This document summarizes a presentation on new SQL injection obfuscation techniques. It provides details on the speaker, Nick Galbreath, and the event: DEFCON 20 in Las Vegas on July 27, 2012. It then discusses libinjection, a tool for detecting SQLi, and analyses it on 32,000 SQLi attacks to find syntax not previously seen. The rest of the document explores unusual and underexploited SQL syntax related to numbers, comments, strings, and data types that could be useful for fuzzing, validation, and obfuscation.
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
SQL that isn't caught by WAFs but also isn't used (yet) by attackers! Why detecting SQLi is good, and why doing it with regular expressions is hard. And re-introducing libinjections which is a new way of detecting SQLi attacks.
This is a mashup of my Black Hat USA 2012 and DEFCON 20 talks, refreshed and updated.
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013Nick Galbreath
What if we could reduce SQLi attacks in your application by 90%? WIth little to no changes in your application, with no new hardware or firewalls?
First presentated at RSA Conference USA, 2013-02-27
libinjection: from SQLi to XSS by Nick GalbreathCODE BLUE
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks from user inputs. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS. Like the SQLi libinjection algorithm, this does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, this is available on GitHub with free license.
Nick Galbreath
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market. He is the author of ""Cryptography for Internet and Database Applications"" (Wiley). Previous speaking engagements have been at Black Hat, Def Con, DevOpsDays and other OWASP events. He holds a master's degree in mathematics from Boston University and currently resides in Tokyo, Japan.
In 2013
- LASCON http://lascon.org/about/, Keynote Speaker Austin, Texas USA
- DevOpsDays Tokyo, Japan
- Security Development Conference (Microsoft) San Francisco, CA, USA
- DevOpsDays Austin, Texas, USA
- Positive Hack Days http://phdays.com, Moscow Russia
- RSA USA, San Francisco, CA, speaker and panelist
In 2012
- DefCon
- BlackHat USA
- Others
Recent workshop on security code review given at SecTalks Melbourne. The slides contain a link to the vulnerable PHP application to perform the review.
libinjection and sqli obfuscation, presented at OWASP NYCNick Galbreath
SQL that isn't caught by WAFs but also isn't used (yet) by attackers! Why detecting SQLi is good, and why doing it with regular expressions is hard. And re-introducing libinjections which is a new way of detecting SQLi attacks.
This is a mashup of my Black Hat USA 2012 and DEFCON 20 talks, refreshed and updated.
SQL-RISC: New Directions in SQLi Prevention - RSA USA 2013Nick Galbreath
What if we could reduce SQLi attacks in your application by 90%? WIth little to no changes in your application, with no new hardware or firewalls?
First presentated at RSA Conference USA, 2013-02-27
libinjection: from SQLi to XSS by Nick GalbreathCODE BLUE
libinjection was introduced at Black Hat USA 2012 to quickly and accurately detect SQLi attacks from user inputs. Two years later the algorithm has been used by a number of open-source and proprietary WAFs and honeypots. This talk will introduce a new algorithm for detecting XSS. Like the SQLi libinjection algorithm, this does not use regular expressions, is very fast, and has a low false positive rate. Also like the original libinjection algorithm, this is available on GitHub with free license.
Nick Galbreath
Nick Galbreath is Vice President of Engineering at IPONWEB, a world leader in the development of online advertising exchanges. Prior to IPONWEB, his role was Director of Engineering at Etsy, overseeing groups handling security, fraud, security, authentication and other enterprise features. Prior to Etsy, Nick has held leadership positions in number of social and e-commerce companies, including Right Media, UPromise, Friendster, and Open Market. He is the author of ""Cryptography for Internet and Database Applications"" (Wiley). Previous speaking engagements have been at Black Hat, Def Con, DevOpsDays and other OWASP events. He holds a master's degree in mathematics from Boston University and currently resides in Tokyo, Japan.
In 2013
- LASCON http://lascon.org/about/, Keynote Speaker Austin, Texas USA
- DevOpsDays Tokyo, Japan
- Security Development Conference (Microsoft) San Francisco, CA, USA
- DevOpsDays Austin, Texas, USA
- Positive Hack Days http://phdays.com, Moscow Russia
- RSA USA, San Francisco, CA, speaker and panelist
In 2012
- DefCon
- BlackHat USA
- Others
Recent workshop on security code review given at SecTalks Melbourne. The slides contain a link to the vulnerable PHP application to perform the review.
