The document introduces a new approach to input validation testing using an open-source Firefox add-on called Groundspeed. It argues that the traditional approach of testing at the HTTP request level has limitations, including not having the form labels as context and requiring switching between the user interface and HTTP worlds. Groundspeed allows modifying web application interfaces directly, eliminating these issues and reducing friction. It summarizes the key capabilities of Groundspeed such as editing form fields and attributes to perform input validation testing more efficiently within the user interface.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.
In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and a open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.
Real time web application involves clients which is also known as a browser getting updates from the server as they happen. The finance world is moving fast, and human brains cannot sustain processing data at that speed, so algorithms are used with regards to the limit observed in old-style real-time communication which include long polling, polling server-sent events and comets, this paper uses WebSocket technology when dealing with real time applications. The Web Socket offers improved result as compared to the conventional approaches that are considered to be good solution of providing real time information and lessens overhead acquired while communicating over the internet and offers stateful, efficient communication among web servers and clients. When there is need to track companies worth/stock using a dashboard immediately and not some seconds ago, WebSocket can be used to stream data without delays.
Vladimir Bacvanski and Rafael Coss
Common demands for Web 2.0 application are rich interactivity and ability to handle large volumes of data. Join us to see
how to integrate IBM DB2, IBM WebSphere sMash and high-performance data access through IBM Optim pureQuery. This
combination provides a way to rapidly develop data-centric, scalable dynamic Web applications. See how we begin with a DB2
database, access the data with Optim pureQuery, use business objects in Groovy, and expose them to users through Dojo AJAX framework.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.
In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services and a open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.
Real time web application involves clients which is also known as a browser getting updates from the server as they happen. The finance world is moving fast, and human brains cannot sustain processing data at that speed, so algorithms are used with regards to the limit observed in old-style real-time communication which include long polling, polling server-sent events and comets, this paper uses WebSocket technology when dealing with real time applications. The Web Socket offers improved result as compared to the conventional approaches that are considered to be good solution of providing real time information and lessens overhead acquired while communicating over the internet and offers stateful, efficient communication among web servers and clients. When there is need to track companies worth/stock using a dashboard immediately and not some seconds ago, WebSocket can be used to stream data without delays.
Vladimir Bacvanski and Rafael Coss
Common demands for Web 2.0 application are rich interactivity and ability to handle large volumes of data. Join us to see
how to integrate IBM DB2, IBM WebSphere sMash and high-performance data access through IBM Optim pureQuery. This
combination provides a way to rapidly develop data-centric, scalable dynamic Web applications. See how we begin with a DB2
database, access the data with Optim pureQuery, use business objects in Groovy, and expose them to users through Dojo AJAX framework.
An introduction to REST and RESTful web services.
You can take the course below to learn about REST & RESTful web services.
https://www.udemy.com/building-php-restful-web-services/
ASP.NET Web API is the de facto framework for building HTTP-based services in the .NET ecosystem. With its WCF and MVC lineage, Web API brings to the table better architecture, easier configuration, increased testability, and as always, it's customizable from top to bottom. But to properly use Web API it is not enough to get familiar with its architecture and API, you also need to really understand what HTTP is all about. HTTP is the most common application layer protocol in the world, and yet, not many web developers are familiar with HTTP concepts such as of chunking, caching, and persisted connections. In this full-day tutorial, we will focus on designing and implementing HTTP-based services with ASP.NET Web API, and you will learn how to better use it to implement the features provided by HTTP.
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...BizTalk360
The Service Bus is part of Windows Azure and is designed to provide connectivity, queuing, and routing capabilities not only for the cloud applications but also for on-premises applications. Microsoft BizTalk Server enables organizations to connect and extend heterogeneous systems across the enterprise and with trading partners. Using both together enables a significant number of scenarios in which you can build secure, reliable and scalable hybrid solutions that span the cloud and on premises environments.
