Html5 for Security Folks
•
4 likes•1,575 views
HTML5 introduces many new features that can impact security, both positively and negatively. It allows richer multimedia but also makes some attacks easier. Features like Cross-Origin Resource Sharing, Web Storage, and IFRAME sandboxing could enable attacks like session hijacking or user tracking if not implemented correctly. The IFRAME sandboxing feature is particularly useful for security as it disables scripts and popups, though relaxing its restrictions too much could re-enable frame busting defenses. References are provided for further information on HTML5 security examples and specifications.
Report
Share
Report
Share
Download to read offline
Recommended
Don't Do what Derpy the Dreadful Dev Does
1) The document discusses common web application vulnerabilities like SQL injection and cross-site scripting. It demonstrates how these vulnerabilities can be exploited in PHP and Ruby on Rails applications.
2) While Ruby on Rails has security features built-in, the speaker argues these do not eliminate security risks and that all developers must take responsibility for security.
3) Popular tools like BeEF, SQLmap, and Burp Suite are demonstrated for exploiting vulnerabilities like cross-site scripting and stealing cookie sessions. The key message is that no framework can replace secure coding practices.
Mautic landing page setup & case study
Presented at the June Mautic Meetup Sydney, Tim shares some experiences of building a landing page with Mautic.
Joomla 3.5: better—faster—safer
Discover some of the differences between J! 3.4 and J! 3.5 and see why this version is fast becoming so popular
Tuenti teams - Php Conference
The document discusses the technical teams at Tuenti and their work developing various products and services. It covers their frontend, backend, and systems teams and some of the challenges they face in building large-scale, high-performance applications and services to support millions of users. It also provides specifics on their development of Tuenti's instant messaging platform using open-source technologies and Erlang.
Emergency WordPress Troubleshooting
What do you do when you need to fix your WordPress website and there's no developer around to help? Here are the tools you need, the steps to take, and how to call in the cavalry.
Practical tools for Web Accessibility testing
There is no single tool that does a full accessibility assessment of a web page. Developers use a variety of tools to help them evaluate websites. This is a practical talk with lots of demos. I will share my favorites, free and easy to use, tools to measure the level of accessibility of web page.
HTML5 security
A mid-level managers talk about the new capabilities in HTML5 and what to watch out for security-wise.
Be Securious – Hack Your Own Site for Better Security
This document summarizes a presentation about hacking your own WordPress site for better security. It introduces the speaker and their background in security. The presentation covers why website security is important, common WordPress vulnerabilities like admin login issues and outdated software. It suggests solutions like using strong passwords, limiting plugins, and keeping software updated. The presentation demonstrates security scanning tools like wpscan and Google dorks that attackers use to find vulnerabilities. Additional resources for hardening WordPress security are provided.
Recommended
Don't Do what Derpy the Dreadful Dev Does
1) The document discusses common web application vulnerabilities like SQL injection and cross-site scripting. It demonstrates how these vulnerabilities can be exploited in PHP and Ruby on Rails applications.
2) While Ruby on Rails has security features built-in, the speaker argues these do not eliminate security risks and that all developers must take responsibility for security.
3) Popular tools like BeEF, SQLmap, and Burp Suite are demonstrated for exploiting vulnerabilities like cross-site scripting and stealing cookie sessions. The key message is that no framework can replace secure coding practices.
Mautic landing page setup & case study
Presented at the June Mautic Meetup Sydney, Tim shares some experiences of building a landing page with Mautic.
Joomla 3.5: better—faster—safer
Discover some of the differences between J! 3.4 and J! 3.5 and see why this version is fast becoming so popular
Tuenti teams - Php Conference
The document discusses the technical teams at Tuenti and their work developing various products and services. It covers their frontend, backend, and systems teams and some of the challenges they face in building large-scale, high-performance applications and services to support millions of users. It also provides specifics on their development of Tuenti's instant messaging platform using open-source technologies and Erlang.
Emergency WordPress Troubleshooting
What do you do when you need to fix your WordPress website and there's no developer around to help? Here are the tools you need, the steps to take, and how to call in the cavalry.
Practical tools for Web Accessibility testing
There is no single tool that does a full accessibility assessment of a web page. Developers use a variety of tools to help them evaluate websites. This is a practical talk with lots of demos. I will share my favorites, free and easy to use, tools to measure the level of accessibility of web page.
HTML5 security
A mid-level managers talk about the new capabilities in HTML5 and what to watch out for security-wise.
Be Securious – Hack Your Own Site for Better Security
This document summarizes a presentation about hacking your own WordPress site for better security. It introduces the speaker and their background in security. The presentation covers why website security is important, common WordPress vulnerabilities like admin login issues and outdated software. It suggests solutions like using strong passwords, limiting plugins, and keeping software updated. The presentation demonstrates security scanning tools like wpscan and Google dorks that attackers use to find vulnerabilities. Additional resources for hardening WordPress security are provided.
