The document introduces the Browser Exploitation Framework (BeEF), which allows penetration testers to target client-side applications from within the context of the browser. BeEF can pivot through client systems to internal networks that are not directly exposed. It discusses how BeEF hooks browsers, its architecture including core components and extensions, and example command modules and use cases. It also provides instructions for customizing BeEF by developing new command modules and extensions.
ICEfaces EE - Enterprise-ready JSF Ajax FrameworkICEsoftTech
ICEfaces EE is a JSF/AJAX development framework that allows enterprises to quickly build rich web and mobile applications. It provides a certified code base that is fully tested and compatible with various Java EE technologies. ICEfaces EE offers subscriptions that provide access to the code base, components, support, and expertise to ensure robust and stable application performance. It also allows extending applications to mobile devices. Key benefits include certified and optimized software releases, support for various platforms, and assistance from technical experts.
Getting Started with Rails on GlassFish (Hands-on Lab) - Spark IT 2010Arun Gupta
This document provides an overview of getting started with Ruby on Rails development on GlassFish. It discusses installing JRuby, Rails, the GlassFish gem, and creating a sample Rails application with CRUD functionality. It also covers deploying Rails applications to GlassFish using directory deployment and WAR deployment, as well as options for monitoring and improving performance of Rails applications on GlassFish.
Alessio Soldano is a principal software engineer at JBoss/Red Hat who has been a committer to the JBoss WS project since 2007. He leads the JBoss Web Services team. JBoss WS provides integration of the Apache CXF web services framework with the JBoss Application Server. This integration allows CXF's features and compliance with web services specifications to be used within the JBoss AS container. Alessio demonstrated how to deploy basic web service endpoints and use WS-Security with the JBoss AS 7.1 container.
Powering the Next Generation Services with Java Platform - Spark IT 2010Arun Gupta
This document discusses the evolution and capabilities of the Java platform. It outlines the major releases of the Java Development Kit and Java EE over time. It also describes some of the key features and technologies available in the Java ecosystem today, including Java EE, JavaFX, RESTful and SOAP web services, dynamic languages support, and Project Jigsaw for modularity. The document promotes the Java platform as powering next generation applications and services.
The ServletContext represents the servlet context and allows communication between servlets and the servlet container. It provides access to context-wide resources such as initialization parameters, servlet context attributes, and logging. Some key things about the ServletContext:
- There is one instance per web application per Java Virtual Machine (JVM)
- Can be accessed by any servlet in the web application
- Contains information like context path, MIME types, etc.
- Allows servlets to share resources and configuration parameters
- Attributes set in the ServletContext are accessible by any servlet
So in summary, the ServletContext provides servlets with a way to share global data and configuration for a web application in a
The document discusses TorqueBox, an open-source application server for Ruby that allows Ruby applications to take advantage of features typically found in Java application servers. It provides high-level overviews of TorqueBox's development process, deployment descriptors, and rake tasks. Developers can easily install TorqueBox, deploy and undeploy applications using rake tasks, and configure applications via deployment descriptors. The hot deployment capabilities allow applications to be reloaded automatically when changes are detected.
ICEfaces EE - Enterprise-ready JSF Ajax FrameworkICEsoftTech
ICEfaces EE is a JSF/AJAX development framework that allows enterprises to quickly build rich web and mobile applications. It provides a certified code base that is fully tested and compatible with various Java EE technologies. ICEfaces EE offers subscriptions that provide access to the code base, components, support, and expertise to ensure robust and stable application performance. It also allows extending applications to mobile devices. Key benefits include certified and optimized software releases, support for various platforms, and assistance from technical experts.
Getting Started with Rails on GlassFish (Hands-on Lab) - Spark IT 2010Arun Gupta
This document provides an overview of getting started with Ruby on Rails development on GlassFish. It discusses installing JRuby, Rails, the GlassFish gem, and creating a sample Rails application with CRUD functionality. It also covers deploying Rails applications to GlassFish using directory deployment and WAR deployment, as well as options for monitoring and improving performance of Rails applications on GlassFish.
