In most companies security is driven by compliance regulations. The policies are designed to contain the security vulnerabilities each company is interested in complying with. These vulnerabilities can be measured only at the end, after the software has been developed, which is way too late. The result of this approach is that a high number of insecure applications are still produced and injection is still King. Is there another way to create more secure software from the start? This presentation will look at security vulnerabilities from a different angle. We will decompose the vulnerabilities into the security controls that prevent them and that developers are familiar with. We will flip security from focusing on vulnerabilities (which can be measured only at the end, after the software has been developed) to focusing on the security controls, which can be used from the beginning of the software development cycle. Recommended to all builders and security professionals interested in building more secure software from the start.
The OAuth working group recently decided to discourage use of the implicit grant. But that's just the most prominent recommendation the working group is about to publish in the upcoming OAuth 2.0 Security Best Current Practice (https://tools.ietf.org/html/draft-ietf-oauth-security-topics), which will elevate OAuth security to the next level. The code flow shall be used with PKCE only and tokens should be sender-constrained, to mention just a few. Development of these enhanced recommendations was driven by several factors, including experiences gathered in the field, security research results, the increased dynamics and sensitivity of the use cases OAuth is used to protect, and technological changes. This session will present the new security recommendations in detail along with the underlying rationales.
Getting Started in Pentesting the Cloud: Azure
Beau Bullock
Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw
Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365.
In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.
Dirk-jan Mollema
How does one research the cloud? With solutions such as Azure AD and Office 365, the underlying platform architecture and designs are not publicly documented or accessible in the same way as on-premise. This makes analyzing the security of the platform harder for external researchers. In this talk I will explain the journey and discoveries of a year of trying to understand Azure AD, including the vulnerabilities discovered in the process. This ranges from gathering information about Azure AD via undocumented APIs to installing invisible backdoors and escalating privileges via limited roles or via the link with on-premise. While some of these vulnerabilities have been resolved, several of these are unintended consequences of Azure AD's architecture and thus are important to consider when evaluating the security of your Azure AD environment. A basic understanding of Azure AD, Office 365 and its terminology is assumed for this talk.
Weaponizing Corporate Intel: This Time, It's Personal!
Beau Bullock
Strategically targeting a corporation requires deep knowledge of their technologies and employees. Successfully compromising an organization can depend on the quality of reconnaissance a tester performs up front. Oftentimes testers only resort to using publicly available tools, which can overlook critical assets.
In this presentation, we will begin by examining some commonly overlooked methods to discover external resources. Next, we will show how to discover employees of a target organization and quickly locate their social media accounts. Finally, we will strategically identify and weaponize personal information about the employees to target the organization directly using new attack techniques. Attendees will learn an external defense evasion method, a new process to gain credentialed access, and be the first to receive a newly released tool!
While the approach is designed to assist offensive security professionals, the presentation will be informative for technical and non-technical audiences, demonstrating the importance of security awareness for everyone.
This document provides an overview of attacking Active Directory Federation Services (AD FS). It begins with an introduction to AD FS and how it works, allowing single sign-on for applications outside of Active Directory. It then discusses how to find AD FS servers on a network and potential vulnerabilities in default configurations. The document focuses on attacking identity provider adapters and the signing certificate as ways to impersonate the AD FS server and issue unauthorized tokens. It provides technical details on decrypting the signing certificate stored in the Windows Internal Database using the Distributed Key Manager.
Travelocalypse: It's Dangerous Business, Hacker, Going Out Your Front Door
Beau Bullock
How do you survive the treacherous landscapes of security conferences, work trips, and other types of travel? Do you suffer from over-packing syndrome? Overwhelmed by the zombie hordes trying to make it through security to get to their flight on time? Is your Bluetooth on while reading this? Does your phone auto-join Attwifi when it is in range? If so, join us for tips and tricks by seasoned BHIS travelers and survive your next conference trip! We will cover epic backpack hacks, clothing choices, personal and digital security, and even how to enjoy your 5-hour layover at the airport.
I'm in your cloud... reading everyone's email. Hacking Azure AD via Active Di...
Dirk-jan Mollema
Azure AD is everything but a domain controller in the cloud. This talk will cover what Azure AD is, how it is commonly integrated with Active Directory and how security boundaries extend into the cloud, covering sync account password recovery, privilege escalations in Azure AD and full admin account takeovers using limited on-premise privileges.