Mock what? What Mock?Learn What is Mocking, and how to use Mocking with ColdFusion testing, development, and continuous integration. Look at Mocking and Stubbing with a touch of Theory and a lot of Examples, including what you could test, and what you should test… and what you shouldn't test (but might be fun).
The Angular framework is great for building large-scale web applications that can be maintained and enhanced. When you're building enterprise-level apps, testing is vital to the development process. Testing improves the quality of code and reduces maintenance, saving both time and money. Developers who know how to build and leverage tests are highly valued by their clients and companies.
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
Video at: https://www.youtube.com/watch?v=PqsudKzs79c
An introduction to PHP unserialization vulnerabilities, with some practical tips on methodology. Based around three new exploits for old vulnerabilities (CVE-2011-4962, CVE-2013-1453, CVE-2013-4338).
Van Wilson
Senior Consultant with Cardinal Solutions
Find more by Van Wilson: https://speakerdeck.com/vjwilson
All Things Open
October 26-27, 2016
Raleigh, North Carolina
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015Matt Raible
Many Spring projects exist that leverage XML for their configuration and bean definitions. Most Java web applications use a web.xml to configure their servlets, filters and listeners. This session shows you how you can eliminate XML by configuring your Spring beans with JavaConfig and annotations. It also shows how you can remove your web.xml and configure your web components with Java.
Coding with style: The Scalastyle style checkerMatthew Farwell
Coding with style: The Scalastyle style checker
Scalastyle is a static code analysis tool that helps programmers write Scala code according to the coding standards their project.
It is heavily influenced by Checkstyle, PMD and FindBugs for Java. These tools are used by java developers everywhere, and Scalastyle will help Scala gain more acceptance within companies.
Scalastyle can check many aspects of your code. It has as goals:
- to check the style of your code according to house style (usage of tabs, correct whitespace usage),
- coding conventions (too many parameters to a method, usage of disallowed libraries, usage of return)
- and code which exhibits bug patterns (equals and hashCode not implemented in the same class).
Currently, scalastyle works as standalone, and there is an Eclipse plugin, and plugins for sbt and maven are planned.
In this talk, we discuss why we're creating Scalastyle, what it currently does (the rules that are checked), and how it does it (using the wonderful Scalariform), along with the current state of third part integration (Eclipse, Maven).
After years of promoting PHPUnit I still hear it's hard to get started with unit testing. So instead of showing nice step-by-step examples on how to use PHPUnit, we're going to take an example straight from github. So I've taken the challenge to start writing tests for PHP projects that don't have unit tests in place and explain how I decide where to begin, how I approach my test strategy and how I ensure I’m covering each possible use-case (and covering the CRAP index). The goal of this presentation is to show everyone that even legacy code, spaghetti code and complex code bases can be tested. After this talk you can immediately apply my examples on your own codebase (even if it's a clean code base) and get started with testing. To follow along a basic knowledge unit testing with PHPUnit is required.
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
Mock what? What Mock?Learn What is Mocking, and how to use Mocking with ColdFusion testing, development, and continuous integration. Look at Mocking and Stubbing with a touch of Theory and a lot of Examples, including what you could test, and what you should test… and what you shouldn't test (but might be fun).
The Angular framework is great for building large-scale web applications that can be maintained and enhanced. When you're building enterprise-level apps, testing is vital to the development process. Testing improves the quality of code and reduces maintenance, saving both time and money. Developers who know how to build and leverage tests are highly valued by their clients and companies.
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
Video at: https://www.youtube.com/watch?v=PqsudKzs79c
An introduction to PHP unserialization vulnerabilities, with some practical tips on methodology. Based around three new exploits for old vulnerabilities (CVE-2011-4962, CVE-2013-1453, CVE-2013-4338).
Van Wilson
Senior Consultant with Cardinal Solutions
Find more by Van Wilson: https://speakerdeck.com/vjwilson
All Things Open
October 26-27, 2016
Raleigh, North Carolina
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015Matt Raible
Many Spring projects exist that leverage XML for their configuration and bean definitions. Most Java web applications use a web.xml to configure their servlets, filters and listeners. This session shows you how you can eliminate XML by configuring your Spring beans with JavaConfig and annotations. It also shows how you can remove your web.xml and configure your web components with Java.
Coding with style: The Scalastyle style checkerMatthew Farwell
Coding with style: The Scalastyle style checker
Scalastyle is a static code analysis tool that helps programmers write Scala code according to the coding standards their project.