Alessio Soldano is a principal software engineer at JBoss/Red Hat who has been a committer to the JBoss WS project since 2007. He leads the JBoss Web Services team. JBoss WS provides integration of the Apache CXF web services framework with the JBoss Application Server. This integration allows CXF's features and compliance with web services specifications to be used within the JBoss AS container. Alessio demonstrated how to deploy basic web service endpoints and use WS-Security with the JBoss AS 7.1 container.
Powering the Next Generation Services with Java Platform - Spark IT 2010Arun Gupta
This document discusses the evolution and capabilities of the Java platform. It outlines the major releases of the Java Development Kit and Java EE over time. It also describes some of the key features and technologies available in the Java ecosystem today, including Java EE, JavaFX, RESTful and SOAP web services, dynamic languages support, and Project Jigsaw for modularity. The document promotes the Java platform as powering next generation applications and services.
The ServletContext represents the servlet context and allows communication between servlets and the servlet container. It provides access to context-wide resources such as initialization parameters, servlet context attributes, and logging. Some key things about the ServletContext:
- There is one instance per web application per Java Virtual Machine (JVM)
- Can be accessed by any servlet in the web application
- Contains information like context path, MIME types, etc.
- Allows servlets to share resources and configuration parameters
- Attributes set in the ServletContext are accessible by any servlet
So in summary, the ServletContext provides servlets with a way to share global data and configuration for a web application in a
The document discusses TorqueBox, an open-source application server for Ruby that allows Ruby applications to take advantage of features typically found in Java application servers. It provides high-level overviews of TorqueBox's development process, deployment descriptors, and rake tasks. Developers can easily install TorqueBox, deploy and undeploy applications using rake tasks, and configure applications via deployment descriptors. The hot deployment capabilities allow applications to be reloaded automatically when changes are detected.
Java EE 6 and GlassFish v3: Paving the path for futureArun Gupta
Java EE 6 and GlassFish v3 aim to pave the path for the future by right-sizing the Java EE platform, making it more extensible, and easier to develop on. Key changes include introducing profiles like the Web Profile, pruning unused technologies, embracing open source frameworks, and continuing to improve the annotation-based programming model. GlassFish v3 is the reference implementation of Java EE 6 and includes new features like modular architecture, embeddability, and RESTful monitoring and management interfaces.
Java EE 6 and GlassFish v3: Paving the path for futureArun Gupta
This session provides an overview of Java EE 6 and GlassFish v3. Using multiple simple-to-understand samples it explains the value propositionprovided by Java EE 6.
You're on another typical JavaEE-based project, and you find yourself writing the same old infrastructure code - again. Are you wondering if there's a easier way to incorporate the basics such as configuration, logging, HTTP, and email into your application? If so, then this presentation is for you. By using a number of Java-based utilities from Apache and similar projects, you can learn how to stop re-inventing the wheel.
We'll start with a simple Java application and add the ability to use:
Apache Commons Lang for String handling
Apache Commons Configuration to configure an application
Apache Velocity Templates and Apache Commons Email to format and send email messages
Apache Commons IOUtils to simplify File and Stream I/O
Apache POI to generate Excel spreadsheets
Joda Time to simplify Date/Time handling
SLF4J and Logback to log messages
Jasypt to encrypt sensitive data
By learning to leverage these utilities, attendees can simplify their applications by reducing/eliminating infrastructure code.
The document provides instructions for configuring MySQL replication between a master and slave server. It describes setting up the master server with a server ID and binary logging. It also covers dumping the master database to include replication metadata. On the slave server, it describes configuring a server ID and relay log, as well as optionally enabling binary logging. The replication user is then created on the master and granted privileges before adjusting any firewall rules.
Running your Java EE applications in the CloudArun Gupta
This document discusses running Java EE 6 applications in the cloud using various platforms. It provides an overview of Java EE 6 and how it is well-suited for cloud deployments. It then discusses specific implementations on Amazon EC2, RightScale, Elastra, Joyent, and GlassFish distributions and roadmaps.
This document provides information about FLOW3, a PHP-based web application platform. It discusses what FLOW3 is, its key features like being well-suited for enterprise applications and having easy-to-read source code. It also covers FLOW3's advanced features like object persistence with Doctrine2 and support for test-driven development. The document describes requirements to use FLOW3 like supported operating systems and databases. It includes steps for downloading, installing, and testing a FLOW3 application. It demonstrates creating a sample blog application in FLOW3 and interacting with the database. Finally, it discusses FLOW3 packages, application contexts, and ways to fine-tune applications.
