The document discusses security issues with AngularJS and summarizes four general attack vectors:
A1: Attacking the AngularJS sandbox by bypassing restrictions on dangerous objects and methods. Early versions had trivial bypasses but later versions required more creative techniques.
A2: Attacking the AngularJS sanitizer, which aims to sanitize HTML strings and remove XSS attacks. There were issues with both an older sanitizer version and the current version.
A3: Attacking the Content Security Policy (CSP) mode in AngularJS.
A4: Attacking vulnerabilities directly in the AngularJS codebase through techniques like sandbox bypasses.
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,... (Mario Heiderich)
ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now, and step by step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretical language but has already crawled across the doorstep and now lurks under your bed, ready for the nasty, waiting for the right moment to bite.
Now, what is this whole ES6 thing? How did it develop and who made it? And why is it now implemented in your favorite browser? And what does it mean for web-security and beyond?
This talk will answer these questions and showcase the new language from an attacker's perspective. You will see the new code constructs that can be executed with ES6 and new attack vectors, and learn what you can do to tame that beast. Kafkaesque terminology such as expression interpolation, proper tail calls, computed properties, spread parameters, modules and tagged template strings will no longer surprise you after attending this talk.
Introduction to GoLang by Amal Mohan N. This presentation is an introduction to GoLang: its history, features, syntax, importance, etc.
concurrency, go-routines, golang, google, gopher, introduction, programming
[2013 CodeEngn Conference 09] Park.Sam - Analysis of Unconventional Attack Techniques Used by Game Hacking Tools (GangSeok Lee)
2013 CodeEngn Conference 09
As the security of game protection products is strengthened, the attack techniques used by hacking tools are also becoming more diverse. Some hacking tools abuse the OS debugging mechanism or disguise themselves as system processes in order to gain access to the game; this talk examines several such unconventional techniques.
http://codeengn.com/conference/09
http://codeengn.com/conference/archive
Scriptless Attacks - Stealing the Pie without touching the Sill (Mario Heiderich)
- The document discusses scriptless attacks that can bypass traditional XSS defenses like NoScript and XSS filters by leveraging new HTML5 and CSS features.
- It presents several proof-of-concept attacks including using CSS to steal passwords, using SVG fonts to brute force CSRF tokens, and using custom fonts to leak sensitive information like passwords without using JavaScript.
- The attacks demonstrate that even without scripting, features in HTML5 and CSS can be abused to conduct traditional XSS attacks and undermine security defenses, so more work is needed to protect against side-channels and unwanted data leakage from the browser.
This document contains configuration examples for the Nginx web server. It shows how to use different location blocks to route requests based on the URL and return specific content. Location blocks can match the request URL exactly, use regular expressions to match parts of the URL, and specify a root directory to serve files under a specific path. The examples demonstrate how to configure Nginx to return different content based on the request URL and handle image file requests.
This document discusses securing EmberJS applications. It begins by introducing the author and their background working on client-side web security. It then provides an overview of the topics covered, which include cross-site request forgery (CSRF), cross-site scripting (XSS), and content security policy (CSP). It explains the architecture of single-page applications like EmberJS applications. It also illustrates common web attacks like CSRF and XSS, and describes approaches to mitigate these attacks in EmberJS applications, including the use of tokens and CSP.
Webinar: AngularJS and the WordPress REST API (WP Engine UK)
The WordPress REST API, in conjunction with a JavaScript MVC framework such as AngularJS, opens up endless opportunities for developers to build new types of plugins and customize user experiences. This webinar goes in-depth into how to use AngularJS with the WordPress REST API. Together, these tools help you tie systems together to customize user experiences, build plugins, and advance your business in new, innovative ways that are only limited by your imagination!
What is covered in these slides:
- How to make custom admin interfaces using the REST API & AngularJS
- 2 practical examples of specific use cases:
  - Starting point: a simple example of creating a customized post editor with AngularJS.
  - End point: using AngularJS to build a plugin admin screen, using the Ingot A/B testing plugin as an example.
This document discusses the architecture of AngularJS applications. It outlines several key components of AngularJS architecture:
1. Configurations define everything needed for the system using a blueprint approach.
2. The routing system acts like a map to help users navigate between different routes, spots, trips, and days.
3. Pages define templates and controllers to determine how each room (page) looks and functions.
4. Directives define templates and controllers for reusable components.
5. Services provide reusable functionality like data access across the application similarly to companies or government agencies.
6. Filters decorate pages by hiding unwanted content to improve visuals.
AngularJS - Architecture decisions in a large project (Elad Hirsch)
This document discusses architecture decisions for a large JavaScript project. It covers the project's technology stack including using Bower for frontend artifacts, ES6 classes for cleaner code, and RequireJS for asynchronous module loading. It also discusses design principles like separation of concerns, testing as a baseline, and enabling easier reusability of components. Specific Angular directives design topics are covered such as making directives singletons, handling state with $scope, and the compile and link functions.
This document discusses scalable application architecture. It covers topics like dynamic requirements, using a scalable communication layer with various package formats, handling multiple state mutation sources, building scalable teams, and lazy loading. It provides examples of component architecture using Angular, services, state management with ngrx/redux, immutability with ImmutableJS, and asynchronous logic with RxJS. The goal is to build modular, extensible applications that can handle complex requirements through separation of concerns and well-designed architecture.
Building an End-to-End AngularJS Application (Dan Wahlin)
This talk discusses how AngularJS can be used to build an end-to-end Customer Manager application. It covers structuring code and files, working with events, XHR interceptors, plus more.
This document discusses AngularJS application architecture best practices including:
- Separation of concerns by component type and feature
- Consistent syntax such as aliasing 'this' for nested functions
- Organizing the app by feature rather than type for larger apps
- Naming conventions for controllers, services, directives
- Using modules to aggregate dependencies
- Best practices for controllers, AJAX calls, unit testing, and end-to-end testing
In this meetup Eyal Vardi will talk about Angular 2.0 architecture. The session will focus on the main parts of Angular 2.0:
Application Bootstrap
Angular Compiler
Hierarchical Injector
Component Lifecycle Hooks
Change Detector
Renderer
Angular 2.0 & jQuery
Dynamic component creation
Tips & Tricks
Each part will be explained and analyzed. In some cases we will dive into Angular 2.0 source code. Our purpose is to list the Do's & Don’ts of Angular.
The session is mostly targeted at developers who already have some experience with Angular 2.0.
AngularJS 101 - Everything you need to know to get started (Stéphane Bégaudeau)
In this presentation, you will find everything you need to get started with AngularJS.
For more details, have a look at my blog (http://stephanebegaudeau.tumblr.com) or follow me on twitter (@sbegaudeau)
AngularJS uses a compile function to parse HTML into DOM elements and compile directives. The compile function sorts directives by priority and executes their compile and link functions to connect the scope to the DOM. It recursively compiles child elements. This allows directives to manipulate DOM elements and register behavior.
Cross-Site Request Forgery (CSRF) is a type of malicious attack that tricks a user into unknowingly executing unwanted actions on a web application. The attacker creates hidden HTTP requests that get executed in the victim's browser using their authentication credentials. This allows the attacker to perform sensitive functions like changing passwords, making purchases, or posting comments on the victim's behalf. Defenses include using secret tokens or custom headers to validate requests and prevent CSRF attacks. The Firefox add-on CsFire also helps protect users by removing authentication information from cross-domain requests.
Cross Site Scripting - Mozilla Security Learning Center (Michael Coates)
This document discusses cross-site scripting (XSS) vulnerabilities. It covers the business risks of XSS, including account compromise and malware installation. It explains how XSS works by giving an example of a reflected XSS attack. It then discusses different XSS attack points and variations. The document outlines mitigation techniques like output encoding and content security policies. It provides examples of how these defenses work to prevent XSS exploits. Finally, it discusses tools like the OWASP XSS prevention cheat sheet and upcoming security training sessions.
This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving mobile and cloud technologies. Old vulnerabilities persist in widely used software like PHP and Apache. The growth of IoT and "smart" devices introduces many new insecure products. Overall, new technologies are often released without security testing, while older software houses long-standing flaws. The document concludes that as applications and networks grow more complex, so too will security issues, requiring continued research and vigilance.
[2.1] Web application Security Trends - Omar Ganiev (OWASP Russia)
This document summarizes recent trends in web application security vulnerabilities. Client-side attacks like XSS remain prominent along with emerging threats involving cloud computing, big data, and the Internet of Things. Old vulnerabilities persist in widely used software while new issues are found in new technologies. Overall, the growth of web applications and their interactions creates many new attack surfaces despite ongoing security improvements, ensuring hackers will continue finding novel ways to exploit systems.
Site Security Policy - Yahoo! Security Week (guest9663eb)
The document discusses how browsers can provide additional security for web applications through implementing a proposed "Site Security Policy". This would allow website administrators to define security rules that browsers enforce, restricting the capabilities of web content to help prevent cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. Specific policies proposed include restricting where script code can be loaded from to prevent XSS, and controlling what domains can initiate requests to prevent CSRF. The approach is meant to work alongside existing security best practices and provide another layer of defense. It is designed to be backward compatible and not break existing websites or browsers that do not support the new policies.
Owasp Top 10 - Owasp Pune Chapter - January 2008 (abhijitapatil)
The document discusses various cybersecurity topics including vulnerabilities, threats, attacks, and countermeasures. It provides an overview of the Open Web Application Security Project (OWASP) which focuses on improving application security. It also summarizes common web vulnerabilities like cross-site scripting (XSS), SQL injection, buffer overflows, and cross-site request forgery (CSRF). Recommendations are given to prevent these vulnerabilities.
This presentation by Mike Shame of Qualys covers the basics of Web Application Security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as cross-site scripting (XSS) attacks, SQL injection, directory traversal, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S... (Divyanshu)
Browser exploitation | Reporting vulnerabilities in top browsers and obtaining CVEs.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
OWASP Khartoum - Top 10 A5 - 7th meeting - Cross Site Request Forgery (OWASP Khartoum)
Cross Site Request Forgery (CSRF) is a type of attack that forces a logged-in user's browser to send a forged HTTP request to a vulnerable web application, including the user's session cookie and any other authentication information. The document discusses CSRF attacks, provides detection and protection techniques, and notes that CSRF is listed as the fifth most critical vulnerability in the OWASP Top 10 list. Protection techniques discussed include using tokens or nonces, checking the HTTP referrer, using double submit cookies, and implementing challenge-response authentication.
Web security: Securing Untrusted Web Content in Browsers (Phú Phùng)
This document summarizes a seminar on securing untrusted web content at browsers. It discusses how 92% of websites use JavaScript, which can pose security issues if third-party scripts are malicious or compromised. The seminar presents an approach using lightweight self-protecting JavaScript that enforces security policies without browser modifications. This is done by sandboxing untrusted code execution and intercepting API calls according to enforcement rules defined in policy files. Real-world attacks are also examined that were carried out by injecting malicious code into third-party scripts on major websites.
Automatically detecting security vulnerabilities in WordPress (Fresh Consulting)
This document summarizes common security vulnerabilities in WordPress like SQL injection, cross-site request forgery (CSRF), and cross-site scripting (XSS). It explains these vulnerabilities are on the OWASP Top 10 list of most critical web application security risks. SQL injection occurs when untrusted data is executed as commands without proper authorization. CSRF forces a victim's browser to generate requests an application sees as legitimate. XSS happens when untrusted data is displayed on a page without validation, allowing scripts to be executed in a victim's browser. The document also notes using components with known vulnerabilities can undermine defenses. It provides commands to install and analyze a WordPress demo site for these issues.
1) HTML5 and new web standards like Content Security Policy and cross-origin resource sharing improve security by enabling enforcement of policies like script isolation in the client instead of through server-side filtering.
2) Script injection vulnerabilities like cross-site scripting can be solved using these new client-side techniques rather than incomplete server-side simulations.
3) Mashups can be made more secure by using CORS to retrieve validated data instead of injecting code, and postMessage with isolated iframes to communicate with legacy APIs.
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe (Philippe De Ryck)
The slides from an overview presentation of how the Web, and Web security, have changed in the last few years. This talk has been given at various public and private venues. Get in touch if you want to invite me to your company or tech group!
Rich Web App Security - Keeping your application safe (Jeremiah Grossman)
The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
The document discusses common web application security vulnerabilities and best practices for prevention. It covers topics like cross-site scripting (XSS), SQL injection, insecure direct object references, command injection, cross-site request forgery (CSRF), and improper password storage. The document provides examples of each vulnerability and recommendations for prevention, including input validation, prepared statements, encryption, hashing passwords, and other techniques. The objectives are to create awareness of web security issues and how developers can build more secure applications using secure coding practices.
XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately displayed without sanitization. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS manipulates the DOM.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek (Magno Logan)
The document discusses various web application vulnerabilities from the OWASP Top 10 list, including cross-site scripting (XSS), SQL injection, remote file inclusion, insecure direct object references, and cross-site request forgery (CSRF). It provides examples of each vulnerability type and recommendations for prevention. It also introduces Mutillidae, a deliberately vulnerable web application that can be used to demonstrate these vulnerabilities in a controlled environment.
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx (SitimaJohn)
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Programming Foundation Models with DSPy - Meetup Slides (Zilliz)
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
Webinar: Designing a schema for a Data Warehouse (Federico Razzoli)
Are you new to data warehouses (DWH)? Do you need to check whether your data warehouse follows the best practices for a good design? In both cases, this webinar is for you.
A data warehouse is a central relational database that contains all measurements about a business or an organisation. This data comes from a variety of heterogeneous data sources, which includes databases of any type that back the applications used by the company, data files exported by some applications, or APIs provided by internal or external services.
But designing a data warehouse correctly is a hard task, which requires gathering information about the business processes that need to be analysed in the first place. These processes must be translated into so-called star schemas, which means, denormalised databases where each table represents a dimension or facts.
We will discuss these topics:
- How to gather information about a business;
- Understanding dictionaries and how to identify business entities;
- Dimensions and facts;
- Setting a table granularity;
- Types of facts;
- Types of dimensions;
- Snowflakes and how to avoid them;
- Expanding existing dimensions and facts.
Taking AI to the Next Level in Manufacturing.pdf (ssuserfac0301)
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Driving Business Innovation: Latest Generative AI Advancements & Success Story (Safe Software)
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
UiPath Test Automation using UiPath Test Suite series, part 6 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Main news related to the CCS TSI 2023 (2023/1695)Jakub Marek
An English 🇬🇧 translation of a presentation to the speech I gave about the main changes brought by CCS TSI 2023 at the biggest Czech conference on Communications and signalling systems on Railways, which was held in Clarion Hotel Olomouc from 7th to 9th November 2023 (konferenceszt.cz). Attended by around 500 participants and 200 on-line followers.
The original Czech 🇨🇿 version of the presentation can be found here: https://www.slideshare.net/slideshow/hlavni-novinky-souvisejici-s-ccs-tsi-2023-2023-1695/269688092 .
The videorecording (in Czech) from the presentation is available here: https://youtu.be/WzjJWm4IyPk?si=SImb06tuXGb30BEH .
Salesforce Integration for Bonterra Impact Management (fka Social Solutions A...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on integration of Salesforce with Bonterra Impact Management.
Interested in deploying an integration with Salesforce for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
OpenID AuthZEN Interop Read Out - AuthorizationDavid Brossard
During Identiverse 2024 and EIC 2024, members of the OpenID AuthZEN WG got together and demoed their authorization endpoints conforming to the AuthZEN API
2. About Me – Philippe De Ryck
§ Postdoctoral Researcher @ DistriNet (KU Leuven)
  § Focus on (client-side) Web security
§ Responsible for the Web Security training program
  § Dissemination of knowledge and research results
  § Target audiences include industry and researchers
§ Main author of the Primer on Client-Side Web Security
  § 7 attacker models, broken down into 10 capabilities
  § 13 attacks and their countermeasures
  § Overview of security best practices
3. iMinds-DistriNet, KU Leuven
§ Headcount:
  § 10 professors
  § 65 researchers
§ Research Domains
  § Secure Software
  § Distributed Software
§ Part of the iMinds Security Department
  § Together with COSIC and ICRI
§ Academic and industrial collaboration in 30+ national and European projects
https://distrinet.cs.kuleuven.be
8. Towards a Client-centric Web
§ The browser has become an application platform
  § Think of browser-based OSes
  § Think of Chrome’s packaged apps
§ A wide set of typical OS features is coming to the Web
  § Client-side storage
  § Access to system information
  § System-level notifications
  § Real-time communication
9. Client-Side Web Security
§ Browser security policies govern client-side behavior
  § Default policies apply to all applications running in the browser
  § Same-origin policy restricts interactions within the browser
  § Depended upon by numerous countermeasures
§ Modern client-side security policies are server-driven
  § Tailored towards a specific web application
  § Prevent unauthorized actions within the browser
  § Often preceded by autonomous client-side countermeasures
11. Overview
§ Cross-Site Request Forgery
  § Technicalities and common countermeasures
  § Mitigating CSRF in AngularJS applications
§ Cross-Site Scripting
  § Technicalities and common countermeasures
  § XSS and JS MVC frameworks
§ Content Security Policy
  § CSP as a second line of defense
  § Compatibility of AngularJS with CSP
13. Cross-Site Request Forgery Illustrated
[Sequence diagram: the browser talks to some-shop.com and hackedblog.com. To some-shop.com: "Login as Philippe" / "Hello Philippe", then "Show orders" / "List of orders". To hackedblog.com: "Show latest blog post" / "Latest blog post". A "Change email address" request to some-shop.com, triggered while the blog page is open, is answered "Sure thing, Philippe".]
14. The Essence of CSRF
§ The server is confused about the intentions of the user
  § Malicious sites can trigger unintended requests from the browser
  § Consequence of the ambient authority carried by the cookie
§ Common vulnerability
  § Illustrated by cases at Google, Facebook, eBay, …
  § Ranked #8 on OWASP top 10 (2013)
§ Countermeasures require explicit action by the developer
  § Often only focus on POST / PUT / DELETE
17. CSRF Defense 1: HTML tokens
§ Hide token within the page, and check upon form submission
§ Same-Origin Policy keeps this token out of reach for the attacker
[Sequence diagram: some-shop.com serves the "Account details page" / "Account details"; a "Change email address" submission from that page is answered "Sure thing, Philippe". After "Show latest blog post" / "Latest blog post" from hackedblog.com, a "Change email address" request triggered from the blog has no token: "CSRF token sadness :(".]
18. CSRF Defense 1: HTML tokens
§ Hide token within the page, and check upon form submission
§ Same-Origin Policy keeps this token out of reach for the attacker
<form action="submit.php">
<input type="hidden" name="token"
value="qasfj8j12adsjadu2223" />
…
</form>
TOKEN-BASED APPROACH
19. CSRF Defense 2: Origin Header
§ Check the origin header sent by the browser
§ Automatically added to state-changing requests (POST, PUT, DELETE)
[Sequence diagram: a "Change email address" request carrying "Origin: some-shop.com" is answered "Sure thing, Philippe". After "Show latest blog post" / "Latest blog post" from hackedblog.com, a "Change email address" request carrying "Origin: hackedblog.com" is rejected: "Stranger danger!"]
20. CSRF Defense 3: Transparent Tokens
§ Transparent token stored in cookie, checked in header
§ Security depends on the ability to read the cookie from JavaScript
[Sequence diagram with some-shop.com: the first request is answered with "Set-Cookie: session=…" and "Set-Cookie: CSRF-Token=123". Later requests carry "Cookie: session=…", "Cookie: CSRF-Token=123" and the header "X-CSRF-Token: 123". Only the JS code on the page can copy the cookie value into the header.]
21. CSRF Defense 3: Transparent Tokens
§ Transparent token stored in cookie, checked in header
§ Security depends on the ability to read the cookie from JavaScript
§ By default, GET, HEAD and OPTIONS are not covered
§ AngularJS enables this by default for the 'XSRF-TOKEN' cookie
var csrf = require('csurf');
app.use(csrf());
app.use("/", function(req, res, next) {
  res.cookie('XSRF-TOKEN', req.csrfToken());
  next();
});
TRANSPARENT TOKENS
24. Cross-Site Scripting (XSS)
§ Injection of attacker-controlled script into victim application
  § Very common Web vulnerability
  § Ranked #3 in OWASP’s top 10 (2013)
  § Referred to as the buffer overflow of the Web
§ Why is XSS such a big deal?
  § Attacker can run code with your application’s privileges
  § Full access to page’s contents and resources
  § Full use of granted permissions
  § Launch platform for attack escalation (e.g. malware)
27. Cross-Site Scripting Payloads
§ XSS payload is often benign, just to show a proof of exploit
§ XSS payloads are only limited by your creativity
  § Session hijacking
  § Defacement
  § Undermining defenses (e.g. CSRF)
  § Keylogging
  § Network scanning
  § …
§ Can be used to launch a more elaborate attack
28. Apache.org Compromise
1. Report bug with obscured URL containing reflected XSS attack: http://tinyurl.com/XXXXXXX
2. Admin opens link, compromising their session
3. Attacker disables notifications for a hosted project
4. Attacker changes upload path to location that can execute JSP files
5. Attacker adds new bug reports with JSP attachments
6. Attacker browses and copies filesystem through JSP; installs backdoor JSP with webserver privileges
http://blogs.apache.org/infra/entry/apache_org_04_09_2010
29. Apache.org Compromise
7. Attacker installs JAR to collect passwords on login
8. Triggered logins by sending out password reset mails
9. One of the passwords matched an SSH account with full sudo access
10. The accessible machine had user home folders, with cached subversion credentials
11. From the subversion machine, privilege escalation was unsuccessful
http://blogs.apache.org/infra/entry/apache_org_04_09_2010
30. Different Types of XSS
§ Different types of script injection
  § Persistent: stored data used in the response
  § Reflected: part of the URI used in the response
  § DOM-based: data used by client-side scripts
http://www.example.com/search?q=<script>alert('XSS');</script>
<h1>You searched for <script>alert('XSS');</script></h1>
REFLECTED XSS
31. Different Types of XSS
§ Different types of script injection
  § Persistent: stored data used in the response
  § Reflected: part of the URI used in the response
  § DOM-based: data used by client-side scripts
http://www.example.com/search?name=<script>alert('XSS');</script>
<script>
name = document.URL.substring(document.URL.indexOf("name=")+5);
document.write("<h1>Welcome " + name + "</h1>");
</script>
<h1>Welcome <script>alert('XSS');</script></h1>
DOM-BASED XSS
32. Mitigating XSS
§ Secure coding practices
  § Do not rely on simple filters (e.g. removing <, >, &, ", ')
  § Use context-sensitive output encoding
    • HTML body: <h1>DATA</h1>
    • HTML attributes: <div id='DATA'>
    • Stylesheet context: body { background-color: DATA; }
    • Script context: alert("DATA");
    • URL context: <a href="http://example.com?arg=DATA">
§ Additional layers of defense
  § Browsers incorporate reflected XSS filters
  § Content Security Policy allows servers to prevent inline script execution
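Context-sensitive output encoding for the five contexts listed above, together with the DOM-based XSS snippet from slide 31 beside a hardened version, as an added example that is not part of the slides. The encoder names and the sample inputs are constructed for this example; nothing in it needs a browser DOM.

```javascript
// Added example (not from the slides): one encoder per output context, and
// the slide-31 "Welcome <name>" rendering done unsafely and safely.

// HTML body context: <h1>DATA</h1>
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
}

// HTML attribute context: <div id='DATA'>. Everything but alphanumerics is
// encoded, so neither a single-quoted nor an unquoted attribute can be left.
function encodeForHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (c) {
    return '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';';
  });
}

// JavaScript string context: alert("DATA"). \xHH for Latin-1, \uHHHH above,
// so quotes, backslashes and "</script>" cannot close the string or block.
function encodeForJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, function (c) {
    const code = c.charCodeAt(0);
    return code < 256 ? '\\x' + code.toString(16).padStart(2, '0')
                      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Stylesheet value context: body { background-color: DATA; }. Only a small
// allow-list passes; anything else becomes a CSS \HH escape (trailing space
// terminates the escape).
function encodeForCss(s) {
  return String(s).replace(/[^A-Za-z0-9#]/g, function (c) {
    return '\\' + c.charCodeAt(0).toString(16) + ' ';
  });
}

// URL parameter context: <a href="http://example.com?arg=DATA">
function encodeForUrlParam(s) {
  return encodeURIComponent(String(s));
}

// The vulnerable pattern from slide 31: raw string concatenation that is
// then handed to document.write(). Kept as-is to show the defect.
function renderWelcomeUnsafe(name) {
  return '<h1>Welcome ' + name + '</h1>';
}

// Hardened: encode for the HTML body context before the markup reaches the
// DOM. In a browser, element.textContent = name avoids building HTML at all.
function renderWelcomeSafe(name) {
  return '<h1>Welcome ' + encodeForHtml(name) + '</h1>';
}

// Read the "name" parameter the way the slide does (substring after "name="),
// but stop at the next "&" and percent-decode, as a browser-delivered URL is.
function nameFromUrl(url) {
  const idx = url.indexOf('name=');
  if (idx === -1) return '';
  const raw = url.substring(idx + 5).split('&')[0];
  try { return decodeURIComponent(raw); } catch (e) { return raw; }
}
```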
34. XSS and JS MVC Frameworks
§ JS MVC frameworks change the underlying architecture
  § Highly dynamic front ends
  § Data-oriented back ends
  § Difficult to match to traditional XSS countermeasures
§ Two important aspects with regard to XSS
  § Server-involvement in templating
  § Client-side data processing
35. Server-Side Template Composition
§ Traditional web back end with JS MVC front end
  § Server-composed view, with dynamic client-side features
  § Keep doing context-aware XSS protection on the server
<script src="knockout-2.3.0.js"></script>
<div data-bind="x:alert(1)" />
<script>
ko.applyBindings();
</script>
KNOCKOUT.JS EXAMPLE
https://code.google.com/p/mustache-security/ (Mario Heiderich)
37. Server-Side Template Composition
§ Traditional web back end with JS MVC front end
  § Server-composed view, with dynamic client-side features
  § Keep doing context-aware XSS protection on the server
§ JavaScript MVC frameworks change how the DOM works
<graph class="visitor-graph">
<axis position="left"></axis>
<axis position="bottom"></axis>
<line name="typical-week" line-data="model.series.typicalWeek"></line>
<line name="this-week" line-data="model.series.thisWeek"></line>
<line name="last-week" line-data="model.series.lastWeek"></line>
</graph>
EXTENDING THE DOM
38. Server-Side Template Composition
§ Traditional web back end with JS MVC front end
  § Server-composed view, with dynamic client-side features
  § Keep doing context-aware XSS protection on the server
§ JavaScript MVC frameworks change how the DOM works
  § Extensions through elements, attributes, etc.
  § New interfaces
  § Often in combination with templating
§ This seems problematic …
39. Mustache Security {{ }}
§ Project dedicated to JS MVC security pitfalls
  § Assuming there is an injection vector
  § Assuming there is conventional XSS filtering in place
  § What can an attacker do?
§ New behavior often breaks existing security assumptions
  § Bypass currently used security mechanisms
  § Script injection possible whenever a data attribute is allowed
https://code.google.com/p/mustache-security/ (Mario Heiderich)
40. Mustache Security Examples
https://code.google.com/p/mustache-security/ (Mario Heiderich)
<script src="jquery-1.7.1.min.js"></script>
<script src="kendo.all.min.js"></script>
<div id="x"># alert(1) #</div>
<script>
var template = kendo.template($("#x").html());
var tasks = [{ id: 1 }];
var dataSource = new kendo.data.DataSource({ data: tasks });
dataSource.bind("change", function(e) {
  var html = kendo.render(template, this.view());
});
dataSource.read();
</script>
KENDOUI EXAMPLE
44. Separating Front End and Back End
§ Beware of server-side composition of templates
  § Generally a bad idea, because of dynamic behavior
  § If you must do this, AngularJS 1.2+ enforces quite a good sandbox
§ Separating the front end from the back end
  § Server provides client-side application as static files
  § Server offers data through a well-designed API
  § Client-side application contains the dynamic behavior
  § More security responsibilities for the client-side application
46. Mitigating XSS in AngularJS
§ AngularJS is a client-side technology
  § Generally cooperates with a RESTful back end
  § RESTful back end is purely data-driven
§ Applying context-sensitive output encoding
  § Back end has no idea where data will be used …
  § So it should be done on the client then?
  § So how does it work in AngularJS?
49. Example: Allowing User-Provided Images
<textarea ng-model="x"></textarea>
<div ng-bind-html="x"></div>
ANGULARJS TEMPLATE
<img src="http://some-shop.com/coolcar.png" />
USER INPUT
Error: [$sce:unsafe] Attempting to use
an unsafe value in a safe context.
GENERATED HTML
57. Strict Contextual Escaping
§ AngularJS tries to protect you from injection attacks
  § Let it, it’s really good at it!
§ ng-bind will never produce HTML
<textarea ng-model="x"></textarea>
<div ng-bind="x"></div>
ANGULARJS TEMPLATE
<div ng-bind="x">
&lt;img src="http://some-shop.com/coolcar.png"
onerror="alert(1)" /&gt;
</div>
GENERATED HTML
58. Strict Contextual Escaping
§ AngularJS tries to protect you from injection attacks
  § Let it, it’s really good at it!
§ ng-bind-html can produce HTML, but not without protection
<textarea ng-model="x"></textarea>
<div ng-bind-html="x"></div>
ANGULARJS TEMPLATE
Error: [$sce:unsafe] Attempting to use
an unsafe value in a safe context.
GENERATED HTML
59. Strict Contextual Escaping
§ AngularJS tries to protect you from injection attacks
  § Let it, it’s really good at it!
§ ng-bind-html can produce HTML, but not without protection
  § Enable automatic sanitization with ngSanitize
  § Removes dangerous features from content
61. Strict Contextual Escaping
§ AngularJS tries to protect you from injection attacks
  § Let it, it’s really good at it!
§ ng-bind-html can output raw trusted HTML
  § $sce.trustAsHtml() allows you to mark HTML as trusted
  § Only use if you are really sure it’s trusted, and checked twice
67. The Essence of CSP
§ CSP reduces the harm of content injection vulnerabilities
  § By telling the client where resources should be loaded from
  § By disabling “dangerous features” by default
§ Policy is delivered as an HTTP header by the server
  § Compatible browsers will enforce the policy on the response
§ A policy consists of a set of directives
  § Each directive controls a different kind of resource
69. How CSP Started …
§ CSP started as a research paper by the Mozilla team
  § Aim to give administrator control over appearance of site
  § Aim to give users some confidence where data is sent to
  § Even in the presence of an attacker that controls content
§ Policy consists of 9 URI directives giving control over:
  § Source of fonts, images, media, object, script, styles, frames
  § Source of ancestor frames
  § Destination of XHR requests
70. And what CSP Is Now
§ CSP has been well received, and evolved quickly
  § Addition of plugin types, sandbox, child contexts, form destinations
  § Additional spec adds UI Security Directives
  § Deprecates X-FRAME-OPTIONS header
  § Additional features to overcome implementation hurdles
§ Widely supported by browsers
  § Chrome makes CSP mandatory for its components
  § Browser extensions and packaged apps
71. A Selective View on CSP
§ By default, CSP will:
  § Prevent resources from being loaded from non-whitelisted locations
§ default-src
  § Specifies the default sources of all content
  § Can be overwritten with more specific directives for each type
§ img-src
  § Specifies the sources of images
§ font-src, media-src, object-src, …
72. A Selective View on CSP
§ By default, CSP will:
  § Prevent resources from being loaded from non-whitelisted locations
  § Prevent inline content from being executed
  § Prevent the use of eval()
§ What is considered inline content?
  § Script blocks embedded in HTML
  § Event handlers that are added as an HTML attribute
  § Style blocks embedded in HTML
  § Style info added with the style attribute
73. A Selective View on CSP
WAIT … WHAT?
74. Examples of Inline Content Problems
<script>
function run() {
  alert('booh!');
}
</script>
<a href="#" onclick="run()">…</a>
INLINE SCRIPT
76. Examples of Inline Content Problems
<script src="myscript.js"></script>
<a href="#" id="myLink">...</a>
EXTERNALIZED SCRIPT
function run() {
  alert('booh!');
}
// Attach the handler from the external file once the DOM is parsed,
// instead of an onclick attribute, so no inline script is needed.
document.addEventListener('DOMContentLoaded',
  function () {
    document.getElementById('myLink')
      .addEventListener('click', run);
  });
EXTERNALIZED SCRIPT
77. Lifting Content Restrictions in CSP
§ script-src and style-src support the lifting of restrictions
  § By specifying 'unsafe-inline' and 'unsafe-eval'
  § Not recommended, as this renders protection useless
§ CSP 1.1 supports nonces and hashes
  § Inline script and style blocks can be allowed
Content-Security-Policy:
script-src 'self' 'nonce-RANDOM';
EXAMPLE POLICY WITH A NONCE
<script nonce="RANDOM">…</script>
EXAMPLE USE OF A NONCE
78. Lifting Content Restrictions in CSP
Content-Security-Policy:
script-src 'self' 'nonce-a8qzj1r';
EXAMPLE POLICY WITH A NONCE
<script nonce="a8qzj1r">…</script>
EXAMPLE USE OF A NONCE
79. CSP Examples
Goal: Load no external resources
Content-Security-Policy:
default-src 'self';
EXAMPLE POLICY
Goal: Load all content over HTTPS
Content-Security-Policy:
default-src https: 'unsafe-inline' 'unsafe-eval';
EXAMPLE POLICY
80. CSP Violation Reports
§ CSP can report violations back to the resource server
  § Allows for fine-tuning of the CSP policy
  § Gives insights in actual attacks
§ Enabled by using the report-uri directive
  § Points to a handler on the server that can process reports
Content-Security-Policy:
default-src 'self';
report-uri http://some-shop.com/csp-report.cgi
EXAMPLE POLICY
82. CSP and JS MVC Frameworks
§ Default behavior of MVC frameworks is not CSP compatible
  § Dependent on string-to-code functionality
  § Requires unsafe-eval in CSP, which kind of misses the point
83. CSP and JS MVC Frameworks
§ Default behavior of MVC frameworks is not CSP compatible
  § Dependent on string-to-code functionality
  § Requires unsafe-eval in CSP, which kind of misses the point
§ AngularJS offers a special CSP mode
  § Simply specify ng-csp alongside your app
  § Include one tiny stylesheet for CSP compliance
<html ng-app ng-csp> … </html>
CSP-COMPLIANT ANGULARJS
84. AngularJS and CSP
§ So CSP prevents inline scripts from running …
<html ng-app ng-csp>
<body ng-controller="MyController">
<h1 onclick="alert(0)">Click me</h1>
<h1 ng-click="$event.view.alert(1)">Click me</h1>
<h1 ng-mouseover=
"$event.target.ownerDocument.defaultView.alert(2)">
Hover me
</h1>
</body>
</html>
INLINE CODE IN ANGULARJS
https://code.google.com/p/mustache-security/ (Mario Heiderich)
85. AngularJS and CSP
§ So CSP prevents inline scripts from running …
<html ng-app ng-csp>
<body ng-controller="MyController">
<h1 onclick="alert(0)">Click me</h1>
<h1 ng-click="$event.view.alert(1)">Click me</h1>
<h1 ng-mouseover=
"$event.target.ownerDocument.defaultView.alert(2)">
Hover me
</h1>
</body>
</html>
INLINE CODE IN ANGULARJS
https://code.google.com/p/mustache-security/ (Mario Heiderich)
Refused to execute inline event handler because it violates
the following Content Security Policy directive: "script-src
'self' http://ajax.googleapis.com 'nonce-bleh'". Either the
'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce
('nonce-...') is required to enable inline execution.
88. AngularJS and CSP
§ So how does AngularJS process event handlers?
  § Parse ‘ng’-attributes
  § Create anonymous functions, connected with events
  § Wait for event handler to fire
  § Technically, not inline, and no eval()
§ AngularJS 1.2.x has a strong sandbox
  § No more references to dangerous objects (e.g. window)
$element.onclick = function($event) {
  $event['view']['alert']('1')
}
https://code.google.com/p/mustache-security/ (Mario Heiderich)
91. Action Points for Tomorrow
1. Check whether your APIs are vulnerable to CSRF attacks
  § Enable CSRF mitigation through transparent tokens
2. Make sure you refrain from server-side templating
  § Let your AngularJS application deal with templating and security
  § Communicate with data-driven APIs
  § Use a proxy to transform existing endpoints into such APIs
  § Enable CSRF mitigation through transparent tokens
3. Look into deploying CSP
  § Start with a small application, with few third-party dependencies
  § Use the reporting feature to dry-run a policy before deploying
  § Share your findings!
92. Building Secure Single Page Applications
§ Single day training at the OWASP AppSec.eu conference
  § Covers various front end and back end security topics
  § Including the topics from this evening in more depth
  § Hands-on sessions using AngularJS and Express
https://2015.appsec.eu/trainings
93. Securing your AngularJS Application
Philippe De Ryck
philippe.deryck@cs.kuleuven.be
/in/philippederyck
https://distrinet.cs.kuleuven.be/people/philippe