This will be 6 live hacking demos. The idea is not to discuss dry theory, but to see in practice how not-always-obvious mistakes become the source of serious vulnerabilities in your JavaScript application.
6 ways to hack your JavaScript application by Viktor Turskyi OdessaJS Conf
This will be 6 live hacking demos. We will not do theory, but will see in practice how small and not always obvious errors lead to significant vulnerabilities in your JavaScript application.
3. Why do I talk about security?
1. I switched to software development from IT security
2. I have worked with software engineers for many years and this topic is highly under-covered
3. I have worked with different businesses for many years and the risks are highly underestimated
4. Governmental regulations (GDPR, PCI DSS etc.)
5. It makes you a better software engineer
6. It is FUN!!
4. What will I talk about?
1. Not about the OWASP (Open Web Application Security Project) Top 10 report
2. Not about security tools (metasploit, sqlmap etc.)
3. Not about Content Security Policy.
4. Only practical cases that we have met in real life.
5. JavaScript-based demos
6. Real cases simulated in an environment:
a. React frontend
b. NodeJs backend
c. Set of exploits
6. Let's play a game
1. I show you a piece of application code with a vulnerability.
2. Who sees the vulnerability?
3. I run the exploit
4. You guess the exploit's algorithm
5. I go through the exploit in detail
8. Case 1: Description
To improve security, a company decided to use SMS for password recovery.
The user enters their own email and receives a code on their phone like: 7483
18. Case 2: Algorithm
1. Prepare payloads for any object creation and for password restore link generation.
2. Send them simultaneously.
3. Use the ObjectId received for the newly created object as a base.
4. Increment the counter (first) and the timestamp (it is in seconds; +-1 is enough in most cases).
5. Use the new object id for password recovery.
21. Case 2: Takeaways
Mongo ObjectId is predictable (on all versions of Mongo)
UUID v1 is predictable (unique, but not random)
UUID v4 is unpredictable
Always think about the predictability of URLs (keys, etc.)
27. A lot of frameworks had this vulnerability
ASCII: CHAR "." = DEC 46 = HEX 2E = %2E (in a URL)
/static/../etc/config.json
/static/%2e%2e/etc/config.json
Main reason: the path is validated and only then URL-decoded (unescaped); it should be decoded first, then validated
28. Case 3: Algorithm
1. Prepare a path where you expect sensitive data (configs) to be.
2. Replace the dots in the relative path with "%2e"
3. Get the configs with the JWT keys
4. Create your own session for any user
29. Case 3: Takeaways
Very popular modules can be vulnerable (11k weekly downloads)
Use npm audit (NODEJS DEVS ARE LUCKY TO HAVE IT)
Check your dependencies
Security is a question of trust
apt update
JWT vulnerability example (next slides)
36. Algorithm
1. Prepare a zip archive and pack a symlink that references the server configuration.
2. Upload the zip archive to the server
3. Download the uploaded file (which is really a symlink). It will return the server config
4. Create your own session using a key from the config
46. Case 5: Takeaways
IF YOU SEE WYSIWYG, CHECK YOUR CODE FOR XSS
Do not use regexes to extract script tags
Use a sanitizer with tag and attribute white-listing
CORS will allow you to make cross-domain requests
XSS worm issues
47. Case 6: The most popular vulnerability in ReactJs boilerplates
56. Case 6: Takeaways
Know how an HTML page is parsed (inline JS is not the same as external JS)
Think about the context in which data is used
Use "serialize-javascript": serializeJs(initialState, { isJSON: true }) instead of JSON.stringify(initialState)
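What the Case 6 takeaway means in code, as an added example that is not the speaker's demo: the HTML parser ends a script element at the first `</script` it sees, before any JavaScript runs, so `JSON.stringify` output inside an inline `<script>` breaks out as soon as a string value contains that sequence. The second renderer applies the same escaping idea as `serialize-javascript` with `isJSON: true` (implemented here by hand so the block runs without the package); the state object is constructed for the demo.

```javascript
// Added example (not from the slides): embedding server state in an inline
// <script> with JSON.stringify versus with HTML-safe \uXXXX escaping.

// Vulnerable: JSON.stringify leaves "<", ">" and "/" untouched, so a value
// containing "</script>" terminates the script element at the HTML level.
function renderInlineStateUnsafe(state) {
  return `<script>window.__STATE__ = ${JSON.stringify(state)};</script>`;
}

// Same idea as serialize-javascript with { isJSON: true }: the output is still
// valid JSON, but the characters that matter to the HTML parser (and the two
// line terminators that break JS string literals) become \uXXXX escapes.
const INLINE_ESCAPES = {
  '<': '\\u003C',
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

function serializeForInlineScript(state) {
  return JSON.stringify(state).replace(/[<>\/\u2028\u2029]/g, (ch) => INLINE_ESCAPES[ch]);
}

function renderInlineStateSafe(state) {
  return `<script>window.__STATE__ = ${serializeForInlineScript(state)};</script>`;
}

// Crude model of the browser's behaviour: count the places the HTML parser
// would treat as the end of a script element.
function scriptCloseCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed state: a user-controlled display name that contains markup.
const constructedState = { user: { name: '</script><b>injected markup</b>' } };
```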
59. Cases 8..14:
Case 8: Clickjacking
Case 9: Tabnabbing
Case 10: CSRF (cookie, basic auth)
Case 11: SQL Injection (pass-through ORM)
Case 12: ORM Injection
Case 13: Unsafe HTTPS Redirect
Case 14: Target=_blank (without rel="noopener noreferrer")
60. Do you know how these things work?
Heartbleed
Shellshock
WPA Krack
Meltdown and Spectre
61. Why do I like information security?
Information security is about understanding how things work
It makes you a better developer
You can create more complex projects
It is fun!