Arun Gupta: London Java Community: Java EE 6 and GlassFish 3 Skills Matter
This document discusses Java EE 6 and GlassFish 3. It outlines that Java EE 6 and GlassFish 3 aim to provide a light-weight, extensible, and powerful platform. Key goals for Java EE 6 include making it more flexible, extensible by embracing open source frameworks, and easier to use and develop on. GlassFish 3 is the open source reference implementation of Java EE 6 and includes new features like clustering and centralized administration.
This document summarizes common Ruby on Rails security issues and best practices for addressing them. It covers potential information leaks from application setup and deployment, cross-site scripting vulnerabilities from unsanitized user input, session fixation issues, cross-site request forgery problems, SQL injection protection, preventing JavaScript hijacking, securing mass assignment, and security risks related to third-party Rails plugins. The document provides explanations of each issue and recommendations for configuration and code changes to enhance the security of Rails applications.
OSGi-enabled Java EE Applications using GlassFish at JCertif 2011Arun Gupta
This document discusses OSGi-enabled Java applications in GlassFish. It provides an overview of OSGi and how it is used in GlassFish to provide modularity. Key points include:
- OSGi allows applications to be broken into modules or bundles that can be installed, uninstalled, started and stopped dynamically without restarting the container.
- In GlassFish, all modules are OSGi bundles which run on top of the OSGi framework. This provides stronger modularity compared to a non-OSGi application server.
- Benefits of using OSGi in GlassFish include demanding stronger modularity, enabling custom tailored application servers, and lazy loading of bundles based on usage patterns.
This document discusses a PHP push notification system using MQTT protocol. It requires a Mosquitto MQTT server, Node.js, and Socket.io module to function. The client code connects to the Node.js server via Socket.io and subscribes to topics to listen for notifications. The Node.js code acts as a broker, connecting to the MQTT server and filtering websocket data based on topics. It listens for new notifications from MQTT and sends them to clients via websockets.
Applet Returns: The new generation of Java Plug-insSerge Rehem
This article will reveal the most important changes in the Java Plug-in architecture since JDK1.6update10, showing practical examples why we believe Applets are definitively back.
Java EE 6 & GlassFish = Less Code + More Power at CEJUGArun Gupta
The document discusses Java EE 6 and GlassFish, which provide developers with more power and flexibility while requiring less code. Key features of Java EE 6 like EJB 3.1, CDI, and JSF 2.0 incorporate more annotations and reduce the need for deployment descriptors. GlassFish is the open source reference implementation of Java EE 6 and offers benefits like modularity, embeddability, and support for cloud computing. Future versions of Java EE and GlassFish will focus on continued standards-based innovation.
The document provides an overview and agenda for a presentation on Immutant, an application server for Clojure powered by JBoss AS7. The presentation will introduce Immutant, discuss why it was created, demonstrate its capabilities through a sample tweet analysis application, and dive into its API and development process. Key points include that Immutant aims to simplify deployment of non-trivial Clojure applications, leverage the services of JBoss AS7 like messaging and caching, and treat integrated application components as a single versioned application.
This document discusses various web vulnerabilities and exploitation techniques. It begins with an overview of trends in web vulnerabilities and exploitation shifting towards client-side attacks. It then details several exemplary web vulnerability hunting techniques, including cross-interface attacks exploiting backend login consoles, SQLXSSI attacks that fuse SQL injection and XSS, document rendering attacks, flaws in web widget interfaces, persistent redirection attacks, and declarative security manipulation. The goal is to understand different attack methods and surfaces for testing web applications.
Dear Hiring Manager,
This is Pavani from Horizon ITS..
I am sending you my candidate profile for the below requirement,
Please review his/her resume once,Thanks you
Pavani
678 248 5839
pavani@horizoninfots.com
The document discusses various web application frameworks and technologies for building Java-based web applications. It summarizes the pros and cons of different languages and frameworks for web development like Java, PHP, Ruby on Rails. It also discusses specific frameworks for Java like Struts, Spring, and Hibernate. Popular companies using Java for web applications are also listed along with strategies for scaling Java web apps.
