While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and applying a set of tests and heuristics to determine whether the generated pages contain HPP vulnerabilities. We used this system to conduct a large-scale experiment, testing more than 5,000 popular websites and discovering previously unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. All of these sites have been informed and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
The document describes a methodology for discovering vulnerabilities in a fictional application with a microservices architecture. It involves mapping out all APIs, endpoints, subdomains and requests to extract a comprehensive list. Parameters are then fuzzed on all combinations to find unintended behaviors like old or unused endpoints exposing more data than intended, or endpoints making internal calls that can be exploited through server-side request forgery or path traversal. Examples are given of similar vulnerabilities discovered in real applications, such as an unused JSON API leaking private user data, path traversal through internal API calls, and account hijacking through improper protection of authentication keys.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 (Frans Rosén)
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason, and why Doctors without Borders is trying to hunt him down.
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition (Soroush Dalili)
This document provides an introduction to short file names (SFN) in Windows and discusses issues related to inadvertently disclosing SFNs through IIS. It begins with an overview of how SFNs work and how they map to long file names. It then discusses the history of SFN disclosure through IIS and how it can be abused to reveal sensitive file names. The document provides examples of automatically and manually enumerating SFNs to discover long file names. It concludes with tips and tricks for SFN enumeration along with examples of using it to reveal parts of unknown file names.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built, along with more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
HTTP Request Smuggling via higher HTTP versions (neexemil)
This document summarizes HTTP request smuggling vulnerabilities. It explains how an attacker can craft a single HTTP request that is parsed differently by the frontend and backend servers, allowing the backend to interpret additional hidden requests. Several exploitation techniques and detection methods are described, including issues that can arise with HTTP/1, HTTP/2, and protocols like WebSockets. Automated testing tools have been developed but further research is still needed to fully understand and prevent these attacks.
How to steal and modify data using Business Logic flaws - Insecure Direct Obj... (Frans Rosén)
This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.
This document discusses exploiting vulnerabilities related to HTTP host header tampering. It notes that tampering with the host header can lead to issues like password reset poisoning, cache poisoning, and cross-site scripting. It provides examples of how normal host header usage can be tampered with, including by spoofing the header to direct traffic to malicious sites. The document also lists some potential victims of host header attacks, like Drupal, Django and Joomla, and recommends developers check settings to restrict allowed hosts. It proposes methods for bruteforcing subdomains and host headers to find vulnerabilities.
Rest API Security - A quick understanding of Rest API Security (Mohammed Fazuluddin)
This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
General WAF detection and bypassing techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injection attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
Top 10 Web Security Vulnerabilities (OWASP Top 10) (Brian Huff)
The document summarizes the top 10 security vulnerabilities in web applications according to the Open Web Application Security Project (OWASP). These include injection flaws, cross-site scripting, broken authentication and session management, insecure direct object references, cross-site request forgery, security misconfiguration, insecure cryptographic storage, failure to restrict URL access, insufficient transport layer protection, and unvalidated redirects and forwards. Countermeasures for each vulnerability are also provided.
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services (Abraham Aranguren)
XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services, followed by XXE and XEE attacks and their mitigation. Heavily inspired by the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
Pentesting Rest API's by Gaurang Bhatnagar (OWASP Delhi)
▸ Brief overview of API
▸ Fingerprinting & Discovering API
▸ Authentication attacks on API (JWT)
▸ Authorization attacks on API (OAuth)
▸ Bruteforce attacks on API
▸ Attacking Dev/Staging API
▸ Traditional attacks
The document discusses the OWASP API Security Top 10 project which aims to raise awareness of common API vulnerabilities. It highlights some frequent issues like input validation problems, insecure configurations, and data/exception leakage. The document also demonstrates examples of these vulnerabilities using a vulnerable demo API called Pixi.
This document discusses server-side request forgery (SSRF) exploitation. It provides examples of how SSRF can be used to access internal networks and bypass authentication by forging requests from the vulnerable server. Specific cases described include exploiting OAuth token hijacking, memcached exploitation using protocol smuggling, and exploiting vulnerabilities in libraries like TCPDF, LWP, and Postgres that enable SSRF. The document encourages finding creative ways to leverage SSRF and related vulnerabilities like open redirects, XML external entities, and SQL injection to compromise hosts and internal services.
This document outlines the OWASP API Security Top 10 project which identifies the top 10 risks associated with modern application programming interfaces (APIs). It describes each of the top 10 risks, including broken authentication, excessive data exposure, lack of resources and rate limiting, and insufficient logging and monitoring. For each risk, it provides real-world examples of APIs that have been exploited and mitigation strategies are proposed. Additional resources for the project are listed at the end.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour (Soroush Dalili)
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ... (CODE BLUE)
We propose a new exploit technique that brings a whole new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, which we used in combination with our own fuzzing tool to discover many 0days in the built-in libraries of very widely used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency between URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Having understood the basics of this technique, the audience won’t be surprised to learn that more than 20 vulnerabilities have been found via it in the famous programming languages and web applications mentioned above.
Http Parameter Pollution, a new category of web attacks (Stefano Di Paola)
On May 14th @ OWASP Appsec Poland 2009, Stefano Di Paola (Minded Security) and Luca Carettoni presented a new attack category called Http Parameter Pollution (HPP).
HPP attacks can be defined as the possibility to override or add HTTP GET/POST parameters by injecting query string delimiters.
It affects a building block of all web technologies, so both server-side and client-side attacks exist.
Exploiting HPP vulnerabilities, it may be possible to:
* Override existing hardcoded HTTP parameters.
* Modify the application behaviors.
* Access and potentially exploit uncontrollable variables.
* Bypass input validation checkpoints and WAFs rules.
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed (Mazin Ahmed)
Backup-File Artifacts: The Underrated Web-Danger
Testing and Exploiting Backup-File Artifacts with BFAC
BFAC Homepage: https://github.com/mazen160
Blog Post: http://blog.mazinahmed.net/2016/08/backup-file-artifacts.html
1. This document describes how to enable and disable hard disk drive (HDD) passwords on Dell client systems using the Client Configuration Toolkit (CCTK).
2. The steps include checking for HDD availability in the BIOS, using the "hddinfo" and "hddpwd" CCTK commands to view HDD details and set passwords, rebooting the system for changes to take effect, and verifying passwords are set properly in the BIOS and through additional CCTK commands.
3. The process to clear an HDD password uses the "hddpwd=" CCTK command along with the valid password that was previously set.
A customizable Enterprise Asset Management presentation you can use to share your learnings with the rest of your team. For more information, visit http://softworx.co.za
The document describes a new type of denial-of-service (DoS) attack that can occur in cloud data centers due to their underprovisioned nature. It identifies that by saturating the network bandwidth between hosts in different subnets, an attacker can target specific applications by congesting the uplink connecting the targeted subnet. It then proposes two approaches for an attacker to identify the network topology and determine a suitable bottleneck link to attack. Finally, it shows that through rapidly launching many virtual machines, an attacker can quickly gain access to a sufficient number of hosts connected to the targeted router subnet to launch an effective bandwidth saturation attack.
HTTP(S)-Based Clustering for Assisted Cybercrime Investigations (Marco Balduzzi)
This document describes SPuNge, a system for using HTTP(S) clustering to assist with cybercrime investigations into targeted attacks. SPuNge processes network traces to cluster similar malicious URLs and group machines that request those URLs. It identifies potential targeted attacks as groups of 2-5 machines from the same industry or country reaching clusters of similar URLs. The system was tested on one week of data and found multiple examples of potential targeted attacks on organizations in technology and oil/gas industries from Russia and China.
Cloud computing security policy framework for mitigating denial of service at... (Venkatesh Prabhu)
The document proposes a security management framework to mitigate denial of service attacks on cloud storage systems. The framework uses a cloud controller in a virtual machine to control data access management by blocking illegal data access. It aims to provide high-level security mechanisms to detect malicious access in cloud storage systems and implement a security policy framework. The proposed system was found to economically provide scaling and security against DOS attacks, though it has limitations such as taking time for installation and the virtual machine failure causing system shutdown.
All content not indexed by traditional web-based search engines is known as the DeepWeb. Wrongly associated only with Onion Routing (TOR), the DeepWeb's ecosystem comprises a number of other anonymous and decentralized networks. The Invisible Internet Project (I2P), FreeNET, and Alternative Domain Names (like Name.Space and OpenNic) are examples of networks leveraged by bad actors to host malware, highly resilient botnets, underground forums and bitcoin-based cashout systems (e.g., for cryptolockers).
We designed and implemented a prototype system called DeWA for the automated collection and analysis of the DeepWeb, with the goal of quickly identifying new threats as soon as they appear.
In this talk, we provide concrete examples of how DeWA can be used to detect, e.g., trading of illicit and counterfeit goods, underground forums, privacy leaks, hidden dropzones, malware hosting and TOR-based botnets.
HITB2012AMS - SatanCloud: A Journey Into the Privacy and Security Risks of Cl... (Marco Balduzzi)
This document summarizes the findings of an automated analysis of over 5,000 Amazon Machine Images (AMIs) on Amazon's Elastic Compute Cloud (EC2) platform. The analysis found that a high percentage of AMIs contained known software vulnerabilities, malware infections, leftover credentials, and recoverable deleted files containing sensitive data. The security risks demonstrate that users must take precautions when obtaining and sharing AMIs to avoid unintentionally enabling attacks or compromising privacy.
The presentation we created in our class is going to be presented at the Musical School on the 14th of December. All city schools will participate in this holiday, which is devoted to our great writer.
This document discusses security threats in cloud computing. It introduces the concept of a threat model for analyzing security problems by identifying attackers, assets, vulnerabilities and threats. The key components of a threat model are described, including different types of attackers like insiders and outsiders, the assets and goals of attackers, and common threats organized using the STRIDE framework. Building an accurate threat model is important for designing appropriate security defenses for a cloud computing system.
This document discusses the configuration of electrical substations and distribution feeders. It mentions substations, distribution feeders, load points, sectionalizer switches, tie switches, and load joints connecting to other feeders. A new configuration is proposed.
The document introduces several characters including Ruslan and his dog Bibo, a baby with a toy, a sheriff with a big cap, a teacher with pretty glasses, students with books, minions with a blue and red scooter, a dog named Jake, and asks questions about characters' names.
Monitoring Application Attack Surface and Integrating Security into DevOps Pi... (Denim Group)
A web application’s attack surface is the combination of URLs it will respond to as well as the inputs to those URLs that can change the behavior of the application. Understanding an application’s attack surface is critical to being able to provide sufficient security test coverage, and by watching an application’s attack surface change over time security and development teams can help target and optimize testing activities. This presentation looks at methods of calculating web application attack surface and tracking the evolution of attack surface over time. In addition, it looks at metrics and thresholds that can be used to craft policies for integrating different testing activities into Continuous Integration / Continuous Delivery (CI/CD) pipelines for teams integrating security into their DevOps practices.
A Hacker's Perspective on Embedded Device Security, presented by Paul Dant of Independent Security Evaluators at the Security of Things Forum, Sept. 10, 2015
This document discusses integrating metrics collection and graphing into application frameworks to provide security-focused dashboards. It outlines collecting data from operating systems, services, frameworks and applications. Integration would make measurements frictionless for developers. Suggested dashboards focus on system health, application behaviors and errant behaviors to identify security issues. Metrics can detect problems like long queries, errors and abnormal page loads.
The PAC aims to promote engagement between various experts from around the world and to create relevant, value-added content sharing between members. For Neotys, it strengthens our position as a thought leader in load & performance testing.
Since its beginning, the PAC has been designed to connect performance experts during a single event. In June, over 24 hours, 20 participants convened to explore several topics on the minds of today's performance testers, such as DevOps, Shift Left/Right, Test Automation, Blockchain and Artificial Intelligence.
The document discusses techniques for rapidly testing web applications through automation to find security vulnerabilities within a limited time frame (T) and network requests (Q). It proposes prioritizing testing based on features like platform, number of inputs, and response status. Algorithmic approaches are suggested like using polyglot payloads to check for multiple issues simultaneously, building a decision tree to classify hackability, and calculating page priorities to guide the scan. Whitebox testing techniques like custom grep scripts to find code vulnerabilities are also covered. The goal is to build an efficient automated web application scanner that traverses the "pwning paths graph" to find bugs within the constraints.
Slides for OWASP Pune Chapter Meetup dated 21st Apr 2016
Testing web applications for security issues and protecting them effectively requires the use of various methodologies. Each of these has its own advantages and disadvantages. The talk starts with an overview of the methodologies and then discusses how they can be combined to get the best results. Towards the end it also touches on the emerging trends in the WebAppSec world.
Monitoring a Kubernetes-backed microservice architecture with Prometheus (Fabian Reinartz)
Like many startups of the last decade, SoundCloud's architecture started as a Ruby-on-Rails monolith, which later had to be broken into microservices to cope with the growing size and complexity of the site. The microservices initially ran on an in-house container management and deployment platform. Recently, the company has started to migrate to Kubernetes.
With the introduction of microservices, the existing conventional monitoring setup failed both conceptually and in terms of scalability. Thus, starting in 2012, SoundCloud invested heavily into the development of the open-source monitoring system Prometheus, which was designed for large-scale highly dynamic service-oriented architectures.
Migrating to Kubernetes, it became apparent that Prometheus and Kubernetes are a match made in open-source heaven. The talk will demonstrate the current Prometheus setup at SoundCloud, monitoring a large-scale Kubernetes cluster.
Some old and new tips, tricks and tools for rapid web application security assessment (black and white box). They are useful in various situations: a pentest with very limited time or a huge scope, a competition, a bug bounty program, etc.
Marc van 't Veer - Testing The API Behind a Mobile App - EuroSTAR 2012 (TEST Huddle)
EuroSTAR Software Testing Conference 2012 presentation on Testing the API Behind a Mobile App by Marc van 't Veer. See more at: http://conference.eurostarsoftwaretesting.com/past-presentations/
Building an Open Source AppSec Pipeline - 2015 Texas Linux Fest (Matt Tesauro)
Take the ideas of DevOps and the notion of a delivery pipeline and combine them for an AppSec Pipeline. This talk covers the open source components used to create an AppSec Pipeline and the benefits we received from its implementation.
This document discusses property-based testing of web services using Haskell. It provides an introduction to functional programming with Haskell, describing its key properties like referential transparency and static typing. It then discusses property-based testing, an approach that specifies program properties and tests all valid inputs against these properties. The document outlines testing of web services, describing SOAP and REST approaches. It proposes using property-based testing techniques to automatically test web services for errors. In conclusion, it presents the Prowess project which aims to develop tools and techniques for property-based testing of web services.
This document discusses bots and spiders and their uses in bioinformatics. It begins with background on bots, spiders and how they work. Bots perform simple, repetitive tasks quickly, while spiders systematically crawl and index web pages. The Googlebot crawler is commonly used to index pages for Google search. APIs allow automated querying of databases and integration with other programming languages. Examples discussed include using bots to query PubMed and Ensembl via their APIs to gather gene and sequence data for further analysis. Real-life case studies demonstrate text mining of PubMed results and automated analysis of gene expression data from NCBI GEO.
The document discusses analyzing web server and database server logs to investigate security incidents. It provides examples of analyzing web server logs to filter relevant requests and validate variables. It also discusses analyzing database query logs to detect SQL injection and persistent cross-site scripting attacks, and analyzing error logs to detect brute force attacks on the database server. The document aims to demonstrate an approach to incident analysis through log parsing and pattern matching.
The Query Service is the new platform solution for querying a variety of data sources. The goal of Query Service is that administrators can configure a metadata description of the data source that can then be used by end users without detailed knowledge of the underlying data source. This session explains how to configure Query Service data sources and use them with the RESTful API or component collection.
Software Analytics: Data Analytics for Software Engineering (Tao Xie)
This document summarizes a presentation on software analytics and its achievements and opportunities. It begins by noting how both software itself and the way it is built and operated are changing, with data becoming more pervasive and development more distributed. It then defines software analytics as enabling analysis of software data to obtain insights and make informed decisions. It outlines research topics covering different areas of the software domain throughout the development cycle. It describes target audiences of software practitioners and outputs of insightful and actionable information. Selected projects demonstrating software analytics are then summarized, including StackMine for performance debugging at scale, XIAO for scalable code clone analysis, and others.
Introduction to Web Programming - first course (Vlad Posea)
The document provides an introduction to a web programming course, outlining its objectives, what students will learn, and how they will be evaluated. Key points covered include:
- Students will understand web applications and develop basic skills in HTML, CSS, JavaScript.
- Evaluation will be based on exam scores, lab work, and individual study demonstrating understanding and skills.
- The course will cover the history of the web, how the HTTP protocol works, and core frontend technologies.
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide... (Marco Balduzzi)
Protocol gateways are embedded devices used in industrial facilities to integrate legacy equipment such as serial PLCs with modern control networks. Given the importance that these devices play in the operation of manufacturing plants, we conducted a vendor-agnostic analysis of the technology behind protocol translation, identifying new, unexplored weaknesses and vulnerabilities. We evaluated five popular gateway products and discovered translation problems that enable potential adversaries to conduct stealthy and difficult-to-detect attacks, for example to arbitrarily disable or enable a targeted machine by means of innocent-looking packets that bypass common ICS firewalls. In this presentation, we share the results of our findings and discuss the impact of the problems that we identified and their potential countermeasures.
Capture the Signal (CTS) at Hardwear.io Virtual 2020
Together against #COVID-19, learning, sharing <3
https://twitter.com/SignalCapture
https://www.trendmicro.com/cts/
SCSD 2020 - Security Risk Assessment of Radio-Enabled Technologies (Marco Balduzzi)
Dr. Marco Balduzzi presented research on security risks of radio-enabled technologies. He discussed how these systems are now ubiquitous but often lack basic security protections like authentication, encryption, and logging. This complex and heterogeneous ecosystem has become easier to analyze with cheaper software-defined radio equipment. His research goals are to identify threats, collaborate with industry, and raise awareness. Specific systems analyzed included maritime vessel tracking systems like AIS, industrial radio remote controls, and entertainment lighting systems, finding issues like spoofing of identities and commands.
Radio-frequency (RF) remote controllers are widely used in multiple industrial applications like manufacturing, construction and transportation. Cranes, drillers and diggers, among others, are commonly equipped with RF controllers, which have become the weakest link in safety-critical IIoT applications.
Our security assessment revealed a lack of important security features at different levels, with vendors using obscure proprietary protocols instead of standards. As a consequence, this technology appeared to be vulnerable to attacks like replay, command injection, e-stop abuse, malicious re-pairing and reprogramming. Together with ZDI, we ran a 6-month responsible disclosure process and then released 10 security advisories.
In this presentation, we share the findings of our research and make use of demos to discuss the problems in detail. We conclude providing recommendations for all parties involved in the life-cycle of these devices, from vendors to users and system integrators.
Using Machine-Learning to Investigate Web Campaigns at Large - HITB 2018 (Marco Balduzzi)
Web defacement is the practice of altering a website after its compromise. The altered pages, called defaced pages, can negatively affect the reputation and business of the victim. While investigating several campaigns, we observed that the artifacts left by these attackers allow an expert analyst to investigate their modus operandi and social structure, and expand from single attacks to a group of related incidents. However, manually performing such analysis on millions of events is tedious, and poses scalability challenges.
From these observations, we conceived an automated system that efficiently builds intelligence information out of raw events. Our approach streamlines the analyst's job by automatically recognizing web campaigns and assigning meaningful textual labels to them. Applied to a comprehensive dataset of 13 million incidents, our approach allowed us to conduct what we believe to have been the first large-scale investigation of this form. In addition, our approach is meant to be adopted operationally by analysts to identify live campaigns in the real world.
We analyze the social structure of modern web attackers, which includes lone individuals as well as actors that cooperate in teams. We look into their motivations, and we draw a parallel between the timeline of world-shaping events and web campaigns, which represent the evolution of the interests and orientation of modern attackers.
Behind the scene of malware operators. Insights and countermeasures. CONFiden... (Marco Balduzzi)
Modern cybercrime operates highly sophisticated campaigns that challenge, or even evade, the state of the art in defense and protection. On a daily basis, users worldwide are fooled by new techniques and threats that went under the radar, like new 0-days or attack vectors. We passively monitored how these attacks are conducted on real installations, and unveiled the modus operandi of malware operators. In this presentation, we share with the audience our recent findings and the trends that we observed in the wild from the analysis we conducted on 3 million software downloads, involving hundreds of thousands of Internet-connected machines. During the talk, we provide insights from our investigation, such as the effect of code-signing abuse, the compromise of cloud providers' operations, the use of domains generated automatically via social engineering, and the business model behind modern malware campaigns. We also discuss the problem of "unknown threats", showing how the Internet's threat landscape is still largely unexplored and how badly it impacts millions of users. We conclude with a proof-of-concept system that we designed, which uses machine learning to generate human-readable detection rules. Our system represents a potential mitigation for the problem of "unknown threats" and an assistance tool for analysts globally.
This document discusses the Plead APT, which has targeted Taiwanese government and industry organizations since 2012 through spear phishing emails containing malicious attachments or links. The attacks utilized exploits like Flash zero-days and Microsoft Word vulnerabilities to compromise victims and establish persistence through credential harvesting and command execution. Stolen data was exfiltrated using tools like DRIGO to synchronize with Google Drive in a stealthy manner. The attacks demonstrate the multi-stage nature of advanced threats and importance of threat intelligence and defense-in-depth protections against sophisticated adversaries.
Detection of Malware Downloads via Graph Mining (AsiaCCS '16) (Marco Balduzzi)
We present Mastino, a novel defense system to detect malware download events. A download event is a 3-tuple that identifies the action of downloading a file from a URL that was triggered by a client (machine). Mastino utilizes global situation awareness and continuously monitors various network- and system-level events of the clients' machines across the Internet, providing real-time classification of both files and URLs to the clients upon submission of a new, unknown file or URL to the system. To enable detection of the download events, Mastino builds a large download graph that captures the subtle relationships among the entities of download events, i.e. files, URLs, and machines. We implemented a prototype version of Mastino and evaluated it in a large-scale real-world deployment. Our experimental evaluation shows that Mastino can accurately classify malware download events with an average of 95.5% true positives (TP), while incurring less than 0.5% false positives (FP). In addition, we show that Mastino can classify a new download event as either benign or malware in just a fraction of a second, and is therefore suitable as a real-time defense system.
AIS Exposed. New vulnerabilities and attacks. (HITB AMS 2014) (Marco Balduzzi)
AIS, the Automatic Identification System, is a promoted standard and implementation for vessel traffic safety and monitoring. With more than 400,000 installations worldwide, AIS is currently a mandatory installation for commercial vessels and de-facto equipment for leisure crafts. AIS is largely used in ports worldwide -- Rotterdam alone monitors over 700 AIS-enabled vessels each day, serving 32,000 seagoing and 87,000 inland vessels a year.
Back in October 2013, during HITB KUL, we showed that AIS is badly broken, both at the implementation and protocol level, and that it suffers from severe vulnerabilities like spoofing and man-in-the-middle. In this talk, we extend our research by sharing with the audience several novel attacks that we recently discovered, for example how to extensively disable AIS communications or attack the software installed at the back-end by port authorities. By doing so, we hope to raise the necessary awareness and lead the involved parties into calling for a more robust and secure AIS.
Attacking the Privacy of Social Network users (HITB 2011) (Marco Balduzzi)
The document summarizes research into attacking the privacy of social network users. It describes how the researcher was able to automatically query social networks to map email addresses to user profiles and correlate information across networks. Experiments showed this could profile over 10 million users, discovering inconsistencies. The researcher also demonstrated how to leverage friend networks through techniques like reverse social engineering and drive-by downloads. Finally, alternatives like a decentralized "Safebook" social network are proposed to address privacy and security issues.
This document summarizes research into the privacy and security of file hosting services. The researchers studied 100 file hosting services and found that many used sequential identifiers for files, weak non-sequential identifiers, or had bugs in their software. They were able to access over 300,000 private files uploaded to services with sequential identifiers. Additionally, a honeypot experiment showed that attackers do access and download files from these services, particularly those containing credentials or other sensitive information. The researchers propose a browser plugin called SecureFS that would encrypt files before upload and require a key to download, in order to better protect user privacy on these inherently insecure file hosting services.
Stealthy, Resilient and Cost-Effective Botnet Using Skype (Marco Balduzzi)
The document proposes a new botnet model that uses the Skype peer-to-peer network as a command and control channel. The key advantages are that botnet traffic would be indistinguishable from regular Skype traffic, it has no single point of failure, and losing individual bots has little impact. The model was tested through simulations showing the average distance between bots and the botmaster grows slowly as the botnet size increases. A proof of concept with 40 geographically distributed bots validated the simulation results. Potential limitations include replay attacks mapping the botnet, but this could be mitigated.
- Owasp AppSec Research 2010 -
Over the past year, clickjacking received extensive media coverage. News portals and security forums have been overloaded by posts claiming clickjacking to be the upcoming security threat.
In a clickjacking attack, a malicious page is constructed (or a benign page is hijacked) to trick the user into performing unintended clicks that are advantageous for the attacker, such as propagating a web worm, stealing confidential information or abusing the user session.
This presentation introduces a novel solution we designed and implemented for an automated detection of clickjacking attacks on web-pages. The presentation details the architecture of our detection and testing system and it presents the results we obtained from the analysis of over a million "possibly malicious" Internet pages.
Paper: A Solution for the Automated Detection of Clickjacking Attacks (Marco Balduzzi)
Clickjacking is a web-based attack that has recently received wide media coverage. In a clickjacking attack, a malicious page is constructed such that it tricks victims into clicking on an element of a different page that is only barely (or not at all) visible. By stealing the victim's clicks, an attacker could force the user to perform an unintended action that is advantageous for the attacker (e.g., initiate an online money transaction). Although clickjacking has been the subject of many discussions and alarming reports, it is currently unclear to what extent clickjacking is being used by attackers in the wild, and how significant the attack is for the security of Internet users. In this paper, we propose a novel solution for the automated and efficient detection of clickjacking attacks. We describe the system that we designed, implemented and deployed to analyze over a million unique web pages. The experiments show that our approach is feasible in practice. Also, the empirical study that we conducted on a large number of popular websites suggests that clickjacking has not yet been largely adopted by attackers on the Internet.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024 (Neo4j)
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Enhancing adoption of Open Source Libraries. A case study on Albumentations.AI (Vladimir Iglovikov, Ph.D.)
Presented by Vladimir Iglovikov:
- https://www.linkedin.com/in/iglovikov/
- https://x.com/viglovikov
- https://www.instagram.com/ternaus/
This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation.
Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners.
This case study covers various aspects, including:
People: The contributors and community that have supported Albumentations.
Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions.
Challenges: The hurdles in monetizing open-source projects and measuring user engagement.
Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration.
Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community.
Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations.
Mental Health: Maintaining balance and not feeling pressured by user demands.
Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth.
Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects.
Explore more about Albumentations and join the community at:
GitHub: https://github.com/albumentations-team/albumentations
Website: https://albumentations.ai/
LinkedIn: https://www.linkedin.com/company/100504475
Twitter: https://x.com/albumentations
What do a Lego brick and the XZ backdoor have in common? (Speck&Tech)
ABSTRACT: At first glance, a Lego brick and the XZ backdoor might have in common the fact that both are building blocks, or dependencies of creative and software projects. The reality is that a Lego brick and the case of the XZ backdoor have much more than that in common.
Join the presentation to immerse yourself in a story of interoperability, standards and open formats, and then discuss the important role that contributors play in a sustainable open source community.
BIO: Advocate of free software and of standard, open formats. She has been an active member of the Fedora and openSUSE projects and co-founded the LibreItalia Association, where she has been involved in several events, migrations and training related to LibreOffice. Previously she worked on LibreOffice migrations and training courses for several public administrations and private companies. Since January 2020 she has worked at SUSE as a Software Release Engineer for Uyuni and SUSE Manager, and when she is not following her passion for computers and for Geeko she cultivates her curiosity for astronomy (from which her nickname deneb_alpha derives).
TrustArc Webinar - 2024 Global Privacy Survey (TrustArc)
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... (Neo4j)
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf (Malak Abu Hammad)
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Securing your Kubernetes cluster_ a step-by-step guide to success !
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011)
1. HTTP Parameter Pollution
Vulnerabilities in Web Applications
Marco 'embyte' Balduzzi
(C. Torrano, D.Balzarotti, E. Kirda)
Do you have the latest version of this presentation?
http://www.iseclab.org/people/embyte/slides/BHEU2011/hpp-bhEU2011.pdf
3. Who am I?
• From Bergamo (IT) to the French
Riviera
• MSc in Computer Engineering
• PhD student at EURECOM
• 8+ years experience in IT Security
• Engineer and consultant for different
international firms
• Co-founder of BGLug, Applied Uni
Lab, (ex) SPINE Group, Nast, etc…
• http://www.iseclab.org/people/embyte
4. The Web as We Know It
• Has evolved from being a collection of simple
and static pages to fully dynamic applications
• Applications are more complex than they
used to be
• Multi-tier architecture is the norm
• Many complex systems have web interfaces
7. Increased Importance of Web Security
• As a consequence:
– Web security has increased in importance
– OWASP, the Top Ten Project
– Attacks against web apps constitute 60% of attacks on
the Internet (SANS's The Top Cyber Security Risks)
– Applications being targeted for hosting drive-by-download
content or C&C servers
– Malware targeting browsers (e.g. key and network
loggers)
8. Increased Importance of Web Security
• A lot of work done to detect injection type flaws:
– SQL Injection
– Cross Site Scripting
– Command Injection
• Injection vulnerabilities have been well-studied, and tools
exist
– Sanitization routines in languages (e.g., PHP)
– Static code analysis (e.g., Pixy, OWASP Orizon)
– Dynamic techniques (e.g., Huang et al.)
– Web Application Firewalls (WAF)
9. HTTP Parameter Pollution
• A new class of Injection Vulnerability called HTTP Parameter
Pollution (HPP) is less known
– Has not received much attention
– First presented by S. di Paola and L. Carettoni at OWASP 2009
• Attack consists of injecting encoded query string delimiters into
existing HTTP parameters (e.g. GET/POST/Cookie)
– If the application does not sanitize its inputs, HPP can be used to
launch client-side or server-side attacks
– Attacker may be able to override existing parameter values, inject a
new parameter or exploit variables out of a direct reach
10. Research Objectives
• To create the first automated approach for detecting HPP
flaws
– Blackbox approach, consists of a set of tests and heuristics
• To find out how prevalent HPP problems were on the web
– Is the problem being exaggerated?
– Is this problem known by developers?
– Does this problem occur more in smaller sites than larger
sites?
– What is the significance of the problem?
11. HTTP Parameter Handling
• During interaction with a web application, the client provides
parameters via GET/POST/Cookie
– http://www.site.com/login?login=alice
• HTTP allows the same parameter to be provided twice
– E.g., in a form checkbox
http://www.w3schools.com/html/tryit.asp?filename=tryhtml_form_checkbox
• What happens when the same parameter is provided
twice?
– http://www.site.com/login?login=alice&login=bob
14. HTTP Parameter Handling
• We manually tested common methods of 5 different
languages
Technology/Server   Tested Method                 Parameter Precedence
ASP/IIS             Request.QueryString("par")    All (comma-delimited string)
PHP/Apache          $_GET["par"]                  Last
JSP/Tomcat          request.getParameter("par")   First
Perl(CGI)/Apache    param("par")                  First
Python/Apache       getvalue("par")               All (List)
• There is nothing wrong with this, as long as the developer is aware of
this behavior
• Languages provide safe functions (e.g. Python's getfirst())
15. HTTP Parameter Pollution
• An HTTP Parameter Pollution (HPP)
attack occurs
– When a malicious parameter Pinj, preceded by
an encoded query string delimiter (e.g. %26), is
injected into an existing parameter Phost
• Typical scenario (client-side)
– Web application for election for two candidates
16. HTTP Parameter Pollution
Url : http://host/election.jsp?poll_id=4568
Link1: <a href="vote.jsp?poll_id=4568&candidate=white">
Vote for Mr.White </a>
Link2: <a href="vote.jsp?poll_id=4568&candidate=green">
Vote for Mrs.Green </a>
• The two links are built from the URL
ID = request.getParameter("poll_id")
href_link = "vote.jsp?poll_id=" + ID + "&candidate=xyz"
• No sanitization
17. HTTP Parameter Pollution
• poll_id is vulnerable and the attacker creates the URL:
http://host/election.jsp?poll_id=4568%26candidate%3Dgreen
• The resulting page now contains injected links:
<a href="vote.jsp?poll_id=4568&candidate=green&candidate=white">
Vote for Mr. White </a>
<a href="vote.jsp?poll_id=4568&candidate=green&candidate=green">
Vote for Mrs. Green </a>
• If the developer expects to receive a single value
– JSP's request.getParameter("candidate") returns the 1st value
– The parameter precedence is consistent…
• Candidate Mrs. Green is always voted!
18. Consequence
• Override existing (hardcoded) values
• Inject a new parameter
• Exploit a parameter out of a direct reach
• Client-side (user) or server-side (web-application) attack
19. Parameter Pollution – More uses
• Cross-channel pollution
– HPP attacks can also be used to override parameters
between different input channels (GET/POST/Cookie)
– Good security practice: accept parameters only from where
they are supposed to be supplied
• HPP to bypass CSRF tokens
– E.g. Yahoo Mail client-side attack (di Paola & Carettoni)
20. Bonus
• By concatenating the same parameter multiple times
• Bypass WAF input validation checks
– Exploit ASP's concatenation behavior and inline
comments
– Concatenate the attack payload after the WAF filtering
Standard: show_user.aspx?id=5;select+1,2,3+from+users+where+id=1--
Over HPP: show_user.aspx?id=5;select+1&id=2&id=3+from+users+where+id=1--
Standard: show_user.aspx?id=5+union+select+*+from+users--
Over HPP: show_user.aspx?id=5/*&id=*/union/*&id=*/select+*/*&id=*/from+users--
21. System for HPP Detection
• Four main components: browser, crawler, two scanners
22. Main Components
Instrumented browser fetches the web pages and renders their
content
– Full support for client-side scripts (e.g. Javascript) and external
resources (e.g. <embed>)
– Extracts all links and forms
Crawler communicates with browser, determines URLs to visit
and forms to submit. Passes the information to two scanners
P-Scan: Determines page behavior when two parameters with
the same name are injected
V-Scan: Tests and attempts to verify that site is vulnerable to
HPP
23. P-Scan: Analysis of the Parameter Precedence
– Analyzes a page to determine the precedence of
parameters, when multiple occurrences of the same
parameter are submitted
– Take parameter par1=val1, generate a similar value
par1=new_val
• Page0 (original): app.php?par1=val1
• Page1 (test 1) : app.php?par1=new_val
• Page2 (test 2) : app.php?par1=val1&par1=new_val
– How do we determine precedence? Naïve approach:
• Page0==Page2 -> precedence on first parameter
• Page1==Page2 -> precedence on second parameter
24. P-Scan: Problem with the naïve approach
• In practice, naïve technique does not work well
– Applications are complex, much dynamic content
(publicity banners, RSS feeds, ads, etc.)
– Hence, we perform pre-filtering to eliminate dynamic
components (embedded content, applets, iframes,
stylesheets, etc.)
– Remove all self-referencing URLs (as these change
when parameters are inserted)
– We then perform different tests to determine similarity
25. P-Scan: Tests
• Error test
– The application crashes, or returns an "internal" error, when
an identical parameter is injected multiple times
– Regexps from the sqlmap project
• Identity test
– Is the tested parameter considered by the application
• Page0=Page1=Page2
• Base test
– Test assumes that the pre-filtering works perfectly (seldom
the case)
26. P-Scan: Tests
• Join test
– Are the two values somehow combined together
(e.g. ASP's comma-delimited string)?
• Fuzzy test
– It is designed to cope with pages whose dynamic
components have not been perfectly sanitized
– Based on the Gestalt Pattern Matching algorithm
– Compute the similarity among the pages
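A miniature P-Scan, added here as an example (it is not PAPAS's own code), that runs the error, identity, base, join and fuzzy tests of slides 23-26 against a constructed test application. The error regexp and the test server are placeholders; the fuzzy test uses difflib's SequenceMatcher, Python's implementation of Gestalt pattern matching.

```python
import itertools
import re
from difflib import SequenceMatcher
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholders: PAPAS uses the sqlmap error regexps; this one only covers a few strings.
ERROR_RE = re.compile(r"SQL syntax|Internal Server Error|Warning: mysql", re.I)
DYNAMIC_RE = re.compile(r"<(script|iframe|embed|applet|style)\b.*?</\1>", re.S | re.I)

def prefilter(page, self_path):
    # Slide 24: drop dynamic components and self-referencing links (they change with the query)
    page = DYNAMIC_RE.sub("", page)
    return re.sub(r'href="[^"]*%s[^"]*"' % re.escape(self_path), 'href=""', page)

def pscan(fetch, url, param, new_val="papas-new", threshold=0.9):
    """Precedence of `param` from Page0/Page1/Page2: error, identity, first, last, join, unknown."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    val = query[param][0]
    def page_for(values):
        items = [(k, v) for k, vs in query.items() if k != param for v in vs] + [(param, v) for v in values]
        return prefilter(fetch(parts._replace(query=urlencode(items)).geturl()), parts.path)
    p0, p1, p2 = page_for([val]), page_for([new_val]), page_for([val, new_val])
    if ERROR_RE.search(p2) and not ERROR_RE.search(p0):   # error test
        return "error"
    if p0 == p1 == p2:                                    # identity test: parameter unused
        return "identity"
    if p2 == p0:                                          # base test: exact comparison
        return "first"
    if p2 == p1:
        return "last"
    if val in p2 and new_val in p2 and val not in p1 and new_val not in p0:
        return "join"                                     # join test: values combined (ASP)
    r0 = SequenceMatcher(None, p0, p2).ratio()            # fuzzy test: Gestalt pattern matching
    r1 = SequenceMatcher(None, p1, p2).ratio()
    if min(r0, r1) >= threshold and abs(r0 - r1) < 0.01:
        return "identity"
    if max(r0, r1) < threshold:
        return "unknown"
    return "first" if r0 > r1 else "last"

def make_app(precedence):
    """Constructed test server: echoes ?id= under one duplicate-handling rule and adds an
    ad iframe, a self-link and a hit counter so exact comparison fails and fuzzy must decide."""
    hits = itertools.count()
    def fetch(url):
        ids = parse_qs(urlsplit(url).query, keep_blank_values=True).get("id", [""])
        if precedence == "error" and len(ids) > 1:
            return "<h1>500 Internal Server Error</h1>"
        shown = {"first": ids[0], "last": ids[-1], "all": ",".join(ids)}.get(precedence, ids[0])
        return ('<html><iframe src="/ad?%d"></iframe><a href="/app.php?id=%s&x=1">me</a>'
                '<p>User %s</p><p>Hit %d</p></html>' % (next(hits), ids[0], shown, next(hits)))
    return fetch
```

Running `pscan(make_app("all"), "http://host/app.php?id=alice&x=zz", "id")` classifies the ASP-like server as "join", while the same call on the ignored parameter "x" yields "identity" despite the changing hit counter.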
27. V-Scan: Testing for HPP vulnerabilities
• For every page, an innocuous URL-encoded parameter
(nonce) is injected
– E.g., “%26foo%3Dbar”
– Then check if the “&foo=bar” string is included inside the
URLs of links or forms in the answer page
• V-Scan starts by extracting the list PURL=[PU1,PU2,…PUn] of
the parameters that are present in the page URL, and the
list PBody=[PB1,PB2,…PBm] of the parameters that are
present in links or forms contained in the page body
28. Where to inject the nonce
• PA = PURL ∩ PBody : set of parameters that appear
unmodified in the URL and in the page content (links,
forms)
• PB = { p | p ∈ PURL ∧ p ∉ PBody } : URL parameters that do
not appear in the page. Some of these parameters may
appear in the page under a different name
• PC = { p | p ∉ PURL ∧ p ∈ PBody } : set of parameters that
appear somewhere in the page, but that are not present in
the URL
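The election page of slides 16-17 and the V-Scan nonce injection of slides 27-28, as an added Python example that is not part of the original slides or of PAPAS: election_page_vulnerable and election_page_hardened are constructed stand-ins for election.jsp, and vscan computes the PA/PB/PC sets before injecting %26foo%3Dbar into each URL parameter and looking for &foo=bar in the generated links.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

HREF_RE = re.compile(r'href="([^"]*)"')
CANDIDATES = (("white", "Mr. White"), ("green", "Mrs. Green"))

def first_value(query, name):
    """Read a parameter like JSP's request.getParameter: the first value wins."""
    return parse_qs(query, keep_blank_values=True).get(name, [""])[0]

def election_page_vulnerable(url):
    """Constructed stand-in for election.jsp (slide 16): poll_id is concatenated
    verbatim, so a decoded '&' or '=' inside it becomes a query-string delimiter."""
    poll_id = first_value(urlsplit(url).query, "poll_id")
    return "".join('<a href="vote.jsp?poll_id=%s&candidate=%s">Vote for %s</a>\n'
                   % (poll_id, cand, label) for cand, label in CANDIDATES)

def election_page_hardened(url):
    """Same page with the fix: the value is percent-encoded before being embedded."""
    poll_id = first_value(urlsplit(url).query, "poll_id")
    return "".join('<a href="vote.jsp?poll_id=%s&candidate=%s">Vote for %s</a>\n'
                   % (quote(poll_id, safe=""), cand, label) for cand, label in CANDIDATES)

def vote_link_candidates(page):
    """For every link on the page, the candidate a first-value server would count."""
    return [first_value(urlsplit(h).query, "candidate") for h in HREF_RE.findall(page)]

def vscan(fetch, url, nonce=("foo", "bar")):
    """Miniature V-Scan: partition parameters into PA/PB/PC (slide 28), then inject the
    encoded nonce (%26foo%3Dbar) into each URL parameter and report those whose decoded
    form (&foo=bar) reappears inside a link of the response (slide 27)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    p_url = set(query)
    p_body = set()
    for href in HREF_RE.findall(fetch(url)):
        p_body |= set(parse_qs(urlsplit(href).query, keep_blank_values=True))
    sets = {"PA": p_url & p_body, "PB": p_url - p_body, "PC": p_body - p_url}
    payload = "%%26%s%%3D%s" % nonce          # URL-encoded "&foo=bar"
    needle = "&%s=%s" % nonce
    vulnerable = []
    for target in sorted(p_url):
        pairs = ["%s=%s%s" % (k, quote(v, safe=""), payload if k == target else "")
                 for k, vs in query.items() for v in vs]
        test_url = parts._replace(query="&".join(pairs)).geturl()
        if any(needle in h for h in HREF_RE.findall(fetch(test_url))):
            vulnerable.append(target)
    return sets, vulnerable
```

For the vulnerable page vscan reports poll_id (PA = {poll_id}, PC = {candidate}); for the hardened page the nonce stays encoded inside the value and nothing is reported.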
29. V-Scan: Special Cases
• E.g., one of the URL parameters (or part of it) is used as the
entire target of a link
• Self-referencing links
• Similar issues with printing, sharing functionalities
• To reduce false positives, we use heuristics
– E.g., the injected parameter does not start with http://
– Injection without URL-encoding
30. Implementation – The PAPAS tool
• PAPAS: Parameter Pollution Analysis System
• The components communicate via TCP/IP sockets
– Crawler and Scanner are in Python
– The browser component has been implemented as a
Firefox extension
– Advantage: We can see exactly how pages are
rendered (cope with client-side scripts)
– Support for multiple sessions (parallelization)
31. Implementation – The PAPAS tool
• PAPAS is fully customizable
– E.g., scanning depth, number of performed
injections, page loading timeouts, etc.
• Three modes are supported
– Fast mode, extensive mode, assisted mode
– In assisted mode, authenticated areas of a site
can be scanned as well
32. Possible improvements
• PAPAS does not support the crawling of links embedded
in active content
– E.g., flash
• Support additional encoding schemas (UTF-8, Double
URL)
• PAPAS currently only focuses on client-side exploits
where user needs to click on a link
– HPP is also possible on the server side – but this is more
difficult to detect
– Analogous to detecting stored XSS
33. Ethical Considerations
• Only client-side attacks: server-side ones have
the potential to cause harm
• We provided the applications with innocuous
parameters (&foo=bar). No malicious code.
• Limited scan time (15min) and activity
• We immediately informed, when possible, the
security engineers of the affected applications
– Grateful feedback
34. Two sets of experiments
We used PAPAS to scan a set of popular
websites
– About 5,000 sites, collected from the first 500 of each of
Alexa's main categories
– The aim: To quickly scan as many websites as
possible and to see how common HPP flaws are
We then analyzed some of the sites we
identified to be HPP-vulnerable in more detail
35. The 5,016 tested sites
Categories          # of Tested Applications
Financial           110
Games               300
Government          132
Health              235
Internet            698
News                599
Organization        106
Science             222
Shopping            460
Social Networking   117
Sports              256
Travel              175
University          91
Video               114
Others              1,401
36. Efficient assessment
• In 13 days, we tested 5,016 sites and more than 149,000
unique pages
• To maximize the speed, the scanner
– Crawled pages up to a distance of 3 from the homepage
– Considered links with at least one parameter (except for the
homepage)
– Considered at most 5 instances per page (same page,
different query string)
– We disabled pop-ups, images, plug-ins for active content
technologies
37. Evaluation – Parameter Precedence
• Database Errors
– Web developers do not seem aware of the
possibility of duplicating GET/POST parameters
38. Evaluation – Parameter Precedence
• Parameter Inconsistency
– Sites developed using a combination of heterogeneous
technologies (e.g. PHP and Perl)
– This is perfectly safe if the developer is aware of the
HPP threat… this is not always the case
39. Evaluation – HPP Vulnerabilities
• PAPAS discovered that about 1,500 (30%)
websites contained at least one page vulnerable to
HTTP Parameter Injection
– The tool was able to inject (and verify) an encoded
parameter
• Vulnerable != Exploitable
– Is the parameter precedence consistent?
– Can a possible attacker override existing parameter
values?
40. Vulnerable or exploitable?
• Injection on link:
– Parameter in the middle -> always overriding
– Parameter at the beginning/end -> automated check
via P-Scan
• Injection on form:
– The injected value is automatically encoded by the
browser
– Still, someone may be able to run a two-step
attack (client-side) or a server-side attack
41. Vulnerable or exploitable?
• 702 applications are exploitable
– About 14%
– The injected parameter either overrides the
value of an existing one or is accepted as
“new parameter”
• E.g. A new action is injected
Url: pool.pl?par1=val1%26action%3Dreset
Link: target.pl?x=y&w=z&par1=val1&action=reset
43. False Positives
• 10 applications (1.12%) use the injected
parameter as entire target for one link
• Variation of the special case we saw in
slide 18 (V-Scan: special cases)
– The application applied a transformation to the
parameter before using it as a link’s URL
44. Some Case Studies
• We investigated some of the websites in more detail
– Among our “victims”: Facebook, Google, Symantec,
Microsoft, PayPal, Flickr, FOX Video, VMWare, …
– We notified security officers and some of the problems were
fixed
– Facebook: share component
– Several shopping cart applications could be manipulated to
change the price of an item
– Some banks were vulnerable and we could play around with
parameters
– Google: search engine results could be manipulated
54. HPP Prevention
• Input validation
– Encoded query string delimiters
• Use safe methods
– Parameter precedence (ref. slide 14)
– Channel (GET/POST/Cookie) validation (ref. slide 19)
• Raise awareness
– The client can provide the same parameter twice (or
more)
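The three prevention measures above, as an added example that is not from the slides: a constructed Request class that keeps the GET/POST/Cookie channels apart, an accessor that makes parameter precedence explicit by refusing duplicates unless a list was asked for, and validation of decoded delimiters before a value is embedded in a link.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, quote

class ParameterError(ValueError):
    """Raised when a request parameter violates the handling policy."""

class Request:
    """Constructed minimal request that keeps the three input channels apart."""
    def __init__(self, query="", body="", cookie=""):
        self.channels = {
            "GET": parse_qs(query, keep_blank_values=True),
            "POST": parse_qs(body, keep_blank_values=True),
            "Cookie": {k: [m.value] for k, m in SimpleCookie(cookie).items()},
        }

def get_param(request, name, channel="GET", allow_multiple=False):
    """Safe accessor: read `name` only from the channel it is expected in (slide 19) and
    make the precedence explicit (slide 14): duplicates are rejected unless the caller
    asked for a list, so no framework default silently picks first or last."""
    values = request.channels[channel].get(name)
    if values is None:
        return [] if allow_multiple else None
    if allow_multiple:
        return values
    if len(values) > 1:
        raise ParameterError("duplicate parameter %r in %s" % (name, channel))
    return values[0]

DELIMITERS = set("&=;?#")

def reject_delimiters(name, value):
    """Input validation (slide 54): the server has already decoded %26/%3D, so a value
    that now contains a query-string delimiter is not data the page should reuse."""
    if value is None:
        raise ParameterError("missing parameter %r" % name)
    if DELIMITERS & set(value):
        raise ParameterError("query-string delimiter in %r" % name)
    return value

def safe_link(path, **params):
    """Percent-encode every value, so even a delimiter that slipped through cannot
    start a new parameter in the generated URL."""
    return path + "?" + "&".join("%s=%s" % (quote(k, safe=""), quote(v, safe=""))
                                 for k, v in params.items())

def vote_page(request):
    """The election page of slide 16, rewritten with the accessors above."""
    poll_id = reject_delimiters("poll_id", get_param(request, "poll_id"))
    return [safe_link("vote.jsp", poll_id=poll_id, candidate=c) for c in ("white", "green")]
```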
55. Acknowledgments, References
• Co-joint work:
– M. Balduzzi, C. Torrano Gimenez, D. Balzarotti,
and E. Kirda. Automated discovery of parameter
pollution vulnerabilities in web applications. In
NDSS’11, San Diego, CA.
• http://papas.iseclab.org/cgi-bin/resources.py
• Black Hat’s White Paper
56. Conclusion
Presented the first technique and system to detect
HPP vulnerabilities in web applications.
• We call it PAPAS, http://papas.iseclab.org
Conducted a large-scale study of the Internet
• About 5,000 web sites
Our results suggest that Parameter Pollution is a
largely unknown, and wide-spread problem
We hope our work will help raise awareness about
HPP!