It is heavily influenced by Checkstyle, PMD and FindBugs for Java. These tools are used by java developers everywhere, and Scalastyle will help Scala gain more acceptance within companies.
Scalastyle can check many aspects of your code. It has as goals:
- to check the style of your code according to house style (usage of tabs, correct whitespace usage),
- coding conventions (too many parameters to a method, usage of disallowed libraries, usage of return)
- and code which exhibits bug patterns (equals and hashCode not implemented in the same class).
Currently, scalastyle works as standalone, and there is an Eclipse plugin, and plugins for sbt and maven are planned.
In this talk, we discuss why we're creating Scalastyle, what it currently does (the rules that are checked), and how it does it (using the wonderful Scalariform), along with the current state of third part integration (Eclipse, Maven).
After years of promoting PHPUnit I still hear it's hard to get started with unit testing. So instead of showing nice step-by-step examples on how to use PHPUnit, we're going to take an example straight from github. So I've taken the challenge to start writing tests for PHP projects that don't have unit tests in place and explain how I decide where to begin, how I approach my test strategy and how I ensure I’m covering each possible use-case (and covering the CRAP index). The goal of this presentation is to show everyone that even legacy code, spaghetti code and complex code bases can be tested. After this talk you can immediately apply my examples on your own codebase (even if it's a clean code base) and get started with testing. To follow along a basic knowledge unit testing with PHPUnit is required.
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
The report considers analysis of modern Web Application Firewalls. The author provides comparison of attack detection algorithms and discusses their advantages and disadvantages. The talk includes examples of bypassing protection mechanisms. The author points out the necessity of discovering a universal method of masquerading for vectors of various attacks via WAFs for different algorithms.
Presented at RecSys 2012.
"BlurMe: Inferring and Obfuscating User Gender Based on Ratings"
User demographics, such as age, gender and ethnicity, are routinely used for targeting content and advertising products to users. Similarly, recommender systems utilize user demographics for personalizing recommendations and overcoming the cold-start problem. Often, privacy-concerned users do not provide these details in their online profiles. In this work, we show that a recommender system can infer the gender of a user with high accuracy, based solely on the ratings provided by users (without additional metadata), and a relatively small number of users who share their demographics. We design techniques for effectively adding ratings to a user's profile for obfuscating the user's gender, while having an insignificant effect on the recommendations provided to that user.
The methodology presented in this paper is based on the ability to identify and understand the flow of log streams. Once the feeds are incorporated and the best possible coverage has been achieved, detected category will be ready for rule definition. Correlation rules can also correlate events via their taxonomy allowing the creation of device-independent correlation rules
Expanding the control over the operating system from the databaseBernardo Damele A. G.
Using a database, either via a SQL injection or via direct connection, as a stepping stone to control the underlying operating system can be achieved.
There is much to say on operating system control by owning a database server: Windows registry access, anti-forensics technique to establish an out-of-band stealth connection, buffer overflow exploitation with memory protections bypass and custom user-defined function injection.
These slides have been presented at SOURCE Conference in Barcelona on September 21, 2009.
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
--- Daniel Bohannon
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breach occur. He also develops new methods for detecting malicious PowerShell usage at both the host- and network-level while researching obfuscation techniques for PowerShell- based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization’s incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
Nullcon Goa 2016 - Automated Mobile Application Security Testing with Mobile ...Ajin Abraham
Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.
This is the product and services portfolio of IBM Security, which is one pillar of IBM CAMSS strategy. Products in portfolio are still moving during early 2015 due to re-portfolio of IBM. However, it will be categorized in 2 major parts.
1) IBM Security Products : all security software and appliance
2) IBM Security Services : all security services, including Cloud security.
This is the talk given at NullCon 2017. This talk give s history of the Veil Framework, and showcases the differences between 2.0 and the newly released 3.0. Veil 3.0 is released in this talk
A pragmatic approach to different SQL Injection techniques such as Stacked statements, Tautology based, Union based, Error based, Second Order and Blind SQL Injection coherently explaining the path behind these attacks including tips and tricks to make them more likely to work in real life.
Also I will show you ways to avoid weak defenses as black listing and quote filtering as well as how privilege escalation may take place from this sort of vulnerabilities.