While Active Directory has been researched for years and the security boundaries and risks are generally well documented, more and more organizations are extending their network into the cloud. A prime example of this is Office 365, which Microsoft offers through their Azure cloud. Connecting the on-premise Active Directory with the cloud introduces new attack surface both for the cloud and the on-premise directory.
This talk looks at the way the trust between Active Directory and Azure is set up and can be abused through the Azure AD Connect tool. We will take a dive into how the synchronization is set up, how the high-privilege credentials for both the cloud and Active Directory are protected (and can be obtained) and what permissions are associated with these accounts.
The talk will outline how a zero day in common setups was discovered through which on-premise users with limited privileges could take over the highest administration account in Azure and potentially compromise all cloud assets.
We will also take a look at the Azure AD architecture and common roles, and how attackers could backdoor or escalate privileges in cloud setups.
Lastly, we will look at how to prevent these kinds of attacks and why your AD Connect server is perhaps one of the most critical assets in the on-premise infrastructure.
I presented this at a user group in Sweden, as a compilation discussion of practical customer experiences with Windows Azure. The slides led the discussion. Enjoy.
By leveraging services in the cloud, businesses can host new applications and services in a cost effective manner. Existing systems can also leverage the cloud in its entirety or for specific aspects of the system to reduce infrastructure management costs and to support potential scale-out requirements as usage increases. Windows Azure offers many services from application hosting, storage, content delivery, messaging, caching and security. Pricing each of these services to estimate your costs requires some thoughtfulness around how you will use each service within your architecture, and some predictions about the number of users, payload traffic and number of transactions. How then can you estimate your costs, or price your own offering to customers when there are so many variables? Pricing is not a perfect science and each business will have its own level of tolerance for cost absorption vs. costs to be deferred to customers. In this session we will break down the pricing model of the cloud, look at ways to quantify your service using various architectural examples, and look at ways you can track usage, validate costs and ultimately collect your costs across the core Windows Azure features to gain perspective on what you need to charge your customers for those services, along with some ideas on how to project revenue.
Cloudy with a Chance of APT was presented at Blackhat USA 2021 by Doug Bienstock and Josh Madeley. The talk discusses advanced techniques recently observed in the wild to persistently access Microsoft 365 and steal data. The talk also highlights previously unseen extensions of these techniques that defenders should prepare to see in the future.
Azure Key Vault with a PaaS Architecture and ARM Template Deployment
Roy Kim
This is a presentation I held at a local Azure user group. The session abstract: Azure Key Vault is a tool for securely storing and accessing secrets. We will go through a popular Azure PaaS Architecture pattern using Key Vault to store a password. I will demo and walk through the general configuration of a dedicated Azure Function app, Azure SQL and Key Vault that was deployed with automation. I will then go through fairly advanced techniques and best practices on how to deploy Azure Key Vault and a password secret with ARM templates. Finally, a very brief look at my Azure DevOps Pipeline to deploy the ARM template. You will come away with an understanding of an applied use case of leveraging Azure Key vault for a PaaS solution in better managing a password secret.
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS's
MongoDB
Long live RDBMs! For years they have been a staple of large data set storage, manipulation & retrieval. But what if I told you that we were able to simplify every aspect of our new ODS; from data maintenance and implementation to API design, scalability and maintainability by doing one simple thing?
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...
CloudIDSummit
John DaSilva, Identity Architect, Ping Identity
Brian Campbell, Portfolio Architect, Ping Identity
If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?" then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the "why") behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We'll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up-and-coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen
NCCOMMS
This document discusses Microsoft's "Golden Config" approach to securing identities in Office 365 and Azure Active Directory (Azure AD). It provides an overview of Azure AD identity types, explains why additional security is needed beyond passwords alone given growing cybersecurity threats, and outlines the five steps and various policies that make up the Golden Config's recommended practices for strengthening credentials, reducing attack surfaces, automating threat response, increasing security awareness, and enabling complete end-user security. These include enforcing multi-factor authentication, managing privileged access, monitoring sign-ins and risks, and carefully planning deployments.
Secure API Services in Node with Basic Auth and OAuth2
Stormpath
In this presentation, Lead Developer Evangelist Randall Degges will go over how API authentication works via HTTP Basic Auth and OAuth2 (Client Credentials), and will show you how to secure an Express.js API service with both of them using Stormpath!
