Hacking an (insecure) TYPO3 v9 site during TYPO3camp Mitteldeutschland 2019 (T3CMD). Demonstrates the impact of cross-site scripting, of HMAC signing compromised by a (disclosed) encryption key leading to insecure deserialization, and of SQL injection via insecure TypoScript.
With the growth of the public Internet and e-commerce, private computers and computer networks that are not adequately secured are increasingly vulnerable to damaging attacks. Hackers, viruses, vindictive employees and even human error all represent clear and present dangers to networks, and all computer users, from the most casual Internet surfer to the largest enterprise, can be affected by network security breaches. However, security breaches can often be prevented. How? This white paper gives an overview of the most common network security threats and their countermeasures, which protect you and your organization from threats and hackers and ensure that the data travelling across your networks is safe.
Introduction to Web Application Security - Blackhoodie US 2018 - Niranjanaa Ragupathy
This slide deck is structured to start from the basics of web application security and explores common web attacks. The first half is packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in webappsec.
The deck dives into XSS, CSRF and SQL injection. It briefly outlines others like XXE, SSRF, logic errors, broken session management, and so on.
Protecting Vital Data With NIST Framework - Patrick Kerpan's Secure260 presentation 2016 - Cohesive Networks
LocusView Solutions, a Chicago-based subsidiary of the Gas Technology Institute (GTI), applied the NIST Cybersecurity Framework to pass penetration tests and compliance audits in 2015.
LocusView provides SaaS solutions to the natural gas industry, and wanted to go beyond standard regulatory compliance to save money and streamline the audit process.
As organizations spend more time and effort fighting data breaches and fearing the fallout from data loss, IT teams like LocusView's can compare their existing cybersecurity practices to the NIST Framework to quickly identify gaps in pinpointing, assessing, and managing risks in their networks.
Although the NIST Framework was created for critical infrastructure (banking, aviation, defense), all organizations can apply its principles to their operations. While traditional audit-focused standards value policies and checklists, NIST's risk-based approach focuses on business and customers.
As part of an in-depth audit, LocusView used the NIST Framework to ensure everything from customer data to cloud-based networks is truly secure.
This Word document provides a template for an IT Security & Governance Policy and is easily customisable. Areas covered are: security, data backup, virus protection, Internet and email usage, remote and third-party network access, user-account management, procurement, asset management and IS service continuity planning.
Protecting Intellectual Property and Data Loss Prevention (DLP) - Arpin Consulting
Protecting Intellectual Property and Data Loss Prevention (DLP) – what makes your business unique, different, valuable, and attracts clients and customers - presented at the Boston Business Alliance 9/23/09
Security Operations, MITRE ATT&CK, SOC Roles / Competencies - Harry McLaren
Security Operations & MITRE ATT&CK
Description: A two-topic talk covering the core functions of the blue team (security operations), common roles and the skills required to be successful, followed by an overview of the threat-led knowledge base MITRE ATT&CK and how to put it to good use for threat detection and response.
Integrating security into the development of an application is necessary to reduce its susceptibility to attacks and exploits. Traditionally, security testing was performed on the finished product. However, with the rise in the intensity and the number of attack vectors, organizations now need to include security in every phase of the SDLC.
Hacking an (insecure) TYPO3 v9 site during TYPO3 Developer Days 2019 (T3DD19). Demonstrates the impact of cross-site scripting, of HMAC signing compromised by a (disclosed) encryption key leading to insecure deserialization, and of SQL injection via insecure TypoScript.
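The HMAC-with-disclosed-key scenario described above, as an added example written for this page and not taken from the workshop or from TYPO3 core: a serialized PHP value is protected by an HMAC keyed with the site-wide encryption key (in TYPO3 v9 that key is stored in typo3conf/LocalConfiguration.php), and the demo shows why a leaked key turns the signature check into a no-op, plus the one server-side change that blunts the resulting insecure deserialization. The CacheFlusher class, the key value and the sign/verifyAndUnserialize helpers are assumptions made for this demo; a real gadget chain would come from application or vendor code.

```php
<?php
declare(strict_types=1);

// Added example, not code from the workshop slides or from TYPO3 core.
// Pattern under discussion: a serialized PHP value round-trips through the
// client (cookie, hidden field, URL parameter) protected only by an HMAC
// computed with the site-wide encryption key. Class, key value and helper
// names are assumptions made for this demo.

// Hypothetical gadget class: an application class whose __wakeup() has a
// side effect. Real gadget chains live in application or vendor code; this
// one only records the command it would have run.
final class CacheFlusher
{
    public static array $executed = [];

    public function __construct(public string $command)
    {
    }

    public function __wakeup(): void
    {
        // A real gadget might call exec($this->command) here.
        self::$executed[] = $this->command;
    }
}

function sign(string $serialized, string $key): string
{
    // The same construction the server uses: HMAC over the serialized bytes.
    return hash_hmac('sha256', $serialized, $key);
}

function verifyAndUnserialize(string $serialized, string $hmac, string $key, bool $hardened): mixed
{
    // Constant-time comparison; still meaningless once $key has leaked.
    if (!hash_equals(sign($serialized, $key), $hmac)) {
        throw new RuntimeException('HMAC mismatch, payload rejected');
    }
    // Hardened variant: never instantiate classes from the payload.
    $options = $hardened ? ['allowed_classes' => false] : [];
    return unserialize($serialized, $options);
}

// Assumed to have leaked, e.g. through an exposed typo3conf/LocalConfiguration.php
$encryptionKey = 'assumed-disclosed-encryption-key';

// 1. Legitimate use: the site signs a small settings array. Plain arrays
//    survive the hardened unserialize() unchanged.
$payload = serialize(['page' => 42, 'lang' => 'de']);
$hmac = sign($payload, $encryptionKey);
var_dump(verifyAndUnserialize($payload, $hmac, $encryptionKey, true));

// 2. An attacker who knows the key forges a valid signature for a gadget object.
$forgedPayload = serialize(new CacheFlusher('rm -rf /var/www/html'));
$forgedHmac = sign($forgedPayload, $encryptionKey);

// Vulnerable server: the signature checks out and __wakeup() runs with
// attacker-controlled data.
CacheFlusher::$executed = [];
verifyAndUnserialize($forgedPayload, $forgedHmac, $encryptionKey, false);
var_dump(CacheFlusher::$executed);

// Hardened server: same forged payload, same valid HMAC, but the object is
// restored as __PHP_Incomplete_Class and __wakeup() never runs.
CacheFlusher::$executed = [];
$result = verifyAndUnserialize($forgedPayload, $forgedHmac, $encryptionKey, true);
var_dump($result instanceof __PHP_Incomplete_Class, CacheFlusher::$executed);

// Tampering without the key is still caught: swap two bytes of the payload
// (same length, so the serialized format stays valid) and the HMAC fails.
try {
    verifyAndUnserialize(str_replace('rm', 'ls', $forgedPayload), $forgedHmac, $encryptionKey, false);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with PHP 8 (`php demo.php`). hash_equals() only defends against an attacker who does not hold the key, so after a key disclosure the fix is twofold: rotate the encryption key, and, as the hardened branch shows, never let unserialize() instantiate classes from data that has passed through the client (allowed_classes => false, or a format such as JSON that has no object semantics at all).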
Content Security Policy (CSP) is a web security standard introduced to prevent cross-site scripting and other code injection attacks resulting from malicious content being executed in the trusted web page context. TYPO3 v12 comes with integrated CSP support, policy modeling, and violation report handling.
This talk presents the basic concepts, common pitfalls, and potential solutions for using a secure and strict Content Security Policy.
Talk during TYPO3 Developer Days 2023: https://t3dd23.typo3.com/program/sessions/content-security-policy-concept-strategies-pitfalls-561
Getting to Know Security and Devs: Keys to Successful DevSecOps - Franklin Mosley
In the past, security was seen as a function of the 'security' organization. With DevOps, we aim to break down these silos and make security a shared responsibility. What do security and development teams need to know about each other to work together more effectively?
Widespread security flaws in web application development 2015 - mahchiev
Widespread security flaws in web application development:
* SQL Injection - hands-on example
* Cross-Site Scripting (XSS)
* Cross-Site Request Forgery
* HTTP Strict Transport Security
The security phoenix - from the ashes of DEV-OPS Appsec California 2020 - NSC42 Ltd
Title:
The Security Phoenix
Subtitle:
From the ashes of DEVOPS
Synopsis:
The talk will take the audience on a path to integrate security into development, covering aspects like SDLC, people and technology, metrics, and the maturity matrix. The talk will focus on several aspects:
• Visibility of vulnerabilities in production
• Traceability of software builds and the source of their components
• Visualization of vulnerabilities and targets (divided by quarter, build vs. fix)
• Maturity matrix and path to evolution with KCI
• Advanced concepts like breaking the build and licence to operate
If time is available, the talk will explore some additional lessons learned.
Rough length: compressed 25+5 min; long version 30 min.
Audience take-away:
● How to build a cybersecurity programme with people and technology at its heart
● How and why to trace components and how they are built
● Why visibility in production and traceability are important
● How to set targets for product teams and what to measure in the various phases
● How to involve risk assessment and where to apply governance
● Use cases for visualizing vulnerabilities
Cyber Security Workshop @SPIT - 3rd October 2015 - Nilesh Sapariya
Got invited to conduct a workshop on 'Cyber Security' at a top-notch engineering college, Sardar Patel Institute of Technology, Andheri, on 3rd October 2015.
Student feedback:
https://drive.google.com/file/d/0B_uWWP1uW7TFWVdTanJFdTlqNkE/view?usp=sharing
Appreciation letter:
https://drive.google.com/file/d/0B_uWWP1uW7TFMkVVUTR4V1JTN2c/view?usp=sharing
The goal of this Network Hacking Training is to help you master an ethical hacking methodology that can be used in penetration testing or ethical hacking engagements. You walk out the door with ethical hacking skills that are in high demand.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security. - ITCamp
Security? It's simple. We have a Security Team... The security of our environment, applications and development is their business. We follow best practices, we implement their suggestions (or not...).
But maybe today, in June 2018, when GDPR is a fact, we should look a little more closely at the security aspects: well-known and less-known risks, vulnerability assessments, secure coding, secure testing,
Let's discuss SEC/DEV/OPS/SDLC/OSSTMM/OWASP/ITIL and a few other acronyms. Use freely available knowledge and a specially prepared environment to check and test our security before we touch our Visual Studio, PowerShell, CLI, Visual Studio Code, or even JSON. Be #SecureByDesign
"Designing Secure Infrastructure for High Growth Product" by Rendra Perdana (...Tech in Asia ID
Rendra Perdana is a security and system engineering enthusiast. He loves to build, tune and secure technology platforms.
***
This deck was shared at Tech in Asia Product Development Conference 2017 (PDC'17) on 9-10 August 2017.
Get more insightful updates from TIA by subscribing at techin.asia/updateselalu
With agile and faster delivery becoming a norm, building security into the software is the best way to deliver secure software at the pace of DevOps. Then, what are the different people aspects, processes, practices and tools that uphold security seamlessly?
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and... - Erkang Zheng
Explores the challenges of DevSecOps from both an organizational culture and a technical implementation angle. Shares the security manifesto that drives the security team mindset and operating model at LifeOmic, and how JupiterOne leverages data, graph, and query to answer security and compliance questions in an automated, code-driven way. Including asset inventory, cloud resource visibility, permission reviews, vulnerability analysis, artifacts and evidence collection.
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av... - Cristian Garcia G.
Today most of the traffic reaching companies' web applications is SSL traffic, which leaves us with different options for addressing visibility and control of encrypted traffic: trust all SSL traffic and let it pass uninspected, or increase the capacity of the security devices. Which way to go?
No less important are all those attacks that reach the company's core applications from actors seeking to put their integrity, availability and security at risk, for example bots and DDoS attacks.
Are you protected against advanced threats?
Demystify Information Security & Threats for Data-Driven Platforms With Cheta... - Chetan Khatri
Pragmatic presentation on Penetration testing for Data-Driven Platforms.
Agenda:
- Motivation
- Information Security - Ethics.
- Encryption
- Authentication
- Information Security & Potential threats with Open Source World.
- Find vulnerabilities.
- Checklist before using any Open Source library.
- Vulnerabilities report.
- Penetration Testing for Data-Driven Developments.
Getting started with security assessments using static code analysis, new possibilities and also their limits: PsalmPHP, SonarCloud, RIPS Tech, DeepCode.ai, Snyk.io
TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?" ("Where do we want to go?") - Oliver Hader
Keynote at TYPO3camp 2018 in Munich with a review of the achievements of the past ten years, an overview of important features of TYPO3 v9, and an outlook on technological topics and a possible future working mode for the development of the TYPO3 core.
The open-source content management system TYPO3 has established itself, especially in the German-speaking part of Europe, as a reliable content management system for a wide range of use cases; it is used by regional clubs as well as by listed companies. Over the history of TYPO3 since 1997, numerous core components have been successively modernised, cleaned up and extended.
The analysis patterns Event Sourcing and Command Query Responsibility Segregation originate from the Domain-Driven Design field and redefine existing data-processing processes. First, an application is split into two parts: one for exclusively modifying operations (write model) and one for exclusively querying operations (read model), for example for presentation in a user interface. Communication within the application domain takes place only through commands and events, which refer to changes that have actually occurred. Instead of storing only the end state in the database for each modification, all events that occurred are stored. By replaying all events, the actual end state can be reconstructed at any point in time. Using so-called projections, this state is stored in the database in the familiar form, or can additionally be written to the file system as HTML.
This thesis analyses the possible applications of Event Sourcing within the content management system in order to make the overall system more robust and reliable; a particular focus is on reducing the technical complexity of workspaces in TYPO3. The processes and their consequences are explained using implemented prototypes that relate to generic data models as well as to a specific application using the Model-View-Controller framework Extbase.
Talk at TYPO3 Conference 2016 in Bologna/Italy. Basic insights into hacking websites with SqlMap and BeEF XSS and considerations to prevent that. Screencasts of SQLi and XSS at https://www.youtube.com/watch?v=VIGVlmaKqxY & https://www.youtube.com/watch?v=WBDWWv5zdUQ
Session at TYPO3camp Vienna 2016 about development aspects behind the scenes in the TYPO3 project. Topics are Backend Apps, Job & Messaging Queue, Event Sourcing & CQRS
Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P... (Advantages and disadvantages of Web Components with Polymer compared to AngularJS without P...) - Oliver Hader
In web application development, the increasing shift of originally server-side logic into the web browser leads to new challenges and new solution approaches. This contribution compares the JavaScript framework AngularJS with the still relatively new Web Components standard, taking the Polymer framework into account. For the evaluation, everyday and typical web development tasks are considered and assessed for the two projects under investigation. The focus is also on customisability, reliability and everyday usability for web developers.
WebGL - 3D in the browser - experience report with BabylonJS - Oliver Hader
Short overview and introduction to WebGL and 3D rendering in the browser, given as a talk at the Institute for Information Systems of Hof University (iisys) in cooperation with the Open Web User Group Oberfranken and the IT-Cluster Oberfranken. Talk from 30 June 2015.
Short overview and introduction to HTML5 Web Components, given as a talk at the Institute for Information Systems of Hof University (iisys) in cooperation with the Open Web User Group Oberfranken and the IT-Cluster Oberfranken. Talk from 30 June 2015.
The number of illegal cyber activities has increased sharply in recent years. Many aspects of daily life, both private and professional, are now handled predominantly via web technologies. Attacks on these applications and the information they provide take place automatically every day. There are, however, some fundamental measures to reduce the vulnerability of web applications, which should already be taken into account during design and development. Since threat scenarios change and the methodology applied evolves, the term "security" should generally be regarded as an ongoing process.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in the Software Delivery Lifecycle using a Deployment Firewall and DBOM
The modern software delivery process (the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. A constant focus on speed to release software to market, combined with traditionally slow and manual security checks, has left gaps in continuous security as an important piece of the software supply chain. Today organizations feel more susceptible to external and internal cyber threats because of the vast attack surface of their application supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerabilities and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery process. This talk presents strategies and techniques for providing visibility into the true risk of existing vulnerabilities, preventing the introduction of security issues into the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with a passion for technology and making things work, along with a knack for helping others understand how things work. He has around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations on CI/CD and application security integrated into the software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
2. TYPO3 Developer Days 2019 - Web Application Security Workshop - oliver.hader@typo3.org
~# whoami
Oliver Hader (@ohader)
▪ Research & Development
▪ Security Team Lead
▪ 50% TYPO3 GmbH
▪ 50% freelance software engineer
▪ #hof #cycling #paramedic #in.die.musik
3. Disclaimer
▪ session probably recorded
▪ real attack vectors are shown
▪ hackers probably knew already
▪ official security fixes available
▪ report to security@typo3.org
4. Agenda
▪ Attack technique basics (XSS, SQLi, deserialization)
▪ Attack tools/simulation (SQLmap, BeEF, BoNeSi)
▪ Phar Stream Vulnerability & Wrapper
▪ CVSSv3 vulnerability scoring
▪ TYPO3 Security Team
▪ Capture the Flag
5. What is your agenda? Do you have questions?
6. Web Application Security Basics
7. Web Application Security
▪ CIA/compliance triad
  ▪ confidentiality
    ▪ private, personal, sensitive information
  ▪ integrity
    ▪ manipulation of information (“fake news”)
  ▪ availability
    ▪ denial of service
    ▪ online bank account
    ▪ blocking information flow
  (source: https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/)
8. Hacking Playground - CONFIDENTIALITY - unauthorised access to information
9. Hacking Playground - INTEGRITY - e.g. manipulated information
10. Hacking Playground - AVAILABILITY - information/service not available
11. Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
[Chart: TYPO3 vulnerabilities in past 5 years, split into TYPO3 core, TYPO3 3rd party extensions and PHP world]
12. Web Application Security
attack chains - multiple components might be affected
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
19. Cross-Site Scripting - basics
XSS with Fluid - f:format.html relies on TypoScript being available
20. Cross-Site Scripting - basics
ViewHelper without any escaping == potentially vulnerable to XSS
21. http://typo3v9-hack.ddev.site:3000/ui/panel // admin & joh316
22. XSS exploitation
23. Browser Exploitation Framework in action
24. Browser Exploitation Framework in action
27. SQL injection basics
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT … WHERE uid=10 AND 1=1 -- AND pid>0; // bool true
▪ SELECT … WHERE uid=10 AND 1=0 -- AND pid>0; // bool false
▪ SELECT … WHERE uid=10 AND SLEEP(10) -- AND pid>0; // time
▪ comment literals (MySQL)
  ▪ --
  ▪ #
  ▪ /* data */
28. SQL injection basics
▪ SELECT … WHERE uid=10 AND pid>0;
▪ SELECT uid,pid,header WHERE uid=10
  UNION SELECT username,password,3
  FROM be_users WHERE SUBSTR(username, 1, 1) = 'a'
  LIMIT 1,1
  -- AND pid>0;
▪ … FROM be_users WHERE SUBSTR(username, 2, 1) = 'd' …
▪ … FROM be_users WHERE SUBSTR(username, 3, 1) = 'm' …
▪ … FROM be_users WHERE SUBSTR(username, 4, 1) = 'i' …
▪ … FROM be_users WHERE SUBSTR(username, 5, 1) = 'n' …
29. SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = TEST;
30. SQL injection QueryBuilder WHERE
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = 0;
31. SQL injection QueryBuilder WHERE (prepared statement)
SELECT `uid`, `header` FROM `tt_content` WHERE `uid` = :dcValue1; ✔
32. SQL injection QueryBuilder WHERE
… WHERE `header` LIKE '%a%_%b%';
33. SQL injection QueryBuilder WHERE
… WHERE `header` LIKE '%a%_%b%'; ✔
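Added example (not from the slides): the injection patterns of slides 27/28 and the three QueryBuilder variants of slides 29-33, replayed against an in-memory SQLite database with plain PDO so it runs without TYPO3. The bound parameter corresponds to what TYPO3's QueryBuilder does with createNamedParameter() (the :dcValue1 placeholder), the manual LIKE escaping to escapeLikeWildcards(); table names and rows are constructed.

```php
<?php
// Added example, not from the slides: string interpolation vs. bound
// parameters, and LIKE wildcard escaping, against SQLite via PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed sample schema and rows; table names follow the slides.
$pdo->exec('CREATE TABLE tt_content (uid INTEGER, pid INTEGER, header TEXT)');
$pdo->exec('CREATE TABLE be_users (username TEXT, password TEXT)');
$pdo->exec("INSERT INTO tt_content VALUES (10, 1, 'Welcome'), (11, 1, 'Hidden 100% secret')");
$pdo->exec("INSERT INTO be_users VALUES ('admin', 'constructed-hash')");

// Vulnerable: the request value becomes SQL text (slide 29, `uid` = TEST).
function findVulnerable(PDO $pdo, string $uid): array
{
    $sql = "SELECT uid, pid, header FROM tt_content WHERE uid=$uid AND pid>0";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// Hardened: cast to int and bind (slides 30/31); the value can never
// change the structure of the statement.
function findSafe(PDO $pdo, string $uid): array
{
    $stmt = $pdo->prepare('SELECT uid, pid, header FROM tt_content WHERE uid=:uid AND pid>0');
    $stmt->execute([':uid' => (int)$uid]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// LIKE search: binding alone is not enough, % and _ are still wildcards
// inside the bound value, so escape them first (slides 32/33).
function searchHeader(PDO $pdo, string $needle): array
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $needle);
    $stmt = $pdo->prepare("SELECT header FROM tt_content WHERE header LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Slide 28's UNION payload (straight quotes instead of typographic ones).
$payload = "10 UNION SELECT username,password,3 FROM be_users"
    . " WHERE SUBSTR(username, 1, 1) = 'a' LIMIT 1,1 -- ";
print_r(findVulnerable($pdo, $payload)); // the be_users row leaks: admin, constructed-hash, 3
print_r(findSafe($pdo, $payload));       // (int)$payload === 10: only [10, 1, 'Welcome']
print_r(searchHeader($pdo, '100%'));     // ['Hidden 100% secret']: % is matched literally
print_r(searchHeader($pdo, '1%s'));      // []: an unescaped '%1%s%' would have matched
```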
44. Insecure Deserialization - Basics
__destruct() or __wakeup() methods are executed on deserialization
45. Insecure Deserialization - Basics
user submitted payload to be deserialized
46. allowed_classes introduced with PHP 7.0 (Polyfill available)
47. Insecure Deserialization - TYPO3-CORE-SA-2019-020
▪ https://typo3.org/security/advisory/typo3-core-sa-2019-020/
▪ https://blog.ripstech.com/2019/typo3-overriding-the-database/
▪ overrideVals[<table>][l10n_diffsource]=<serialized payload>
▪ addressed on June 25th, 2019
48. Insecure Deserialization - Basics
__destruct() saves content to filesystem
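Added example (not from the slides) for slides 44-48: a constructed stand-in class whose __destruct() writes its content to the filesystem, the serialized string an attacker would submit for it, and the effect of the allowed_classes option from slide 46. ContentDumper and the target path under the system temp directory are constructed for the demo.

```php
<?php
// Added example, not from the slides: __destruct() gadget vs. allowed_classes.
class ContentDumper
{
    public $path;
    public $content;

    // Runs when the object is freed, also for objects that unserialize()
    // built from untrusted input: the object's own fields steer the write.
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);
    }
}

// Serialized payload as it could arrive in a request parameter (the slides'
// overrideVals[<table>][l10n_diffsource]); built by hand so that no real
// object, and therefore no destructor, exists before the demo starts.
$target  = sys_get_temp_dir() . '/deser-demo.txt';
$message = "written by __destruct()\n";
$payload = sprintf(
    'O:13:"ContentDumper":2:{s:4:"path";s:%d:"%s";s:7:"content";s:%d:"%s";}',
    strlen($target), $target, strlen($message), $message
);
@unlink($target);

// Vulnerable: any class is instantiated, the result is dropped at once,
// and __destruct() fires with attacker-controlled path and content.
unserialize($payload);
var_dump(file_exists($target));  // bool(true)
@unlink($target);

// Hardened (PHP >= 7.0): no class may be restored. The value becomes a
// __PHP_Incomplete_Class and neither __wakeup() nor __destruct() run.
$obj = unserialize($payload, ['allowed_classes' => false]);
var_dump($obj instanceof __PHP_Incomplete_Class);  // bool(true)
var_dump(file_exists($target));                      // bool(false)

// For user-supplied structures, JSON never instantiates classes at all.
$data = json_decode('{"path":"/tmp/x","content":"y"}', true, 512, JSON_THROW_ON_ERROR);
var_dump(is_array($data));  // bool(true)
```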
49. Remote Code Execution #1
making use of FileCookieJar as attack container
50. Remote Code Execution #1
prepare attack against TYPO3 backend
51. Remote Code Execution #1
actual attack payload that shall be executed
52. Remote Code Execution #1
XSRF token needs to be known (valid backend user required)
53. Remote Code Execution #1
output of injected & executed /typo3/hack.php
54. Remote Code Execution #1
… new admin user h4ck3r31 …
56. Other™ random topics
▪ File Upload
  ▪ check/deny extensions (file deny pattern)
  ▪ check mime-types - image/png, text/html, …
▪ Extbase controller actions
  ▪ user/group access needs individual handling
  ▪ classic: logged in user can access profile data of others
▪ Directory Traversal
  ▪ zip bundle.zip ../malicious.php
  ▪ depends on how it is extracted
57. phar://…
58. https://packagist.org/packages/typo3/phar-stream-wrapper
59.
▪ usually used like
  require_once('phar://bundle.phar/vendor/autoload.php');
  $service = new BundleService();
▪ Phar archives are vulnerable to insecure deserialisation
  ▪ all Phar archives in every PHP version (since 5.3)
  ▪ using "phar://" stream wrapper is required here
  ▪ however, applies to regular file calls as well
    ▪ is_file(), file_exists(), fopen(), file_get_contents(), …
    ▪ is_file($_GET['fileName']) // … user submitted data
60. demo web application
61. file does exist - correct
62. result of implicit insecure deserialization
64. building hybrid Phar archive
65. PharStreamWrapper in TYPO3 core
66.
▪ TYPO3\CMS\Core\IO\PharStreamWrapperInterceptor
  ▪ TYPO3 core - Phar only in typo3conf/ext/ directories
▪ TYPO3\PharStreamWrapper\…\PharExtensionInterceptor
  ▪ Phar only with file extension ".phar"
▪ TYPO3\PharStreamWrapper\…\PharMetaDataInterceptor
  ▪ Phar only without serialized objects in meta-data
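Added example (not from the slides, and not the package's own code): registering typo3/phar-stream-wrapper with the two interceptors from slide 66, plus an application-side check for the is_file($_GET['fileName']) case from slide 59. It assumes `composer require typo3/phar-stream-wrapper` with vendor/autoload.php next to the script; the input path and the isPlainLocalPath() helper are constructed for the demo.

```php
<?php
// Added example: PharStreamWrapper registration and a request-path check.
require_once __DIR__ . '/vendor/autoload.php';

use TYPO3\PharStreamWrapper\Behavior;
use TYPO3\PharStreamWrapper\Exception as PharStreamWrapperException;
use TYPO3\PharStreamWrapper\Interceptor\PharExtensionInterceptor;
use TYPO3\PharStreamWrapper\Interceptor\PharMetaDataInterceptor;
use TYPO3\PharStreamWrapper\Manager;
use TYPO3\PharStreamWrapper\PharStreamWrapper;

// Replace PHP's built-in phar:// handler by the interceptable one; every
// phar:// access (also implicit ones via is_file() etc.) is now asserted.
Manager::initialize(
    (new Behavior())
        ->withAssertion(new PharExtensionInterceptor())   // only *.phar paths
        ->withAssertion(new PharMetaDataInterceptor())    // no objects in meta-data
);
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
    stream_wrapper_register('phar', PharStreamWrapper::class);
}

// Constructed helper: refuse any stream-wrapper scheme, NUL bytes and
// traversal before a request value reaches a file function at all.
function isPlainLocalPath(string $path): bool
{
    return preg_match('#^[a-z][a-z0-9+.-]*://#i', $path) !== 1
        && strpos($path, "\0") === false
        && strpos($path, '..') === false;
}

// Constructed input: a Phar renamed to .jpg (slide 64's "hybrid" archive)
// wrapped in phar://, as slide 59's is_file($_GET['fileName']) would see it.
$userInput = 'phar://fileadmin/user_upload/avatar.jpg/test.txt';
if (!isPlainLocalPath($userInput)) {
    echo "rejected by application check\n";
}
try {
    // Even if the check above were missing, the wrapper stops the access:
    // the extension assertion fails before any meta-data is unserialized.
    var_dump(is_file($userInput));
} catch (PharStreamWrapperException $e) {
    echo 'blocked by PharStreamWrapper: ', $e->getMessage(), "\n";
}
```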
67. Vulnerability Reporting - CVSSv3, Mitre & Co.
69. How to report a security vulnerability?
▪ always report via mail to security@typo3.org (Security Team)
▪ don't post potential attacks to Forge, Twitter, … (public media)
▪ inform security team in case vulnerabilities are leaked
▪ please be patient & wait for feedback
  ▪ approx. first response time is ~8 hours
70. Responsible Disclosure Workflow
▪ report vulnerability to vendor (here: security team)
▪ wait for feedback, questions or confirmation of the issue
▪ ask for status updates in case there is no activity
▪ declare deadline for full disclosure (e.g. 90 days)
  ▪ in case the vendor does not take action: public disclosure
▪ vendors (should) have an interest in releasing security bulletins
  ▪ hiding vulnerabilities creates a false sense of security
71. Responsible Disclosure Workflow
https://blog.ripstech.com/2019/typo3-overriding-the-database/
73. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
74. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
75. https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
76. CVSSv3 example #1
▪ CVE-2013-1937
▪ phpMyAdmin Reflected Cross-site Scripting Vulnerability
▪ “Reflected cross-site scripting (XSS) vulnerabilities are present on the tbl_gis_visualization.php page in phpMyAdmin 3.5.x, before version 3.5.8. These allow remote attackers to inject arbitrary JavaScript or HTML via the (1) visualizationSettings[width] or (2) visualizationSettings[height] parameters.”
77. CVSSv3 example #1
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
78. CVSSv3 example #2
▪ CVE-2016-1645
▪ Google Chrome PDFium JPEG 2000 Remote Code Execution Vulnerability
▪ “Allows remote attackers to execute arbitrary code on vulnerable installations of Google Chrome. User interaction is required to exploit this vulnerability in that the victim must visit a malicious page or open a malicious file. Flaw exists within the handling of JPEG 2000 images. Specially crafted JPEG 2000 image embedded inside a PDF can force Google Chrome to write memory past the end of an allocated object. Attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.”
79. CVSSv3 example #2
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
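Added example (not from the slides): the CVSSv3.0 base score formula from the FIRST specification, implemented for vector strings of the kind the NVD calculator above produces, so the scoring of examples #1 and #2 can be reproduced offline. The two vectors at the end are assumptions derived from the CVE descriptions on slides 76 and 78, not values taken from NVD; confirm them in the calculator.

```php
<?php
// Added example: CVSSv3.0 base score from a vector string.
function cvss3BaseScore(string $vector): float
{
    $m = [];
    foreach (explode('/', preg_replace('#^CVSS:3\.0/#', '', $vector)) as $part) {
        [$metric, $value] = explode(':', $part, 2);
        $m[$metric] = $value;
    }
    $av  = ['N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.20][$m['AV']];
    $ac  = ['L' => 0.77, 'H' => 0.44][$m['AC']];
    $ui  = ['N' => 0.85, 'R' => 0.62][$m['UI']];
    // Privileges Required weighs more once the scope changes.
    $pr  = $m['S'] === 'C'
        ? ['N' => 0.85, 'L' => 0.68, 'H' => 0.50][$m['PR']]
        : ['N' => 0.85, 'L' => 0.62, 'H' => 0.27][$m['PR']];
    $cia = ['H' => 0.56, 'L' => 0.22, 'N' => 0.0];

    $iss = 1 - (1 - $cia[$m['C']]) * (1 - $cia[$m['I']]) * (1 - $cia[$m['A']]);
    $impact = $m['S'] === 'C'
        ? 7.52 * ($iss - 0.029) - 3.25 * (($iss - 0.02) ** 15)
        : 6.42 * $iss;
    $exploitability = 8.22 * $av * $ac * $pr * $ui;
    if ($impact <= 0) {
        return 0.0;
    }
    $raw = $m['S'] === 'C'
        ? min(1.08 * ($impact + $exploitability), 10)
        : min($impact + $exploitability, 10);
    return ceil($raw * 10) / 10;   // v3.0 "round up" to one decimal place
}

// Example #1 (assumed vector): reflected XSS reachable from the network, no
// privileges, user interaction, scope changed (runs in the victim's browser).
echo cvss3BaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'), "\n";  // 6.1
// Example #2 (assumed vector): code execution after opening a malicious
// page or file, scope unchanged, high impact on C/I/A.
echo cvss3BaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'), "\n";  // 8.8
```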
80. https://typo3.org/security/advisory/typo3-psa-2019-007/
81. https://typo3.org/security/advisory/typo3-psa-2019-007/
82. https://nvd.nist.gov/vuln/detail/CVE-2019-11831
83. https://nvd.nist.gov/vuln/detail/CVE-2019-11831
84. TYPO3 Security Team
85.
▪ triage and answer reports
▪ communicate with reporters (individuals, pen-testers)
▪ forward information to maintainers (core, extension author, …)
▪ frankly remind people in case activity is kind of low
▪ coordinate releases & release dates
▪ compile information into security bulletins / announcements
▪ educate & raise awareness in teams & community
86. Capture the Flag
87. https://www.root-me.org/en/Challenges/Web-Server/
88. https://ctf.hacker101.com/ctf
89.
▪ https://www.root-me.org/en/Challenges/Web-Server/SQL-injection-Error # might work with SQLmap
▪ https://ctf.hacker101.com/ctf/launch/7 # check public API
90. References
▪ Running an SQL Injection Attack: // "Computerphile", nice series
  https://www.youtube.com/watch?v=ciNHn38EyRc
▪ WordPress WPDB SQL Injection: // nice, on "custom" escaping
  https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html
▪ CVSSv3 Examples:
  https://www.first.org/cvss/v3.0/examples