The document introduces bWAPP, a deliberately insecure web application used to teach web application security. It includes all major known web vulnerabilities and is used to help security enthusiasts, developers and students discover and prevent security issues. The document discusses how bWAPP works, its features, and how penetration testers can use it along with the bee-box virtual machine to test for vulnerabilities as part of the web application security testing process.
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects.
Welcome! Nice to meet you. It's an honor to be here, talking about bWAPP at SANS 2014 Orlando.
Some impressions of my stay in Orlando... An almost empty swimming pool.
Because everyone is going to Netwars.
Magic happens here...
My name is Malik Mesellem (from Belgium). I have always had a passion for Ethical Hacking and Penetration Testing (actually since I was a teenager...). I am obsessed with Windows and web application (in)security. In 2010, I decided to start my own company: MME BVBA. We are specialized in IT security audits, penetration testing, ethical hacking, and InfoSec training. I give master classes and lectures for several institutions. For Belgium, I am a mentor for the SANS Institute and an OWASP ZAP evangelist. And of course, I am the founder and creator of bWAPP...
Today I will talk about web security and web application penetration testing with bWAPP. We start our presentation with an overview of why web applications are an attractive target. Then, I will show how bWAPP can help you to 'improve' your web security. I will explain the concepts of web application penetration testing and, last but not least... we will exploit some vulnerabilities, so expect live demos (if there's time enough)!
OK! Let’s kick off...
Web application security is today's most overlooked aspect of securing the enterprise. These days, hackers are concentrating their efforts on our (precious) websites and web applications. Websites and web applications are a very attractive target for cyber criminality, cyber warfare and hacktivism...
They are an attractive target because...
- They are available 24/7 via the Internet.
- Sometimes, mission-critical business applications are published on the Internet through a web interface, and there is often direct access to backend data and to the internal network (using pivoting techniques).
- You should also know that traditional firewalls and SSL provide no protection against web attacks, and sysadmins know little about these sophisticated application-level attacks.
- In addition, many applications are custom-made, meaning that they are probably vulnerable.
Meet the bad guys!
It’s definitely time to improve our web security! Defense is really needed…
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. It is made for testing and educational purposes. It includes all major known web vulnerabilities. It helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful web application penetration testing and ethical hacking projects. I started with the bWAPP project in the Christmas holidays of 2012. As a penetration tester, I was looking for a lab environment to test and improve my web application pentesting skills. There are many deliberately insecure web applications, but most of them lack diversity and flexibility... so that's why I started to create my own vulnerable application, bWAPP. For me, it was also good practice to learn how to deal with these web vulnerabilities: to learn some secure coding techniques and hardening best practices.
This is the bWAPP main page, or portal, after a successful login.
Web application security is not just installing a firewall, or scanning a website for ‘potential’ issues… Black-box penetration testing, simulating real attack scenarios, is still needed! It confirms potential vulnerabilities and excludes false positives, but it also guarantees that your defense measures are working effectively. bWAPP can help you to improve your web application security-testing skills…
It’s all about testing, testing, and testing… Would you be at ease with a pilot who has just read the manual of his plane, and skipped the testing phase? This guy is definitely not prepared for REAL attack scenarios.
Some testimonials of ‘notorious’ people working in InfoSec. As you can see, they are all very happy with bWAPP. Look at this guy (Ed)...
Let’s talk about the architecture, the core of bWAPP... bWAPP is a PHP application that uses a backend MySQL database. It can be hosted on Linux, Windows (or even on Mac) with Apache or IIS. It is also supported on WAMP or XAMPP. Another possibility is to download the bee-box… (more on that later)
Some features... It’s very easy to use and to understand. The PHP code is well structured and documented, despite my terrible programming knowledge. It has different security levels: starting with security level low, ending with security level high. There’s an option to create new users. Every bWAPP user has a password and a secret… A ‘reset application’ and ‘reset database’ feature. A manual intervention page, with a CAPTCHA. Email functionalities, for testing issues like SMTP and host header injections.
More features... We have a local PHP settings file. A no-authentication and ‘Evil Bee’ mode. There’s even an ‘evil’ directory, with some nice attack scripts… We have a WSDL file. How to deal with that? And there are fuzzing possibilities… for detecting valid web pages or sessions…
I can hear you thinking… What makes bWAPP so unique? Well, it has over 70 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue, like SQL injection or Cross-Site Scripting. No, we are trying to cover a wide range of vulnerabilities. The OWASP Top 10 provides an accurate snapshot of the current threat landscape in application security and reflects the collaborative efforts and insights of thousands of accomplished security engineers. To reflect the ongoing changes in technology and common online business practices, the list is periodically updated.
An overview of some included vulnerabilities... It has injection vulnerabilities like...
As you can see, we have it all!
Just select your bug and hack it!
So bWAPP is a test platform for improving your security-testing skills. bWAPP is not an application that tells you ‘how’ to test! If desired, we have a complete cheat sheet containing all the bWAPP solutions! This cheat sheet is also free; the only thing we ask is to follow us on Twitter to stay updated on bWAPP. We also have an exclusive web security training course: Attacking & Defending Web Apps with bWAPP.
Some external links... There’s our homepage: the homepage of the ITSEC GAMES project. We have the download location: the bWAPP source code is hosted on SourceForge, and there is also a Git repository. And we have our blog, unfortunately not updated in a while; we are still looking for volunteers...
Every bee needs a home, meet our bee-box… (please don’t confuse it with the Belgacom bbox). The bee-box is a custom Linux Ubuntu virtual machine (VM), pre-installed with bWAPP. It’s actually a LAMP environment. It is compatible with VMware Player, Workstation, Fusion, and with Oracle VirtualBox. bee-box requires zero installation!
The bee-box is also made deliberately insecure… (yes of course!) With the bee-box you have the opportunity to explore all bWAPP vulnerabilities! The bee-box gives you several ways to hack and deface the bWAPP website. Currently there are 13 different web defacement possibilities! It's even possible to hack the bee-box to get full root access using a local privilege escalation exploit… awesome! Hacking, defacing and exploiting without going to jail... how cool is that? bee-box can also be downloaded from SourceForge.
To play with bWAPP, local access on the bee-box is not needed. The only thing you need to do is to configure an IP address and some optional settings. Once it has a valid IP address, it is possible to access the bWAPP website from outside.
Some bee-box features...
bWAPP and bee-box are both part of the ‘ITSEC GAMES’ project. The ‘ITSEC GAMES’ are a fun approach to IT security education. IT security, ethical hacking, training and fun... all these ingredients are mixed together! Our objective is to teach InfoSec courses from an educational and recreational point of view. We offer a wide range of InfoSec courses and workshops. Definitely a must for every sysadmin!
There’s just 1 thing to remember, the logon credentials are...
bee/bug. Is that clear enough?
So please don’t bug me anymore with questions about how to log in to bWAPP…
Unfortunately we have more credentials to remember... This slide is for whizkids only... That’s my brother, the mastermind behind bWAPP. He was even on Belgian television a few months ago...
The installation and configuration steps are pretty easy...
bWAPP uses form-based authentication, which may be an obstacle for some tools and is sometimes a pain to configure… That’s why I implemented the A.I.M. mode. A.I.M., or ‘Authentication Is Missing’, is a no-authentication mode. It may be used for testing web scanners and crawlers, since it bypasses authentication obstacles. Here are the steps to crawl all pages, and to detect all vulnerabilities without authentication: change the IP address in the settings file to the IP address of the machine from where you are running the scan; point your web scanner, crawler or attack tool to the ‘aim.php’ page; push the button: all hell breaks loose…
General application settings… There is a settings file: ‘settings.php’, located under the bWAPP admin folder. Some configurable settings are: database connection and SMTP settings; the A.I.M. mode (more on that on the next slide); the ‘Evil bee’ mode (bypasses the bWAPP security levels); static credentials, used on some pages.
An overview of the settings file...
Some worst case scenario options, our last hope...
Finally, time for a demo...
This is the main login form. Do you remember the credentials? That’s right: bee/bug. From here it’s also possible to choose your security level... Here we have an overview of all vulnerabilities... They are arranged according to the OWASP Top 10 Project.
Let’s talk about web application penetration testing...
Penetration testing, or pentesting, is a method of evaluating computer, network or application security by simulating an attack. It is an active analysis of potential vulnerabilities. Ethical hacking techniques confirm the potential vulnerabilities, excluding any false positives! Penetration tests are sometimes a component of a full security audit.
Web application pentesting focuses on evaluating the security of a web application. The application is tested for known web vulnerabilities. Manual, automatic and semi-automatic tests are used. A source code analysis and a web server configuration review are optional (these are white-box testing techniques).
It’s all about identifying, exploiting, and reporting vulnerabilities! Some considerations…
A simple testing methodology could start with reconnaissance, vulnerability mapping, and exploitation. In this order, clockwise.
A more advanced testing methodology can flow in all directions, clockwise and counterclockwise.
Also very important is ‘what’ to test... OWASP can help us with that... OWASP, or the Open Web Application Security Project, is a worldwide non-profit organization focused on improving the security of software. They have freely-available articles, methodologies, documentation, tools, and technologies. OWASP is vendor neutral: they make no recommendations for commercial products or services!
Here are some active OWASP projects, starting with the OWASP Top 10 Project and the Testing Guide…
The OWASP Top 10 Project lists the 10 most severe web application security risks. The Testing Guide shows you how to verify the security of your running application (ideal for pentesters). The Development Guide shows your project how to architect and build a secure application, and the Code Review Guide tells you how to verify the security of your application's source code. The Development Guide provides practical guidance and includes J2EE, ASP.NET, and PHP code samples. It covers an extensive array of application-level security issues, from SQL injection through modern concerns such as phishing, credit card handling, session fixation, cross-site request forgeries, compliance, and privacy issues. The Application Security Verification Standard can be used to establish a level of confidence in the security of web applications. A level (~ score) is assigned to the web application: the ASVS defines four levels of verification, with each level increasing in breadth as the application moves up the levels. The standard provides a basis for testing application technical security controls, as well as any technical security controls in the environment, that are relied on to protect against vulnerabilities such as Cross-Site Scripting (XSS) and SQL injection. The Broken Web Applications (BWA) Project produces a VM running a variety of applications with known vulnerabilities (like bWAPP). Our bWAPP application will be included in the next version of BWA! Isn’t that cool? The Zed Attack Proxy, or ZAP, is an intercepting proxy…
The OWASP Top 10 Project lists the 10 most severe web application security risks. It is constantly updated; the latest version was released in 2013. The Top 10 Project is a good starting point for a web application penetration test. It covers aspects like ‘What to test?’, ‘How to test?’, and ‘How to prevent?’
An overview of the OWASP security risks. On one, we have injection vulnerabilities. On two, we have authentication and session management issues. On three, we have Cross-Site Scripting, and so on…
This slide shows you the differences between the OWASP Top 10 2010 and OWASP Top 10 2013. We have some minor changes. Injections like SQLi, HTMLi,... are still on number 1...
So where to place the OWASP Top 10 Project in our testing methodology?
Well, that’s next to our vulnerability mapping phase... we will test the web application for vulnerabilities listed in the Top 10 Project.
An indispensable platform for a penetration tester is a distribution with all the attack tools included. An example is Kali Linux, formerly known as BackTrack. Kali Linux is a Debian-derived Linux distribution, designed for digital forensics and penetration testing. It’s maintained and funded by Offensive Security.
Many web application pentesting tools are included...
An important tool to test the security of a web application is an intercepting proxy. It acts as a Man-in-the-Middle, located between the browser and the web application. With an intercepting proxy we have the ability to intercept and to modify the HTTP requests and responses. Some intercepting proxies also include integrated tools to discover vulnerabilities, and to crawl and brute force files and directories.
An example of an open source intercepting proxy is ZAP, or the Zed Attack Proxy. ZAP is an active OWASP project. The application is written in Java by a team of volunteers. We can also use ZAP as a pentesting tool for finding vulnerabilities: it provides automated scanning, as well as a set of tools to find security vulnerabilities manually.
Some functionalities...
I’ll demonstrate some features of ZAP on our bWAPP platform... A very powerful open source tool!
Let’s install ZAP, and explore some features of ZAP on our bWAPP platform... A very powerful open source tool!
An alternative is to use a commercial web vulnerability scanner, like Netsparker. Very easy to use, and it also knows how to deal with modern web technologies like AJAX, HTML5 and Web Services. They even have a free ‘Community Edition’ for detecting SQL injection and Cross-Site Scripting (XSS). Very handy!
Here are the results of a bWAPP scan with Netsparker.
As you can see, a lot of vulnerabilities were detected.
Let's run an authenticated scan with Netsparker to detect injection issues.
We will do an exercise on Netsparker. Let's run a non-authenticated and an authenticated scan with Netsparker to detect some vulnerabilities in bWAPP. I have a trial edition for you…
OK! Are you ready to exploit some bugs?
I will try to cover...
Let’s start with injections! Injection flaws occur when an application sends untrusted data to an interpreter. They are often found in SQL, OS commands, XPath, XML parsers, SMTP headers, program arguments, etc. Injections are easy to discover when examining code, but rather difficult to discover via pentesting! Scanners and fuzzers can help in finding injection flaws.
Injection can result in...
According to the OWASP Top 10 Project, injection vulnerabilities are ranked number one.
SQL injection is very common in web applications. It occurs when user input is sent to a SQL interpreter as part of a query. The attacker tricks the interpreter into executing unintended SQL queries.
This image illustrates how a traditional login form works. A user is required to provide a valid ‘login’ and ‘password’. Check the insecure SQL query…
What if the user enters [’ or 1=1--], manipulating and breaking the original SQL query? You should know that [or 1=1] is always TRUE... Well, he will be able to login without a valid password! That’s a common example of SQL injection.
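The login bypass described above, side by side with the fix, as an added example (not bWAPP's own PHP code). It assumes a constructed in-memory SQLite table standing in for the MySQL users table, with the bee/bug account from the slides; the same [’ or 1=1--] input opens the concatenated query and is harmless against the parameterized one.

```python
import sqlite3

# Constructed stand-in for bWAPP's MySQL users table (assumption: one user, bee/bug).
# Passwords stay in clear text only to keep the injection point visible; real code hashes them.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users (login, password) VALUES ('bee', 'bug')")
    conn.commit()
    return conn

def build_query_insecure(login, password):
    # The user's text is pasted into the SQL grammar, so quotes and comment markers
    # in the input rewrite the query itself.
    return ("SELECT login FROM users WHERE login = '" + login
            + "' AND password = '" + password + "'")

def login_insecure(conn, login, password):
    # With login = ' or 1=1--  the WHERE clause becomes  login = '' or 1=1
    # and everything after -- (including the password check) is a comment.
    row = conn.execute(build_query_insecure(login, password)).fetchone()
    return row is not None

def login_secure(conn, login, password):
    # Parameterized query: the driver binds the values as data, never as SQL,
    # so the same input is compared literally against the login column and matches nothing.
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row is not None
```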
Let’s check the code...
Some simple SQL injection strings... used to bypass login forms.
Union injections: joining data from 2 different tables in the database. And stacked queries: executing multiple independent SQL queries.
Here is an ‘effective’ example of a stacked query... it is definitely his lucky day
We also have Blind SQL Injection... Blind SQL injection is a type of SQL injection attack that asks the backend database true or false questions. It is often used when the web application is configured to show generic messages: when the database does not output data to the web page, or when the code vulnerable to SQL injection is not displayed. It is nearly identical to normal SQL injection, but the way the data is retrieved from the database differs…
Here is an example of boolean-based SQL injection.
And here is an example of time-based SQL injection. We are playing with the SQL SLEEP() function...
Let’s do some SQL injection...
Another injection issue is HTML injection. It occurs when a user inserts HTML code via a specific input field or parameter. A website is vulnerable because it does not validate the user-supplied data. HTML injection is very dangerous when it is stored permanently! HTML injections can lead to website defacements, phishing attacks and even client-side exploitation. Please, don’t underestimate the power of HTML injection!
A quick demo...
Cross-Site Scripting, or XSS, occurs when an attacker injects a script into a web application. The script doesn’t run on the website, but in a victim’s browser. The website just delivers the script to the victim. A website is vulnerable because it does not validate the user-supplied data. XSS is very dangerous when it is stored permanently! Usually JavaScript is injected, but it may also include HTML, Flash, or any other type of code that the browser may execute. XSS can lead to website defacements, phishing attacks, session hijacking, and even client-side exploitation. So please, don’t underestimate the power of XSS!
Cross-Site Scripting, or XSS, occurs when an attacker injects a script into a web application. The script doesn’t run on the website, but in a victim’s browser. The website just delivers the script to the victim. A website is vulnerable because it does not validate the user-supplied data. Usually JavaScript is injected, but it may also include HTML, Flash, or any other type of code that the browser may execute.
We distinguish two types of XSS flaws: Reflected and Stored. With Reflected XSS, a user is tricked into clicking on a link containing the JavaScript code, or tricked into browsing to a malicious website containing the code. With Stored XSS, the JavaScript code is stored permanently on the vulnerable website. More dangerous!
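The two defensive controls behind the XSS slides, output encoding and an HttpOnly session cookie, as an added example that is not part of bWAPP. It assumes a constructed script payload and a cookie named PHPSESSID (the PHP default); the insecure renderer echoes the input unchanged, the secure ones encode it for the HTML body and attribute contexts, and the cookie flags keep injected script from reading the session id.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload standing in for what a Stored XSS entry (e.g. a blog comment) would carry.
SAMPLE_INPUT = '<script>alert("xss")</script>'

def render_insecure(name):
    # Echoes user input straight into the page: the browser parses and runs any script in it.
    return "<p>Welcome " + name + "</p>"

def render_secure(name):
    # HTML body context: <, >, & and quotes become entities, so the text is displayed, not parsed.
    return "<p>Welcome " + html.escape(name, quote=True) + "</p>"

def render_attribute_secure(name):
    # Quoted attribute context: quote=True is what stops a '"' in the input from closing the attribute.
    return '<input type="text" name="name" value="' + html.escape(name, quote=True) + '">'

def session_cookie(token):
    # HttpOnly keeps document.cookie from exposing the session id to injected script;
    # Secure and SameSite limit where the browser will send it at all.
    cookie = SimpleCookie()
    cookie["PHPSESSID"] = token
    cookie["PHPSESSID"]["httponly"] = True
    cookie["PHPSESSID"]["secure"] = True
    cookie["PHPSESSID"]["samesite"] = "Strict"
    return cookie.output(header="").strip()
```

Encoding must match the output context; the body and attribute renderers above are the two most common, and JavaScript or URL contexts need their own encoders.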
According to the OWASP Top 10 Project, Cross-Site Scripting vulnerabilities are ranked number three.
XSS is easy to detect... We will hijack a user session...
We will... XSS is easy to detect...
Denial-of-Service attacks, or DoS attacks. With a DoS attack an attacker attempts to prevent legitimate users from accessing the application, server or network. This happens by consuming network bandwidth, server sockets, threads, or CPU resources. Another type of DoS attack is a Distributed Denial-of-Service attack, or DDoS attack. DoS and DDoS attacks are popular techniques used by hacktivists.
Newer layer 7 DoS attacks are more powerful! They are often called “Low-bandwidth application layer DoS”. It’s possible to make a server unreachable with only 1 web client. Here, we are stressing the web application or web server (and not the hardware or network).
Some layer 7 DoS methods...
I have good news... our bee-box is vulnerable to some DoS attacks!
Let’s talk about Unrestricted File Uploads, and web shells. File upload flaws occur when an attacker can upload files without any restrictions, or by bypassing weak restrictions. The first step in many attacks is to get some code to the system. An unrestricted file upload flaw helps the attacker… now the attack only needs to find a way to get the code executed.
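An upload handler with the restrictions the slide says are missing, as an added example that is not part of bWAPP. It assumes an image-only upload feature with a constructed allowlist of extensions and their magic bytes; the client-supplied name is discarded, the content must match the claimed type, and the file is meant to land in a directory outside the web root where nothing executes it.

```python
import os
import secrets

# Constructed allowlist: permitted extensions and the magic bytes each file must begin with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_BYTES = 2 * 1024 * 1024

class UploadRejected(ValueError):
    """Raised for any upload that fails a check."""

def validate_upload(client_filename, data):
    """Return a server-chosen filename if the upload passes every check, else raise UploadRejected."""
    # Strip any directory part the client sent, for both Unix and Windows separators.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if "\x00" in name:
        raise UploadRejected("null byte in filename")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed: %r" % ext)
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # The extension alone proves nothing: the content must start like the type it claims to be.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Never reuse the client name. A random name defeats overwrites and double-extension
    # tricks such as shell.php.png that some web servers map to a script handler.
    return "%s.%s" % (secrets.token_hex(16), ext)

def is_accepted(client_filename, data):
    """Convenience wrapper: True if validate_upload would accept the file."""
    try:
        validate_upload(client_filename, data)
    except UploadRejected:
        return False
    return True

def store_upload(upload_dir, client_filename, data):
    """Write a validated upload under upload_dir, which should sit outside the web root
    and be served (if at all) without any script execution handler: a magic-byte check
    does not rule out a polyglot file that is both an image and a script."""
    safe_name = validate_upload(client_filename, data)
    path = os.path.join(upload_dir, safe_name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```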
Let’s talk about evil web shells. Web shells are malicious web pages that provide an attacker functionality on a web server. They make use of server-side scripting languages like PHP, ASP, ASPX, JSP, CFM, Perl,... Some web shell functionalities...
Here are some external attack vectors for using and uploading web shells... You can test each of these vulnerabilities on our bWAPP platform!
Our last demo for today... We will generate a payload, a web shell, and we will upload the web shell using a file upload flaw in bWAPP... We have shell access again! From our shell, it is even possible to escalate our privileges... and to get root access!
Another hands-on lab...
Another web issue... File Inclusions. File inclusion flaws occur when an attacker includes a file, usually through a script on the web server. Again, the vulnerability occurs due to the use of user-supplied input without proper validation. There are 2 types of file inclusion flaws: Local File Inclusion (LFI) and Remote File Inclusion (RFI).
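A page resolver that closes both the LFI and the RFI variant, as an added example (not bWAPP's PHP). It assumes a constructed map of page keys to files and a base directory such as /var/www/pages; the insecure function mirrors an include that concatenates the raw parameter, the secure one only accepts a key from the map and then checks the canonical path still lies under the base directory.

```python
import os

# Constructed page map: the request parameter selects a key here, never a path.
PAGE_MAP = {
    "home": "home.html",
    "news": "news.html",
    "contact": "contact.html",
}

def resolve_page_insecure(base_dir, page):
    # Mirrors include($base . $page): "../../etc/passwd" walks out of base_dir, and in PHP
    # with allow_url_include a "http://" value would fetch remote code (RFI).
    return base_dir + "/" + page

def resolve_page_secure(base_dir, page):
    """Return the absolute file to include, or None to refuse the request."""
    # Anything that looks like a URL wrapper or carries a null byte never qualifies.
    if "://" in page or "\x00" in page:
        return None
    filename = PAGE_MAP.get(page)
    if filename is None:
        # Unknown key: refuse instead of guessing at a file name.
        return None
    base_real = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base_real, filename))
    # Defence in depth: even a bad map entry or a symlink must not escape base_dir.
    if os.path.commonpath([base_real, target]) != base_real:
        return None
    return target
```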
Let’s check the PHP code...
File inclusion can lead to...
According to the OWASP Top 10 Project, file inclusion vulnerabilities are ranked number seven.
Our last exercise for today... We have shell access again! From our shell, it is even possible to escalate our privileges... and to get root access!
So during this presentation we defaced our website, compromised the server, even compromised a client, made the server unreachable, hijacked a session, and stole some credentials…
So during this presentation/workshop we defaced your website, compromised your server, compromised your clients, made your server unreachable, hijacked your session, and stole your credentials…
And we have so many more bugs to exploit… It’s definitely time to improve your web security. Defense is needed: firewalls and vulnerability scanners are not the ultimate solution. Testing, penetration testing, is required! It confirms potential vulnerabilities, excludes false positives, and guarantees that your defense measures are working effectively. Downloading bWAPP is a first start, it will help you to improve your web application security-testing skills! Remember: every bee needs a superbee. Are you that superbee?
Thank you very much for attending this presentation!Are there any questions?