HTML 5
Prof. Erwin M. Globio gave a presentation on HTML5 that covered:
1) The history and development of HTML5 by groups like WHATWG and its adoption by W3C.
2) New features in HTML5 like audio, video, and canvas elements to enable richer content as well as geo-location APIs for mobile apps.
3) Issues with older standards like HTML4 and XHTML2 that HTML5 aims to address and improve cross-browser compatibility.
4) Questions around browser support for HTML5 and implications for web designers in adopting the new standard.
BeEF_EUSecWest-2012_Michele-Orru
Brief intro to BeEF
New core features: RESTful API, WebSockets, HTTPS
New extensions:
Evasion, Social Engineering
DevTeach Ottawa - Silverlight5 and HTML5
This document summarizes a presentation given by Frédéric HARPER and Laurent DUVEAU comparing the web development technologies Silverlight and HTML5. Some key points:
- Silverlight is a plugin that allows developing rich desktop-style applications for web browsers, while HTML5 can be used on any device with recent browsers without plugins.
- Both support development with Visual Studio and provide controls and capabilities for graphics, media, 3D, and data binding, though Silverlight controls and capabilities are more extensive currently.
- Performance benchmarks comparing row processing, vector graphics, and bitmap manipulation between the two technologies were demonstrated.
- The presenters concluded there is no clear winner currently as both technologies continue advancing
Html5 Application Security
HTML5 introduces significant changes for today\'s websites: new and updated tags, new functionality, better error handling and improved Document Object Model (DOM). However, the HTML5 new features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, associated risks and what a needs to be taken into consideration when implementing HTML5.
WHAT IS HTML5?(20100510)
This document discusses HTML5 and provides an overview of its features. It introduces Shumpei Shiraishi and their work related to HTML5 and Google APIs. It then explains that HTML5 is about more than just HTML, it also includes APIs that allow richer interactions. Some of the key features covered include semantics and accessibility, rich internet applications, 2D and 3D graphics, video and audio, offline web applications, and more. Resources for the Japanese HTML5 community are also listed.
Building rich interface components with SharePoint
The document discusses building rich interfaces for SharePoint using JavaScript and other technologies. It defines a rich interface as browser-based with features similar to desktop applications. The speaker will cover tools for building rich interfaces like jQuery, frameworks, and SharePoint's REST endpoints. He demonstrates a task board application built with jQuery, jQueryUI, and KnockoutJS. The document also discusses SharePoint 2013's focus on JavaScript, REST, and HTML5/CSS3 and considerations for localizing, managing state, and browser back button behavior in rich interfaces.
Attacking with html5(lava kumar)
The document discusses attacking websites using HTML5 features and capabilities. It introduces HTML5 and some of its new tags, attributes, and APIs that can be abused for attacks like cross-site scripting and bypassing input filters. Specific techniques demonstrated include bypassing blacklists using new HTML5 event attributes and tags, setting up reverse web shells using cross-origin requests, and clickjacking via the drag-and-drop API. The talk also covers poisoning the HTML5 application cache and exploiting client-side file includes through cross-origin XMLHttpRequests. Demo attacks are promised to illustrate these HTML5-based vulnerabilities.
Introduction web tech
This document provides information about a national workshop on web interfaces and web applications organized by the Human and Rural Development Society in collaboration with several other organizations. The workshop will be held at the Institute of Modern Sciences and Arts in Hyderabad, India and will be led by master trainer Engr. Liaquat Ali Rahoo. The workshop materials will cover topics related to web technologies, interfaces, and applications.
Owasp2013 johannesullrich
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
HTML5 (Štěpán Bechynský)
Chcete vědět víc? Mnoho dalších prezentací, videí z konferencí, fotografií i jiných dokumentů je k dispozici v institucionálním repozitáři NTK: http://repozitar.techlib.cz
Would you like to know more? Find presentations, reports, conference videos, photos and much more in our institutional repository at: http://repozitar.techlib.cz/?ln=en
HTML5
Many are eagerly waiting for HTML5. What about you? Are you ready for this phase of advanced browsing experience and interactions; Are you ready to engage and delight your customers with a unique experience?
Cygnet Infotech welcomes you to this webinar to help you gear up for the "What", "When" and "Why" about HTML5. Join this 35 min session to learn more.