Windows Azure BizTalk Services is a simple, powerful, and extensible cloud-based integration service that provides Business-to-Business (B2B) and Enterprise Application Integration (EAI) capabilities for delivering cloud and hybrid integration solutions. Windows Azure Mobile Services accelerates connected client application development by streamlining common backend tasks like structuring storage, authenticating users, and sending push notifications. In this session you will see how to integrate these technologies to build secure, reliable and scalable hybrid solutions that span the cloud and on premises environments.
What is REST?
What is RESTful Webservices
HTTP-REST Request Basics
HTTP-REST Vocabulary
Authentication (OAuth)
OAuth 2.0 Web Server Flow
REST APIs using Apex REST
Resources
Overview of REST web service concepts (Representational State Transfer).
REST is a radically different approach for web services compared to the combo SOAP/WSDL.
REST defines an architectural style for web applications and web services.
REST makes heavy use of the underlying HTTP protocol.
REST itself is not a protocol but defines architectural principles based on the concept of addressable resources and a uniform access to these resources based on the well-known HTTP-methods GET, POST, PUT and DELETE.
The state of a client (web service consumer) is controlled by the REST web service through connected links between resources (resource oriented architecture). The client state however is stored on the client itself thus greatly increasing scalability of REST-based architectures.
The REST paradigm has mostly superseded SOAP / WSDL type web services in many enterprise applications. This is largely owed to the fact that the underlying HTTP protocol is well understood and proved its scalability in the WWW.
This slide show is from my presentation on what JSON and REST are. It aims to provide a number of talking points by comparing apples and oranges (JSON vs. XML and REST vs. web services).
An introduction to REST and RESTful web services.
You can take the course below to learn about REST & RESTful web services.
https://www.udemy.com/building-php-restful-web-services/
ASP.NET Web API is the de facto framework for building HTTP-based services in the .NET ecosystem. With its WCF and MVC lineage, Web API brings to the table better architecture, easier configuration, increased testability, and as always, it's customizable from top to bottom. But to properly use Web API it is not enough to get familiar with its architecture and API, you also need to really understand what HTTP is all about. HTTP is the most common application layer protocol in the world, and yet, not many web developers are familiar with HTTP concepts such as of chunking, caching, and persisted connections. In this full-day tutorial, we will focus on designing and implementing HTTP-based services with ASP.NET Web API, and you will learn how to better use it to implement the features provided by HTTP.
Use Windows Azure Service Bus, BizTalk Services, Mobile Services, and BizTalk...BizTalk360
The Service Bus is part of Windows Azure and is designed to provide connectivity, queuing, and routing capabilities not only for the cloud applications but also for on-premises applications. Microsoft BizTalk Server enables organizations to connect and extend heterogeneous systems across the enterprise and with trading partners. Using both together enables a significant number of scenarios in which you can build secure, reliable and scalable hybrid solutions that span the cloud and on premises environments.
Windows Azure BizTalk Services is a simple, powerful, and extensible cloud-based integration service that provides Business-to-Business (B2B) and Enterprise Application Integration (EAI) capabilities for delivering cloud and hybrid integration solutions. Windows Azure Mobile Services accelerates connected client application development by streamlining common backend tasks like structuring storage, authenticating users, and sending push notifications. In this session you will see how to integrate these technologies to build secure, reliable and scalable hybrid solutions that span the cloud and on premises environments.
What is REST?
What is RESTful Webservices
HTTP-REST Request Basics
HTTP-REST Vocabulary
Authentication (OAuth)
OAuth 2.0 Web Server Flow
REST APIs using Apex REST
Resources
Overview of REST web service concepts (Representational State Transfer).
REST is a radically different approach for web services compared to the combo SOAP/WSDL.
REST defines an architectural style for web applications and web services.
REST makes heavy use of the underlying HTTP protocol.
REST itself is not a protocol but defines architectural principles based on the concept of addressable resources and a uniform access to these resources based on the well-known HTTP-methods GET, POST, PUT and DELETE.
The state of a client (web service consumer) is controlled by the REST web service through connected links between resources (resource oriented architecture). The client state however is stored on the client itself thus greatly increasing scalability of REST-based architectures.
