerable code and inject our javascript payload
• New Payload will be:
"><script>new%20Image().src='http://192.168.0.25/e.php?i=741';</script><”
• e.php just sets auto_verify to 1 for vdbid $num in database
16. Auto Exploit: Execute php and render html
• Setup environment variables
• GATEWAY_INTERFACE=CGI/1.1
• PATH_TRANSLATED=vulnerable php filename
• QUERY_STRING=payload
• REDIRECT_STATUS=CGI
• REQUEST_METHOD=GET
17. Auto Exploit – render to html
#!/bin/sh
CWD=`pwd`
PHPCGI=`which php-cgi`
echo "#################################################################################"
echo "# F4st-cgi exploiter v1.5 #"
echo "#################################################################################"
echo "[+] Setting Full path :$1"
echo "[+] Script file name :$2"
echo "[+] Query string :$3"
echo "[+] Changing working directory to $1"
cd $1
export GATEWAY_INTERFACE=CGI/1.1
export PATH_TRANSLATED=$2
export QUERY_STRING=$3
export REDIRECT_STATUS=CGI
export REQUEST_METHOD=GET
echo -n "[+] exec $PHPCGI"
echo -n " "
echo "$2"
php-cgi $2
cd $CWD
18. Two Step Process
Generate .html
For loop for all type=GET or type=REQUEST
$ ./f4st-cgi-exploiter.sh /usr/share/wordpress/ 1255-evr_pdf_out.php "id="><script>new%20Image().src='http://192.168.0.25/e.php?i=1255';</script><"" > files/$id.html
Render .html and exec JavaScript
Tool to use: PhantomJS
19. PhantomJS
• http://phantomjs.org/
• Full web stack no browser required
• Will execute our Javascript payload
• Generates .html and .png as would be rendered in browser
Scandir.js read .html files from a directory and execute javascript.
files/ has all of our .html files from php5-cgi run
$ phantomjs scandir.js files/
22. Results
• 38 exploits fire and set auto_verify = 1 in database
The bad
• I was hoping for another digit in that number
• 38/900=4% success rate #derp
The good
• It worked!
23. Proves or Disproves:
If successful JS execution
• Code in PoC is escaping tags properly.
• Execution doesn’t require authentication.
• Code isn’t just defined in a class we can’t reach.
• Injection point truly isn’t sanitized.
If unsuccessful JS execution
• Injection point might be sanitized.
• Code might require authentication - admin etc.
• PoC isn’t escaping tags properly.
• Code is part of a class and not easily reachable.
24. Where I Fu*ked up
• Didn’t have Wordpress in the path*
• Should have notified everyone later on in my research
• Didn’t have entire plugin copied **
• Include or require of other plugin files would fail
• php5-cgi doesn’t set headers
e.g header(‘Content-Type:text/css’); <- not rendered by browser
* Found out Wordpress escapes $_GET $_POST $_REQUEST
** this provided me with some false negatives!
26. Total Verified with honoring headers
• 27 Auto XSS’d
• 3 manually validated that needed some tweaking to
the payload
• False positives too, stuff like:
$_GET['ID'] = (int) $_GET['ID'];
echo $_GET[‘ID’];
28. What I learned
• Test your stuff end to end!
• Full server stack for any testing
• Research any odd results that aren’t making sense
• The Wordpress escaping GPCS super globals made any XSS in plugin
files loading WP context dependent
• Escapes ’ “ /
29. Context Dependent XSS
<?php
include ‘wp-load.php’;
.
.
echo “Search Results For:”;
echo $_GET[‘s’];
We can still use
• s=<script>alert(1);</script>
31. Vetting XSS
• I’d need to manually review all 1322 entries
• Not enough time
• dreaming about XSS == stop
32. What’s Next
• I’m kind of done with WP Plugin XSS
• Some XSS entries might be valid, need testing
• Maybe try looking at fopen(), SQL, unserialize(), passthru(), eval()?
• Other CMSs?
• Joomla does not escape super globals…
• Drupal extensions https://ftp.drupal.org/files/projects/
33. Researcher Picks Up the Ball
• @BruteLogic uses my technique to find vulnerabilities in open source
PHP applications
• http://brutelogic.com.br/blog/looking-xss-php-source/
• Wrote a script in bash checking for various XSS
• Downloaded lots of open source PHP code
34. Vulnerabilities in my Database Showing up
• Posted to full disclosure on July 19th by Summer of Pwnage @sumofpwn
• Vulnerability ID 419 in my database
• https://sumofpwn.nl/advisory/2016/cross_site_scripting_in_contact_form_to_e
mail_wordpress_plugin.html
35. Thank You
• Everyone here for listening to me ramble
• Brian Martin
• Scott Moore
• Ryan Duhurst
• Mika @ wordpress.org
• Solar Designer
36. I’m sorry
• Everyone here for listening to me ramble
• Brian Martin
• Scott Moore
• Ryan Duhurst
• Mika @ wordpress.org
• Solar Designer
37. Questions?
• larry0@me.com or larry@akamai.com
• @_larry0
• http://www.vapidlabs.com
• Greetings to @vladz,@indoushka,@squirrelbudda,
@dotmudge,@brutelogic,@sumofpwn,@gattaca,
@d1rt_diggler,@E1337za and Akamai SIRT
Editor's Notes
Single / double quotes get escaped
Someone could be doing something you’re not expecting
These would all need manual auditing
$_GET; $_POST; REQUEST; COOKIE; SERVER;
https://core.trac.wordpress.org/ticket/18322