What You Will Learn in this Webinar
- HTML5 - What is it all about
- Reasons for moving to HTML5
- The Top 10 Tags in HTML5
- Browser Support for HTML5
- Working with HTML5
- How to move current websites to HTML5
- HTML5 for Mobile Applications
- Q&A
If you want to us to cover anything specific in this webinar, leave your message or suggestions at http://www.cygnet-infotech.com/webinars/html5-are-you-ready-for-it
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Sean Kelly and Thomas F. Dinkel present Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects at CSUN 2018
HTML5 - Let’s make the WEB more powerful
This document discusses the evolution of HTML5 from earlier versions of HTML. It notes that HTML5 aims to give the web more power through multimedia, graphics and hardware acceleration without needing plugins. It outlines new features of HTML5 like access to local system resources, offline functionality, and improved graphics capabilities that make the web comparable to native mobile apps. The document also details specific new HTML5 elements, attributes, multimedia capabilities, and APIs for web applications, storage and databases. While HTML5 support varies across browsers, the document argues it is still ready for development using frameworks to standardize the experience.
Tapir user manager
User management is essential for community and interactive web systems. User management is often an afterthought in a project; although it is critical to the usability (a user that can't register log in can't use the service) and managability of a site, developers often build ad hoc solutions that are unreliable, insecure and hard to use. Tapir User Manager is a user management system that's been used to support large traffic sites. This presentation introduces TUM and explains how it's been used for projects at CUL and elsewhere.
Implementing a Multi-Device Approach to E-learning Design (US Session)
This document discusses implementing a multi-device approach to e-learning design. It addresses the current reality of accessing content on multiple devices and browsers. It also discusses challenges like supporting different content types, managing future changes and transitions, and testing across devices. The document promotes using HTML5, CSS3 and JavaScript for content due to benefits like responsive design and accessibility. It also demonstrates rapid interactivity building tools like Raptivity that can be used to create instructionally sound interactions without coding.
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
This document discusses implementing a multi-device approach to e-learning design. It notes that learners now access content across multiple devices and discusses challenges in supporting different devices, browsers, and transitions in web standards. It recommends using HTML5, CSS3, and JavaScript to create responsive design that adapts to different screen sizes. HTML5 elements like video, audio, and semantic tags can make the content easier to read and navigate on different devices. The document also demonstrates Raptivity, a tool for rapidly building interactive content that supports both Flash and HTML5 and can be integrated with authoring tools.
Html5, Native and Platform based Mobile Applications
This presentation compares between different mobile applications techniques: Native, HTML5 and platform based (Flash, JavaFX, Silverlight) as well as review the level of support each alternative has for video.
Html5
HTML5 is the latest revision of HTML that defines new elements and features to improve the semantic structure of web pages and make developing interactive web applications easier. It includes new elements for embedding video and audio, drawing graphics with the canvas element, and enabling offline web applications. While HTML5 is still under development, many modern browsers already support key features like video, geolocation, and local storage. HTML5 aims to make web development simpler by building on existing HTML standards and not requiring changes to existing code.
HTML5: An Introduction To Next Generation Web Development
HTML5 is the next generation web development standard that improves upon HTML4 and XHTML. It focuses on features rather than syntax, and includes new elements like <article> and <section>, native audio/video support, drawing APIs, geolocation, drag and drop, web forms 2.0, and more. HTML5 aims to improve multimedia capabilities while keeping code readable by humans and machines. It is supported by all major browsers, though support for specific features may vary, and polyfills can help with backwards compatibility.
Fundamentals of HTML5
HTML5 has changed the Web as we know it. The newest markup language has some exciting features that, for example, make it easy to embed and play multimedia content on the web without having to use proprietary plugins like Adobe’s Flash.
In this webinar, learn:
What HTML5 is and what it can do
New HTML5 tags
Useful coding examples
Testing and validation of your site
Future of HTML5
Participants will be given server space to create their own page and will be required to have a basic HTML editor like Notepad, Notepad++ or Eclipse.
Hardware security testing 101 (Null - Delhi Chapter)
Arun Mane is the founder and director of AmynaSec Labs. He is a security speaker and trainer who has presented at many conferences including Defcon, Blackhat, Nullcon, and HITB. His areas of expertise include security testing of IoT devices, connected vehicles, medical devices, and industrial control systems. Some common issues he finds include devices being publicly accessible, having backdoors, hardcoded credentials, and crypto or web application management problems. His testing methodology involves assessing web and mobile applications, embedded device communications, hardware testing through reverse engineering, and analyzing communication protocols and stored data.
Osint primer
This document outlines an agenda for a presentation on open-source intelligence (OSINT) gathering techniques. The agenda includes an introduction to OSINT, different types of intelligence gathering, a scenario example, OSINT gathering tactics and tools like Shodan, TheHarvester and Google dorks, applications of OSINT, a demonstration, references for OSINT, and a conclusion. Key OSINT tools that will be demonstrated include Twitter, Shodan, TheHarvester and Google dorks for gathering information from public online sources.
More Related Content
Similar to Html5 for Security Folks
HTML 5
Prof. Erwin M. Globio gave a presentation on HTML5 that covered:
1) The history and development of HTML5 by groups like WHATWG and its adoption by W3C.
