This document outlines security guidelines for secure web development. It discusses best practices for input/output encoding, input validation, cache control, usage of tokens, proper session management, database security, file upload security, human/robot identification, security configuration, transport layer protection, user authorization, password policy, disabling HTTP TRACE methods, iframe security, and setting secure flags for cookies. Implementing these guidelines helps secure a web application from common vulnerabilities.
3. Agenda
Security Configuration
Transport Layer Protection
User Authorization and Access Period
Password Policy
HTTP TRACE Methods
Iframe Security
Cookies Security
4. Input/Output Encoding
Encode output based on the input parameters, and encode data that was received as input when you write it out as HTML. This technique is effective on data that, for whatever reason, was not validated on input.
Using techniques such as URL encoding and HTML encoding prevents malicious script from executing.
Input should be validated as strictly as possible on arrival, given the kind of content it is expected to contain.
All HTML meta characters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.).
5. Input Validation
The application should strictly validate all user input on the server and display a customized error message when validation fails.
All user input and output should be checked to ensure it is both appropriate and expected.
Input validation should be done on the client side as well as on the server side, because a secure web application can't rely on client-side validation alone.
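The two slides above combined in one added example (not code from the original presentation): a strict server-side allowlist for a username field, plus HTML and URL encoders that replace the meta characters the slides name. The 3-32 character username format is an assumption made for the example.

```python
import re
from typing import Tuple
from urllib.parse import quote

# Allowlist for the username field (assumption for the example: 3-32 chars of
# letters, digits, '.', '_' or '-'; the slides do not fix a username format).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{3,32}")

# The HTML meta characters named on the slide, each mapped to an entity.
# '&' is included as well so an encoded value can never be read back as an entity.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "=": "&#x3D;",
}


def validate_username(value: str) -> Tuple[bool, str]:
    """Server-side validation: reject anything outside the allowlist and return
    a customized error message instead of echoing the rejected input back."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        return False, "Username must be 3-32 letters, digits, '.', '_' or '-'."
    return True, ""


def html_encode(text: str) -> str:
    """Replace every HTML meta character with its entity before writing
    untrusted data into an HTML body or attribute value."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def url_encode(text: str) -> str:
    """Percent-encode untrusted data that is placed in a URL query parameter."""
    return quote(text, safe="")


def render_profile(username: str) -> str:
    """Render a profile fragment. Even if validation was skipped upstream,
    output encoding keeps the value inert in both the HTML and URL contexts."""
    return (
        f"<p>Welcome, {html_encode(username)}</p>"
        f'<a href="/profile?user={url_encode(username)}">profile</a>'
    )
```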
6. Cache Control
It is recommended to use all the cache control headers on sensitive pages.
Improper cache control may let an attacker reach the authenticated page of another user from the browser's history.
Logging out of an application does not clear the browser cache of any sensitive information that may have been stored there.
7. Usage of Tokens
Attackers can create forged HTTP requests and trick a victim into submitting them via image tags, XSS, or numerous other techniques.
It is recommended to include an unpredictable token in the body or URL of each HTTP request, especially when using forms or making asynchronous requests.
Cross-site request forgery (CSRF) can be prevented with such security tokens.
8. Proper Session Management
It is recommended that every page has a logout link.
Logout should destroy all server-side session state and client-side cookies.
Attackers use leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, or session IDs) to impersonate users.
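An added example serving slides 7 and 8 together (not code from the original presentation): a per-session CSRF token that every state-changing request must echo back, and a logout that destroys the server-side session and expires the cookie. The in-memory session store and the `sid` cookie name are assumptions for the example.

```python
import hmac
import secrets
from typing import Dict, Optional

# In-memory session store, constructed for the example: session id -> data.
# A real application keeps this server-side (database, cache, ...).
SESSIONS: Dict[str, dict] = {}


def login(username: str) -> str:
    """Create a fresh server-side session and mint an unpredictable CSRF token
    bound to it. Returns the session id that goes into the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> Optional[str]:
    """The token to embed in every form or asynchronous request of this session.
    It is never placed in an image URL, so a forged <img> request cannot carry it."""
    session = SESSIONS.get(sid)
    return session["csrf"] if session else None


def handle_post(sid: Optional[str], submitted_token: Optional[str]) -> int:
    """Accept a state-changing request only when the submitted token matches
    the one bound to the session. Returns the HTTP status to send."""
    session = SESSIONS.get(sid or "")
    if session is None:
        return 401  # no live session: not logged in, or already logged out
    if not submitted_token or not hmac.compare_digest(
        session["csrf"].encode(), submitted_token.encode()
    ):
        return 403  # forged request: token missing or wrong
    return 200


def logout(sid: str) -> Dict[str, str]:
    """Destroy the server-side state and tell the browser to drop the cookie."""
    SESSIONS.pop(sid, None)
    return {"Set-Cookie": "sid=; Max-Age=0; Path=/; Secure; HttpOnly"}
```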
9. Database Level Security
An attacker can steal data from the database by asking a series of true/false questions through SQL statements.
It is advised that a proper authorization mechanism be implemented to restrict unauthorized users.
The two recommended, complementary methods of mitigating SQL injection attacks are:
Parameterized queries using bound, typed parameters
Careful use of parameterized stored procedures
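The first mitigation worked through as an added example (not code from the original presentation), using an in-memory SQLite table constructed for the purpose: the same lookup written with string concatenation and with a bound parameter, so the difference in behaviour on a crafted value can be observed directly.

```python
import sqlite3
from typing import List, Tuple


def seed_db() -> sqlite3.Connection:
    """Constructed sample database with two users (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "s3cret-a"), ("bob", "s3cret-b")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> List[str]:
    """Before: the input is concatenated into the statement, so a crafted value
    becomes part of the WHERE clause and changes which rows are returned."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[str]:
    """After: the value travels as a bound, typed parameter. The driver compares it
    as data only; it is never parsed as SQL, whatever characters it contains."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name: str) -> Tuple[List[str], List[str]]:
    """Run both lookups on a fresh database and return (vulnerable, parameterized)."""
    conn = seed_db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()
```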
10. File Upload Security
An attacker can upload malicious files, which may lead to remote code execution and total defacement of the web application.
It is recommended to restrict the file types accepted for upload: check the file extension and only allow certain files to be uploaded.
Use a whitelist approach instead of a blacklist.
Change the permissions on the upload folder so the files within it are not executable. If possible, rename the uploaded files.
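All four recommendations of the slide in one added example (not code from the original presentation): an extension whitelist, a random replacement filename, and a write with the execute bits left off. The set of allowed extensions is an assumption for the example.

```python
import os
import secrets
import stat
import tempfile
from typing import Optional

# Whitelist: only these extensions may be uploaded (assumed set for the example).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def safe_upload_name(original_name: str) -> Optional[str]:
    """Return a fresh random filename that keeps only a whitelisted extension,
    or None when the upload must be rejected."""
    base = os.path.basename(original_name.replace("\\", "/"))  # drop directory parts
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()          # the *last* extension decides
    if ext not in ALLOWED_EXTENSIONS:
        return None                               # not on the whitelist: rejected
    return f"{secrets.token_hex(16)}.{ext}"       # name no longer attacker-chosen


def save_upload(upload_dir: str, original_name: str, data: bytes) -> Optional[str]:
    """Write the file under its new name with mode rw-r--r-- (no execute bits)."""
    new_name = safe_upload_name(original_name)
    if new_name is None:
        return None
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, new_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Re-apply the mode explicitly so a permissive umask cannot widen it.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
    return path


def demo_upload(original_name: str, data: bytes = b"\x89PNG") -> Optional[dict]:
    """Save into a temporary directory and report whether the file stayed inside
    it and whether any execute bit is set. None means the upload was rejected."""
    upload_dir = tempfile.mkdtemp()
    path = save_upload(upload_dir, original_name, data)
    if path is None:
        return None
    mode = os.stat(path).st_mode
    return {"inside_dir": os.path.dirname(path) == upload_dir,
            "executable": bool(mode & 0o111)}
```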
11. Human/Robot Identification
Attackers can consume web application resources to the point where legitimate users can no longer access or use the application.
Attackers can also lock users out of their accounts or even cause the entire application to fail; an attacker can even make the server unavailable.
It is recommended to implement CAPTCHAs in forms that carry out transactions.
12. Security Configuration
It is recommended to disable or limit detailed error handling. In particular, don't display debug information to end users.
Error messages should not contain any relative or absolute file path.
Direct access to physical directories containing images, JavaScript, or media should not list the directory contents.
13. Transport Layer Protection
It is recommended to deploy the web application over HTTPS to maintain the confidentiality of user credentials and authentication tokens and to prevent man-in-the-middle (MITM) attacks.
HTTPS uses a digitally signed certificate to secure the website/web application against malicious attacks.
This is subject to the business requirement for SSL (Secure Sockets Layer) deployment of the respective application.
14. User Authorization and Access Period
An attacker could perform malicious activity on behalf of a user without his/her knowledge just by luring the victim to click on an evil page containing an invisible iframe of the victim domain.
Apply a lockout period for each user, i.e., automatic logout of logged-in users after they have been idle for a certain time period, and account lockout after a certain number of failed login attempts.
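The access-period rule as an added example (not code from the original presentation): an idle timeout that destroys stale sessions on the next request, and a failed-login counter that locks the account for a fixed period. The 15-minute idle limit, the 5-attempt threshold, the 30-minute lockout and the in-memory state are assumptions for the example; `password_ok` stands in for the real credential check.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed: auto-logout after 15 minutes idle
MAX_FAILED_LOGINS = 5           # assumed: lock the account on the 5th failure
LOCKOUT_SECONDS = 30 * 60       # assumed: keep it locked for 30 minutes

# In-memory state, constructed for the example.
SESSIONS: Dict[str, dict] = {}  # session id -> {"user", "last_seen"}
ACCOUNTS: Dict[str, dict] = {}  # username   -> {"failed", "locked_until"}


def touch_session(sid: str, now: Optional[float] = None) -> bool:
    """Call on every request. Returns True if the session is still live; a session
    idle for longer than the limit is destroyed (automatic logout)."""
    now = time.time() if now is None else now
    session = SESSIONS.get(sid)
    if session is None:
        return False
    if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
        del SESSIONS[sid]
        return False
    session["last_seen"] = now
    return True


def attempt_login(user: str, password_ok: bool,
                  now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """Returns ('locked' | 'failed' | 'ok', session id or None).
    password_ok stands in for the real credential check."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.setdefault(user, {"failed": 0, "locked_until": 0.0})
    if now < acct["locked_until"]:
        return "locked", None           # refuse even a correct password while locked
    if not password_ok:
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_LOGINS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
        return "failed", None
    acct["failed"] = 0                  # a successful login resets the counter
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "last_seen": now}
    return "ok", sid
```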
15. Password Policy
It is recommended to use a complex password so that it cannot be guessed easily and cannot be recovered by password cracking techniques such as brute force.
Passwords should be at least 8 characters long and contain at least 1 uppercase letter, 1 lowercase letter, 1 number, and 1 special character, e.g. Rex@(4*91.
For the forgot-password feature, there should be a process where the user submits his/her email ID and a link with an expiration period is sent to that email address.
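Both parts of the slide as an added example (not code from the original presentation): a checker that reports every policy rule a candidate password breaks, and an HMAC-protected reset token carrying its own expiry for the e-mailed link. The 15-minute link lifetime and the per-process HMAC key are assumptions for the example; "special character" is taken to mean any non-alphanumeric, non-whitespace character.

```python
import hashlib
import hmac
import secrets
import time
from typing import List, Optional

RESET_LINK_TTL = 15 * 60                # assumed: reset links expire after 15 minutes
RESET_SECRET = secrets.token_bytes(32)  # server-side HMAC key, constructed per process


def password_policy_errors(pw: str) -> List[str]:
    """Every rule from the slide that the password breaks; an empty list means accepted."""
    checks = [
        (len(pw) >= 8, "at least 8 characters"),
        (any(c.isupper() for c in pw), "an uppercase letter"),
        (any(c.islower() for c in pw), "a lowercase letter"),
        (any(c.isdigit() for c in pw), "a number"),
        (any(not c.isalnum() and not c.isspace() for c in pw), "a special character"),
    ]
    return [msg for ok, msg in checks if not ok]


def _mac(email: str, nonce: str, expires: str) -> str:
    return hmac.new(RESET_SECRET, f"{email}|{nonce}|{expires}".encode(),
                    hashlib.sha256).hexdigest()


def make_reset_token(email: str, now: Optional[float] = None) -> str:
    """Token for the e-mailed reset link: random nonce, expiry time and an HMAC
    over both together with the e-mail address, so none of it can be altered."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)
    expires = str(int(now + RESET_LINK_TTL))
    return f"{nonce}.{expires}.{_mac(email, nonce, expires)}"


def verify_reset_token(email: str, token: str, now: Optional[float] = None) -> bool:
    """Accept only an untampered token issued for this e-mail that has not expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    nonce, expires, mac = parts
    expected = _mac(email, nonce, expires)
    return hmac.compare_digest(expected, mac) and now < int(expires)
```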
16. HTTP TRACE Methods
The TRACE method can bypass the HttpOnly protection on a cookie, allowing an attacker to steal cookies. It is recommended to disable all unnecessary HTTP methods on the server side.
17. Iframe Security
An attacker could perform malicious activity on behalf of a user without his/her knowledge just by luring the victim to click on an evil page containing an invisible iframe of the victim domain. It is recommended to use the X-Frame-Options header, which has the following two possible values:
SAMEORIGIN - The document will be rendered (shown) in a frame only if the frame and its parent have the same origin.
DENY - The document may not be rendered inside a frame.
18. Cookies Security
An attacker can read cookies that are sent unencrypted, access them through non-HTTP means such as JavaScript, or, if the user has not logged out of his account, use them to access that account.
It is recommended to encrypt cookies and set the HttpOnly attribute on them.
The Secure flag should also be set on all cookies. This can be done at the application level and at the server level.
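One added example (not code from the original presentation) that ties together slides 6, 16, 17 and 18 at the response-building layer: a request handler that refuses unnecessary methods such as TRACE, a header set for authenticated pages with no-store caching, X-Frame-Options and a Secure/HttpOnly session cookie, and an audit function that reports which of these a captured response lacks. The allowed-method set and the `sid` cookie name are assumptions for the example.

```python
from typing import Dict, List, Tuple

# Assumed for the example: only these methods are needed; everything else
# (TRACE, PUT, DELETE, ...) is refused before any handler runs.
ALLOWED_METHODS = {"GET", "POST", "HEAD"}


def session_cookie(value: str) -> str:
    """Set-Cookie value carrying the Secure and HttpOnly flags."""
    return f"sid={value}; Path=/; Secure; HttpOnly"


def secure_response_headers(cookie_value: str) -> Dict[str, str]:
    """Headers an authenticated page should carry: no caching, no framing,
    and a hardened session cookie."""
    return {
        "Cache-Control": "no-store, no-cache, must-revalidate",
        "Pragma": "no-cache",
        "Expires": "0",
        "X-Frame-Options": "DENY",
        "Set-Cookie": session_cookie(cookie_value),
    }


def handle_request(method: str, cookie_value: str) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers). Unnecessary methods get 405 with an Allow header."""
    if method.upper() not in ALLOWED_METHODS:
        return 405, {"Allow": ", ".join(sorted(ALLOWED_METHODS))}
    return 200, secure_response_headers(cookie_value)


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Findings for one response (e.g. taken from a proxy capture);
    an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or invalid")
    cookie = h.get("set-cookie", "")
    if cookie:
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        if "secure" not in flags:
            findings.append("cookie lacks Secure")
        if "httponly" not in flags:
            findings.append("cookie lacks HttpOnly")
    return findings
```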
19. Is your web application secure?
Working on the web doesn't guarantee 100% security, since the web and malware are expanding day by day, but the above guidelines will definitely help secure your application against the most common security vulnerabilities.