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
This document discusses the top 10 web application security vulnerabilities as identified by OWASP (Open Web Application Security Project). It provides an overview of each vulnerability, examples, and recommendations for countermeasures. The vulnerabilities covered are injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery (CSRF), using components with known vulnerabilities, and unvalidated redirects and forwards. The document emphasizes using features in Oracle Application Development Framework (ADF) to help address many of these vulnerabilities.
Instant Security & Scalable User Management with Spring Boot
Stormpath
The document discusses the challenges of implementing user management and authentication in applications. It shows how traditional approaches require developers to implement many aspects of user management including the data store, user models, pages for signup and login, and integration with social providers and single sign-on. Stormpath is presented as a solution that handles these challenges by taking over user management and allowing applications to authenticate users without implementing any of these aspects themselves. The document includes a demonstration of Stormpath's capabilities.
This document discusses insecure data storage on iOS devices. It provides details on how attackers can gain access to sensitive information stored by applications via insecure means such as weak WiFi passwords, jailbreaking, or physical theft. The types of sensitive information commonly found include authentication credentials, financial data, and personal information about the owner. It also lists specific locations within the file system where different types of application data, settings, logs and other information are stored.
WATCH WEBINAR: https://youtu.be/558MFgH1t9g
JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation.
This session focuses on best practices and real world examples of JWT usage, where we cover:
- Typical scenarios where using JWT is a good idea
- Typical scenarios where using JWT is a bad idea!
- Principles of Zero trust architecture and why you should always validate
- Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t.
- Use cases when encryption may be required for JWT
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA
Will Tran
UAA, as a core component of Cloud Foundry, is responsible for authenticating and authorizing requests between platform users (e.g. those that push apps) and platform components (e.g. the cloud controller). But when it came to doing auth for the apps you push and the end users of those apps, using the built-in UAA wasn't the best fit, and you could easily end up shooting yourself in the foot. Until now. This talk will guide you through UAA's new multi-tenancy features, and show you how to use the built-in UAA to create arbitrary authorization scenarios for your products without the danger of affecting the security of the core platform. With this level of freedom, you'll have complete and fine-grained control over who is allowed to access your product's components, and how those components are allowed to interact with one another.
The document summarizes a meeting about connecting on-premises identities to Azure Active Directory. It discusses the options of Azure PTA, ADFS, and desktop SSO. It provides details on how Pass-Through Authentication and Desktop SSO work, including the setup process and runtime flows. It also compares PTA and SSO to ADFS, covering what each option offers and required ports.
Mobile Authentication for iOS Applications - Stormpath 101
Stormpath
Want to build user authentication into your iOS apps quickly and securely?
In this presentation, iOS Developer Evangelist Edward Jiang will go over OAuth, best practices, and how to easily integrate Facebook, Google, and email logins into your app using Stormpath's iOS SDK!
Topics Covered:
- Stormpath Customer Identity Management
- What does authentication mean?
- Common methods of mobile authentication
- OAuth Token Authentication
- Building Login & Registration with Stormpath
- Making authenticated network requests
- Add Facebook / Google login with one line of code
- Technical Q&A
Slides from the talk Token vs Cookies at Devoxx Morocco 2015.
Introduction of JSON Web Token (JWT) and comparison with (classic) Cookie handling.
Find the demo project used during this talk on GitHub: https://github.com/madmas/TokenVsCookies
API Security - OWASP top 10 for APIs + tips for pentesters
Inon Shkedy
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
30-45-min tech talk given at user groups or technical conferences introducing developers to integrating with Google APIs from Python.
ABSTRACT
Want to integrate Google technologies into the web+mobile apps that you build? Google has various open source libraries & developer tools that help you do exactly that. Users who have run into roadblocks like authentication, or found our APIs confusing/challenging, are welcome to come and make these non-issues moving forward. Learn how to leverage the power of Google technologies in the next apps you build!
I presented this at a user group in Sweden, as a compilation discussion of practical customer experiences with WIndows Azure. The slides led the discussion. Enjoy.