2) New features in HTML5 like audio, video, and canvas elements to enable richer content as well as geo-location APIs for mobile apps.
3) Issues with older standards like HTML4 and XHTML2 that HTML5 aims to address and improve cross-browser compatibility.
4) Questions around browser support for HTML5 and implications for web designers in adopting the new standard.
BeEF_EUSecWest-2012_Michele-Orru
Brief intro to BeEF
New core features: RESTful API, WebSockets, HTTPS
New extensions:
Evasion, Social Engineering
DevTeach Ottawa - Silverlight5 and HTML5
This document summarizes a presentation given by Frédéric HARPER and Laurent DUVEAU comparing the web development technologies Silverlight and HTML5. Some key points:
- Silverlight is a plugin that allows developing rich desktop-style applications for web browsers, while HTML5 can be used on any device with recent browsers without plugins.
- Both support development with Visual Studio and provide controls and capabilities for graphics, media, 3D, and data binding, though Silverlight controls and capabilities are more extensive currently.
- Performance benchmarks comparing row processing, vector graphics, and bitmap manipulation between the two technologies were demonstrated.
- The presenters concluded there is no clear winner currently as both technologies continue advancing
Html5 Application Security
HTML5 introduces significant changes for today\'s websites: new and updated tags, new functionality, better error handling and improved Document Object Model (DOM). However, the HTML5 new features come with new (application) security vulnerabilities. This presentation reviews the new attack vectors, associated risks and what a needs to be taken into consideration when implementing HTML5.
WHAT IS HTML5?(20100510)
This document discusses HTML5 and provides an overview of its features. It introduces Shumpei Shiraishi and their work related to HTML5 and Google APIs. It then explains that HTML5 is about more than just HTML, it also includes APIs that allow richer interactions. Some of the key features covered include semantics and accessibility, rich internet applications, 2D and 3D graphics, video and audio, offline web applications, and more. Resources for the Japanese HTML5 community are also listed.
Building rich interface components with SharePoint
The document discusses building rich interfaces for SharePoint using JavaScript and other technologies. It defines a rich interface as browser-based with features similar to desktop applications. The speaker will cover tools for building rich interfaces like jQuery, frameworks, and SharePoint's REST endpoints. He demonstrates a task board application built with jQuery, jQueryUI, and KnockoutJS. The document also discusses SharePoint 2013's focus on JavaScript, REST, and HTML5/CSS3 and considerations for localizing, managing state, and browser back button behavior in rich interfaces.
Attacking with html5(lava kumar)
The document discusses attacking websites using HTML5 features and capabilities. It introduces HTML5 and some of its new tags, attributes, and APIs that can be abused for attacks like cross-site scripting and bypassing input filters. Specific techniques demonstrated include bypassing blacklists using new HTML5 event attributes and tags, setting up reverse web shells using cross-origin requests, and clickjacking via the drag-and-drop API. The talk also covers poisoning the HTML5 application cache and exploiting client-side file includes through cross-origin XMLHttpRequests. Demo attacks are promised to illustrate these HTML5-based vulnerabilities.
Introduction web tech
This document provides information about a national workshop on web interfaces and web applications organized by the Human and Rural Development Society in collaboration with several other organizations. The workshop will be held at the Institute of Modern Sciences and Arts in Hyderabad, India and will be led by master trainer Engr. Liaquat Ali Rahoo. The workshop materials will cover topics related to web technologies, interfaces, and applications.
Owasp2013 johannesullrich
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
HTML5 (Štěpán Bechynský)
Chcete vědět víc? Mnoho dalších prezentací, videí z konferencí, fotografií i jiných dokumentů je k dispozici v institucionálním repozitáři NTK: http://repozitar.techlib.cz
Would you like to know more? Find presentations, reports, conference videos, photos and much more in our institutional repository at: http://repozitar.techlib.cz/?ln=en
HTML5
Many are eagerly waiting for HTML5. What about you? Are you ready for this phase of advanced browsing experience and interactions; Are you ready to engage and delight your customers with a unique experience?
Cygnet Infotech welcomes you to this webinar to help you gear up for the "What", "When" and "Why" about HTML5. Join this 35 min session to learn more.
What You Will Learn in this Webinar
- HTML5 - What is it all about
- Reasons for moving to HTML5
- The Top 10 Tags in HTML5
- Browser Support for HTML5
- Working with HTML5
- How to move current websites to HTML5
- HTML5 for Mobile Applications
- Q&A
If you want to us to cover anything specific in this webinar, leave your message or suggestions at http://www.cygnet-infotech.com/webinars/html5-are-you-ready-for-it
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Sean Kelly and Thomas F. Dinkel present Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects at CSUN 2018
HTML5 - Let’s make the WEB more powerful
This document discusses the evolution of HTML5 from earlier versions of HTML. It notes that HTML5 aims to give the web more power through multimedia, graphics and hardware acceleration without needing plugins. It outlines new features of HTML5 like access to local system resources, offline functionality, and improved graphics capabilities that make the web comparable to native mobile apps. The document also details specific new HTML5 elements, attributes, multimedia capabilities, and APIs for web applications, storage and databases. While HTML5 support varies across browsers, the document argues it is still ready for development using frameworks to standardize the experience.
