This document discusses security considerations for Ruby on Rails applications. It covers common vulnerabilities like cross-site scripting, SQL injection, session hijacking, and denial of service attacks. It provides recommendations to prevent these issues, such as sanitizing user input, using prepared statements, resetting sessions after login, and offloading static assets. The document emphasizes that Rails has built-in protections but is not inherently secure, and developers must still implement secure coding practices.
This document summarizes common Ruby on Rails security issues and best practices for addressing them. It covers potential information leaks from application setup and deployment, cross-site scripting vulnerabilities from unsanitized user input, session fixation issues, cross-site request forgery problems, SQL injection protection, preventing JavaScript hijacking, securing mass assignment, and security risks related to third-party Rails plugins. The document provides explanations of each issue and recommendations for configuration and code changes to enhance the security of Rails applications.
This document summarizes best practices for securing Rails applications. It discusses potential information leaks from server headers, status pages, and Subversion metadata. It also covers vulnerabilities like cookie session storage, cross-site scripting (XSS), session fixation, cross-site request forgery (CSRF), SQL injection, and JavaScript hijacking. The document provides recommendations to address each issue, such as disabling server headers, preventing .svn access, using secure session storage, sanitizing user input, resetting sessions after login, validating CSRF tokens, and escaping values in SQL queries.
The document discusses various HTTP security headers and their purposes. It provides descriptions and examples of HTTP Strict-Transport-Security (HSTS), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, and Content-Security-Policy-Report-Only headers. It also discusses limitations and recommendations for using these headers to strengthen security.
Protecting Java EE Web Apps with Secure HTTP Headers, by Frank Kim
This document summarizes techniques for securing Java EE web applications with secure HTTP headers. It discusses cross-site scripting (XSS) and how to prevent it using the HttpOnly and X-XSS-Protection headers. It also covers session hijacking and how to prevent it with the Secure and Strict-Transport-Security headers. Finally, it discusses clickjacking and demonstrates how it works.
This document discusses the OpenSolaris Web Stack, which provides a set of integrated and optimized open source web infrastructure components. It summarizes the components included in the Web Stack, how they are packaged and supported on OpenSolaris, Solaris 10, and RHEL 5. It also discusses the performance benefits of using the Web Stack on newer Intel Nehalem servers and outlines future directions.
The document discusses troubleshooting SSO startup issues. It provides information on SSO architecture, common symptoms of failures like vCenter Server being unable to start or login issues, and a suggested troubleshooting procedure. This includes checking logs, services, ports, and database configuration. Case studies demonstrate normal startup logs and an example where the database host is not reachable.
Powering the Next Generation Services with Java Platform - Spark IT 2010, by Arun Gupta
This document discusses the evolution and capabilities of the Java platform. It outlines the major releases of the Java Development Kit and Java EE over time. It also describes some of the key features and technologies available in the Java ecosystem today, including Java EE, JavaFX, RESTful and SOAP web services, dynamic languages support, and Project Jigsaw for modularity. The document promotes the Java platform as powering next generation applications and services.
- GlassFish v3 is an upcoming release of the GlassFish application server that will include many new features implementing Java EE 6.
- It provides a modular and dynamic platform using OSGi and other technologies, while still maintaining high performance.
- New features in GlassFish v3 include support for Java EE 6 APIs, dynamic monitoring tools like BTrace, a RESTful administration interface, and the ability to easily extend the server using OSGi bundles.
Middleware upgrade to Oracle Fusion Middleware (FMW) 12c. Real case stories, by Andrejs Vorobjovs
Topic description: Middleware upgrade to FMW 12c. Experience from real projects. The Oracle FMW 12c product line was published relatively recently. This time I want to share my experience of upgrading to Oracle FMW 12c. Basic truths, pitfalls and technical tricks that can help you save time and perhaps also your nerves.
Topic (RU): Middleware upgrade to FMW 12c. Experience from real projects. Description: The Oracle FMW 12c product line was released relatively recently. This time I want to share my experience of upgrading to Oracle FMW 12c.
Basic truths, pitfalls and technical tricks that will help you save time and, possibly, your nerves.
Description (ENG): The Oracle FMW 12c product line has been published relatively recently. Today I would like to share my experience of a middleware upgrade to Oracle FMW 12c.
Basics, pitfalls and technical tricks that can save your time and, maybe, your nerves.
Hack Into Drupal Sites (or, How to Secure Your Drupal Site), by nyccamp
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance.
About the Presenter:
Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight.
Experience Level: Intermediate
This document summarizes a talk on the WildFly 8 application server. It discusses the history of Java EE and how WildFly was created to differentiate the open source and licensed versions of JBoss. Key features of WildFly 8 covered include support for Java EE 7, a new Undertow web server, simplified clustering, and role-based access control. Application programming interfaces new to Java EE 7 like the batch API, web sockets API, and concurrency API are demonstrated.
This document discusses techniques for troubleshooting issues with Red Hat JBoss EAP 6. It covers generating thread dumps, heap dumps, and log files to analyze where threads are stuck or understand memory usage. The JBoss Diagnostic Reporter (JDR) subsystem can collect troubleshooting information. Byteman allows inserting extra Java code into applications to aid debugging. The log subsystem level and GC logging can be configured for additional troubleshooting data in log files.
GlassFish & Java EE Business Update @ CEJUG, by Arun Gupta
This document summarizes GlassFish and Java EE, including:
1. GlassFish has over 200 new customers in 2009 and over 24 million downloads since 2005. It is best for lightweight web applications while WebLogic is best for transactional Java EE applications.
2. GlassFish and WebLogic benefit each other, with GlassFish being the open source Java EE platform and WebLogic the commercial platform integrated with Oracle products.
3. GlassFish is the "scout thread" for Java EE standards and drives innovation, while WebLogic implements standards after GlassFish to ensure alignment. GlassFish 3.1 will include clustering in 2011.
Web Space Server 10 is a complete user interaction platform that provides web and portal capabilities along with user collaboration features like wikis, blogs, forums and social networking. It allows adding social networking features to content delivery. The platform has design goals of being modular, lightweight, opt-in, approachable, end-to-end, testable, sustainable, usable, interoperable and providing a compelling open source offering from Sun. It has major features including a core portal framework, social networking, collaboration, mashups, content management, identity-based content delivery, packaging and updates.
MySQL is the most popular open source database and it has more than 400 parameters, but only a few of them need to be set or changed so that you do not run into problems on the very first day. In this presentation I will talk about the parameters that affect data security, data recovery and data consistency.
This document discusses securing Drupal websites. It covers common Drupal attacks like XSS and SQL injection and recommends countermeasures like keeping software updated, following coding standards, sanitizing user input, and penetration testing. The document also provides an overview of securing the web server, PHP, and the Drupal codebase through permissions, input validation, and file uploads.
The document discusses servlets and provides examples of implementing servlets. It introduces servlets and their features like being efficient and supporting asynchronous programming. It describes the Servlet API including important interfaces like Servlet, ServletRequest, and ServletResponse. Code snippets show how to create a basic servlet that displays the current date and time. The document also discusses the web container and its role in servlet execution and lifecycle.
The Java EE 6 platform provides easier development, more flexibility, and improved learnability. It includes profiles like the Web Profile, improved technologies like Servlet 3.0 with asynchronous processing, EJB 3.1 with singleton sessions, and JPA 2.0 with criteria queries. The platform aims to embrace open source libraries and provide full pluggability. All specifications will be developed transparently and the final Java EE 6 release is scheduled for September 2009.
This document provides an overview of clustering and load balancing capabilities in GlassFish V2. It describes the key components of a GlassFish cluster including the domain administration server, node agents, server instances, and how they interact. It also covers configuration of clusters, high availability techniques like memory replication and HADB, and load balancer setup using the Sun HTTP LB plugin.
The document describes the Peergreen Platform. It provides an overview of Peergreen as a startup with experienced engineers and open source contributions. It then discusses in depth the guidelines, boot process, deployment system, shell, web integration, console, security features, and development tools of the Peergreen Platform. Finally, it outlines next steps such as adding Java Transaction and Persistence API support.
JBoss Application Server is an open source application server. It supports J2EE 1.3 technologies including EJB 2.0, JMS, JDBC, and more. JBoss installs easily and can be configured for clustering, web services, and CORBA integration. It uses Apache Tomcat as its web server and integrates the open source JBossMQ for JMS. Default topics, queues, and a Hypersonic database are provided for testing and development.
Running your Java EE 6 Applications in the Cloud, by Arun Gupta
This document discusses running Java EE 6 applications in the cloud. It provides an overview of Java EE 6 and demonstrates deploying applications to various cloud platforms including Amazon Web Services, RightScale, Microsoft Azure, and Joyent. It also compares these platforms and discusses how Java EE can evolve to better support cloud computing.
Blackhat11 shreeraj reverse_engineering_browser, by Shreeraj Shah
Hacking browser components by Reverse Engineering is emerging as the best way for discovering potential vulnerabilities across web applications in an era of Rich Internet Applications (RIA). The RIA space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous third party libraries. Browsers are the target of hackers, worms and malware with specific scope, almost on a daily basis. We have seen exploitation of these technologies on popular sites like Facebook, Twitter, Yahoo, Google, to name a few. The traditional boundaries of web applications are disappearing. Browsers today host a substantial part of web applications including data access, business logic, encryption, etc. along with presentation layer. This shift is making browser components a potential target for hackers. The danger of poorly written browser components being
The document summarizes various web application vulnerabilities from 2010, including client-side attacks like cross-site scripting (XSS) and cross-site request forgery (CSRF), and server-side attacks like SQL injection, XML injection, and remote code execution via stored procedures. It provides examples of exploiting these vulnerabilities on modern web applications and defenses against these attacks.
The document provides instructions for setting up a lab environment to practice HTML5 hacking techniques. It includes details on installing VirtualBox and shared folders, as well as IP addresses to use for the "localvictim" and "evil" servers. The remainder of the document outlines a plan to cover various HTML5-related attacks, including bypassing the same-origin policy, exploiting XSS vectors in HTML5, attacking with cross-origin resource sharing and web messaging, targeting client-side storage, and using web sockets. Disclaimers are provided about the practical nature of the workshops and limited time.
Summary of the MySQL 8.0.19 new features, released on January 13th, 2020.
== Highlights ==
* InnoDB ReplicaSet
* SQL Improvements
=> Table Value Constructors
=> LIMIT in recursive CTE
=> ALTER TABLE… DROP/ALTER CONSTRAINT
=> More information to Duplicate Key Error
* Account Management Enhancements
* Time zone offset for Timestamp & Datetime
* Information Schema views for SQL Roles
* MySQL Document Store Enhancements
* MySQL Shell Enhancements
* MySQL Router Enhancements
* MySQL InnoDB Cluster Enhancements
* MySQL Replication Enhancements
* MySQL NDB Cluster Enhancements
* MySQL Enterprise New Features
* Thanks to the Contributors
CTU June 2011 - Things that Every ASP.NET Developer Should Know, by Spiffy
This document provides an overview of important topics for ASP.NET developers. It covers HTTP and web server fundamentals, debugging and analysis tools, development techniques, and patterns and practices. The agenda includes sections on IIS architecture, configuration files, tools like Fiddler and Network Monitor, reducing page size and requests, caching, and common design patterns for web applications. The goal is to discuss essential knowledge for building high-performance, secure ASP.NET applications.
This document provides an overview of common web application vulnerabilities and how to prevent them when developing Java web applications. It begins with examples of recent security breaches involving web apps and why web app security is important. It then discusses the typical architecture of web apps and principles of secure programming. The bulk of the document outlines the top 9 most common web vulnerabilities, providing examples of vulnerable code and solutions to prevent each type of vulnerability. It focuses on input validation, access controls, session management, and cross-site scripting vulnerabilities. The goal is to help developers learn how to build secure Java web apps.
This document discusses sets and their properties. It defines what a set is and the different ways to describe a set using word descriptions, listings, or set-builder notation. It discusses elements and members of sets, and whether certain values are elements of example sets. It also defines key set concepts like cardinality (the number of elements in a set), finite vs infinite sets, and why cardinal numbers cannot be determined for infinite sets.
At HolidayCheck we are working in a very fast and challenging environment on a daily basis. Applying agile methods to improve our products and the solutions for our customers sounds logical. However, it isn't a linear path and therefore we need to learn to deal with the various moves. The moves are similar to those of a pendulum. The softness of tai-chi moves and forms is a great way to deal with these motions that you might not be able to control as an agile coach at all times.
The document provides assessment criteria for evaluating student performance in science across four assessment focuses and various threads within each focus.
1) It outlines criteria for assessing students' abilities to think scientifically by using models, weighing evidence, understanding development of scientific ideas, and recognizing the provisional nature of evidence.
2) It also describes evaluating students' understanding of applications and implications of science in areas like societal influences, technological developments, and relationships between science and jobs.
3) Additionally, the document provides criteria for assessing students' communication and collaboration skills in science like presenting information and considering different views.
4) Finally, it outlines assessing students' use of investigative approaches including planning investigations, identifying variables, gathering reliable data, and
The document lists Todd Ropog's contact information and then lists values, principles, practices, roles, and an outline related to software development. It emphasizes communication, feedback, simplicity, respect, and continuous improvement. It promotes teamwork, testing, and collaboration across various roles from programmers to product managers.
Web Application Social Engineering Vulnerabilitiesmvcooley
In this presentation from Triangle Infosecon 2011, we discuss common web application vulnerabilities which could be leveraged for social engineering attacks.
The document discusses Joomla! architecture and internationalization. It will provide an overview of international Joomla!, the Joomla! architecture, and solutions for international sites. The author is Alex Kempkens, a member of the Joomla! core team and event team leader who will discuss features of Joomla! 1.5 that improve internationalization capabilities.
The slides from the 24C3 session "Ruby on Rails Security" by Jonathan Weiss, 30.12.2007.
Even though Ruby on Rails introduces a lot of best practices to the developer, it is still quite easy for an imprudent programmer to forget that every web application is a potential target. Web application attacks like Cross Site Scripting or Cross Site Request Forgery are very popular these days and every Rails developer should have an idea about the different possibilities that his application presents to an attacker.
This talk will cover most of the common web application vulnerabilities like Cross Site Scripting and Cross Site Request Forgery, SQL and Code injection, and deployment security and how they apply to Rails. Further Ruby on Rails specific issues like Rails plugin security, JavaScript/Ajax security, and Rails configuration will be examined and best practices introduced.
Jonathan Weiss presented on Ruby on Rails security. He discussed potential vulnerabilities in Rails application setup and deployment, application code, and the Rails framework. He highlighted information leaks, SQL injection, cross-site scripting (XSS), session fixation, cross-site request forgery (CSRF), mass assignment, and denial of service attacks as specific security risks and provided best practices for mitigating each one.
Ruby on Rails Security
1. Ruby on Rails Security
Jonathan Weiss, 30.12.2007
Peritor Wissensmanagement GmbH
2. Who am I?
Jonathan Weiss
• Consultant for Peritor Wissensmanagement GmbH
• Specialized in Rails, Scaling, and Code Review
• Active member of the Rails community
• MeinProf.de - one of the first big German Rails sites
• Webistrano - Rails deployment tool
• FreeBSD Rubygems and Ruby on Rails maintainer
3. Agenda
Follow the application stack and look for:
Setup and deployment
• Information leaks
Application code
• Possible vulnerabilities
• Best practices
Framework code
(Figure: Rails Application Stack)
9. Information leaks
Is the target application a Rails application?
• Default setup for static files:
/javascripts/application.js
/stylesheets/application.css
/images/foo.png
• Pretty URLs:
/project/show/12
/message/create
/folder/delete/43
/users/83
10. Information leaks
Is the target application a Rails application?
• Rails provides default templates for 404 and 500 status pages
• Different Rails versions use different default pages
• 422.html only present in applications generated with Rails 2.0
11. Sample Status Pages
• http://www.twitter.com/500.html
• http://www.43people.com/500.html
• http://www.strongspace.com/500.html
• Rails >= 1.2 status 500 page
12. Server Header
GET http://www.43people.com
Date: Tue, 25 Dec 2007 21:23:24 GMT
Server: Apache/1.3.34 (Unix) mod_deflate/1.0.21 mod_fastcgi/2.4.2 mod_ssl/2.8.25 OpenSSL/0.9.7e-p1
Cache-Control: no-cache
…
GET https://signup.37signals.com/highrise/solo/signup/new
Date: Tue, 25 Dec 2007 21:23:24 GMT
Server: Mongrel 1.1.1
Status: 200 OK
…
Disable the Server header
# httpd.conf
Header unset Server
13. Information leaks
Subversion metadata
• Typically Rails applications are deployed with Capistrano / Webistrano
• This will push .svn directories to the servers
GET http://www.strongspace.com/.svn/entries
…
dir
25376
http://svn.joyent.com/joyent/deprecated_repositories/www.strongspace/trunk/public
http://svn.joyent.com/joyent
2006-04-14T03:06:39.902218Z
34
justin@joyent.com
…
Prevent .svn download
<DirectoryMatch "^/.*/.svn/">
ErrorDocument 403 /404.html
Order allow,deny
Deny from all
Satisfy All
</DirectoryMatch>
14. Cookie Session Storage
Since Rails 2.0, session data is stored in the cookie by default
Base64(CGI::escape(SESSION-DATA))--HMAC(secret_key, SESSION-DATA)
15. Cookie Session Storage
Security implications
• The user can view the session data in plain text
• The HMAC can be brute-forced and arbitrary session data could be created
• Replay attacks are easier as you cannot flush the client-side session
Countermeasures
• Don’t store important data in the session!
• Use a strong secret key; Rails already enforces at least 30 characters
• Invalidate sessions after a certain time on the server side
… or just switch to another session storage
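Added example, not from the slides and not Rails' CookieStore code: a small Ruby model of the DATA--HMAC cookie format described above, signed with HMAC-SHA1 as Rails 2.0 does. It shows that the payload is readable without the secret, that a modified payload fails verification, and why the digest comparison should be constant-time. The secret and the key=value session encoding (Rails uses Marshal) are constructed for this example.

```ruby
require 'base64'
require 'cgi'
require 'openssl'

# Added example, not from the slides and not Rails' CookieStore code: a
# model of the DATA--HMAC cookie described above, signed with HMAC-SHA1 as
# Rails 2.0 does. The secret below and the key=value encoding of the
# session (Rails uses Marshal) are constructed for this example.

SECRET = 'constructed-example-secret-that-is-longer-than-thirty-characters'

# Serialise the session hash and Base64 it; nothing here is encrypted,
# so the cookie holder can read every value.
def encode_session(hash)
  body = hash.map { |k, v| "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}" }.join('&')
  Base64.strict_encode64(body)
end

def decode_session(data)
  Base64.strict_decode64(data).split('&').each_with_object({}) do |pair, h|
    k, v = pair.split('=', 2)
    h[CGI.unescape(k)] = CGI.unescape(v.to_s)
  end
end

def hmac(secret, data)
  OpenSSL::HMAC.hexdigest('sha1', secret, data)
end

# The cookie value: Base64(session)--HMAC(secret, Base64(session)).
def build_cookie(hash, secret = SECRET)
  data = encode_session(hash)
  "#{data}--#{hmac(secret, data)}"
end

# Constant-time comparison so the verifier does not leak how many leading
# digest bytes were guessed right through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash when the signature matches, nil otherwise.
def verify_cookie(cookie, secret = SECRET)
  data, sig = cookie.to_s.split('--', 2)
  return nil if data.nil? || sig.nil?
  return nil unless secure_compare(hmac(secret, data), sig)
  decode_session(data)
end

# First implication on the slide: the session is plain text to whoever
# holds the cookie; no secret is needed to read it.
def peek_without_secret(cookie)
  decode_session(cookie.split('--', 2).first)
end

# Edit the payload and keep the old signature, i.e. what a client can do
# without the secret. verify_cookie must reject the result.
def tampered_cookie(cookie, changes)
  data = encode_session(peek_without_secret(cookie).merge(changes))
  "#{data}--#{cookie.split('--', 2).last}"
end

if __FILE__ == $0
  cookie = build_cookie('user_id' => '42', 'role' => 'member')
  p verify_cookie(cookie)                                      # {"user_id"=>"42", "role"=>"member"}
  p peek_without_secret(cookie)                                # same hash, read without the secret
  p verify_cookie(tampered_cookie(cookie, 'role' => 'admin'))  # nil: signature no longer matches
end
```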
17. Cross-Site Scripting - XSS
“The injection of HTML or client-side scripts (e.g. JavaScript) by malicious users into web pages viewed by other users.”
18. Cross-Site Scripting - XSS
Cases of accepted user input
• No formatting allowed
search query, user name, post title, …
• Formatting allowed
post body, wiki page, …
19. XSS - No Formatting Allowed
Use the Rails `h()` helper to HTML-escape user input
But using `h()` everywhere is easy to forget
• Use the safeERB plugin
• safeERB will raise an exception whenever a tainted string is not escaped
• Explicitly untaint a string in order to not escape it
http://agilewebdevelopment.com/plugins/safe_erb
20. XSS - Formatting Allowed
Two approaches
• Use custom tags that are translated to HTML (vBulletin tags, RedCloth, Textile, …)
• Use HTML and remove unwanted tags and attributes
  • Blacklist - Rails 1.2
  • Whitelist - Rails 2.0
21. XSS - Custom Tags
Relying on the external syntax alone is not really secure
Filter the resulting HTML anyway
22. XSS - HTML Filtering
Use the Rails `sanitize()` helper
Only effective with Rails 2.0:
• Filters HTML nodes and attributes
• Removes protocols like “javascript:”
• Handles Unicode/ASCII/hex encoding hacks
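Both cases from slides 18 to 22 in plain Ruby, as an added example that is not from the slides and is not the Rails implementation: `escape_all` is what `h()` does for the no-formatting case; `sanitize_html` is a whitelist filter for the formatting-allowed case that rebuilds allowed tags from allowed attributes only and entity-decodes URI attributes before the protocol check, so `&#106;avascript:` and `&#x6A;avascript:` are caught like `javascript:`. The allowed tag, attribute and protocol sets are this example's own choice.

```ruby
require 'cgi'

# Added example, not from the slides and not the Rails sanitizer. The
# whitelists below are this example's choice, not Rails' defaults.
ALLOWED_TAGS      = %w[a b i em strong p br ul ol li code pre blockquote].freeze
ALLOWED_ATTRS     = %w[href title].freeze
URI_ATTRS         = %w[href src].freeze
ALLOWED_PROTOCOLS = %w[http https mailto].freeze
NAMED_ENTITIES    = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"',
                      'tab' => "\t", 'newline' => "\n" }.freeze

# Case 1, no formatting allowed: escape every special character (what h() does).
def escape_all(text)
  CGI.escapeHTML(text)
end

def codepoint_to_s(cp)
  cp.chr(Encoding::UTF_8)
rescue RangeError
  ''
end

# Decode numeric entities (&#106; / &#x6A;, with or without the semicolon
# browsers forgive) and the named entities relevant to a scheme, so the
# protocol check sees the same string the browser will act on.
def decode_entities(value)
  value.gsub(/&#x([0-9a-f]+);?/i) { codepoint_to_s($1.hex) }
       .gsub(/&#(\d+);?/) { codepoint_to_s($1.to_i) }
       .gsub(/&(amp|lt|gt|quot|tab|newline);/i) { NAMED_ENTITIES[$1.downcase] }
end

# A URI passes if it is relative or its scheme is whitelisted. Whitespace
# and control characters are stripped first because browsers ignore them
# inside the scheme ("java\tscript:").
def safe_uri?(value)
  cleaned = decode_entities(value).gsub(/[\s[:cntrl:]]/, '')
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || ALLOWED_PROTOCOLS.include?(scheme.downcase)
end

# Rebuild the attribute list of an allowed tag from whitelisted attributes
# only; event handlers and unknown attributes never reach the output.
def filter_attributes(attr_string)
  kept = +''
  attr_string.scan(/([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |name, dq, sq, bare|
    name  = name.downcase
    value = dq || sq || bare
    next unless ALLOWED_ATTRS.include?(name)
    next if URI_ATTRS.include?(name) && !safe_uri?(value)
    kept << %( #{name}="#{CGI.escapeHTML(decode_entities(value))}")
  end
  kept
end

# Case 2, formatting allowed: walk the markup token by token. Text is
# escaped, whitelisted tags are rebuilt with filtered attributes, any other
# tag is dropped while its text content survives.
def sanitize_html(html)
  out = +''
  html.scan(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)|(<)}) do |close, tag, attrs, text, lone_lt|
    if text
      out << CGI.escapeHTML(decode_entities(text))
    elsif lone_lt
      out << '&lt;'
    else
      tag = tag.downcase
      next unless ALLOWED_TAGS.include?(tag)
      out << (close == '/' ? "</#{tag}>" : "<#{tag}#{filter_attributes(attrs)}>")
    end
  end
  out
end

if __FILE__ == $0
  puts escape_all('<script>alert("x")</script>')                 # &lt;script&gt;alert(&quot;x&quot;)&lt;/script&gt;
  puts sanitize_html('<a href="&#x6A;avascript:alert(1)">x</a>')  # <a>x</a>
  puts sanitize_html('<p onclick="evil()">a < b & c</p>')         # <p>a &lt; b &amp; c</p>
end
```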
26. Session Fixation
Rails uses only cookie-based sessions
Still, you should reset the session after a login
Popular authentication plugins like restful_authentication do not do this!
27. Cross-Site Request Forgery - CSRF
You visit a malicious site which has an image like this
Only accepting POST does not really help
28. CSRF Protection in Rails
By default Rails 2.0 will check all POST requests for a session token
All forms generated by Rails will supply this token
29. CSRF Protection in Rails
Very useful and on-by-default, but make sure that
• GET requests are safe and idempotent
• Session cookies are not persistent (expires-at)
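The check that protect_from_forgery performs, together with the session reset slide 26 asks for at login, as an added example in plain Ruby (not from the slides, not Rails' code). Request and session are plain hashes; the `:_csrf_token` and `authenticity_token` names follow Rails 2.0. It also shows the limit behind the first bullet above: a state-changing GET passes unchecked.

```ruby
require 'securerandom'

# Added example, not from the slides and not Rails' own implementation: the
# rule behind protect_from_forgery in Rails 2.0, plus the session reset that
# slide 26 asks for at login. A request is a hash with :method and :params,
# a session is a hash; the key names :_csrf_token and "authenticity_token"
# follow Rails 2.0.

SAFE_METHODS = %w[GET HEAD].freeze

# The per-session token that every Rails-generated form embeds; created
# lazily on first use, then reused for the life of the session.
def form_authenticity_token(session)
  session[:_csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a wrong token cannot be narrowed down
# byte by byte through response timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# protect_from_forgery: GET and HEAD are trusted unchecked, any other method
# must carry the session's token. A GET that changes state is therefore a
# hole this check cannot close, which is why slide 29 insists GETs be safe.
def verified_request?(request, session)
  return true if SAFE_METHODS.include?(request[:method])
  secure_compare(form_authenticity_token(session), request[:params]['authenticity_token'].to_s)
end

# The hidden field the Rails form helpers add to every form.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session)}" />)
end

# Slide 26: on login, discard the pre-login session instead of upgrading it,
# so a session id planted by someone else never becomes an authenticated one.
# The new session gets a new id and, on first use, a new CSRF token.
def reset_session
  { :session_id => SecureRandom.hex(16) }
end

def login(session, user_id)
  fresh = reset_session
  fresh[:user_id] = user_id
  fresh
end

if __FILE__ == $0
  session = { :session_id => 'id-issued-before-login' }
  token   = form_authenticity_token(session)
  p verified_request?({ :method => 'POST', :params => {} }, session)                               # false
  p verified_request?({ :method => 'POST', :params => { 'authenticity_token' => token } }, session) # true
  p verified_request?({ :method => 'GET',  :params => { 'delete' => '1' } }, session)              # true: GET is never checked
  after = login(session, 42)
  p verified_request?({ :method => 'POST', :params => { 'authenticity_token' => token } }, after)   # false: old token
end
```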
31. SQL Injection Protection in Rails
Always use the escaped form
If you have to manually use a user-submitted value, use `quote()`
32. JavaScript Hijacking
(Figure: http://my.evil.site/ and the JSON response)
The JSON response will be eval'd by the browser's JavaScript engine.
With a redefined `Array()` function this data can be sent back to http://my.evil.site
33. JavaScript Hijacking Prevention
• Don’t put important data in JSON responses
• Use unguessable URLs
• Use a Browser that does not support the redefinition of Array & co,
currently only FireFox 3.0
• Don’t return a straight JSON response, prefix it with garbage:
The Rails JavaScript helpers don’t support prefixed JSON responses
36. Mass Assignment
Use `attr_protected` and `attr_accessible`
Vs.
Start with `attr_protected` and migrate to `attr_accessible` because of the different default policies for new attributes.
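To make the "different default policies for new attributes" concrete, here is an added plain-Ruby stand-in for Rails mass assignment (example code, not from the slides or from Rails); the model classes, the `role` attribute and the request parameters are constructed for illustration.

```ruby
# Added example, not from the slides: a plain-Ruby stand-in for Rails mass
# assignment, contrasting a blacklist (attr_protected) with a whitelist
# (attr_accessible) when a new attribute is added to the model later.
module MassAssignment
  def attr_protected(*names)
    @protected = names.map(&:to_s)
  end

  def attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  # Blacklist: everything not listed is open, so a new column is assignable by default.
  # Whitelist: everything not listed is closed, so a new column is protected by default.
  def assignable?(name)
    return @accessible.include?(name.to_s) if @accessible
    return !@protected.include?(name.to_s) if @protected
    true
  end

  # Mimic Model.new(params): keep the allowed keys, silently drop the rest.
  def from_params(params)
    params.select { |key, _| assignable?(key) }
  end
end

# Written when the model only had name, email and admin.
class BlacklistUser
  extend MassAssignment
  attr_protected :admin
end

class WhitelistUser
  extend MassAssignment
  attr_accessible :name, :email
end

# Constructed request params: 'role' was added by a later migration and
# nobody remembered to add it to attr_protected.
EVIL_PARAMS = { 'name' => 'alice', 'admin' => true, 'role' => 'superuser' }.freeze

def blacklist_result
  BlacklistUser.from_params(EVIL_PARAMS)   # => {"name"=>"alice", "role"=>"superuser"}
end

def whitelist_result
  WhitelistUser.from_params(EVIL_PARAMS)   # => {"name"=>"alice"}
end
```

The blacklist model drops `admin` but lets the forgotten `role` through, while the whitelist model rejects both until a developer explicitly opens `role`.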
37. Rails Plugins
Re-using code through plugins is very popular in Rails
Plugins can have their problems too
• Just because somebody wrote and published a plugin, it doesn’t mean the plugin is proven to be mature, stable or secure
• Popular plugins can also have security problems, e.g. restful_authentication
• Don’t use svn:externals to track external plugins; if the plugin’s home page is unavailable you cannot deploy your site
38. Rails Plugins
How to handle plugins
• Always do a code review of new plugins and look for obvious problems
• Track plugin announcements
• Track external sources with Piston, a wrapper around svn:externals
http://piston.rubyforge.org/
39. Rails Denial of Service Attacks
Rails is single-threaded, and a typical setup implies:
• Limited number of Rails instances
• ~8 per CPU
• Even quite active sites (~500,000 page impressions/day) use 10-20 CPUs
• All traffic is handled by Rails
40. Rails Denial of Service Attacks
A denial of service attack is very easy if Rails is handling downloads/uploads.
Just start X (= number of Rails instances) simultaneous downloads/uploads over a throttled line.
The same applies to all slow requests, e.g.
• Image processing
• Report generation
• Mass mailing
41. Rails Slow Request DoS Prevention
Serve static files directly through the web server
• Apache, Lighttpd, nginx (use x-sendfile for private files)
• Amazon S3
Isolate slow requests
• Define several clusters for several tasks
• Redirect depending on URL
43. Conclusion
Rails has many security features enabled by default
• SQL quoting
• HTML sanitization
• CSRF protection
The setup can be tricky to get right
Rails is by no means a “web app security silver bullet”, but adding security is easy and not a pain like in many other frameworks