Cloud-powered Continuous Integration and Deployment architectures - Jinesh VariaAmazon Web Services
The presentation will discuss some architectural patterns in continuous integration, deployment and optimization and I will share some of the lessons learned from Amazon.com.
The goal of the presentation is to convince you that if you invest your time where you get the maximum learning from your customers, automate everything else in the cloud (CI + CD + CO), you get fast feedback and will be able to release early, release often and recover quickly from your mistakes. Dynamism of the cloud allows you to increase the speed of your iteration and reduce the cost of mistakes so you can continuously innovate while keeping your cost down.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Be ef presentation-securitybyte2011-michele_orruMichele Orru
Outline:
What the hell is BeEF? ✴Cutting
Target enumeration and analysis ✴Devouring
Internal net fingerprint Exploiting internal services through the hooked browser Keylogging, browser pwnage
✴Digesting Persistence, tunneling sqlmap/Burp through BeEF proxy XSSrays integration
✴Future development and ideas
The document provides an introduction to JBoss Seam by discussing the history of Java web applications and where Seam fits within that evolution. It notes that early Java web apps used JSP/Servlet models, which were improved by MVC frameworks like Struts, but these frameworks required many configuration files and the front-end and back-end were unaware of each other. Meanwhile, other languages like PHP and Ruby on Rails made deployment and testing easier through conventions over configuration and features like scaffolding. JBoss Seam aims to address these issues and provide a richer experience for modern web applications.
Building Content Applications with JCR and OSGiCédric Hüsler
This document outlines an agenda for a presentation on building content applications with the Java Content Repository (JCR) and OSGi. The presentation will cover getting to know the JCR API, common implementations like Jackrabbit and Apache Sling, developing RESTful applications on JCR with OSGi, and future developments like JCR 333 and Jackrabbit 3. Hands-on examples will also be provided to demonstrate server-side OSGi development and using the Apache Sling Scripting Engine.
Java EE 6 and GlassFish v3: Paving the path for futureArun Gupta
Java EE 6 and GlassFish v3 aim to pave the path for the future by right-sizing the Java EE platform, making it more extensible, and easier to develop on. Key changes include introducing profiles like the Web Profile, pruning unused technologies, embracing open source frameworks, and continuing to improve the annotation-based programming model. GlassFish v3 is the reference implementation of Java EE 6 and includes new features like modular architecture, embeddability, and RESTful monitoring and management interfaces.
Java EE 6 and GlassFish v3: Paving the path for futureArun Gupta
This session provides an overview of Java EE 6 and GlassFish v3. Using multiple simple-to-understand samples it explains the value propositionprovided by Java EE 6.
You're on another typical JavaEE-based project, and you find yourself writing the same old infrastructure code - again. Are you wondering if there's a easier way to incorporate the basics such as configuration, logging, HTTP, and email into your application? If so, then this presentation is for you. By using a number of Java-based utilities from Apache and similar projects, you can learn how to stop re-inventing the wheel.
We'll start with a simple Java application and add the ability to use:
Apache Commons Lang for String handling
Apache Commons Configuration to configure an application
Apache Velocity Templates and Apache Commons Email to format and send email messages
Apache Commons IOUtils to simplify File and Stream I/O
Apache POI to generate Excel spreadsheets
Joda Time to simplify Date/Time handling
SLF4J and Logback to log messages
Jasypt to encrypt sensitive data
By learning to leverage these utilities, attendees can simplify their applications by reducing/eliminating infrastructure code.
The document provides instructions for configuring MySQL replication between a master and slave server. It describes setting up the master server with a server ID and binary logging. It also covers dumping the master database to include replication metadata. On the slave server, it describes configuring a server ID and relay log, as well as optionally enabling binary logging. The replication user is then created on the master and granted privileges before adjusting any firewall rules.
Running your Java EE applications in the CloudArun Gupta
This document discusses running Java EE 6 applications in the cloud using various platforms. It provides an overview of Java EE 6 and how it is well-suited for cloud deployments. It then discusses specific implementations on Amazon EC2, RightScale, Elastra, Joyent, and GlassFish distributions and roadmaps.