Tapir user manager
User management is essential for community and interactive web systems. User management is often an afterthought in a project; although it is critical to the usability (a user that can't register log in can't use the service) and managability of a site, developers often build ad hoc solutions that are unreliable, insecure and hard to use. Tapir User Manager is a user management system that's been used to support large traffic sites. This presentation introduces TUM and explains how it's been used for projects at CUL and elsewhere.
Implementing a Multi-Device Approach to E-learning Design (US Session)
This document discusses implementing a multi-device approach to e-learning design. It addresses the current reality of accessing content on multiple devices and browsers. It also discusses challenges like supporting different content types, managing future changes and transitions, and testing across devices. The document promotes using HTML5, CSS3 and JavaScript for content due to benefits like responsive design and accessibility. It also demonstrates rapid interactivity building tools like Raptivity that can be used to create instructionally sound interactions without coding.
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
This document discusses implementing a multi-device approach to e-learning design. It notes that learners now access content across multiple devices and discusses challenges in supporting different devices, browsers, and transitions in web standards. It recommends using HTML5, CSS3, and JavaScript to create responsive design that adapts to different screen sizes. HTML5 elements like video, audio, and semantic tags can make the content easier to read and navigate on different devices. The document also demonstrates Raptivity, a tool for rapidly building interactive content that supports both Flash and HTML5 and can be integrated with authoring tools.
Html5, Native and Platform based Mobile Applications
This presentation compares between different mobile applications techniques: Native, HTML5 and platform based (Flash, JavaFX, Silverlight) as well as review the level of support each alternative has for video.
Html5
HTML5 is the latest revision of HTML that defines new elements and features to improve the semantic structure of web pages and make developing interactive web applications easier. It includes new elements for embedding video and audio, drawing graphics with the canvas element, and enabling offline web applications. While HTML5 is still under development, many modern browsers already support key features like video, geolocation, and local storage. HTML5 aims to make web development simpler by building on existing HTML standards and not requiring changes to existing code.
HTML5: An Introduction To Next Generation Web Development
HTML5 is the next generation web development standard that improves upon HTML4 and XHTML. It focuses on features rather than syntax, and includes new elements like <article> and <section>, native audio/video support, drawing APIs, geolocation, drag and drop, web forms 2.0, and more. HTML5 aims to improve multimedia capabilities while keeping code readable by humans and machines. It is supported by all major browsers, though support for specific features may vary, and polyfills can help with backwards compatibility.
Fundamentals of HTML5
HTML5 has changed the Web as we know it. The newest markup language has some exciting features that, for example, make it easy to embed and play multimedia content on the web without having to use proprietary plugins like Adobe’s Flash.
In this webinar, learn:
What HTML5 is and what it can do
New HTML5 tags
Useful coding examples
Testing and validation of your site
Future of HTML5
Participants will be given server space to create their own page and will be required to have a basic HTML editor like Notepad, Notepad++ or Eclipse.
Similar to Html5 for Security Folks (20)
Building rich interface components with SharePoint
Building rich interface components with SharePoint
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Three Developer Behaviors to Eliminate 85 Percent of Accessibility Defects
Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (US Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Implementing a Multi-Device Approach to E-learning Design (APAC Session)
Html5, Native and Platform based Mobile Applications
Html5, Native and Platform based Mobile Applications
HTML5: An Introduction To Next Generation Web Development
HTML5: An Introduction To Next Generation Web Development
More from n|u - The Open Security Community
Hardware security testing 101 (Null - Delhi Chapter)
Arun Mane is the founder and director of AmynaSec Labs. He is a security speaker and trainer who has presented at many conferences including Defcon, Blackhat, Nullcon, and HITB. His areas of expertise include security testing of IoT devices, connected vehicles, medical devices, and industrial control systems. Some common issues he finds include devices being publicly accessible, having backdoors, hardcoded credentials, and crypto or web application management problems. His testing methodology involves assessing web and mobile applications, embedded device communications, hardware testing through reverse engineering, and analyzing communication protocols and stored data.
Osint primer
This document outlines an agenda for a presentation on open-source intelligence (OSINT) gathering techniques. The agenda includes an introduction to OSINT, different types of intelligence gathering, a scenario example, OSINT gathering tactics and tools like Shodan, TheHarvester and Google dorks, applications of OSINT, a demonstration, references for OSINT, and a conclusion. Key OSINT tools that will be demonstrated include Twitter, Shodan, TheHarvester and Google dorks for gathering information from public online sources.