By leveraging services in the cloud, businesses can host new applications and services in a cost effective manner. Existing systems can also leverage the cloud in its entirety or for specific aspects of the system to reduce infrastructure management costs and to support potential scale-out requirements as usage increases. Windows Azure offers many services from application hosting, storage, content delivery, messaging, caching and security. Pricing each of these services to estimate your costs requires some thoughtfulness around how you will use each service within your architecture, and some predictions about the number of users, payload traffic and number of transactions. How then can you estimate your costs, or price your own offering to customers when there are so many variables? Pricing is not a perfect science and each business will have its own level of tolerance for cost absorption vs. costs to be deferred to customers. In this session we will break down the pricing model of the cloud, look at ways to quantify your service using various architectural examples, and look at ways you can track usage, validate costs and ultimately collect your costs across the core Windows Azure features to gain perspective on what you need to charge your customers for those services, along with some ideas on how to project revenue.
Cloudy with a Chance of APT was presented at Blackhat USA 2021 by Doug Bienstock and Josh Madeley. The talk discusses advanced techniques recently observed in the wild to persistently access Microsoft 365 and steal data. The technique also highlights prevoiusly unseen extensions of these techniques that defenders should prepare to see in the future.
Azure Key Vault with a PaaS Architecture and ARM Template DeploymentRoy Kim
This is a presentation I held at a local Azure user group. The session abstract: Azure Key Vault is a tool for securely storing and accessing secrets. We will go through a popular Azure PaaS Architecture pattern using Key Vault to store a password. I will demo and walk through the general configuration of a dedicated Azure Function app, Azure SQL and Key Vault that was deployed with automation. I will then go through fairly advanced techniques and best practices on how to deploy Azure Key Vault and a password secret with ARM templates. Finally, a very brief look at my Azure DevOps Pipeline to deploy the ARM template. You will come away with an understanding of an applied use case of leveraging Azure Key vault for a PaaS solution in better managing a password secret.
MongoDB.local Dallas 2019: Pissing Off IT and Delivery: A Tale of 2 ODS'sMongoDB
Long live RDBMs! For years they have been a staple of large data set storage, manipulation & retrieval. But what if I told you that we were able to simplify every aspect of our new ODS; from data maintenance and implementation to API design, scalability and maintainability by doing one simple thing?
CIS13: Bootcamp: Ping Identity OAuth and OpenID Connect In Action with PingFe...CloudIDSummit
John DaSilva, Identity Architect, Ping Identity
Brian Campbell, Portfolio Architect, Ping Identity
If you asked yourself the question, "What is OAuth and will it solve my mobile device SSO headaches?” then this is the session for you! In this bootcamp, you will learn the basic foundations of OAuth, the drivers (the “why”) behind it, the use cases, the protocol flow and basic terminology. Once we have a basic understanding of OAuth, we will explore various implementation strategies for OAuth 2.0. We’ll dissect the Web Server, User Agent and Native Application use cases, and describe how to configure OAuth in PingFederate Authorization Server. We will even take a look at the up and coming OpenID Connect specification. Bring your laptop; a configuration of PingFederate that you can set up and temporary product licenses will be supplied.
O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen (NCCOMMS)
This document discusses Microsoft's "Golden Config" approach to securing identities in Office 365 and Azure Active Directory (Azure AD). It provides an overview of Azure AD identity types, explains why additional security is needed beyond passwords alone given growing cybersecurity threats, and outlines the five steps and various policies that make up the Golden Config's recommended practices for strengthening credentials, reducing attack surfaces, automating threat response, increasing security awareness, and enabling complete end-user security. These include enforcing multi-factor authentication, managing privileged access, monitoring sign-ins and risks, and carefully planning deployments.
Secure API Services in Node with Basic Auth and OAuth2 (Stormpath)
In this presentation, Lead Developer Evangelist Randall Degges will go over how API authentication works via HTTP Basic Auth and OAuth2 (Client Credentials), and will show you how to secure an Express.js API service with both of them using Stormpath!
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF (Brian Huff)
This document discusses the top 10 web application security vulnerabilities as identified by OWASP (Open Web Application Security Project). It provides an overview of each vulnerability, examples, and recommendations for countermeasures. The vulnerabilities covered are injection, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, security misconfiguration, sensitive data exposure, missing function level access control, cross-site request forgery (CSRF), using components with known vulnerabilities, and unvalidated redirects and forwards. The document emphasizes using features in Oracle Application Development Framework (ADF) to help address many of these vulnerabilities.