There will be a live demonstration where you can catch on some handy tools and actually see blind sql injection working efficiently with the latest techniques showing you why this type of SQL injection shouldn't be taken any less seriously than any other.
Finally, a word on countermeasures and real solutions to prevent these attacks, what you should do and what you should not.
http://videos.sapo.pt/ZvwITnTBMzD8HYvEZrov (video)
AppeX and JavaScript Support Enhancements in Cincom SmalltalkESUG
First Name: Vladimir
Last Name: Degen
youtube: https://youtu.be/sZRAG7L1DgI
Title: AppeX and JavaScript Support Enhancements in Cincom Smalltalk™
Type: Talk
Abstract:
JavaScript is the de facto language of the web, while Smalltalk is a premier language for developing powerful and innovative programs. AppeX, featured at
ESUG in past years, continues to evolve as a tool for bringing these two languages together in a simple and natural way to support the development of
complex web applications. AppeX is a very lightweight and flexible modern web application framework in Cincom Smalltalk. With AppeX, users get the most
current web technologies like HTML5, JavaScript, Ajax, JSON, XHR, etc. AppeX is open and uses any preferred JavaScript libraries, as well as automatic
session management. AppeX allows users to manage Smalltalk and JavaScript code within Cincom Smalltalk and also provides browser support for JavaScript,
which allows users to search senders/implementers and parse JavaScript literals.
In this talk, Vladimir Degen will explain and demonstrate some recent, interesting features of AppeX, including editing arbitrary JavaScript code from
within AppeX, and the ability of AppeX to "task" web browsers to do such things as utilizing JavaScript libraries and functionally testing and scripting
websites from within Smalltalk.
Bio:
Vladimir Degen, a senior software engineer, has been with Cincom Systems, Inc. now for three years. Vladimir is a valuable member of the Protocols team
responsible for network protocols, security and web application development components of the Cincom Smalltalk™ Foundation. With Cincom® ObjectStudio® and
Cincom® VisualWorks® both built on the same Foundation, this engineering group is responsible for critical improvements that enhance both products.
Specifically, Vladimir combines his experience in Smalltalk and JavaScript to enhance the web application development components in Cincom Smalltalk.
Vladimir will be discussing the latest AppeX and JavaScript Support Enhancements in Cincom Smalltalk.
Vladimir first decided that there must be something better than Basic to create wargame simulations back before entering college. Unfortunately the
internet back then just wasn't what it is today, and he remained oblivious of Smalltalk while pursuing his other love, physics, and into the early 90's,
when he first heard talk of Smalltalk from a fellow contract programmer in SAS. Eager to make up for lost time, he's spent most of his professional life
since then working with Smalltalk, and also (more recently), as a JavaScript developer. A few years ago he found an opportunity at Cincom to combine
working with Smalltalk and JavaScript and has been doing so from his home in Maryland up to the present time.
Apart from work, Vladimir has engaged in various martial arts (most recently Kung Fu and Kunst des Fechtens),
Why you should be using the shiny new C# 6.0 features now!Eric Phan
C# 6.0 will change the way you write C#. There are many language features that are so much more efficient you’ll wonder why they weren’t there since the beginning.
Getting Buzzed on Buzzwords: Using Cloud & Big Data to Pentest at ScaleBishop Fox
You’ve heard about cloud, big data, server-less infrastructure, web scale, and other buzzwords that cause VCs to throw money at people - but how does this help you? If you’re getting bored going over the same checklist in your pentests then you’re missing out on what some of these new technologies can offer you. Using some of the newer cloud technologies not only can you automate all of your workflows, but you can do so with almost zero maintenance at a low cost with almost infinite scalability! This talk will show you how to blow conventional pentesters out of the water using some cool new technologies along with a little bit of trickery.
Some of the topics we’ll go over include: * Cheap and scalable rainbow tables with BigQuery, 5TB in 10 seconds * SQS & Lambda, like Burp Intruder but 10K QPS * Scalable GPU Clusters on the cheap with Spot Instances and Elastic Beanstalk * Cloud exit nodes, rotating IPs via Elastic Beanstalk and nano instances * Cost effective fuzzing with Elastic Beanstalk and Spot Instances
(This was originally presented on November 16, 2018 at Kiwicon 2038).