SSRF exploit the trust relationship
This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist
Nmap basics
Nmap is a network scanning tool that can perform port scanning, operating system detection, and version detection among other features. It works by sending TCP and UDP packets to a target machine and examining the response, comparing it to its database to determine open ports and operating system. There are different scanning techniques that can be used like TCP SYN scanning, UDP scanning, and OS detection. Nmap also includes a scripting engine that allows users to write scripts to automate networking tasks. The presentation concludes with demonstrating Nmap's features through some examples.
Metasploit primary
The document provides an introduction and overview of the Metasploit Framework. It defines key terms like vulnerability, exploit, and payload. It outlines the scenario of testing a subnet to find vulnerabilities. It describes the main features of msfconsole like searching for modules, using specific modules, and configuring options. It promotes understanding and proper use, emphasizing that Metasploit alone does not make someone a hacker.
Api security-testing
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injections attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
Introduction to TLS 1.3
TLS 1.3 is an update to the Transport Layer Security protocol that improves security and privacy. It removes vulnerable optional parts of TLS 1.2 and only supports strong ciphers to implement perfect forward secrecy. The handshake process is also significantly shortened. TLS 1.3 provides security benefits by removing outdated ciphers and privacy benefits by enabling perfect forward secrecy by default, ensuring only endpoints can decrypt traffic even if server keys are compromised in the future.
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
This document provides an introduction to hacking mainframes in 2020. It begins with an overview of mainframe systems and terminology. It then discusses reconnaissance methods like port scanning and credential theft to gain initial access. Next, it covers conducting internal reconnaissance to escalate privileges by exploiting surrogate users, APF authorized libraries, and UNIX privilege escalation techniques. The document aims to provide enough context for curiosity about hacking mainframe systems.Talking About SSRF,CRLF
The document discusses CRLF injection and SSRF vulnerabilities. CRLF injection occurs when user input is directly parsed into response headers without sanitization, allowing special characters to be injected. SSRF is when a server is induced to make HTTP requests to domains of an attacker's choosing, potentially escalating access. Mitigations include sanitizing user input, implementing whitelists for allowed domains/protocols, and input validation.
Building active directory lab for red teaming
The document provides an overview of Active Directory, including its components and how it is used to centrally manage users, computers, and other objects within a network. It discusses key Active Directory concepts such as forests, domains, organizational units, users, computers, and domain trusts. It also provides step-by-step instructions for setting up an Active Directory lab environment for red teaming purposes and integrating a client machine into the domain.
Owning a company through their logs
A security engineer discusses how logs and passive reconnaissance can reveal sensitive information like AWS credentials. The engineer searched for open Jenkins and SonarQube instances which led to discovering Slack channels containing AWS access keys. Key lessons are to know your boundaries, automate mundane tasks, don't presume systems mask secrets, and persistence is important in security work.
Introduction to shodan
Shodan is a search engine that indexes internet-connected devices and provides information about devices, banners, and metadata. It works by generating random IP addresses and port scans to retrieve banner information from devices. This information is then stored in a searchable database. Users can search Shodan's database using filters like country, city, IP address, operating system, and ports. Shodan can be accessed through its website or command line interface. While useful for security research, Shodan also raises privacy and security concerns by revealing information about unprotected devices.
Cloud security
This document outlines an agenda for discussing cloud security. It begins with an introduction to cloud computing and deployment models. It then discusses challenges of cloud computing and why cloud security is important. Specific threats like data breaches and account hijacking are listed. The document reviews the shared responsibility model and scope of security in public clouds. It describes cloud security penetration testing methods like static and dynamic application testing. Finally, it provides prerequisites and methods for conducting cloud penetration testing, including reconnaissance, threat modeling, and following standard testing methodologies.
Detecting persistence in windows
This document discusses several techniques for maintaining persistence on Windows systems, including modifying accessibility features, injecting into image file execution options, using AppInit DLLs, application shimming, BITS jobs, registry run keys, and Windows Management Instrumentation event subscriptions. It provides details on how each technique works, common implementations, required privileges, relevant data sources, and example event log entries.
Frida - Objection Tool Usage
Frida is a dynamic instrumentation toolkit that allows injecting JavaScript into applications. Objection is a runtime mobile exploration toolkit powered by Frida that helps assess the security of mobile apps. It supports iOS and Android. Objection allows exploring apps by listing classes, methods, and injecting scripts to enable dynamic analysis like dumping keychain entries.
OSQuery - Monitoring System Process
Osquery is an open source tool that allows users to perform SQL queries on their system to retrieve information. It supports various platforms and makes it easy to get details about the system. Osquery consists of Osqueryi, Osqueryd, and Osqueryctl components. Basic queries can be run in user context mode to view system information, configuration, and tables. Osqueryd runs in daemon mode and can be configured using packs and decorators to monitor specific events and files. Osqueryctl is used to control the Osquery daemon process.