The REST paradigm has mostly superseded SOAP / WSDL type web services in many enterprise applications. This is largely owed to the fact that the underlying HTTP protocol is well understood and proved its scalability in the WWW.
This slide show is from my presentation on what JSON and REST are. It aims to provide a number of talking points by comparing apples and oranges (JSON vs. XML and REST vs. web services).
Quiz application system project report..pdfKamal Acharya
The ONLINE QUIZ is a web application for to take online test in an efficient manner and no time wasting for checking the paper. The main objective of ONLINE QUIZ is to efficiently evaluate the candidate thoroughly through a fully automated system that not only saves lot of time but also gives fast results. For students they give papers according to their convenience and time and there is no need of using extra thing like paper, pen etc.
This application is basically create in WORDPRESS. It is a web software you can use to create a beautiful website or blog. we like to say that WORDPRESS is both free and priceless at the same time.
Operational API design anti-patterns (Jason Harmon)Nordic APIs
This is a session given by Jason Harmon at Nordic APIs 2016 Platform Summit on October 26th, in Stockholm Sweden.
Description:
Normally, we find valuable data our clients need, and create APIs. We rationalize our domains into understandable resources, with clear boundaries of ownership (especially in microservice environments). However, if our design doesn’t include considerations for how clients will use the APIs, we can get into a lot of trouble when it goes live. We’ll look at some API design patterns that can cause operational headaches, and how to watch out for them. Furthermore, we’ll cover some tricks to get out of trouble if we already have it implemented.
A three hour tutorial I gave at PHP Quebec on the challenges, theory, and concepts behind making asynchronous JavaScript calls for Web 2.0 Applications using PHP
Most of us have in our IT careers worked on REST Api's and SOAP requests without deep diving into what they exactly represent. This presentation was created from a testers perspective to understand the concept of API & WSDL and how they come to represent REST and SOAP requests
Research Inventy : International Journal of Engineering and Scienceinventy
Research Inventy : International Journal of Engineering and Science is published by the group of young academic and industrial researchers with 12 Issues per year. It is an online as well as print version open access journal that provides rapid publication (monthly) of articles in all areas of the subject such as: civil, mechanical, chemical, electronic and computer engineering as well as production and information technology. The Journal welcomes the submission of manuscripts that meet the general criteria of significance and scientific excellence. Papers will be published by rapid process within 20 days after acceptance and peer review process takes only 7 days. All articles published in Research Inventy will be peer-reviewed.
Similar to Manipulating Web App Interfaces: a new approach to input validation testing (20)
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Manipulating Web App Interfaces: a new approach to input validation testing
1. Manipulating Web Application
Interfaces – a New Approach to
Input Validation Testing
Felipe Moreno-Strauch
felipe@wobot.org
http://groundspeed.wobot.org
AppSec DC
Nov 13, 2009
The OWASP Foundation
http://www.owasp.org
2. Abstract
This talk will present two arguments against
performing input validation testing at the HTTP
request level (using proxies) and suggest a new
approach: performing input validation testing
directly in the user interface
It will also introduce Groundspeed, an open-
source add-on for Mozilla Firefox that allows you
to modify, on the fly, the forms and form fields
in the page loaded in the browser
Groundspeed is available at:
http://groundspeed.wobot.org
OWASP 2
4. An Answer with no Question
In the “Hitchhikers Guide to the Galaxy”, some
super intelligent beings build a super computer
to answer “the ultimate question of life the
universe and everything”
After seven and a half million years, the
computer gives its answer: “42”
Puzzled and disappointed, they ask the
computer what the question was
But the computer is not powerful enough to
respond that
OWASP 4
5. Information Needs Context to be Useful