Instant Security & Scalable User Management with Spring Boot (Stormpath)
The document discusses the challenges of implementing user management and authentication in applications. It shows how traditional approaches require developers to implement many aspects of user management including the data store, user models, pages for signup and login, and integration with social providers and single sign-on. Stormpath is presented as a solution that handles these challenges by taking over user management and allowing applications to authenticate users without implementing any of these aspects themselves. The document includes a demonstration of Stormpath's capabilities.
This document discusses insecure data storage on iOS devices. It provides details on how attackers can gain access to sensitive information stored by applications via insecure means such as weak WiFi passwords, jailbreaking, or physical theft. The types of sensitive information commonly found include authentication credentials, financial data, and personal information about the owner. It also lists specific locations within the file system where different types of application data, settings, logs and other information are stored.
WATCH WEBINAR: https://youtu.be/558MFgH1t9g
JSON Web Tokens (JWTs) are used massively in API-based applications as access tokens or to transport information across services. Unfortunately, JWTs are often misused and incorrectly handled. Massive data breaches have occurred in the last 18 months due to token leakage and lack of proper validation.
This session focuses on best practices and real world examples of JWT usage, where we cover:
- Typical scenarios where using JWT is a good idea
- Typical scenarios where using JWT is a bad idea!
- Principles of Zero trust architecture and why you should always validate
- Best practices to thoroughly validate JWTs and potential vulnerabilities if you don’t.
- Use cases when encryption may be required for JWT
Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA (Will Tran)
UAA, as a core component of Cloud Foundry, is responsible for authenticating and authorizing requests between platform users (e.g. those that push apps) and platform components (e.g. the cloud controller). But when it came to doing auth for the apps you push and the end users of those apps, using the built-in UAA wasn't the best fit, and you could easily end up shooting yourself in the foot. Until now. This talk will guide you through UAA's new multi-tenancy features, and show you how to use the built-in UAA to create arbitrary authorization scenarios for your products without the danger of affecting the security of the core platform. With this level of freedom, you'll have complete and fine-grained control over who is allowed to access your product's components, and how those components are allowed to interact with one another.
The document summarizes a meeting about connecting on-premises identities to Azure Active Directory. It discusses the options of Azure PTA, ADFS, and desktop SSO. It provides details on how Pass-Through Authentication and Desktop SSO work, including the setup process and runtime flows. It also compares PTA and SSO to ADFS, covering what each option offers and required ports.
Mobile Authentication for iOS Applications - Stormpath 101 (Stormpath)
Want to build user authentication into your iOS apps quickly and securely?
In this presentation, iOS Developer Evangelist Edward Jiang will go over OAuth, best practices, and how to easily integrate Facebook, Google, and email logins into your app using Stormpath's iOS SDK!
Topics Covered:
- Stormpath Customer Identity Management
- What does authentication mean?
- Common methods of mobile authentication
- OAuth Token Authentication
- Building Login & Registration with Stormpath
- Making authenticated network requests
- Add Facebook / Google login with one line of code
- Technical Q&A
Slides from the talk Token vs Cookies at Devoxx Morocco 2015.
Introduction of Json Web Token JWT and comparison with (classic) Cookie handling.
Find the demo project used during this talk on GitHub: https://github.com/madmas/TokenVsCookies
API Security - OWASP top 10 for APIs + tips for pentesters (Inon Shkedy)
The document discusses modern application security issues related to APIs. It begins with an overview of common API security risks like SQL injection, XSS, and CSRF. It then focuses on how application security has changed with the transition to modern architectures that are API-focused, use cloud infrastructure, and follow DevOps practices. Key changes discussed include less abstraction layers, clients handling more responsibility, and APIs exposing more data and endpoints directly. The document also summarizes the OWASP API security project and proposed API security top 10 risks. Real attack examples are provided to illustrate broken authorization and authentication vulnerabilities.
30-45-min tech talk given at user groups or technical conferences to introduce developers to integrating with Google APIs from Python.
ABSTRACT
Want to integrate Google technologies into the web+mobile apps that you build? Google has various open source libraries & developer tools that help you do exactly that. Users who have run into roadblocks like authentication, or found our APIs confusing or challenging, are welcome to come and make these non-issues moving forward. Learn how to leverage the power of Google technologies in the next apps you build!