DevSecOps Jenkins Pipeline -Security
This document discusses DevSecOps, beginning with an introduction from Tibin Lukose. It then covers some challenges in DevSecOps such as developers lacking security skills, cultural challenges, and difficulties balancing speed, coverage and accuracy in testing. The document proposes a model DevSecOps company, Infosys, and provides a demo and contact information for any further questions.
Extensible markup language attacks
This document provides an introduction to XML and related technologies like libxml2, XSLT, XPath, and XML attacks. It discusses the basics of XML including elements, tags, attributes, and validation. It also describes common XML libraries and tools like libxml2, xmllint, and xsltproc. Finally, it provides an overview of different types of XML attacks like XML injection, XPath injection, XXE, and XSLT injection.
Linux for hackers
This document contains the agenda for a presentation on Linux for hackers. The agenda includes discussing the Linux file system, managing virtual machines smartly, command line tools like alias, tee, pipe, grep, cut, uniq, and xargs, Bash scripting, logging, and proxy chaining. It also mentions demonstrating several commands and tools. The presentation aims to be an interactive session where the presenter will answer any questions from attendees.
Android Pentesting
This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.
More from n|u - The Open Security Community (20)
Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Recently uploaded
PCOS corelations and management through Ayurveda.
This presentation includes basic of PCOS their pathology and treatment and also Ayurveda correlation of PCOS and Ayurvedic line of treatment mentioned in classics.
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)Academy of Science of South Africa
A workshop hosted by the South African Journal of Science aimed at postgraduate students and early career researchers with little or no experience in writing and publishing journal articles.The History of Stoke Newington Street Names
Presented at the Stoke Newington Literary Festival on 9th June 2024
www.StokeNewingtonHistory.com
Advanced Java[Extra Concepts, Not Difficult].docx
This is part 2 of my Java Learning Journey. This contains Hashing, ArrayList, LinkedList, Date and Time Classes, Calendar Class and more.
Main Java[All of the Base Concepts}.docx
This is part 1 of my Java Learning Journey. This Contains Custom methods, classes, constructors, packages, multithreading , try- catch block, finally block and more.
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
Denis is a dynamic and results-driven Chief Information Officer (CIO) with a distinguished career spanning information systems analysis and technical project management. With a proven track record of spearheading the design and delivery of cutting-edge Information Management solutions, he has consistently elevated business operations, streamlined reporting functions, and maximized process efficiency.
Certified as an ISO/IEC 27001: Information Security Management Systems (ISMS) Lead Implementer, Data Protection Officer, and Cyber Risks Analyst, Denis brings a heightened focus on data security, privacy, and cyber resilience to every endeavor.
His expertise extends across a diverse spectrum of reporting, database, and web development applications, underpinned by an exceptional grasp of data storage and virtualization technologies. His proficiency in application testing, database administration, and data cleansing ensures seamless execution of complex projects.
What sets Denis apart is his comprehensive understanding of Business and Systems Analysis technologies, honed through involvement in all phases of the Software Development Lifecycle (SDLC). From meticulous requirements gathering to precise analysis, innovative design, rigorous development, thorough testing, and successful implementation, he has consistently delivered exceptional results.
Throughout his career, he has taken on multifaceted roles, from leading technical project management teams to owning solutions that drive operational excellence. His conscientious and proactive approach is unwavering, whether he is working independently or collaboratively within a team. His ability to connect with colleagues on a personal level underscores his commitment to fostering a harmonious and productive workplace environment.
Date: May 29, 2024
Tags: Information Security, ISO/IEC 27001, ISO/IEC 42001, Artificial Intelligence, GDPR
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: ISO/IEC 27001 Information Security Management System - EN | PECB
ISO/IEC 42001 Artificial Intelligence Management System - EN | PECB
General Data Protection Regulation (GDPR) - Training Courses - EN | PECB
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
How to Make a Field Mandatory in Odoo 17
In Odoo, making a field required can be done through both Python code and XML views. When you set the required attribute to True in Python code, it makes the field required across all views where it's used. Conversely, when you set the required attribute in XML views, it makes the field required only in the context of that particular view.
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Iván Bornacelly, Policy Analyst at the OECD Centre for Skills, OECD, presents at the webinar 'Tackling job market gaps with a skills-first approach' on 12 June 2024
ANATOMY AND BIOMECHANICS OF HIP JOINT.pdf
it describes the bony anatomy including the femoral head , acetabulum, labrum . also discusses the capsule , ligaments . muscle that act on the hip joint and the range of motion are outlined. factors affecting hip joint stability and weight transmission through the joint are summarized.
Wound healing PPT
This document provides an overview of wound healing, its functions, stages, mechanisms, factors affecting it, and complications.
