The presentation is about performing cross-domain AJAX requests. Subjects include the principles of preflight requests and the limitations of the cross-origin resource sharing (CORS) policy. You will find implementation examples for the frontend (JavaScript, jQuery, AngularJS) and for the backend (.Net, Ruby on Rails). Browser compatibility is covered in the section ‘Limitation in IE 8,9‘, where possible workarounds are shown. Finally, there are a couple of words about Content Security Policy – the latest approach in Web Application Security.
Riyaz Walikar discusses the Same Origin Policy (SOP) and Cross Origin Resource Sharing (CORS). SOP restricts how scripts from one origin can interact with resources from other origins for security. CORS allows relaxing SOP for legitimate cross-origin requests by using special HTTP headers. However, CORS implementations must be careful to avoid security issues like universal permissive policies, misplaced trust, CORS-based CSRF attacks, and caching or origin spoofing vulnerabilities.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However, embedded web fonts and AJAX (XMLHttpRequest) requests have traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
Cross site calls with javascript - the right way with CORS
Michael Neale
Using CORS (cross origin resource sharing) you can easily and securely do cross site scripting in webapps - less servers and more integration from APIs right in the browser.
This was presented during Web Directions South, 2013, Sydney, Australia.
This document discusses cross-origin resource sharing (CORS) and content security policy (CSP) as techniques to improve security in web applications. It begins by explaining the need for the same-origin policy and how CORS helps address limitations of SOP by allowing controlled cross-origin requests. It then discusses cross-site scripting (XSS) attacks and how CSP helps prevent XSS by allowing web applications to restrict resources that can be loaded or executed.
If you had to rank the best and worst moments of your JavaScript life, you’d probably rank reading “The Good Parts” up towards the top, and deep down at the bottom of the list would be the day that you found out that you couldn’t make cross-domain requests in the browser. This talk covers the hacks, tips, and tricks to leave the Same Origin Policy in the dust. So grab a cookie, pad your JSON, and learn how to communicate properly.
This document discusses methods for enabling cross-domain communication in JavaScript. It begins by explaining the need for cross-domain communication to access third-party APIs and the browser's same-origin policy security restriction. It then describes several approaches for implementing cross-domain communication including using iframes, the postMessage API for cross-window messaging, server-side proxies, JSONP, and the CORS HTTP header for enabling cross-origin requests directly in JavaScript.
The document discusses techniques for making cross-origin requests, including JSONP, CORS, and using Document.domain. JSONP works by dynamically inserting a <script> tag to load data via a JSON callback. CORS uses special request and response headers to allow cross-origin requests. Document.domain can make pages across different ports appear to be the same origin.
- CORS (Cross-Origin Resource Sharing) allows resources on a web page to be requested from another domain outside the domain from which the first resource was served.
- CORS uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin.
- Developer mistakes can lead to security vulnerabilities like cross-site request forgery if CORS is not implemented correctly, such as specifying '*' for allowed origins, failing to validate origins, or not handling credentials properly.
The document discusses the evolution of the web platform and browser security. It covers the basic technologies that underlie the web like HTML, CSS, JavaScript, and HTTP. It describes how these technologies work together to deliver content to users and allow for client-side interactivity. Key elements covered include HTML elements and tags, how CSS and JavaScript are used in web pages, JSON for data formatting, URIs for resource identification, the HTTP request/response protocol, and common HTTP methods and headers.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
4Developers 2015: Bypassing Same-Origin Policy - Jakub Żoczek
PROIDEA
Jakub Żoczek
Language: Polish
During the talk you will learn the secrets of one of the key mechanisms ensuring security in browsers, namely the Same-Origin Policy. Beyond the basic information, we will look at various techniques that allow bypassing SOP and obtaining sensitive data from domains of interest to us.
The document discusses various techniques for finding vulnerabilities in web technologies like cookies, Flash, and browser encoding behaviors. It explains how cookies work and can be abused, how Flash crossdomain policies and LoadPolicyFiles can be exploited if not configured correctly, and how injecting malformed encodings into browsers may enable cross-site scripting attacks by bypassing input validation. The goal is to help developers better understand these technologies so they can avoid vulnerabilities, while acknowledging more research is needed to fully map out exploitation techniques.
Web service API opens new possibilities to extend websites/web applications including mobile applications, third parties services, etc. We will design a web service API from scratch and review best practices and common mistakes.
Presentation on various definitions for JSON including JSON-RPC, JSPON, JSON Schema, JSONP and tools for working with these definitions, including the Persevere client and server.
HTTP is the protocol used to transmit data over the web. It is stateless and requires sessions to track state. Requests and responses use headers to transmit metadata. Sensitive data should only be sent over HTTPS and only through POST, PUT, PATCH requests never in the URL query string. Response headers like HSTS, CSP, and CORS help secure applications by controlling caching, framing, and cross-origin requests.
2014 database - course 1 - www introduction
Hung-yu Lin
This document provides an introduction to HTML, HTTP protocols, and how to build a basic web server. It begins with an overview of what happens when a browser opens a URL, including DNS lookup and the HTTP request. It then discusses the HTTP protocol and how GET, POST, PUT, and DELETE map to CRUD operations and REST APIs. The document explains how to parse an HTTP request and handle responses in a simple web server. It also introduces CGI as a way to execute scripts or programs on the server side. Finally, it provides recommendations for text editors and references for HTML, CSS, JavaScript, and building websites.
The document discusses various techniques for understanding and exploiting vulnerabilities in web technologies like cookies, Flash, and browser encoding behaviors. It covers how cookies work and can be abused, how crossdomain.xml and LoadPolicyFile policies for Flash can be bypassed, and how issues like UTF-7 encoding, NULL bytes, and HTML entity decoding can enable exploits. The document advocates for better documentation from developers to help understand these complex technologies.
HTML5 is great. Everyone thinks so. You just can't wait until the web has enough support for it, right? Well, there are plenty of tools you can use to make that dream a reality. Learn how to build on the HTML5 stack without looking behind your back the whole time. Modernizr provides the ideology behind doing this. Yepnope (Modernizr.load) provides the means for making it fast, and the polyfills do all the hard work to make your app consistent and beautiful... today.
A client is initially denied access to a resource due to an unauthorized request. The server responds with a 401 status code and details for Digest authentication. The client then resends the request with an Authorization header containing Digest authentication information and is granted access, receiving a 200 status code and the requested resource.
Basic Introduction About API Web Service
Hiraq Citra M
REST was designed by Roy Fielding to define constraints for web architectures and ensure protocol extensions would not violate the core principles that made the web successful. REST uses a stateless, client-server, uniform interface approach and relies on HTTP for data transfer, utilizing methods like GET, POST, PUT, DELETE. Fielding used REST principles to design HTTP 1.1 and URIs.
This document discusses using GitHub Pages to publish linked data on the web with no tools, support, money or other resources needed. It notes some limitations like only supporting static files and GET requests. It provides examples of publishing RDF and HTML files with RDFa from GitHub Pages and notes concerns about stable URLs if GitHub were to go away. The overall message is that GitHub Pages allows starting to mint HTTP URIs for data with no support in order to get RDF representations of data out where people and machines can discover and use it.
JS applications need to exchange data with backend APIs running on domains other than your own – understanding the same-origin policy, CSP, CORS and postMessage.
Talk held on Grill.js conference in Wroclaw, Poland on 2018-08-18.
This document discusses building REST APIs using Laravel. It covers topics like HTTP methods, status codes, authentication, caching, pagination, versioning and more. Meticulous explanations are provided for concepts like authenticating applications/clients using OAuth 2 and authenticating users with basic authentication and access tokens. Examples are given for CRUD operations on a users resource, showing the requests and responses for creating, retrieving, updating and deleting users.
This document discusses weaknesses in data normalization that can lead to vulnerabilities. It covers issues at various levels including protocol (e.g. double URL encoding bypassing validation), filesystem (e.g. path traversal using unusual encodings), databases (e.g. truncation or encoding issues), and applications (e.g. bypassing input sanitization with multibyte encodings). The key message is that input validation needs to consider challenges across all these levels from protocols to storage to properly prevent attacks exploiting normalization weaknesses.
Learn about common web application security threats and how to avoid them in your code. We will discuss general security challenges and high level principles, example attacks, social engineering, browser security and more, providing best practices along the way. This talk is a good review of the topic for experienced developers, and is highly recommended for new programmers who have not been exposed to web application security challenges in the past.
This session is not specific to any particular server-side technology. We will not discuss network security (routers, DMZs) or OS security, as this talk is focused on web application developers.
DomainTools Fingerprinting Threat Actors with Web Assets
DomainTools
This document discusses techniques for fingerprinting threat actors using their web assets. It describes how programmers often reuse code across sites for convenience. Web assets like JavaScript files, CSS files, and images can provide fingerprints to link related malicious infrastructure. The document gives an example of finding related domains tied to a threat actor by searching for a unique CSS filename on Google. It suggests this approach could be extended to more sophisticated techniques like file-level hashing and coding style analysis to profile web threats similar to how malware is analyzed.
This document summarizes Dan Kaminsky's talk on rethinking web defense. Some key points:
1) Common web vulnerabilities like XSS and XSRF persist due to how difficult it is for developers to implement defenses like randomized tokens in a way that doesn't break other aspects of a site.
2) Web security solutions often ignore other engineering requirements around performance, compatibility, reliability and usability, making them difficult and expensive to implement.
3) Kaminsky argues the security community needs to develop defenses that meet all engineering requirements and don't break the web, rather than just criticizing developers. A secure session context could help prevent entire classes of vulnerabilities.
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
These slides were used by our security researcher Sven Morgenroth during the live demo of how to hack web applications and bypass firewalls. You can watch the live demo here: https://www.netsparker.com/blog/web-security/vulnerable-web-applications-developers-target/#livedemo
The document discusses securing web applications. It argues that traditional approaches like blaming developers or banning third-party cookies are not effective solutions. Adding random tokens manually to URLs is difficult for developers. Using the referer header is unreliable due to inconsistencies across browsers and plugins. The origin header has similar problems. The document proposes an "interpreter suicide" approach where JavaScript detects cross-site navigation and prevents further execution to block attacks. This provides a client-side way to enforce session context without requiring manual token management.
Many companies are looking for "DevOps" in many forms, but what kind of skills or experiences are actually needed? I’ll debunk some of the myths surrounding what recruiters or internet lurkers might tell you and find out if you might actually have an aptitude for Site Reliability or Infrastructure Engineering. If so, what might be good knowledge areas to get started with? And if learning leads to an interview, what might that look like?
13 practical tips for writing secure golang applications
Karthik Gaekwad
Writing secure applications in a new language is challenging. Here are some tips to help get you started for writing secure code in golang. Presented at Lascon 2015
Rails security: above and beyond the defaults
Matias Korhonen
- The document discusses securing Rails web applications by improving on the framework's default security settings.
- It emphasizes using HTTPS to encrypt traffic, securing certificates with tools like Let's Encrypt, and strengthening configurations using the Mozilla SSL Configuration Generator.
- Content Security Policies provide an added layer of security by restricting what content can be loaded from external sources, reducing vulnerabilities, though they require careful configuration.
- HTTP Public Key Pinning can lock users out if misconfigured, so caution is advised. Overall, the talk provides guidance on tightening security beyond Rails defaults.
Upgrading the Web with Douglas Crockford @ FITC's Web Unleashed 2015
FITC
Presented at Web Unleashed on September 16-17, 2015 in Toronto, Canada
More info at www.fitc.ca/webu
Upgrading the Web
with Douglas Crockford
The web was originally imagined to be a simple distributed document retrieval system. It is now being used for applications that go far beyond the system’s original capabilities and intentions. We have found ways to make it work, but they are difficult and far too fragile. Many times companies have offered to replace the web with superior proprietary systems, but we rejected them. We have been adding features to the web, but this does little to correct the deep underlying deficiencies, increasing instead of reducing its complexity.
This talk suggests a way forward, taking inspiration from our successful transition from NTSC to HDTV. There is a way forward to a web that is safer, easier, and as good as we desire.
The document discusses various SSL/TLS security issues including Heartbleed, GNUTLS bugs, Apple bugs, Lucky13, BEAST, and CRIME. It provides details on the Heartbleed bug in OpenSSL, explaining how it allowed retrieval of up to 64KB of private data from affected servers. It also discusses other exploits like BEAST, CRIME, and Lucky13. The document advises administrators to patch systems, monitor for issues, and leverage big data to identify anomalies. Developers are advised to carefully manage library dependencies and versions to prevent vulnerabilities.
The document discusses various techniques for circumventing the same-origin policy (SOP) in web browsers, which aims to isolate documents retrieved from different origins for security reasons. It provides an overview of SOP and defines what constitutes the same origin. It then examines several methods for enabling cross-origin communication, such as JSONP, CORS headers, modifying the document.domain property in JavaScript, and using the postMessage API, noting security risks with improperly implementing these techniques. Code examples are provided to demonstrate JSONP and postMessage.
Long thought to be relegated to the domain of fast, multithreaded desktop applications, race conditions have made their way into web applications. These bugs are often difficult to test for, and are becoming increasingly prevalent due to faster and faster clients, while server-side languages like Node.js and PHP are struggling to keep up. Race conditions are no longer just bugs: when they are found in critical components of web applications, they become a serious security vulnerability. If the proper checks and defensive measures are not in place, databases get confused, “one-time-use” becomes a relative term, and “limited” becomes “unlimited”. This talk will detail specific examples where malicious users could cause damage or profit from a race-condition flaw in a web application. A custom open-source tool will also be introduced to help security researchers and developers easily check for this class of vulnerability in web applications.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
The subject of passwords is important today since they protect all of your accounts, and are frequently attacked by crackers. In this presentation I examine the technology used to handle and protect passwords, and make recommendations for what the user can do to protect themselves online.
This document discusses embracing HTTP and changing approaches to web application development. It suggests flipping dependencies so that applications are built around HTTP rather than frameworks. It also recommends taking a more stateful approach by going CQRS/ES rather than relying on CRUD and resources. The document questions common patterns and promotes thinking beyond frameworks to more fundamental concepts.
Browsers nowadays are competing with operating systems as the next application development platform. The rapid development of Web 2.0 keeps pushing browser developers into implementing advanced features that allow the creation of interactive multimedia applications. This sets the grounds for a new fertile environment in which a new breed of malware can come to life. Malware that is OS and architecture independent, as covert as a cutting edge rootkit but at the same time implemented through a series of API\'s and a generous variety of high-level OOP languages simplifying the task
The document provides instructions for setting up a lab environment to demonstrate HTML5 hacking techniques, including exploiting the same origin policy, cross-site scripting using HTML5 features, exploiting web messaging, attacking with cross origin resource sharing, targeting client-side storage, bypassing content security policy, and analyzing browser cross-site scripting filters. It outlines various HTML5-based attacks and provides URLs to demonstration sites to try out the exploits hands-on.
12. Reflecting all Origin headers
As Access-Control-Allow-Origin WITH Access-Control-Allow-Credentials: true
Would be really bad.
Does anyone do this?
13. Why?
It basically turns off Same-Origin policy…
Which is like ... one of the worst security problems to have.
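As an added example (not code from the talk, and not the code of any library it names), here is the behaviour slides 12 and 13 describe, in Go, beside an allowlist version of the same handler. The handler names, the example.com allowlist, the session cookie value and the account payload are constructed for the demonstration; browserExposesResponse encodes the browser rule that a credentialed response is readable by a page only when Access-Control-Allow-Origin is exactly that page's origin (never "*") and Access-Control-Allow-Credentials is "true".

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed allowlist for the hardened handler (assumption: a real site
// would list its own first-party origins here, matched exactly).
var allowedOrigins = map[string]bool{
	"https://www.example.com": true,
	"https://app.example.com": true,
}

// reflectingHandler is the misconfiguration from the slides: whatever Origin
// the browser sends is echoed back as Access-Control-Allow-Origin, together
// with Access-Control-Allow-Credentials: true.
func reflectingHandler(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	if origin != "" {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}
	writeAccountData(w, r)
}

// allowlistHandler echoes only origins on the allowlist and tells caches
// that the answer depends on Origin.
func allowlistHandler(w http.ResponseWriter, r *http.Request) {
	origin := r.Header.Get("Origin")
	if allowedOrigins[origin] {
		w.Header().Set("Access-Control-Allow-Origin", origin)
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Add("Vary", "Origin")
	}
	writeAccountData(w, r)
}

// writeAccountData stands in for a per-user endpoint: private data is
// returned only when the (constructed) session cookie is present.
func writeAccountData(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err == nil && c.Value == "secret-session" {
		fmt.Fprint(w, `{"account":"12345","balance":"1000.00"}`)
		return
	}
	http.Error(w, "unauthenticated", http.StatusUnauthorized)
}

// browserExposesResponse applies the CORS rule for a credentialed request:
// the page at pageOrigin may read the response only if ACAO is exactly that
// origin (a literal "*" is refused with credentials) and ACAC is "true".
func browserExposesResponse(h http.Header, pageOrigin string) bool {
	acao := h.Get("Access-Control-Allow-Origin")
	acac := h.Get("Access-Control-Allow-Credentials")
	return acao != "*" && acao == pageOrigin && acac == "true"
}

// crossOriginRead simulates JavaScript on pageOrigin calling
// fetch(url, {credentials: "include"}): the browser attaches the victim's
// cookie and sends Origin. It reports whether the page could read the body.
func crossOriginRead(handler http.HandlerFunc, pageOrigin string) (exposed bool, body string) {
	req := httptest.NewRequest(http.MethodGet, "/account", nil)
	req.Header.Set("Origin", pageOrigin)
	req.AddCookie(&http.Cookie{Name: "session", Value: "secret-session"})
	rec := httptest.NewRecorder()
	handler(rec, req)
	return browserExposesResponse(rec.Header(), pageOrigin), rec.Body.String()
}

func main() {
	evil := "https://myevilsite.com"
	exposed, body := crossOriginRead(reflectingHandler, evil)
	fmt.Printf("reflecting handler, origin %s: readable=%v body=%s\n", evil, exposed, body)
	exposed, _ = crossOriginRead(allowlistHandler, evil)
	fmt.Printf("allowlist handler, origin %s: readable=%v\n", evil, exposed)
	exposed, _ = crossOriginRead(allowlistHandler, "https://app.example.com")
	fmt.Printf("allowlist handler, origin app.example.com: readable=%v\n", exposed)
}
```

With the reflecting handler the evil page gets the full account JSON; with the allowlist it gets nothing readable, while the legitimate app.example.com origin still works. The allowlist is an exact-match map on purpose: prefix or regex matching on the Origin value is a common way to reintroduce the same bug.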
19. How do I know?
I scanned the Alexa 1M for websites that:
● Access-Control-Allow-Origin: <myevilsite.com>
● Access-Control-Allow-Credentials: true
● I followed redirects
● I checked both http and https
21. The code - https://github.com/ejcx/badcors-massscan
● Written in go
● Heavy use of concurrency patterns
● Making it public after this talk, and making the results and all the sites public.
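An added example, not the badcors-massscan code from the repository above: a small worker-pool scanner in Go that applies the check slide 19 lists (send a foreign Origin, follow redirects, flag any response that echoes that origin with Access-Control-Allow-Credentials: true). The targets are httptest servers constructed inline so it runs offline; the probe origin https://myevilsite.com, the Finding type and the worker count are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// probeOrigin is the attacker-controlled origin the scanner pretends to be
// (constructed for this example).
const probeOrigin = "https://myevilsite.com"

// Finding is the result of probing one URL.
type Finding struct {
	URL        string
	ACAO, ACAC string
	Vulnerable bool
	Err        error
}

// probe sends a GET with a cross-origin Origin header and reports whether the
// server reflected it with credentials enabled. The default http.Client
// follows redirects, so the headers examined are those of the final response.
func probe(client *http.Client, url string) Finding {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return Finding{URL: url, Err: err}
	}
	req.Header.Set("Origin", probeOrigin)
	resp, err := client.Do(req)
	if err != nil {
		return Finding{URL: url, Err: err}
	}
	defer resp.Body.Close()
	f := Finding{
		URL:  url,
		ACAO: resp.Header.Get("Access-Control-Allow-Origin"),
		ACAC: resp.Header.Get("Access-Control-Allow-Credentials"),
	}
	f.Vulnerable = f.ACAO == probeOrigin && f.ACAC == "true"
	return f
}

// scan fans the URL list out to nWorkers goroutines reading from one channel
// (the worker pattern the slides describe) and collects every Finding.
func scan(urls []string, nWorkers int, client *http.Client) []Finding {
	jobs := make(chan string)
	results := make(chan Finding)
	var wg sync.WaitGroup
	for i := 0; i < nWorkers; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			for u := range jobs {
				results <- probe(client, u)
			}
		}()
	}
	go func() {
		for _, u := range urls {
			jobs <- u
		}
		close(jobs)
		wg.Wait()
		close(results)
	}()
	var out []Finding
	for f := range results {
		out = append(out, f)
	}
	return out
}

// newTestTargets builds constructed targets standing in for real hosts: one
// reflects any Origin with credentials, one answers "*" (harmless, since
// browsers refuse credentials with "*"), one sets no CORS headers, and one
// redirects to the reflecting server.
func newTestTargets() (servers []*httptest.Server, urls []string) {
	reflecting := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
		w.Header().Set("Access-Control-Allow-Credentials", "true")
	}))
	wildcard := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
	}))
	plain := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {}))
	redirecting := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, reflecting.URL+"/api", http.StatusFound)
	}))
	servers = []*httptest.Server{reflecting, wildcard, plain, redirecting}
	for _, s := range servers {
		urls = append(urls, s.URL)
	}
	return servers, urls
}

func main() {
	servers, urls := newTestTargets()
	defer func() {
		for _, s := range servers {
			s.Close()
		}
	}()
	client := &http.Client{Timeout: 5 * time.Second}
	for _, f := range scan(urls, 4, client) {
		fmt.Printf("%-28s ACAO=%q ACAC=%q vulnerable=%v err=%v\n", f.URL, f.ACAO, f.ACAC, f.Vulnerable, f.Err)
	}
}
```

Against a real host list you would call scan once for the http:// form and once for the https:// form of each name, which is the "both http and https" item on the slide. Only the reflecting server and the redirect that lands on it are flagged; a bare "*" is reported but not counted as vulnerable, because the browser never attaches credentials to it.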
24. What do you do when you find a thousand vulnerable websites?
25. Started tracking these misconfigurations at their src
● I started looking for the libraries that people were using to cause this behavior.
● I reported this to
○ SAILS JS
○ Rack CORS
○ (some go library rs/cors.go or something)
○ More to come.
31. Cross origin resource sharing could be way easier.
● The authors clearly wanted to prevent people from this type of behavior.
● That’s why “*” together with “Allow-Credentials: true” is not allowed.
● Why make it possible at all?
● Why do you need 6 different response headers?
● Reminds me of OpenSSL
32. CORS is not alone...
● CSP
● SRI
● HPKP
● Credential management
● HSTS
33. Content Security Policy
● A new “hot” http response header
● CSP is still a mess. Has 3 headers.
● It is growing in complexity BY THE GOSH DARN DAY
35. Sub-Resource Integrity
● Load only expected assets. SRI dictates that you can only load sub-resources that match a hash that is baked into the DOM.
● This is nice, but SRI is confusing. Who should use SRI? When is it not necessary? The spec is not clear.
36. HTTP Public Key Pinning
● There are probably a baker’s dozen of websites where this is useful
● Securityheaders.io tries to make you want to turn on HPKP
● Huge operational burden
● Disaster.
● Complex.
38. Credential Management
● In your browser NOW! Be afraid
● Allows websites to log you in using the browser password manager
39. HTTP Strict Transport Security
● Very normal header to set nowadays.
● It is not easy. Beware of “includeSubDomains”.
● https://twitter.com/bcrypt/status/781969754806366208
43. It should be easy to make a castle, so where do we go from here?
44. Demand simplicity
● Web specifications are hard. Why are they not easy?
● Cross Origin Resource Sharing needs a full rewrite.
● There are three different Content Security Policy headers....
● Some browsers still don’t support it.
● Some browsers still don’t support SRI.
WHAT A MESS! Web Specs should be easy!
45. Come help us save the web
This stuff is all too hard.
Editor's Notes
Welcome to my talk. My talk is called misconfigured cors. Why being secure isn’t getting easier.
For this talk we will be thinking about the internet as a whole, based off of a specific vulnerability I found.
I am going to look at a really nasty vulnerability I found in a lot of websites, with the point of looking at the internet as a whole. There’s some tech talk in here about how I looked for the vuln at a pretty large scale, too, which is pretty cool.
Cloudflare. I work on product security at cloudflare. Cloudflare is a giant network CDN that proxies a huge percentage of all web traffic. We pretty much operate only on port 443 and port 80, as a web company.
I’ll start out this talk with a question. “How would you secure the internet”.
This is a lofty and idealistic goal. The internet will never be “secure”. There are core limitations baked into the very fabric of the net. BGP hijacking. DNS. Even in TLS there are many security risks and each CA that is baked into your trust store, or a signed intermediate, has the ability to man in the middle the encrypted channels of everyone.
This is something we talk about at work regularly. Not, “how can we make the internet as bullet proof as Luke Cage”, but how can we have an impact for a lot of web properties.
When you are thinking about the internet as a whole, don’t get stuck thinking about your own little bubble. Everyone using the internet, for the most part, stays within their little bubble. NYTimes, Hacker News, Google, Amazon. Everyone’s bubble is different and there are massively popular sites that you have never heard of. Go take a look at the alexa 1m, start at like site number 200,000, read like 1000 of the sites on there and I guarantee you probably will not have heard of more than 3 of them.
I think it’s really utilitarian to say “if we can raise the average security of a million websites 5% (whatever 5% means), the impact would be pretty large.”
A lot of the popular small sites are sites with 0 security budget. Maybe they don’t even have software developer budget, or they have a contract developer they know who they hire a few hours a week.
It’s easy to think small, about individual websites. It’s harder to think bigger. About the entire web.
This talk is about details, micro-scale, but the point of the talk is macro-scale.
So. Let’s start with this:
Ideally, this is what we could compare the security someone’s website to. Companies that are growing, making money, and committed to the web might build something like this.
This might be a Google, Amazon, Apple, etc. Castles are mature. They are built on a solid foundation. The details of the castle might not be as pretty on the inside, and there might be a lot of hacks or problems that they solved to build it, but for the most part they are very solid.
Ideally, all websites are castles, but that isn’t always easy for people. Devs make mistakes. People install wordpress plugins. Eventually, a lot of websites end up looking more like this….
This is your average site in the alexa 1 million, and not only from a security perspective. Also from a usability perspective and more.
We care mostly about application security, but from a usability perspective, from a loading speed perspective, the image of a bounce house is what a lot of companies look like. I’m not sure if you’ve read the blog post by Maciej C, the guy who runs pinboard, called “The web obesity crisis”.
Let’s stick to just talking about security though. You have a few companies with huge security budgets. Companies like Google, Facebook, Microsoft who were the pioneers of the bug bounty thing. Started this “hall of fame” thing years ago. They had such large security budgets they were paying people they didn’t even know for security work!
Besides that, you pretty much have bounce houses surrounding these castles, like an old medieval city.
These inflatable castles are sites that do not have dedicated security teams. They are mom-and-pop sites, bloggers with their own wordpress dedicated server on dreamhost, installing plugins and doing all sorts of garbage just trying to make things work. It is not easy for these people to be secure.
Lets talk tech now. This “how do you improve the security of the web” question is the question I want you to keep in the back of your mind as I talk about this problem.
Alright next, let’s talk about the lynchpin of all web security.
Same-Origin policy is the foundation that all web security is built on. I think most people should be familiar with this idea, but the idea is that scripts from one website cannot access data of a different origin. I’m sure most web people are familiar with this already.
It dictates that example1.com here, requesting example2.com will be blocked by default. It’s fundamental. If this wasn’t the case, you would sign on to your online banking, go to a website, and they would have ajax that fetched all your banking information with your browser.
Cross origin resource sharing is a way for a website to share things with other websites. This is normally blocked.
Here is an example of CORS. You have example1.com making a request to example2.com with ajax. We don’t really have to talk about what is being requested. We just know that by default, this is blocked.
Here is an example of cross origin resource sharing. Same Origin policy might not be wanted in all situations. Sometimes there is a reason for the two sites to communicate cross origin. Here is an example of CORS with a pretty normal configuration that a lot of CDNs have.
Javascript from example.com is consuming the example-api.com API over AJAX.
You see example-api has the Access-Control-Allow-Origin * header. This means any website can consume it! This header has a lot of baggage to learn about it. But we have a very small set of things we care about, for purposes of this talk.
For the purpose of this talk, you don’t need to know a ton about CORS. I’m going to give you a quick 2 slide run down of CORS. I’m going to show you two different HTTP requests, and talk about the difference between the CORS policies.
This means no cookies can be sent!
This is fundamentally different than
If you want to allow cookies to be sent cross origin, you there
‘*’ means cookies can never be sent along with the cross origin request.
Here’s a real HTTP request that has CORS turned on. This allows a website to fetch this javascript page dynamically, and not have to hard code a script source tag.
This is really common for javascript CDNs.
Here is another CORS example. This is fastly.com, one of cloudflare’s competitors actually.
Here you see a different CORS response. Instead of * there is a hostname here. If you notice which hostname, it’s the one from the Origin header we sent.
How big of a problem is this? To put it in english….
Here is an example of why CORS reflecting all origins with access control allow credentials true could be exploited.
A user would go to evil.com, and evil would request something from your bank. This slide is bad because your bank is returning lat long information and not bank data, but it should be returning bank data.
Okay. so it’s really easy to do with curl. This is good for testing a single individual site.
Here’s a proof of concept. It was fixed last night at like 11pm, and I didn’t create a new one…. This is a real HTTP request that I sent a couple weeks ago.
Streamable is vulnerable. Here’s an example of how simple it is to exploit this.
We are thinking about the internet at a wide scale. Not one site.
This problem is “YOOGE” around the net.
This problem is really big. There are some really weird edge cases to search for here, but I kept it really simple.
This is a lot of sites. It is important to remember, though, that not all of these sites are “problematic”.
There is no problem for sites that are serving static content. Only sites that are taking user data. Doing per user things. Setting per user cookies.
This brings up a new problem to solve for me. The disclosure problem.
To scan for this, I wrote go code.
This will be open source soon. Github.com/ejcx/hw. I’m working on some legal issues we had with some really big companies
This is the basic go routine. This is opening a bunch of files and reading lines from them, and finally passing them to a channel.
This is the code to create n worker “threads”. It’s really neat. I create a lot of workers that all read from the channel s, that contains site names, and scans them
What do you do when you find over 1000 vulnerable websites? How do you triage this?
Report it on hackerone? Bugcrowd and hackerone do not have anything close to the type of industry penetration that I can actually reliably look companies up on this.
Some of the companies are really big. Really hard to get in contact with the proper channels
Some companies are startups. I look for these and get pretty instant responses back (from CEOs awake at 3am looking at their emails).
This isn’t something I can get a CVE for. It is very general and up to individuals who are misunderstanding CORS, not someone rolling out a vulnerable software version. There is no patch for this.
What did I do?
So. After finding >1000+ websites with this undesirable behavior I decided that…
“Devs do not make repeated mistakes like this”.
SAILSJS fixed it immediately. RackCORS is a DEAD PROJECT. DO NOT USE IT.
None of the problems were as funny to me as this.
This is an answer on stackoverflow that introduces this vulnerability Im talking about today.
We have a top answer on stackoverflow that is just plain old awful. This in the picture only has 106 upvotes, but today it has over 130. But… there is something nice
This is one of the comments on that stackoverflow answer. They PERFECTLY explain the risk that the answer provides. It is very ugly but this person, Jules, does it perfectly in just a few sentences. Jules is a god damn hero.
So…. What is this all about? What is the point of me finding this problem?
What was the problem, anyways, can I actually blame the people writing the libraries that?
Who is the real person that we can throw under the bus? What is the root cause of this?
So. The real person to throw under the bus is……..
Complexity. Complexity is the real issue here. Complexity is the root of all security evil. Complexity makes things hard which means things are
CORS is so complex, it is one RFC with
3 HTTP Request Headers
6 HTTP Response Headers.
This is ALL TO ALLOW A SITE LIKE www.yoursite.com to communicate with api.yoursite.com
It’s really just sad. 6 Response headers, all with their own rules and more.
Most people who implemented the libraries did not realize that * was a real CORS policy.
Regarding complexity. CORS is not alone. These are some of the “exciting and hot words” on the menu in 2016. CSP, content security policy. SRI, sub resource integrity. HPKP, http public key pinning. Credential management which provides js APIs for websites to access the password store in a user’s browser, and HSTS.
HSTS is very surprising to be up here…. They all have a lot of baggage
This is a lot of complexity to learn.
CSP is very complicated. It is one of my bones to pick. It is super popular as a “hot” thing to add to your website if you are an appsec person.
It isn’t just one header it is
X-WebKit-CSP
Content-Security-Policy
X-Content-Security-Policy
This is a lot of headers. It used to be a pretty simple Idea but it is slowly growing out of control. The idea of Content Security Policy is to provide an HTTP response header that restricts what resources the page can load.
It’s a great header because, at a big company, it really forces the marketing and front end team to engage with the security team more often, once a CSP header exists. But besides that. Lots of things are being thrown on top of CSP.
CSP is so complicated that Mike West actually produced a spec where content security policy is a compile time target for CSP rules. You write something that compiles to CSP. CSP is so god damn complicated.
If you’re unfamiliar with who mike west is, he is a “CSP author”. He works on CSP and decides the future of it
SRI stands for sub resource integrity.
HTTP Public Key pinning is an amazing header.
HPKP means that clients who receive a valid HPKP header can ONLY talk to the HTTPS site that produces the public key signatures found in the HPKP header.
This leads to a lot of operational issues.
This is a new RFC and webappsec spec. Brand new. It is a way for websites to request passwords and log you in from the password manager that chrome has.
In my opinion, it is something chrome is going to double down on and try to put lastpass and other similar password managers out of business.
HSTS doesn’t get enough credit as a tough security header.
It is one of the most common security headers, and it causes an unbelievable amount of operational issues. It is very tough.
People think of HSTS as kind of a necessity these days. But it’s actually not that easy. Google chrome expects you to have “include subdomains” set to true, so all subdomains are also supporting HTTPS. This is not usually the case
This is a picture of uber having to get themselves removed from the HSTS preload list. Tough stuff. They added include subdomains, broke their site, and had to get themselves removed. That’s very sad.
Usable security. Web Application Security RFCs are not for web application security experts, they should be for average developers. WebAppSec specs are consumed by the web. They are immediately consumed by weirdos like me, but they are eventually consumed by regular, non security, developers. They should be written with them in mind.
This is what I want and this will have a big impact in helping people not make mistakes and allow session stealing on their website.
There is nobody making sure that the people making webappsec specs, The people making CSP, HSTS, HPKP, are making something that can actually be consumed by the outside world. Their work is consumed by millions of dev, and their work is a contract that some new feature will exist in the years to come in browsers, so they need more eyes.
Who remembers OpenSSL? Does anyone use OpenSSL? I don’t think they do…
I’m only kidding
TLS was plagued with numerous problems over the years. Numerous really neat vulnerabilities. Some were only possible to find using formal methodologies, and some were more obvious, like heartbleed.
I really like what TLS 1.3 authors did recently. I’m not a TLS expert by any means, fair warning. The TLS people limited decisions of people who would be using it. There are only a few supported ciphersuites. This is a huge win. Don’t give people the opportunity to be insecure, because they will take it.