This document provides information about FLOW3, a PHP-based web application platform. It discusses what FLOW3 is, its key features like being well-suited for enterprise applications and having easy-to-read source code. It also covers FLOW3's advanced features like object persistence with Doctrine2 and support for test-driven development. The document describes requirements to use FLOW3 like supported operating systems and databases. It includes steps for downloading, installing, and testing a FLOW3 application. It demonstrates creating a sample blog application in FLOW3 and interacting with the database. Finally, it discusses FLOW3 packages, application contexts, and ways to fine-tune applications.
Arun Gupta: London Java Community: Java EE 6 and GlassFish 3 Skills Matter
This document discusses Java EE 6 and GlassFish 3. It outlines that Java EE 6 and GlassFish 3 aim to provide a light-weight, extensible, and powerful platform. Key goals for Java EE 6 include making it more flexible, extensible by embracing open source frameworks, and easier to use and develop on. GlassFish 3 is the open source reference implementation of Java EE 6 and includes new features like clustering and centralized administration.
This document summarizes common Ruby on Rails security issues and best practices for addressing them. It covers potential information leaks from application setup and deployment, cross-site scripting vulnerabilities from unsanitized user input, session fixation issues, cross-site request forgery problems, SQL injection protection, preventing JavaScript hijacking, securing mass assignment, and security risks related to third-party Rails plugins. The document provides explanations of each issue and recommendations for configuration and code changes to enhance the security of Rails applications.
OSGi-enabled Java EE Applications using GlassFish at JCertif 2011Arun Gupta
This document discusses OSGi-enabled Java applications in GlassFish. It provides an overview of OSGi and how it is used in GlassFish to provide modularity. Key points include:
- OSGi allows applications to be broken into modules or bundles that can be installed, uninstalled, started and stopped dynamically without restarting the container.
- In GlassFish, all modules are OSGi bundles which run on top of the OSGi framework. This provides stronger modularity compared to a non-OSGi application server.
- Benefits of using OSGi in GlassFish include demanding stronger modularity, enabling custom tailored application servers, and lazy loading of bundles based on usage patterns.
This document discusses a PHP push notification system using MQTT protocol. It requires a Mosquitto MQTT server, Node.js, and Socket.io module to function. The client code connects to the Node.js server via Socket.io and subscribes to topics to listen for notifications. The Node.js code acts as a broker, connecting to the MQTT server and filtering websocket data based on topics. It listens for new notifications from MQTT and sends them to clients via websockets.
Applet Returns: The new generation of Java Plug-insSerge Rehem
This article will reveal the most important changes in the Java Plug-in architecture since JDK1.6update10, showing practical examples why we believe Applets are definitively back.
Java EE 6 & GlassFish = Less Code + More Power at CEJUGArun Gupta
The document discusses Java EE 6 and GlassFish, which provide developers with more power and flexibility while requiring less code. Key features of Java EE 6 like EJB 3.1, CDI, and JSF 2.0 incorporate more annotations and reduce the need for deployment descriptors. GlassFish is the open source reference implementation of Java EE 6 and offers benefits like modularity, embeddability, and support for cloud computing. Future versions of Java EE and GlassFish will focus on continued standards-based innovation.
The document provides an overview and agenda for a presentation on Immutant, an application server for Clojure powered by JBoss AS7. The presentation will introduce Immutant, discuss why it was created, demonstrate its capabilities through a sample tweet analysis application, and dive into its API and development process. Key points include that Immutant aims to simplify deployment of non-trivial Clojure applications, leverage the services of JBoss AS7 like messaging and caching, and treat integrated application components as a single versioned application.
This document discusses various web vulnerabilities and exploitation techniques. It begins with an overview of trends in web vulnerabilities and exploitation shifting towards client-side attacks. It then details several exemplary web vulnerability hunting techniques, including cross-interface attacks exploiting backend login consoles, SQLXSSI attacks that fuse SQL injection and XSS, document rendering attacks, flaws in web widget interfaces, persistent redirection attacks, and declarative security manipulation. The goal is to understand different attack methods and surfaces for testing web applications.
Dear Hiring Manager,
This is Pavani from Horizon ITS..