A wound is a break in the integrity of the skin or tissues, which may be associated with disruption of the structure and function.
Healing is the body’s response to injury in an attempt to restore normal structure and functions.
Healing can occur in two ways: Regeneration and Repair
There are 4 phases of wound healing: hemostasis, inflammation, proliferation, and remodeling. This document also describes the mechanism of wound healing. Factors that affect healing include infection, uncontrolled diabetes, poor nutrition, age, anemia, the presence of foreign bodies, etc.
Complications of wound healing like infection, hyperpigmentation of scar, contractures, and keloid formation.
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশের অর্থনৈতিক সমীক্ষা ২০২৪ [Bangladesh Economic Review 2024 Bangla.pdf] কম্পিউটার , ট্যাব ও স্মার্ট ফোন ভার্সন সহ সম্পূর্ণ বাংলা ই-বুক বা pdf বই " সুচিপত্র ...বুকমার্ক মেনু 🔖 ও হাইপার লিংক মেনু 📝👆 যুক্ত ..
আমাদের সবার জন্য খুব খুব গুরুত্বপূর্ণ একটি বই ..বিসিএস, ব্যাংক, ইউনিভার্সিটি ভর্তি ও যে কোন প্রতিযোগিতা মূলক পরীক্ষার জন্য এর খুব ইম্পরট্যান্ট একটি বিষয় ...তাছাড়া বাংলাদেশের সাম্প্রতিক যে কোন ডাটা বা তথ্য এই বইতে পাবেন ...
তাই একজন নাগরিক হিসাবে এই তথ্য গুলো আপনার জানা প্রয়োজন ...।
বিসিএস ও ব্যাংক এর লিখিত পরীক্ষা ...+এছাড়া মাধ্যমিক ও উচ্চমাধ্যমিকের স্টুডেন্টদের জন্য অনেক কাজে আসবে ...
clinical examination of hip joint (1).pdf
described clinical examination all orthopeadic conditions .
Recently uploaded (20)
South African Journal of Science: Writing with integrity workshop (2024)
South African Journal of Science: Writing with integrity workshop (2024)
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
ISO/IEC 27001, ISO/IEC 42001, and GDPR: Best Practices for Implementation and...
Digital Artefact 1 - Tiny Home Environmental Design
Digital Artefact 1 - Tiny Home Environmental Design
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Beyond Degrees - Empowering the Workforce in the Context of Skills-First.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Pengantar Penggunaan Flutter - Dart programming language1.pptx
Film vocab for eal 3 students: Australia the movie
Film vocab for eal 3 students: Australia the movie
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
বাংলাদেশ অর্থনৈতিক সমীক্ষা (Economic Review) ২০২৪ UJS App.pdf
Liberal Approach to the Study of Indian Politics.pdf
Liberal Approach to the Study of Indian Politics.pdf
Html5 for Security Folks
- 1. HTML5 for Security folks!! Have you upgraded your skillset? Vaibhav Gupta Security Researcher - Adobe Twitter: @vaibhavgupta_1
- 2. What is HTML5? • The next revision for HTML • Tons of new features/technologies/APIs • Rich multimedia support • Its just an update….old HTML still works! • Blah blah…….“Work in progress”
- 3. Information Security Impact • Most attacks are already possible, HTML5 simply makes them easier or more powerful • Great majority of these vulnerabilities affect the browser and doesn’t have any direct impact on the server
- 4. Interesting Features • Cross Origin Resource Sharing (CORS) • Web Storage • IFRAME Sandboxing • Web Messaging • Multimedia & Graphics • Getlocation • …… many more!
- 6. Cross Origin Resource Sharing
- 10. OPTIONS /usermail HTTP/1.1 Origin: mail.example.com Content-Type: text/html HTTP/1.0 200 OK Access-Control-Allow-Origin: http://www.example.com, https://login.example.com Access-Control-Allow-Methods: POST, GET, OPTIONS Access-Control-Allow-Headers: X-Prototype-Version, X-Requested-With, Content-Type, Accept Access-Control-Max-Age: 86400 Content-Type: text/html; charset=US-ASCII Connection: keep-alive Content-Length: 0 Configuring CORS correctly
- 13. • Session Hijacking • Confidential Information Risk • User Tracking • Persistent Attack Vectors
- 14. IFRAM Sandboxing • Really good security feature ! • “sandbox” attribute disables form submissions, scripts, popups etc. <iframe sandbox src=“http://e.com”></iframe> • Can be relaxed with few tokens <iframe sandbox=“allow-scripts” src=“http://e.com”></iframe> • !! Disables JS based frame busting defense !!
- 15. Content Security Policy (CSP)
- 19. Enough of CRAP !
- 20. References: • Examples: slides.html5rocks.com • Slides content: prezi.com/k2ibkogftt2i/understanding-html5- security • And……google.com