1. The document analyzes obfuscated JavaScript exploitation using the process debug manager extension of Microsoft Visual Studio.
2. This extension allows tracing of JavaScript behavior like function calls and property changes during execution, which can help analyze sophisticated attacks using techniques like binary encoding and obfuscation.
3. The debugging extension provides a higher-level view of the scripting environment compared to traditional low-level debuggers, helping bridge the "semantic gap" between the kernel/user modes and the web application layer.
The document discusses using the Process Debug Manager (PDM) and Session Debug Manager (SDM) extensions of Microsoft Visual Studio to dynamically analyze JavaScript-based web browser attacks. It proposes applying the debugger extensions to trace the behavior of popular JavaScript exploits, such as the Google Aurora attack (MS10-002) and an Active Directory Federation Service attack (MS09-072). The system could extract features of web attacks and provide a new method for analyzing malicious JavaScript behavior.
This document discusses managing change and achieving regression isolation using dynamic Groovy edges. It describes how Groovy can be used to build edge components, such as web service clients, in a way that makes it easier to update them and reduce the need for full regression testing when changes occur. Groovy allows direct access to XML payloads using techniques like the Markup Builder and XML Slurper. The document provides examples of using Groovy to detect web service changes and consume web services. It also discusses strategies for configuring Groovy scripts in Spring applications.
This document discusses user authentication in Django. It covers setting up authentication with Django's auth application, creating user and profile models, adding login and registration views and templates, and restricting access with decorators. The key points are:
- Django's auth app provides user authentication functionality out of the box, including user models, permissions, and form/view tools.
- Additional user profile attributes can be added by creating a profile model with a one-to-one relationship to the user model.
- Registration is implemented with forms bound to the user and profile models, and a view to process registration and save to the database.
- Login functionality includes a form, view to authenticate and log in a user,
JavaScript Interview Questions and Answers | Full Stack Web Development Train... (Edureka!)
( ** Full Stack Web Developer Masters Program: https://www.edureka.co/masters-program/full-stack-developer-training ** )
This Edureka PPT on "JavaScript Interview Questions" will help you to prepare yourself for JavaScript Interviews (JavaScript Interview Questions Blog: https://www.edureka.co/blog/interview-questions/javascript-interview-questions/ ). Learn about the most important JavaScript interview questions and answers and know what will set you apart in the interview process.
This document provides an overview of Java fundamentals including:
- A brief history of Java's development from 1991-1995.
- An explanation of how Java code is compiled to bytecode and run on any machine by a Java Virtual Machine (JVM), making Java platform independent.
- Descriptions of Java applications and applets, the Java Development Kit (JDK), Java Runtime Environment (JRE), and object-oriented programming principles in Java like inheritance and polymorphism.
- Details of Java's features like being compiled and interpreted, platform independent, object-oriented, robust, secure, distributed, and multi-threaded.
- An example of the "Hello World" first Java program.
iPhonical and model-driven software development for the iPhone (Heiko Behrens)
These are the slides of my talk "iPhonical and model-driven software development on the iPhone" at the German iPhone Developer Conference 2009 in Cologne. Unfortunately, this version does not include the 25+ minutes of demos I presented during the talk.
The document is a slide presentation on mastering Node.js. It introduces Node.js and its architecture, use cases such as those at LinkedIn and eBay, and two-way communication using Socket.io. Node.js is described as a JavaScript runtime environment for building fast and scalable network applications. It is single-threaded and event-driven, handling requests asynchronously through an event loop. The presentation demonstrates how to create TCP servers and clients in Node.js, and how to use Socket.io for real-time communication between client and server through event emitters and callbacks.
The presentation first makes the case for modularity in modern JavaScript systems and the resulting need for a transitive dependency management solution. Later it covers the state of dependency management in JavaScript. Finally it describes the open-source Jingo JavaScript dependency manager (http://jingo.googlecode.com) and its approach to solving the dependency management problem.
From the current offensive and defensive technique arsenal, memory analysis applied to volatile memory is far from being the most explored channel. One is more likely to hear about input validation attacks or attacks against the protocol & cryptography while keys, passphrases, credit card numbers and other precious artifacts are kept unsafely in memory. This analysis arises as a mine waiting to be explored since it is sustained by one of the most vulnerable and unavoidable resources of systems, memory. From Java to Stuxnet, as well as Windows but without forgetting the Cloud, I will try to show some scenarios where these techniques can be applied, their impact as a threat, and bring an important and fun subject not just to those who work in forensics but also to penetration testers like myself. Finally, I will also try to show how this can be used for defensive technologies as tools for monitoring and protection in networks with systems in production.
This document provides an overview of OpenSocial gadgets. It discusses what gadgets are, how gadget XML specifications define them, and how containers render gadgets. Key points include:
- Gadgets are applications defined by XML specifications that can be rendered across different social networks.
- Gadget XML specs use HTML, CSS, and JavaScript to define the gadget's content and functionality. Containers optimize and render the specs.
- Gadgets can be rendered in different views depending on the container and page. Views allow gadgets to adapt their output.
- The OpenSocial JavaScript API provides utilities for gadgets to make AJAX calls, handle JSON, and more. This allows
This document discusses client-side JavaScript packages and module systems. It begins by describing CommonJS and AMD module systems, noting problems with AMD including configuration complexity and inability to easily consume third-party code. It then introduces the concept of packages as a better unit of code reuse than modules alone. NPM is presented as a package manager that solves problems of downloading, installing dependencies, and accessing other packages' code. Key aspects of NPM packages like directory structure and package.json are outlined. The document concludes by briefly covering NPM features like dependency hierarchies, Git dependencies, and using NPM without publishing to the public registry.
The document discusses JavaScript and jQuery. It covers how browsers work, the DOM and DOM API, jQuery library, DOM traversal and manipulation, event-driven programming, AJAX, and jQuery plugins. It provides examples and interactive demos of selecting elements with jQuery, modifying CSS classes and styles, reading and changing attributes, and inserting or removing elements to manipulate the DOM.
The Tellurium Automated Testing Framework (Tellurium) is a UI module-based web automated testing framework built on top of Selenium. Here is a step by step guide to teach you how to create a New Tellurium Test project.
Tellurium is an automated web testing framework that treats groups of UI elements as a whole. It addresses challenges of test robustness, dynamic web content, and maintainability. Tellurium features include abstract UI objects, UI modules, a domain-specific language, and support for dynamic locators, templates, and data-driven testing. The framework locates and caches entire UI modules to improve test speed and robustness.
This document provides an introduction to the Java programming language. It discusses the goals of Java, including being cross-platform, providing security through sandboxing with the Java Virtual Machine, and replacing C/C++. It explains what is needed to run and develop Java applications and the differences between Java editions. The document outlines some key differences between Java and C#/C++ and how to write a basic Java application. It also defines JAR files and provides principles for designing class structures in Java.
The document discusses the differences between JDK and JRE, copy constructors in Java, early and late binding, method signatures, and overriding methods to throw exceptions. It provides answers to common Java questions. JDK is for development and contains tools like compilers, while JRE is for running Java programs and contains the JVM. Copy constructors create identical object copies. Early binding resolves calls at compile-time while late binding occurs at runtime. A method signature contains its name and parameter types. Overridden methods can declare unchecked exceptions or the same checked exception as the parent method.
The document provides a professional summary and technical skills for Naresh K. It lists over 7 years of experience in web application development using Java/J2EE technologies. Some key skills listed include expertise in MVC architecture, design patterns, frameworks like Spring and Struts, databases like Oracle and SQL Server, and tools/IDEs like Eclipse, NetBeans and RAD. It also provides details of previous roles developing applications for banking and financial domains using technologies such as Hibernate, JMS and JSP.
The document discusses architecting non-trivial browser applications. It outlines the modern web application paradigm with client-server interactions over HTTP and separating concerns between frontend and backend. The consequences of this new architecture include better user experience but also increasing complexity on the client-side. The document advocates embracing this complexity through goals like reusability, encapsulation, and separation of concerns to support sustainable development of complex JavaScript applications.
The document discusses integrating Inversion of Control (IOC) concepts into JavaScript applications. It describes how to build modular components using Asynchronous Module Definition (AMD) and CommonJS module formats. It advocates for separating components from their dependencies and connections using an application composition layer. This allows for looser coupling between components, improved testability, and more flexibility to change implementations. It also covers topics like asynchronous programming, dependency injection, and aspect-oriented programming as ways to further decouple components and manage complexity in JavaScript applications.
Building web apps with node.js, socket.io, knockout.js and zombie.js - Codemo... (Ivan Loire)
Node.js is a JavaScript runtime built on Chrome's V8 engine that is lightweight and efficient for building fast web applications. It allows single-threaded, event-driven programming that is ideal for I/O intensive applications like web servers. The document discusses why Node.js is exciting for developers, how it works asynchronously using callbacks, and how frameworks like Express.js help build full-featured web applications with Node.js.
The document summarizes a Java Emerging Technology (JET) conference held in September 2008. It provides outlines and details on sessions covering topics like Java 7 features and timelines, the EasyB behavior-driven development framework, Scala as an object-oriented functional language, Groovy as a dynamic language, Grails as a web application framework, developments in J2ME, and the Android mobile platform. Examples of code were provided for many of the sessions to demonstrate the technologies.
The Tellurium Automated Testing Framework (Tellurium) is a UI module-based web automated testing framework.
The Tellurium framework is written in Groovy and Java. The test cases can be written in Java, Groovy, or pure DSL. You do not need to know Groovy before you use it. A detailed introduction, Frequently Asked Questions, and illustrative examples are provided. We expect and welcome your contributions.
This document discusses the transition from YUI3 to K2. It provides a brief history of YUI, describing its goals of code reuse through modular components and submodules. It highlights aspects of YUI3 that make it lighter, easier and faster to use than previous versions, including a more consistent API through the Node utility, language enhancements, dynamic loading, and combo handling for faster loading. The document suggests K2 builds upon these strengths.
Visage is the successor to the JavaFX Script Language, a domain-specific language for writing UIs. It excels at rapid application design and can be used on any platform that supports Java.
In this session you will learn how to supercharge your Android development by using Visage to create declarative UIs. Visage Android exposes the full set of Android APIs, allows you to mix Java and Visage code in the same application, and generates code that deploys to and runs on Android mobile devices.
Measuring code quality in WTF/Min (Revised EUI April 2014) (David Gómez García)
The document discusses various examples of poor code quality, such as unnecessary comments, overly complex code, poor naming conventions, and unnecessary code. It provides examples of real code snippets that demonstrate these issues. It also discusses principles of good code quality like keeping code simple, avoiding duplication, and separation of concerns. Finally, it discusses tools and techniques for measuring and ensuring code quality like unit testing, code reviews, quality metrics, and issue tracking dashboards.
Google App Engine is a PaaS that allows developers to build and host web applications in the Google cloud. The document summarizes a workshop on using the Java runtime environment on GAE. It discusses the SDKs, deploying and managing apps on GAE, data storage using the datastore, and limitations like the 30-second request limit. The biggest benefits of GAE are scalability and low startup costs, while the hardest limit is the 30-second request processing time.
DWR (Direct Web Remoting) is a Java-based toolkit that facilitates asynchronous communication between a web server and client using Ajax techniques. It allows calling Java methods on the server directly from JavaScript. DWR handles marshalling requests and responses between the two environments using JSON. Some key advantages of DWR include tight integration with Spring, hiding of XMLHttpRequest details, and ability to use other UI libraries alongside it.
Bhavin Patel is a senior software engineer with over 10 years of experience developing software across various domains including mobile, printers, and storage devices. He has extensive expertise in UI framework design and development using technologies like Java, C/C++, Python, and Qt. Currently he works at SanDisk where he designs and develops tools for processing logs, validating firmware, and providing diagnostic views. Previously he held engineering roles at HP, Nokia, Persistent Systems, and e-Infochips working on projects ranging from identity management to video surveillance.
The document discusses Filthy Flex, which are graphically rich web applications created with Adobe Flex that immerse users. It provides an overview of Flex including its cross-platform capabilities, use of ActionScript and MXML, and demonstrations of common tasks like handling events, invoking JavaScript, making HTTP requests, using transitions, and building mobile apps with Adobe AIR. Technologies that can be used with Flex include LiveCycle, BlazeDS, Red5, and Cairngorm along with examples of how to implement common patterns like MVC.
- Scripting languages like PHP, Python, and Ruby are becoming increasingly popular for web application development and administrative tasks due to their simplicity.
- Java is embracing dynamic scripting languages through standards like JSR 223 which allows scripts like JavaScript, Groovy, and BeanShell to be integrated with Java applications and the Java platform.
- Groovy is a popular Java-based scripting language that can be used to simplify and accelerate enterprise development by reducing code length and improving productivity.
This document provides an overview of popular JavaScript libraries including Dojo Toolkit, YUI, Prototype, and jQuery. It discusses problems they aim to solve like cross-browser inconsistencies. Key features of each library are mentioned like Dojo's widgets, YUI's controls, Prototype's Ruby-like syntax, and jQuery's chaining and node selection. The document also covers ideas from the libraries like progressive enhancement, animation APIs, and leveraging hosting on CDNs.
Web Performance Part 4 "Client-side performance"Binary Studio
The presentation is devoted to client side performance of a web app. All 4 presentations will help you reduce latency, enrich optimization of javascript code, discover tricky parts when working with API browser, see best practices of networking and learn lots of other important and interesting things. Enjoy! =)
How I learned to stop worrying and love embedding JavaScriptKevin Read
Embed your Javascript code in your native mobile app for fun and profit. We showcase our approach to embed Canvas-heavy interactive JS code within our iOS and Android app.
SF JUG - GWT Can Help You Create Amazing Apps - 2009-10-13Fred Sauer
This document summarizes a presentation about Google Web Toolkit (GWT). It discusses how GWT can help developers create apps by allowing them to use Java to build AJAX apps that run on any modern browser, highlights of GWT features like widgets, libraries, compiler optimizations for performance and code size, and resources for learning more about GWT.
This document discusses using various technologies on Google App Engine including JIQL, GaeVFS, RESTlets, scheduled tasks, JRuby on Rails, task queues, XMPP, and Clojure. JIQL emulates a relational database on App Engine's Bigtable datastore. GaeVFS provides a virtual filesystem on Bigtable. RESTlets make RESTful web services easy to implement in Java on App Engine. Scheduled tasks allow for background processing via cron jobs. JRuby on Rails provides a way to run Ruby on Rails applications on App Engine. Task queues allow for asynchronous background processing. XMPP enables instant messaging and peer-to-peer applications. Clojure can also be used
[JMaghreb 2014] Developing JavaScript Mobile Apps Using Apache CordovaHazem Saleh
Apache Cordova is a platform for building native mobile applications using common Web technologies (HTML, CSS and JavaScript). Apache Cordova offers a set of APIs that allow the mobile application developers to access mobile native functions such as (Audio, Camera, File, Battery, Contacts …etc) using JavaScript. Although there are many JavaScript mobile application frameworks, jQuery mobile is one of the best mobile web application frameworks which allows the web developers to develop web applications that are mobile friendly. This session illustrates how to use Apache Cordova with the combination of jQuery mobile in order to develop a native Android application and deploy on a real Android device. The demo application (“Memo” application) utilizes mobile native functions (Audio and Camera) using pure JavaScript.
The document discusses various topics related to .NET Framework and C#. It provides definitions of concepts like framework, CLR, and comparisons between C# and other languages. It also includes code examples in C# and Java for calculating directory size recursively. Quizzes are included to test understanding.
This document provides an overview of Node.js including:
- What Node.js is and its event-driven, non-blocking architecture
- How to install Node.js and build applications
- How to use modules like Express.js and Socket.io
- Examples of deploying Node.js applications to Microsoft Azure
- A demonstration of building a collaborative drum machine app with Node.js, WebSockets, and the Web Audio API
"JavaME + Android in action" CCT-CEJUG Dezembro 2008Vando Batista
Mini-cursos de JavaME e Android no evento do CEJUG Café com Tapioca, em Dezembro de 2008.
1. Introdução: overview do desenvolvimento em Java para dispositivos portáteis/móveis
2. Java ME in action: tutorial hands-on de desenvolvimento (mini-curso)
3. Android in action: tutorial hands-on de desenvolvimento (mini-curso)
Autor: Vando Batista
This document discusses how web design firms can compete with internal GIS teams by providing web-based GIS (WebGIS) applications. It notes that WebGIS requires learning new tools like JavaScript, AJAX, and RESTful services. To protect their work, internal GIS teams need to learn these new web technologies and prioritize usability over features to create responsive applications. The document advocates for an iterative development process with a focus on performance and usability testing.
This document discusses fraud detection in online auctions. It begins with an introduction that describes how online auctions work and the types of fraud that can occur, such as sellers not delivering purchased items or posting fake listings. It then outlines the hardware and software requirements for developing a fraud detection system, including using Java, Tomcat web server, and MySQL database. The document provides literature reviews on these technologies and describes the existing system, proposed improved system, and system design modules.
Introduction to A-frame and WEB-VR.WebVR is an open specification that makes it possible to experience VR in your browser. The goal is to make it easier for everyone to get into VR experiences, no matter what device you have.
Make WebVR with HTML and Entity-Component
Works on Vive, Rift, Daydream, GearVR, desktop
Node.js is an asynchronous event-driven JavaScript runtime that uses non-blocking I/O to build scalable network applications. It allows for the creation of web servers and networking tools using a event-driven, non-blocking I/O model rather than the traditional threaded model. Node.js is popular because it uses JavaScript and allows code reuse on both the server-side and client-side, offers high performance and scalability for real-time applications, and has a large passionate community supporting its use.
gDayX 2013 - Advanced AngularJS - Nicolas EmbletonGeorge Nguyen
This document provides an overview of AngularJS. It begins with introductions and then outlines the agenda which includes bootstrapping, why AngularJS is useful, main features like templating and data binding, best practices, testing and tooling, SEO considerations, and whether it can be used for enterprise projects. It then demonstrates some AngularJS concepts like directives and templating. The document emphasizes AngularJS' reusability, testability, and production readiness while noting best practices are important for complex projects.
The document summarizes various techniques for automated software testing using fuzzing, including coverage-based fuzzing (AFL), directed greybox fuzzing (AflGO), and neural network-based approaches (FuzzGuard). It discusses how genetic algorithms and simulated annealing are used in AFL and AflGO respectively to guide test case mutation towards new code areas. It also provides examples of vulnerabilities found using these fuzzing tools.
「C言語のポインタ(型の変数)は、可変長配列を扱うために使う」という点に絞って、50分間程度の解説をしています。
最終的に下記の12行のプログラムを47分間使って解説します。
(7行目、11行目の”<”は除いています)
1: int size = N;
2: int x[size];
3: int *p;
4:
5: p = x;
6:
7: for ( int = 0; i size; i++)
8: p[i] = i;
9:
10: int y = 0
11: for ( int i = 0; i size; i++)
12: y = y + p[i];
https://www.youtube.com/watch?v=KLFlk1dohKQ&t=1496s
1. The model is a polynomial regression model that fits a polynomial function to the training data.
2. The loss function used is the sum of squares of the differences between the predicted and actual target values.
3. The optimizer used is GradientDescentOptimizer which minimizes the loss function to fit the model parameters.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
UiPath Test Automation using UiPath Test Suite series, part 5DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 5. In this session, we will cover CI/CD with devops.
Topics covered:
CI/CD with in UiPath
End-to-end overview of CI/CD pipeline with Azure devops
Speaker:
Lyndsey Byblow, Test Suite Sales Engineer @ UiPath, Inc.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
20240609 QFM020 Irresponsible AI Reading List May 2024
Jwis2011 ruo ando
1. Analysis of obfuscated JavaScript exploitation using process debug manager
Ruo Ando
Network Security Institute, National Institute of Information and Communication Technology, Tokyo, Japan
2. Introduction: towards an alternative JavaScript debugger
• Nowadays JavaScript is everywhere (including Android and Google App Engine), driven by the pervasiveness of JSON (RFC 4627), jQuery (AJAX interface) and so on.
• Consequently, JavaScript code has become sophisticated, with binary coding of attack code and obfuscation using concatenation, which imposes a great burden on security analysis.
• Unfortunately, no useful debugger exists that is specialized for this kind of JavaScript exploitation.
• In this paper we propose applying the MS Visual Studio debugging extension to provide a new technique for tracing JavaScript behavior.
• The proposed system can extract features of some representative web attacks, such as the Google Operation Aurora (MS10-002) and IE styleObject (MS09-072) exploits.
3. The old new thing: impact and memory of the Google Aurora operation, an ultra-sophisticated advanced persistent attack
• The attack was named "Operation Aurora" by Dmitri Alperovitch, Vice President of Threat Research at the cyber security company McAfee, which informed the White House of this attack in January 2010.
• Origin: Operation Aurora is a cyber attack which began in mid-2009 and continued through December 2009. The attack was first publicly disclosed by Google on January 12, 2010, in a blog post. In the blog post, Google said the attack originated in China.
• Ultra sophisticated: The attacks were both sophisticated and well resourced, and consistent with an advanced persistent threat attack. The attack was aimed at dozens of other organizations, of which Adobe Systems, Juniper Networks and Rackspace have publicly confirmed that they were targeted. According to media reports, Yahoo, Symantec, Northrop Grumman, Morgan Stanley and Dow Chemical were also among the targets.
• Google and China: As a result of the attack, Google stated in its blog that it plans to operate a completely uncensored version of its search engine in China "within the law, if at all", and acknowledged that if this is not possible it may leave China and close its Chinese offices. Official Chinese media responded by stating that the incident is part of a U.S. government conspiracy. The Aurora operation is said to be an attempt by the Chinese government to wipe out Google from the mainland.
4. BACKGROUND: attack vector is very short. But …
Can we analyze (or debug) this IE exploitation using commodity probes?

    <html><head><script>
    var sc = unescape("%u9090%u19eb%u4b5b%..)
    var sss = Array (826, 679, 798, 224, 770, 427, 819,
    770, 707, 805, 693, 679, 784, 707, 280,
    238, 259, 819, 336, 693, 336, 700, 259, 819, 336,
    224, 770, 427, 770, 322, 805, 819, 686,
    805, 812, 798, 735, 770, 721, 280, 336, 448, 371);
    var arr = new Array;
    for (var i = 0; i < sss.length; i ++) {
    arr[i] = String.fromCharCode (sss [i] / 7);
    }
    var cc = arr.toString ();
    cc = cc.replace (/,/g, "");
    cc = cc.replace (/@/g, ",");
    eval (cc);
    var x1 = new Array ();
    for (i = 0; i < 200; i ++) {
    x1 [i] = document.createElement ("COMMENT")
    x1 [i].data = "abc";
    };
    var e1 = null;
    function ev1 (evt)
    {
    e1 = document.createEventObject (evt);
    document.getElementById ("sp1").innerHTML = "";
    window.setInterval (ev2, 50);
    }
    function ev2 ()
    {
    p = "¥u0c0d¥uu0c0d¥u0c0d¥u0c0d";
    for (i = 0; i < x1.length; i ++) {
    x1 [i].data = p;
    };
    var t = e1.srcElement;
    }
    </script>
    </head>
    <body>
    <span id="sp1"><IMG SRC="aaa.gif" onload="ev1(event)" width="16" height="16"></span>
    </body>

It is impossible to trace the script engines’ behavior allocating memory and gif processing !
5. The new old thing: web attack and JavaScript
• JavaScript is everywhere (including Android and Google App Engine), driven by the pervasiveness of JSON (RFC 4627), jQuery (AJAX interface) and so on.
• Unfortunately, again, there has been no notable probing (debugging) framework for tracing JavaScript behavior such as that of the Google Aurora operation mentioned earlier.
• In this paper we use the debugging extension of Microsoft Visual Studio 2010 (or later) to track some well-known JavaScript exploits dynamically.
• Windows has a longer history and therefore more mature interfaces for probing JavaScript execution.
• We can conclude that the Microsoft PDM extension provides a new angle for analyzing malicious JavaScript.
• The techniques obtained here could be applied to constructing probe modules for other systems, such as the Dalvik VM of Android, because JavaScript behavior should be the same regardless of OS (platform) type.
6. Commodity debugger is not always enough! JavaScript and its semantic gap
• Current popular debugging tools such as OllyDbg and WinDbg are not optimized (or sufficient) for tracing the behavior of web scripting.
• There is a semantic gap between the kernel / user mode debugger and the web application execution layer. We cannot infer the events that occurred above from naïve memory and I/O requests.
• Semantic gap means that a probe running in the user / kernel mode layer lacks knowledge of higher-level events such as web browser property changes.
[Figure: layered diagram, top to bottom. Malicious JavaScript ("a bad thing has happened"); MS Active Scripting Engine; semantic gap; memory allocate, read/write and file I/O requests through the API, observed by the USER mode debugger ("can't understand what is going on"); MS dynamic link binaries (Jscript.DLL etc.); native I/O requests and IRQ packets, observed by the KERNEL mode debugger.]
7. PDM and SDM: an extension of Microsoft Visual Studio 2005 – 2010 and later
• PDM and SDM are components of the Microsoft Visual Studio debugging extension.
• PDM and SDM provide a higher-level debugging view, mainly for web scripting such as JavaScript.
• Process Debug Manager (PDM) is a component that makes all running programs available to VSPackage (Visual Studio debugger components).
• By registering with the PDM, we can track the function calls of the high-level API invoked by the web browser. Property changes (such as variable substitution) can also be logged.
[Figure: management chain. The PDM makes the target process available to the SDM and DE. The Session Debug Manager (SDM) manages several Debug Engines (DE). A DE uses an expression evaluator and a symbol handler. The SDM wraps the IDebugExpression2 interface to obtain a stack frame with the help of the DE through IDebugThread2::EnumFrameInfo.]
8. Behavior description of JavaScript in this paper
① File name
    hr = debugDocument[i]->GetName(DOCUMENTNAMETYPE_URL,&filenameStr[i]);
② Function
    fDesc[i].pdsf->GetDescriptionString(0,&functionStr[i]);
    b2s(functionStr[i],function,BUFLEN);
③ Code (substitution)
    debugProperty = funcs->getDebugProperty(f);
    getPropertyInfoRecursive(debugProperty,props,0);
④ Code (loop)
    props->propertyIsChanged(propInfos[i].m_bstrFullName,propInfos[i].m_bstrValue)==TRUE)
9. Sample output: www.yahoo.co.jp

    Start Logging On: 2011/02/18 19:16:49
    Process ID:7072
    MaxDepth 1
    Process Name:Windows Internet Explorer
    Filename:http://www.yahoo.co.jp/
    Function:JScript global code
    window:DispHTMLWindow2:{...}
    err:Object:{...}
    ver:Undefined:undefined
    YAHOO:Undefined:undefined
    d:Undefined:undefined
    $:Undefined:undefined
    14:var ver="ga3_ie"
    ver:String:"ga3_ie"
    15:if(typeof YAHOO=="undefined"||!YAHOO)
    15:var YAHOO={}
    YAHOO:Object:{...}
    15:YAHOO.namespace=function(){var a=arguments,b=null,d,e,c;for(d=0;d<a.length;d=d+1){c=(""+a[d]).split(".");b=YAHOO;for(e=(c[0]=="YAHOO")?1:0;e<c.length;e=e+1){b[c[e]]=b[c[e]]||{};b=b[c[e]]}}return b}
    ……

Callouts on the slide, top to bottom: Process ID of IE; Depth of logging; Function invoked; Property change; Executed code (substitute); Executed code (loop).
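A trace in this layout can be post-processed offline to answer the question from slide 4: which statements decoded or evaluated strings, and what value a variable held when it reached eval. The following Python code is an added example, not the author's tool; the field layout is inferred from the sample output, and the example.test trace lines and the indicator list are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lines taken from the slide 9 sample (callouts removed, abridged).
SLIDE9_TRACE = '''\
Start Logging On: 2011/02/18 19:16:49
Process ID:7072
MaxDepth 1
Process Name:Windows Internet Explorer
Filename:http://www.yahoo.co.jp/
Function:JScript global code
ver:Undefined:undefined
YAHOO:Undefined:undefined
14:var ver="ga3_ie"
ver:String:"ga3_ie"
15:if(typeof YAHOO=="undefined"||!YAHOO)
15:var YAHOO={}
YAHOO:Object:{...}
'''
# Constructed lines in the same layout, modelled on the decode-then-eval
# pattern of the script on slide 4 (hypothetical URL and values).
CONSTRUCTED_TRACE = '''\
Filename:http://example.test/sample.html
Function:JScript global code
cc:Undefined:undefined
13:arr[i] = String.fromCharCode (sss [i] / 7)
15:var cc = arr.toString ()
cc:String:"v,a,r"
16:cc = cc.replace (/,/g, "")
cc:String:"var"
18:eval (cc)
'''

HEADER_KEYS = {"Start Logging On", "Process ID", "Process Name"}
CODE_RE = re.compile(r"^(\d+):(.*)$")                              # <line>:<source>
PROP_RE = re.compile(r"^([A-Za-z_$][\w$.]*):([A-Za-z]\w*):(.*)$")  # <name>:<type>:<value>
EVAL_ARG_RE = re.compile(r"\beval\s*\(\s*([A-Za-z_$][\w$]*)\s*\)")
# Assumed indicator list: primitives used to decode and run hidden code.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"\bString\.fromCharCode\b"),
}

@dataclass
class Statement:
    seq: int                  # position in the trace, used for ordering
    filename: Optional[str]
    function: Optional[str]
    lineno: int
    source: str

@dataclass
class PropertyChange:
    filename: Optional[str]
    name: str
    old: tuple                # (type, value) before
    new: tuple                # (type, value) after
    after: Optional[Statement]  # last statement executed before the change

def parse_trace(text):
    """Split a trace into session header, executed statements and property changes."""
    header, statements, changes, seen = {}, [], [], {}
    filename = function = last = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        value = value.strip()
        if sep and key in HEADER_KEYS:
            header[key] = value
        elif sep and key == "Filename":
            filename = value
        elif sep and key == "Function":
            function, last = value, None
        elif line.startswith("MaxDepth "):
            header["MaxDepth"] = line.split(None, 1)[1]
        elif CODE_RE.match(line):
            m = CODE_RE.match(line)
            last = Statement(len(statements), filename, function, int(m.group(1)), m.group(2))
            statements.append(last)
        elif PROP_RE.match(line):
            m = PROP_RE.match(line)
            name, new = m.group(1), (m.group(2), m.group(3))
            old = seen.get((filename, function, name))
            if old is not None and old != new:
                changes.append(PropertyChange(filename, name, old, new, last))
            seen[(filename, function, name)] = new
        elif last is not None:
            last.source += line   # wrapped source line: join to the statement
    return header, statements, changes

def flag_statements(statements):
    """Return (filename, line, indicator names) for statements using an indicator."""
    hits = []
    for s in statements:
        names = [n for n, rx in INDICATORS.items() if rx.search(s.source)]
        if names:
            hits.append((s.filename, s.lineno, names))
    return hits

def eval_inputs(statements, changes):
    """For each eval(<identifier>), return the last value logged for that identifier."""
    found = []
    for s in statements:
        m = EVAL_ARG_RE.search(s.source)
        if not m:
            continue
        value = None
        for c in changes:  # trace order, so the last matching change wins
            if (c.name == m.group(1) and c.filename == s.filename
                    and c.after is not None and c.after.seq < s.seq):
                value = c.new
        found.append((s.filename, s.lineno, m.group(1), value))
    return found
```

The value returned by eval_inputs is the decoded string as the script engine saw it, which is the higher-level view that a memory-level debugger does not provide.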
10. Proposed system: IE initialization and main loop
Main loop: IApplicationDebugger::onHandleBreakPoint
[Figure: Internet Explorer is published by the PDM and SDM (VS DBG extension); Internet Explorer is the debuggee.]
① URL: what kinds of URL accessed?
    hr = sfDesc[i].pdsf->GetCodeContext(&codeContext);
    if(hr!=S_OK){goto out;}
    hr = codeContext->GetDocumentContext(&docContext[i]);
    if(hr!=S_OK){goto out;}
    hr = docContext[i]->GetDocument(&debugDocument[i]);
    if(hr!=S_OK){goto out;}
    hr = debugDocument[i]->GetName(DOCUMENTNAMETYPE_URL,&filenameStr[i]);
② Property change:
②-1: What kinds of function invoked?
    sfDesc[i].pdsf->GetDescriptionString(0,&functionStr[i]);
    b2s(functionStr[i],function,BUFLEN);
②-2: What kinds of variables changed?
    debugProperty = funcs->getDebugProperty(f);
    getPropertyInfoRecursive(debugProperty,props,0);
11. Two core interfaces of SDM / PDM
• IRemoteDebugApplication Interface
This registered interface allows the session debug manager (SDM) to obtain information about programs that have been "published" through the IDebugProgramPublisher2 interface.
Outside the debugger: debugger connect, start and stop.
• IApplicationDebugger Interface
Represents a running application. It does not need to correspond to an operating-system process. Typically, a debugger targets an application for debugging. The Process Debug Manager typically implements the application object.
Inside the debugger: CauseBreak, handling breakpoint.
12. Publishing IE (1): injecting my callbacks

    hr = PDM->WatchForProviderEvents(
        0,                   // Tell the PDM that we want it to stop watching
        NULL,                // The PDM implementation of this interface does not require the 'port' parameter
        processId,           // the process id to query
        ScriptEngineFilter,  // We are interested in script code
        GUID_NULL,           // no launching engine
        pMyCallback          // callback interface
    );

Callbacks to inject (method: description):
• IDebugProgramProvider2::GetProviderProcessData: Obtains information about programs running, filtered in a variety of ways.
• IDebugProgramProvider2::GetProviderProgramNode: Gets a program node, given a specific process ID.
• IDebugProgramProvider2::WatchForProviderEvents: Establishes a callback to watch for provider events associated with specific kinds of processes.
• IDebugProgramProvider2::SetLocale: Establishes a locale for any language-specific resources needed by the DE.
13. Publishing IE (2): querying and unmarshaling before launch

    for(DWORD pnode = 0;pnode<procData.ProgramNodes.dwCount;pnode++){
        IDebugProviderProgramNode2 *dppn;
        hr = procData.ProgramNodes.Members[pnode]
            ->QueryInterface(__uuidof(IDebugProviderProgramNode2),(void**)&dppn);
        if(hr == S_OK){
            IRemoteDebugApplication *rda;
            hr = dppn->UnmarshalDebuggeeInterface
                (__uuidof(IRemoteDebugApplication),(void**)&rda);
            if(hr == S_OK){
                procList[numScriptProcs]=processes[cp];
                applicationDebugger[numScriptProcs] = new JSLogApplicationDebugger
                    (processId.ProcessId.dwProcessId,rda,maxDepth,maxStack,heckGlobal);
                applicationDebugger[numScriptProcs]->startDebugging();
                numScriptProcs++;
            }
        }
    }

CHECK 1: QueryInterface inspects whether the object (IE in this case) supports a certain COM interface. If this method returns S_OK, Windows increments the object reference count and the application can use the interface.
CHECK 2: UnmarshalDebuggeeInterface obtains a specified interface across process boundaries. This method is used when the debug engine is running in the Visual Studio process space and the program being debugged is running in its own process space.
OK. Start the debugger using the IRemoteDebugApplication interface.
14. Two core interfaces of the proposed system: active script debugger interface
• IRemoteDebugApplication Interface for connect / start / stop debugger of IE
• IRemoteDebugApplication::ResumeFromBreakPoint: Continues an application that is currently in a breakpoint.
• IRemoteDebugApplication::CauseBreak: Causes the application to break into the debugger at the earliest opportunity.
• IRemoteDebugApplication::ConnectDebugger: Connects a debugger to this application.
• IRemoteDebugApplication::DisconnectDebugger: Disconnects the current debugger from the application.
• IRemoteDebugApplication::GetDebugger: Returns the current debugger connected to the application.
• IRemoteDebugApplication::CreateInstanceAtApplication: Provides a mechanism for the debugger IDE, running out-of-process to the application, to create objects in the application process.
• IRemoteDebugApplication::QueryAlive: Indicates if the application is responsive.
• IRemoteDebugApplication::EnumThreads: Enumerates all threads known to be associated with the application.
• IRemoteDebugApplication::GetName: Returns the name of this application node.
• IRemoteDebugApplication::GetRootNode: Returns the application node under which all nodes associated with the application are added.
• IRemoteDebugApplication::EnumGlobalExpressionContexts: Enumerates the global expression contexts for all languages running in this application.
15. Two core interfaces of proposed system: active script debugger interface
• IDebugApplication Interface for cause/handle breakpoint of IE

| method | description |
|---|---|
| IDebugProgramProvider2::GetProviderProcessData | Obtains information about programs running, filtered in a variety of ways. |
| IDebugProgramProvider2::GetProviderProgramNode | Gets a program node, given a specific process ID. |
| IDebugProgramProvider2::WatchForProviderEvents | Establishes a callback to watch for provider events associated with specific kinds of processes. |
| IDebugProgramProvider2::SetLocale | Establishes a locale for any language-specific resources needed by the DE. |
Visual Studio Debugging Extensibility:
http://msdn.microsoft.com/en-US/library/bb147088%28v=VS.80%29.aspx
17. Experiment
① Google Aurora Attack (MS10-002 HTML object memory corruption)
MS10-002 is an HTML object memory corruption vulnerability, known as the Google Aurora attack. This cyber
attack began in mid-2009 and was first publicly disclosed by Google in January in a blog post.
The attack was also named "Operation Aurora" by Dmitri Alperovitch. McAfee Labs
discovered that "Aurora" was included in a file path on the attacker's machine.
• MSB-MS10-002
• CVE-2010-0249
• OSVDB-61697
② Active Directory Federation Service Attack
(MS09-072 ATL headers vulnerability)
MS09-072 is a vulnerability of Internet Explorer which affects Microsoft Active Directory
Federation Service (ADFS). In MS09-072, an ActiveX control built with Microsoft Active
Template Library (ATL) headers could allow an adversary to execute remote code. The ATL
vulnerability prompted an out-of-band release earlier this year from Microsoft.
• MSB-MS09-072
• CVE-2009-3672
• OSVDB-50622
• BID-37085
20. Conclusion and further works
Writing an alternative JavaScript debugger is an exciting challenge!
It works partly now.
• JavaScript is everywhere (including Android and Google App Engine)
with the pervasiveness of JSON (RFC 4627), jQuery (AJAX interface) and so
on.
• However, and as further work: there have not been striking probing (debugging)
frameworks for tracing JavaScript behavior.
• In this paper we exploit the debugging extension of Microsoft Visual Studio
2010 (or later) for dynamically tracking some famous JavaScript
exploitation.
Extensibility for other operating systems and platforms
• Windows OS is the shortest path to understanding JavaScript behavior.
Windows OS has a longer history and therefore more mature interfaces to
probe JavaScript execution. Techniques we have obtained here could be
applied for constructing probe modules for other systems such as the Dalvik VM
of Android, because the JavaScript behavior should be the same regardless
of OS (platform) type.
IT IS NOT ENOUGH: a memory dump is necessary, eventually.
Idea: anomaly loop detection of JavaScript + active memory monitoring by
DLL injection etc.