I am sending you my candidate profile for the below requirement,
Please review his/her resume once,Thanks you
Pavani
678 248 5839
pavani@horizoninfots.com
The document discusses various web application frameworks and technologies for building Java-based web applications. It summarizes the pros and cons of different languages and frameworks for web development like Java, PHP, Ruby on Rails. It also discusses specific frameworks for Java like Struts, Spring, and Hibernate. Popular companies using Java for web applications are also listed along with strategies for scaling Java web apps.
Cloud-powered Continuous Integration and Deployment architectures - Jinesh VariaAmazon Web Services
The presentation will discuss some architectural patterns in continuous integration, deployment and optimization and I will share some of the lessons learned from Amazon.com.
The goal of the presentation is to convince you that if you invest your time where you get the maximum learning from your customers, automate everything else in the cloud (CI + CD + CO), you get fast feedback and will be able to release early, release often and recover quickly from your mistakes. Dynamism of the cloud allows you to increase the speed of your iteration and reduce the cost of mistakes so you can continuously innovate while keeping your cost down.
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
With the release of the OWASP TOP 10 2017 we saw new issues rise as contenders of most common issues in the web landscape. Much of the OWASP documentation displays issues, and remediation advice/code relating to Java, C++, and C#; however not much relating to JavaScript. JavaScript has drastically changed over the last few years with the release of Angular, React, and Vue, alongside the popular use of NodeJS and its libraries/frameworks. This talk will introduce you to the OWASP Top 10 explaining JavaScript client and server-side vulnerabilities.
Be ef presentation-securitybyte2011-michele_orruMichele Orru
Outline:
What the hell is BeEF? ✴Cutting
Target enumeration and analysis ✴Devouring
Internal net fingerprint Exploiting internal services through the hooked browser Keylogging, browser pwnage
✴Digesting Persistence, tunneling sqlmap/Burp through BeEF proxy XSSrays integration
✴Future development and ideas
The document provides an introduction to JBoss Seam by discussing the history of Java web applications and where Seam fits within that evolution. It notes that early Java web apps used JSP/Servlet models, which were improved by MVC frameworks like Struts, but these frameworks required many configuration files and the front-end and back-end were unaware of each other. Meanwhile, other languages like PHP and Ruby on Rails made deployment and testing easier through conventions over configuration and features like scaffolding. JBoss Seam aims to address these issues and provide a richer experience for modern web applications.
Building Content Applications with JCR and OSGiCédric Hüsler
This document outlines an agenda for a presentation on building content applications with the Java Content Repository (JCR) and OSGi. The presentation will cover getting to know the JCR API, common implementations like Jackrabbit and Apache Sling, developing RESTful applications on JCR with OSGi, and future developments like JCR 333 and Jackrabbit 3. Hands-on examples will also be provided to demonstrate server-side OSGi development and using the Apache Sling Scripting Engine.
This document discusses JBoss Web Services and how it integrates Apache CXF into JBoss Application Server. It provides an overview of how JBoss WS works at runtime and during deployment. Key points include that JBoss WS allows CXF to be used on JBoss AS, addresses classloading issues, and provides features like web service reference injection. It also demonstrates configuring security using the WS-Security UT Profile and JAAS login modules.
This document discusses JBoss Web Services and how it integrates Apache CXF into JBoss Application Server. It provides an overview of how JBoss Web Services works at runtime and during deployment. It also discusses how services and subsystems are implemented in AS7 and provides an example of the web services subsystem. The document demonstrates configuring security domains for WS-Security and outlines links for additional documentation.
The document discusses several key technologies for developing Java web applications, including Java Servlet technology, WebWork framework, Spring framework, and Apache Maven build tool. It provides an overview of how each technology addresses common problems like stateless communication, business logic implementation, view generation, and data access overhead. Examples are given showing how WebWork and Spring can be used together with Maven to build a simple "Hello World" application that follows the MVC pattern and leverages dependency injection.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
This document discusses challenges with testing web services and proposes improvements. It notes that current tools, methodologies, and testing environments for assessing web service security are inadequate. The document advocates aligning web service testing with the Penetration Testing Execution Standard methodology. It also highlights new attacks against web services and demos tools like Metasploit modules for assessing web services and the Damn Vulnerable Web Services testing environment.