In the book, the joke is in the fact that the
answer “42” makes no sense without the question
In order to understand the information in the
answer, we need to know the question because
the question provides context to the answer
This is an usual problem when people try to
understand a piece data, and it affects us more
than we first imagine
Let’s consider a normal example of interaction
with a web application
OWASP 5
6. Example: User Submits a Form
User loads a web page with a form
User types a value in a form field and submits
Client side logic validation is executed
Browser creates an HTTP with the input data in
a parameter in the GET or POST request
Browser sends the request to the server
Server reads the HTTP request and handles data
to application
Application processes the data and responds
OWASP 6
7. The Life Cycle of Input Data
User “I am John Smith”
Types input data
in form field
User Interface Name: “John Smith”
Client Side Logic custname.value = “John Smith”;
HTTP Request … &custname=“John Smith”& …
To the server
OWASP 7
8. Interface Labels Provide Context to Humans
The form label next to the textbox field (for
example “Name: ”) is the question being asked
to the user
The value typed inside the textbox is the
response to that question
As data travels down through the layers, the
answer is separated from the question
When considered from the perspective of the
HTTP request, the data is no longer in its
original context (the labels provided context)
OWASP 8
9. Argument 1: The Mapping Problem
Usually this is not a big problem because we can
use the HTTP parameter names as “pseudo”
labels
But parameter names do not need to match the
labels, they are meant for server-side code not
for humans so it could be any arbitrary value
In order to compensate for the lack of context,
we need to solve this “mapping
problem” (mapping label to parameter name),
and this makes the test a little more difficult
OWASP 9
10. Filling the Gaps
When performing input validation with a proxy,
the tester has to solve the mapping problem
We probably figured out some tricks to help with
this process:
Typing input data that explain what each field is
Using the source code of the page to map parameters
and label names
But these tricks only work well for simple web
applications
OWASP 10
11. A Problem That Will Get Harder to Solve
The problem is that in order for the tricks to
work, we have to assume two conditions:
That one form will translate to one HTTP request,
form fields matching HTTP parameters one to one
That submitting one form will cause one HTTP
request to be sent, at the time of the click
But those conditions are not true all the time:
As client-side logic gets more complex, data can be
consolidated, pre-processed, encoded on the client
AJAX (no synchronicity of the user actions and HTTP)
And things will only get more complicated
OWASP 11
12. Argument 2: Working at Two Places
Another problem of working at the HTTP level is
that it forces the tester to switch between two
worlds (user interface and HTTP)
Ideally, manipulation of the input data should
happen in the user interface, but testers have to
work at the HTTP level to bypass browser
limitations
This switching has a cost associated to it
Let’s consider the task of performing one input
validation test on one form field
OWASP 12
13. Task Breakdown
In the browser, fill in the field to be tested
Submit the form
Select the proxy window
Scan through the HTTP request to find where the
request parameters are located
Scan through the parameters to find the one that
needs to be modified
Insert the attack string
Send the request to the server and select the
browser window to see the result
OWASP 13
14. Hard Problems
Even considering a simple task (1 test on 1 field)
there are a lot of steps to complete
Some steps are distracting
But some steps create problems
Scanning through text requires “parsing”
Find the right parameter requires “mapping”
There are even more tasks if some fields are
encoded or if there is form validation
There are a lot of secondary steps that do not
contribute to the main goal: test input validation
OWASP 14
15. Test Friction
Consider now all the tests we have to perform on
all the parameters of the web application
There will be a lot of secondary tasks, this is not
an optimal process
The secondary steps are like energy that is lost in
things that do not contribute to the goal
We could think about them as “test friction”