DWX 2018 - Automatisiertes Datenbankdeployment im DevOps ProzessMarc Müller
Komplexe Anwendungen bedingen nicht nur Entwicklungstätigkeiten in der Software, sondern sind ebenfalls geprägt durch die Optimierung der Datenbank durch einen DBA. Oft wird die Verwaltung der Datenbank-Entwicklung im Rahmen der Build und Release-Automatisierung eher stiefmütterlich behandelt. Gerade bei vielen Releases DevOps Umfeld, ist es umso wichtiger, das Datenbank Deployment und die dazugehörigen Schema- und Datenmigrationen zu automatisieren. In dieser Session zeigen wir Ihnen den Einsatz von SQL Server Data Tools in Visual Studio sowie die Einbindung der Datenbankprojekte in das Build- und Release-System.
DWX 2018 - Automatisiertes Datenbank-Deployment im DevOps ProzessMarc Müller
Komplexe Anwendungen bedingen nicht nur Entwicklungstätigkeiten in der Software, sondern sind ebenfalls geprägt durch die Optimierung der Datenbank durch einen DBA. Oft wird die Verwaltung der Datenbank-Entwicklung im Rahmen der Build und Release-Automatisierung eher stiefmütterlich behandelt. Gerade bei vielen Releases DevOps Umfeld, ist es umso wichtiger, das Datenbank Deployment und die dazugehörigen Schema- und Datenmigrationen zu automatisieren. In dieser Session zeigen wir Ihnen den Einsatz von SQL Server Data Tools in Visual Studio sowie die Einbindung der Datenbankprojekte in das Build- und Release-System.
How many lines of code does it take to generate a running total? How would you find a value in the next row of data – without using a cursor or loop? How can you efficiently store rows of data with a lot of optional fields, and how can you quickly find which of those rows have values? And how can you eliminate locking without resorting to dirty reads? SQL Server has answers for all of these questions, and none requires more than a few lines of code. Give me an hour, and I will blow your mind!
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
SPARKNaCl https://github.com/rod-chapman/SPARKNaCl is a new, freely-available, verified and fast reference implementation of the NaCl cryptographic API, based on the TweetNaCl distribution. It has a fully automated, complete and sound proof of type-safety and several key correctness properties. In addition, the code is surprisingly fast - out-performing TweetNaCl's C implementation on an Ed25519 Sign operation by a factor of 3 at all optimisation levels on a 32-bit RISC-V bare-metal machine. This talk will concentrate on how "Proof Driven Optimisation" can result in code that is both correct and fast.
"ClojureScript journey: from little script, to CLI program, to AWS Lambda fun...Julia Cherniak
In this talk, I’d like to show that engineer, in order to make progress, should develop its own “outside the box” thinking. Experienced programmer regardless of the language ought to look at things from various standpoints outside the commonly used paradigm. This allows her to choose the proper strategy which fits the task, customer’s requirements, saves time and money. Having our product as an example, I’d like to show new language and new methods, which are not that frequently used in the mainstream. I believe this will broaden the horizon of the conference audience.
Fixing security by fixing software developmentNick Galbreath
Fixing Security by Fixing Software Development Using Continuous Deployment
Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.
Rebooting Software Development - OWASP AppSecUSA Nick Galbreath
If we are ever going to get ahead of the whack-a-mole security vulnerability game, we, as security professionals need to start getting involved more in the development of software. Let's review the origins of the traditional software development, and what assumptions are made. Then we'll review if those assumptions still hold for modern web applications, and what problems they cause, especially for security. Continuous deployment helps address these problems and allows for faster, more secure development. It's more than just "pushing code a lot", when done correctly it can be transformative to the organization. We'll discuss what continuous deployment is, how to get started, and what components are needed to make it successful, and secure.
Continuous Deployment - The New #1 Security Feature, from BSildesLA 2012Nick Galbreath
First presented at Security BSidesLA, Hermosa Beach, California, August 16, 2012
Continuous deployment is characters by a small and frequent changes to production. Find out why it's my #1 security feature. It's not just about pushing fast!
How do fonts look when uploaded onto slideshare when the presentation is of various sides? How does it look on a washed-out projector? For plain text? For computer-code?
This presentation provides a number of sans-serif and monospace fonts to help answer these questions.
Rate Limiting at Scale, from SANS AppSec Las Vegas 2012Nick Galbreath
Rate Limits at Scale SANS AppSec Las Vegas.