Play Framework: Intro & High-Level OverviewJosh Padnick
This document provides an introduction to the Play Framework for Java web application development. It discusses the challenges of traditional Java web development, including long redeploy times, complex XML configurations, and impedance mismatch between HTTP and Java EE. It then introduces the concepts of reactive and modern web development. The document outlines the goals of the Play Framework to improve both performance and productivity. Key aspects of the Play Framework are discussed, including its focus on developer productivity, built-in support for RESTful APIs, and stateless and scalable architecture. The presentation concludes with a live coding demonstration of basic Play Framework features.
This document summarizes the qualifications of Yue Chao Qin, including over 10 years of experience as a Senior Software Engineer with skills in Java EE, Spring, AngularJS, databases, and more. Qin has led technical teams and mentored junior developers on projects involving web and mobile applications. Current responsibilities include developing systems for logistics management at the US Postal Service.
The document discusses the key components and steps for creating and deploying a Java web application. It covers:
1. The main steps to develop a web application including coding components, adding deployment descriptors, compiling, packaging, deploying, and accessing the application.
2. The web components included in the TomEE distribution like JSF, JSP, Servlets.
3. How TomEE+ adds additional components like JAX-RS and JAX-WS.
4. An overview of asynchronous servlets in JavaEE7 which allow non-blocking I/O to improve scalability compared to traditional synchronous approaches.
Web application penetration testing lab setup guideSudhanshu Chauhan
This document provides guidance on setting up a basic environment for conducting web application penetration testing. It outlines both hardware and software requirements, including recommended tools. It then walks through installing a base OS, browsers, programming languages, web servers, and various security tools. It also provides an overview of the testing process, including information gathering, automated scanning, manual testing, and reporting.
Slides of my "Open Innovation in Software Means Open Source Software" talk, OSS Watch, Oxford Dec.12th, 2009 (http://www.oss-watch.ac.uk/events/2009-12-07_business/programme.xml). Also at http://transfersummit.com/programme/60 and accompanying article on the H online, http://x42.ch/03.10.01
4. Egg shell
- Many environments have hardened exteriors but less protected
interiors
http://www.flickr.com/photos/sidereal/2355999910/sizes/o/in/
photostream/
5. Effectiveness
Web(Server(
• <html>( • SELECT(*(
• <?php(
Web(Browser( Database(
OWASP 5
- How effective can your penetration testing be if all your doing is
assessing a single external system ...
6. without putting it in the context of the whole environment?
http://forums.untangle.com/runkel/Logical-Network-Diagram.gif
7. Metasploit / SET
Growth *
2011
2010
2009
2008
2007
*nb: not real statistics OWASP 7
I call this the state of modern pen testing, you can’t just knock on
the perimeter, you have to pivot through clients
8. Shrinking attack
surfaces
- offsite SMTP
- 3rd party (or different) location web hosting
- VPNs
- Proxies
- Small to zero attack surface
.. The attack surface is shrinking.
9. Where’s the data?
OWASP 9
- Internal systems are where the information is held, or via web
portals to *aaS providers .. and
- We can't gain access to these systems and their information
without pivoting through a client.
10. Patched?
OWASP 10
- Metasploit, in particular combined with SET, is effective at
providing this pivot point
- What if the target environment is patched? Against known
Metasploit exploits.
11. Between full blown exploitation
and pure social engineering
OWASP 11
- This is the advantage point the BeEF has, to happily sit in the
browser.
12. Lots of HTTP
OWASP 12
- Lots of websites (@jeremiahg mentioned ~30mil new websites a
month)
13. Got BeEF?
- So what is BeEF? For those who don't know, it's the Browser
Exploitation Framework
14. PHP BeEF
OWASP 14
- Originally announced on ha.ckers.org in 2006 based entirely
PHP by Wade Alcorn
15. Top 10 2010 - A2 - XSS
OWASP 15
- In it's old incarnation BeEF was a great tool to demonstrate just
how nasty XSS flaws could be (Instead of the typical alert(1);
dialog)
16. Method of pivoting, method of
penetration
OWASP 16
- and trying to become an all-round go-to platform for client-side
exploitation development.