This is a user experience problem not a usability
problem
OWASP 15
17. Why do We Work at the HTTP Level?
The browser is a tool designed for normal users,
so it does not provide all the functionality that
web app testers need
A few years ago, to modify the browser was too
hard (closed source) and to create a browser
from scratch was too much work
Working outside the browser, at the HTTP level
was the best alternative
The mapping problem was easy to solve in the old web
The user experience problem was a reasonable price
to pay
OWASP 17
18. Now Things are Different
Because of the richer web apps, mapping
parameters to interface labels is getting harder
The mapping problem might still be tolerable but
will only get worse as apps get more complex
Working at the HTTP level forces the tester has
to switch between two worlds: user interface
(browser) and HTTP (proxy) adding “friction” to
the process
Another important change: browsers are now
easier to modify (open source and add-on
systems)
OWASP 18
19. Suggesting a New Approach
We should reconsider the strategy for input
validation tests
It makes sense to keep some tests at the HTTP level
But most could benefit from work at the interface level
It is easier and more efficient to manipulate data
from the user interface instead of the HTTP level
That would eliminate the mapping problem
Data makes more sense at the user interface level
(bigger chance of business logic exploitation)
Improves user experience for tester (reduces friction)
OWASP 19
21. Introducing Groundspeed
Groundspeed is an open-source add-on for
Mozilla Firefox (http://groundspeed.wobot.org)
Groundspeed allows a tester to perform input
validation testing from the web app user
interface
Groundspeed modify the browser in order to
adapt it to the needs of web app testers:
Manipulate the application’s user interface
Remove client side validation and other limitations
OWASP 21
22. Download and Install Groundspeed
Visit http://groundspeed.wobot.org
The following screenshots were taken on demo
forms available at groundspeed.wobot.org/demo
OWASP 22
23. How to Start Groundspeed
In order to start working with groundspeed,
open the sidebar using:
Tools – Groundspeed
Once groundspeed is open, load the form
information from the current page using the
“Reload” button
OWASP 23
25. Select a Form or a Form Field
The groundspeed sidebar has two sections
The top section lists the forms and fields in the page
The bottom section lists the HTML attributes of the
selected form or form element
Select one form or field in the list in the top
section, and groundspeed will highlight that
element in the page and display its attributes in
the lower part of the sidebar
OWASP 25
26. View the Selected Form and its Attributes
select
result
result
OWASP 26
27. View the Selected Field and its Attributes
select
result
result
OWASP 27
28. View Hidden Fields
If you select a hidden field from the list of forms
and form fields, the hidden field becomes visible
in the page
OWASP 28
30. Edit Attributes of Forms and Fields
Groundspeed lets you modify, add and remove
HTML attributes on the form and the form fields
In the upper list, select the form or the form
field that you want to change the attributes
Right-click on the attribute in the lower list and
select from the context menu
A double-click on a selected attribute will edit
the current value
OWASP 30
32. Change the Type of any Form Field
Groundspeed allows you to change any form
field into a textbox with 2 clicks:
Right-click on the element you want to convert
Choose the “Transform into Text Input”
After the change, you can edit the contents of
the field directly in the page
Groundspeed will create a label that matches the
field “name” or “id” attribute
For “Select” elements, groundspeed adds a
“cheat-sheet” with the options that existed in
the drop down list
OWASP 32
33. Change the Type of any Form Field
right click select
result
OWASP 33
35. Other Manipulations in Forms
Other useful things you can do in a form:
Add a new form fields
Make the form submit in a new window (so you don’t
have to manipulate the interface all over again)
Change all hidden fields into textboxes
Save all form field values (and clear the saved values)
Remove all JavaScript event handlers (in the form
and its fields)
These are all options available when right
clicking the form in the list
OWASP 35
37. Other Manipulations in Fields
Other useful things you can do in a text or
hidden field:
Remove length limits (so you can add more data)
Modify size (so the field looks bigger in the page)
Encode and decode the contents (Base64, Hex, HTML
Entities, Unicode, URL Encode)
Hash the contents of the field (MD5, SHA1)
Remove all JavaScript Event Handlers
These options are available when you right-click
on a field in the list
OWASP 37
39. Groundspeed
Adapts the web application interface to fit the
needs of the security tester
What you need, where you need: no friction
Eliminates the complex secondary tasks
Allows input validation to be performed from the
interface
Eliminates the mapping problem
OWASP 39
40. Groundspeed Limitations and Bugs
Groundspeed does not work with poorly
designed pages (where layout is made with
HTML tables) because of DOM hierarchy
Groundspeed does not see JavaScript event
handlers that are set programmatically using
JavaScript
OWASP 40