Rate Limit Everything All the time using a quantized time system with Memcache or Redis. Use this protect resources or discover anomalies.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
New techniques in sql obfuscation, from DEFCON 20
1. New Techniques in
SQLi Obfuscation
SQL never before used in SQL Injection
Nick Galbreath
@ngalbreath
nick@client9.com
nickg@etsy.com
DEFCON 20 at the Rio in sunny Las Vegas
2012-07-27 Friday 4:20 pm!
2. Follow along or get the latest version:
http://
www.client9.com/
20120727/
Nick Galbreath DEFCON20 @ngalbreath
3. whoami
• Nick Galbreath
• Director of Engineering at Etsy
• Security, Fraud, Enterprise Features
• Published book on Cryptography
(Wiley, 2002)
• Fixing broken authentication systems and
password storage for the last 15 years.
Nick Galbreath DEFCON20 @ngalbreath
4. SQL Specification
• http://www.contrib.andrew.cmu.edu/
~shadow/sql/sql1992.txt
• 625 pages of plain text
• http://savage.net.au/SQL/sql-2003-2.bnf
• 119 pages of pure BNF
• No one implements exactly
• Everyone has extensions, exceptions, bugs
Nick Galbreath DEFCON20 @ngalbreath
6. libinjection
• libinjection is a quasi-SQL tokenizer, parser
to detect SQli
• Released at BlackHat 2012
• http://www.client9.com/20120725/
• http://www.client9.com/libinjection/
Nick Galbreath DEFCON20 @ngalbreath
7. Sources
Tens of thousands attacks of varying quality
• Output from SQLi vulnerability scanners
against dummy sites
• Published attacks
• SQLi How-to guides
• Stuff we see at Etsy
Nick Galbreath DEFCON20 @ngalbreath
8. Analysis
• Ran all 32,000 SQLi attacks through
libinjection (which detects all as SQLi)
• Used gcov code coverage to see what
paths weren't being used.
• That plus SQL syntax not implemented is
SQL never before used in SQLi
Nick Galbreath DEFCON20 @ngalbreath
9. Lots of Dark Corners
• We'll review many of the SQL oddities that
aren't actively being used or are interesting
enough to re-review.
• Great for new fuzzers, vulnerability
scanners, WAF builders and validators.
Nick Galbreath DEFCON20 @ngalbreath
11. MySQL NULL Alias
MySQL NULL can written as N
case sensitive. n is not a null.
This means any WAF that does a "to_lower"
on the user input and looks for "null" will miss
this case.
Nick Galbreath DEFCON20 @ngalbreath
12. NULL PGSQL
• ISNULL, NOTNULL (same as IS NULL),
this is a function in MSSQL
• "IS [NOT] UNKNOWN"
• "IS [NOT] DISTINCT"
Nick Galbreath DEFCON20 @ngalbreath
15. Exceptions
• 1.AND 2 (no space between "1." "AND")
some parsers accept, some don't
• 1e1 vs. 1e1.0 ?
• 123AND456 vs. 123 AND 456
Nick Galbreath DEFCON20 @ngalbreath
16. Oracle Special Literals
numbers without numbers!
•binary_double_infinity
•binary_double_nan
•binary_float_infinity
•binary_float_nan
might be case sensitive
Nick Galbreath DEFCON20 @ngalbreath
17. Hexadecimal Literals
• 0xDEADbeef MySQL, MSSQL
0x is case sensitive
• 0x (empty string) MSSQL only
• x'DEADbeef' PgSQL
Nick Galbreath DEFCON20 @ngalbreath
19. Money Literals
• MSSQL has a money type.
•-$45.12
•$123.0
• +$1,000,000.00 Commas ignored
• Haven't really experimented with this yet.
• Does it auto-cast to a float or int type?
Nick Galbreath DEFCON20 @ngalbreath
21. MySQL # Comment
• '#' signals an till-end-of-line Comment
• Well used in SQLi attacks
• However... '#' is an operator in PgSQL.
Beware that s/#.*n// will delete code
that needs inspecting.
• Lots of other MySQL comment oddities:
http:/ dev.mysql.com/doc/refman/5.6/en/comments.html
/
Nick Galbreath DEFCON20 @ngalbreath
22. PGSQL Comments
• Besides the usual -- comment
• PgSQL has recursive C-Style Comments
•/* foo /* bar */ */
• Careful! What happens when you 'remove
comments' in
/* /* */ UNION ALL /* */ */
Nick Galbreath DEFCON20 @ngalbreath
24. C-Style String Merging
• C-Style consecutive strings are merged into
one.