- The framework allows a penetration tester to select specific
modules in real time to target against a hooked browser within its
current context (which will provide different, unique, attack
vectors)
17. Moving to the future
- These days BeEF is developed in Ruby (like Metasploit), with
stacks of Javascript (we roll jquery in there for command modules
too)
22. Our dev team rely on modern agile development
techniques, including a Continuous Integration service via
Jenkins, utilising Rake test unit, selenium, capybara etc etc
23. BeEF Trilogy (“Who is your father?”)
OWASP 23
Beef is currently made up of 3 main components:
http://img4.cookinglight.com/i/2009/01/0901p40f-beef-patty-
m.jpg?300:300
24. Firstly is the core..
http://www.imdb.com/media/rm1627756544/tt0298814
25. Hooking methods
Central API for Extensions & Modules
Filters Database models
Core
Primary client-side JS Ruby extensions
Server-side asset handling Web servicing
OWASP 25
! - The Core
! ! - Central API
! ! - Filters
! ! - Primary client-side javascript
! ! - Server-side asset handling and web servicing
! ! - Ruby extensions
! ! - Database models
! ! - Hooking methods to load and manage arbitrary extensions
and command modules
27. Web UI XSSRays
Console Proxy/Requester
Extensions
Demo pages Metasploit
Event handling Browser initialisation
OWASP 27
! - Extensions
! ! - Where you need to provide fairly tightly coupled functionality
into the core, the extensions provide the developer with various
API firing points, such as mounting new URL points. Currently
beef has extensions for the admin web ui, the console, demo
pages, event handling, initialisation of hooked browsers,
metasploit, proxy, requester and the xssrays functionality.
29. Recon
Browser Persistence
Command Modules
Debugging Network
Host Router Miscellaneous
OWASP 29
! - Command Modules
! ! - Command modules are where individually packaged HTML/
JS packages are stored, currently these are broken down into the
following categories: browser, debugging, host, misc, network,
persistence, recon, router. Anything you want to do in Javascript,
HTML, Java, <insert arbitrary browser acceptable language> can
be done.
30. It always starts with Hooking
OWASP 30
The first step in getting a browser into the framework is to
get it to execute the BeEF payload, there’s a few methods of
achieving this:
31. Hooking Browsers
XSS
Social Engineering (i.e. tiny URL, or phishing via
email)
Embedding the payload (think drive-by-
download)
Maintaining persistence after already being
hooked (think Tab BeEF Injection)
OWASP 31
35. Hooking Mobile Devices
http://www.youtube.com/watch?v=5SVu6VdLWgs
OWASP 35
http://www.youtube.com/watch?
v=5SVu6VdLWgs
36. Teach a man to Fish
BeEF...
So lets look at how we can customise BeEF .. first we’ll look
at a simple command module
37. RouterPwn.com
Compilation of ready to run JS/HTML exploits
against many consumer routers
Designed to be run on smart phones
Great candidate for a collection of BeEF
Command Modules
OWASP 37
RouterPwn, from websec.ca’s Roberto Salgado
38. Each module resides of at least 3 files, the config file (in
yaml format), the ruby module file, and the javascript file.
The files are populated into categories, as touched on
before.
39. Each config file contains the category, the name, a
description, the authors and targeting configuration (This
allows you to specify things like Safari only, or “user notify”
for iPhone and Safari etc)
40. The module’s ruby file, in it’s simplest form, is used to
configure what options are configurable, via the
self.options method - and what to do with returned results.
41. And here is most of the javascript content. We utilise eruby
for variable substitution (as can be seen where we’re
pulling in the previously set ip and dns settings).
You can also notice in this javascript we use a JS object
called beef. This is the core beef library within the
framework, and has a lot of functionality in-built, such as
creating invisible iframes.
42. Here you can see what the user is presented with in the UI.
43. Introducing “Chipmunking” ..named, at least at the
moment, in reference to movie posters, in particular, this
movie poster...
so QR codes are .. everywhere..
44. I mean .. Everywhere .. and they’re only becoming more
ubuiquitous
45. So lets put together a new extension for BeEF .. lets build a
custom hook point (URL) that if you (or your victims) visit it,
will be hooked into BeEF, and immediately presented with a
full-screen iFrame of the target site .. we’ll then use the
current QRCode Extension into BeEF to generate this QR
code for us too..
46. Similar to command modules, extensions require a few
files.
The config file (again, a yaml file)
and then the extension ruby file itself.