•SELECT 'foo' 'bar';
• SELECT 'foo' "bar"; (mysql)
• SQL Spec and PgSQL requires a newline
between literals:
SELECT 'foo'
'bar';
Nick Galbreath DEFCON20 @ngalbreath
25. Standard Unicode
• N'....' or n'...'
• MSSQL Case-sensitive 'N'
• Not sure on escaping rules.
Nick Galbreath DEFCON20 @ngalbreath
26. MySQL Ad-Hoc
Charset
•_charset'....'
•_latin1'.....'
•_utf8'....'
Nick Galbreath DEFCON20 @ngalbreath
27. PGSQL Dollar Quoting
From http://www.postgresql.org/docs/9.1/static/sql-syntax-lexical.html#SQL-SYNTAX-COMMENTS
A dollar-quoted string constant consists of a dollar sign
($), an optional "tag" of zero or more characters, another
dollar sign, an arbitrary sequence of characters that
makes up the string content, a dollar sign, the same tag
that began this dollar quote, and a dollar sign. For
example, here are two different ways to specify the
string "Dianne's horse" using dollar quoting:
$$Dianne's horse$$
$SomeTag$Dianne's horse$SomeTag$
Want more fun? They can be nested!
Nick Galbreath DEFCON20 @ngalbreath
28. PGSQL Unicode
From http://www.postgresql.org/docs/9.1/static/sql-syntax-
lexical.html emphasis mine:
... This variant starts with U& (upper or lower case U followed by ampersand)
immediately before the opening double quote, without any spaces in between, for
example U&"foo". (Note that this creates an ambiguity with the operator &. Use spaces
around the operator to avoid this problem.) Inside the quotes, Unicode characters can be
specified in escaped form by writing a backslash followed by the four-digit hexadecimal
code point number or alternatively a backslash followed by a plus sign followed by a six-
digit hexadecimal code point number. For example, the identifier "data" could be
written as
U&"d0061t+000061"
The following less trivial example writes the Russian word "slon" (elephant)
in Cyrillic letters:
U&"0441043B043E043D"
If a different escape character than backslash is desired, it can be
specified using the UESCAPE clause after the string, for example:
U&"d!0061t!+000061" UESCAPE '!'
Nick Galbreath DEFCON20 @ngalbreath
29. Oracle Q String
http://docs.oracle.com/cd/B28359_01/appdev.111/b28370/
fundamentals.htm#autoId6
q'!...!' notation allows use of single quotes inside literal
string_var := q'!I'm a string!';
You can use delimiters [, {, <, and (, pair them with ], }, >, and ),
pass a string literal representing a SQL statement to a
subprogram, without doubling the quotation marks around
'INVALID' as follows:
func_call(q'[SELECT index_name FROM user_indexes
WHERE status ='INVALID']');
Nick Galbreath DEFCON20 @ngalbreath
32. More Operators!
• !=, <=> (mysql), <> (mssql), ^= (oracle)
• !>, !< not less than, (mssql)
• / Bitwise XOR (oracle)
Nick Galbreath DEFCON20 @ngalbreath
33. Expressions!
• Using the common query extension of
"OR 1=1"
• Besides using literals, one can use functions:
•COS(0) = SIN(PI()/2)
•COS(@VERSION) = -
SIN(@VERSION + PI()/2)
Nick Galbreath DEFCON20 @ngalbreath
34. EXCEPT (mssql)
MINUS (Oracle)
• Like UNION, UNION ALL
• But returns all results from first query
minus/except the ones from the second
query
• There is also INTERSECT as well.
• I think someone clever could use these,
typically not in WAF rules.
Nick Galbreath DEFCON20 @ngalbreath
35. Side Note: "IN" lists
• e.g. ....WHERE id IN (1,2,3,4) ....
• These have to be manually created.
• There is no API or parameter binding for
this construct in any platform,framework or
language.
• There is no consistent, safe way to make
this (other than convention, validation)
Nick Galbreath DEFCON20 @ngalbreath
36. Why don't we see
more attacks using
these techniques?
• Dumb attacks work (for now)
• I don't get to see the more advanced
attacks?
Nick Galbreath DEFCON20 @ngalbreath
37. What's Next?
• Add more parsing rules to libinjection
• More testing frameworks
• Investigate BIGINT types
• pgsql has a regexp engine, and various
other datatypes
• Worry about various character encodings
Nick Galbreath DEFCON20 @ngalbreath