Discover how to build APIs using the Apigee API Services toolkit. Deep dive into Apigee's API Services solution, API design and management technology including OAuth and security, persistence & caching, Node.js and more.
The journey of Moving from AWS ELK to GCP Data Pipeline (Randy Huang)
This is a real case from VMfive of shifting its ELK architecture away from AWS. Currently GCP Data Pipeline provides us a more efficient and stable environment for running our service.
Creating a World-Class RESTful Web Services API (David Keener)
Companies like Amazon, Google and Yahoo have published web services API's that empower developers to create mash-ups, add-ons and full-scale applications. The creation of such API's, however, is not exclusively the domain of large, multi-national corporations. Learn how to architect, build and field a well-designed and scalable RESTful web services API that will allow your business to leverage the capabilities of the developer community. This presentation includes real-life examples from the Grab Networks RESTful API, which provides access to information about the hundreds of thousands of news videos available through Grab Networks' distribution network.
Gluecon 2017 - GoMake | Flying Dreams: Real-Time Communication from the Edge ... (Jonathan Barton)
Creating flexible, resilient access to real-time sensor data can be challenging – especially when your device targets can literally disappear off the face of the Earth! See how groups of students and instructors are using the goMake API to talk with high-altitude balloon telemetry as it skirts the edge of the stratosphere, and the design considerations involved in making this a scalable platform for project-based STEM learning that aims to instill a sense of wonder.
Gimel is a data abstraction framework built on Apache Spark, providing unified data access via API & SQL to different technologies such as Kafka, Elastic, HBase, REST APIs, files, object stores, relational databases, etc.
We spoke about this recently in the "cloud track" in the "Scale By The Bay" Conference.
https://www.scale.bythebay.io/schedule
https://sched.co/e55D
Youtube - https://www.youtube.com/watch?v=cy8g2WZbEBI&ab_channel=FunctionalTV
https://youtu.be/m6_0iI4XDpU
Build an AI/ML-driven image archive processing workflow: Image archive, analy... (wesley chun)
Google provides a diverse array of services to realize the ambition of solving real business problems, like constrained resources. An image archive & analysis plus report generation use-case can be realized with just GWS (Google Workspace) & GCP (Google Cloud) APIs. The principle of mixing-and-matching Google technologies is applicable to many other challenges faced by you, your organization, or your customers. These slides are from the half-hour presentation about this case study.
Gimel at Dataworks Summit San Jose 2018 (Romit Mehta)
Gimel is PayPal's data platform that provides a unified interface for accessing and analyzing data across different data stores and processing engines. The presentation provides an overview of Gimel, including PayPal's analytics ecosystem, the challenges Gimel addresses around data access and application lifecycle, and a demo of how Gimel simplifies a flights cancelled use case. It also discusses Gimel's open source journey and integration with ecosystems like Spark and Jupyter notebooks.
Gimel Data Platform is an analytics platform developed by PayPal that aims to simplify data access and analysis. The presentation provides an overview of Gimel, including PayPal's analytics ecosystem, the challenges Gimel addresses in data access and application lifecycle management, a demo of a sample flights cancelled use case using Gimel, and PayPal's plans to open source Gimel.
Walls Within Walls: What if your attacker knows parkour? (Greg Castle)
What happens if an attacker escapes a container and compromises your node? Is it game over for the whole cluster, or can you limit the blast radius? Whether it be for defense in depth or multi-tenancy, it is important to understand the security boundaries in your cluster. In this talk, we’ll discuss various isolation approaches and evaluate them through the eyes of an attacker who has compromised a node and is looking to propagate.
We’ll deep dive on ‘node isolation’: using Kubernetes scheduling to execute workloads on separate nodes, and demonstrate live attacks and defences to educate about strengths and weaknesses of this strategy. We’ll also discuss progress made by SIG-Auth in this area over the past few releases. After this talk you will understand when node isolation is or isn't an appropriate security mechanism, the steps to implement it, and what some alternatives are.
The Powerful and Comprehensive API for Mobile App Development and Testing (Bitbar)
Watch a live presentation at http://offer.bitbar.com/the-powerful-and-comprehensive-api-for-mobile-app-development-and-testing
Testdroid provides a very powerful and useful API for its users to manage all aspects of mobile development and testing automatically. This powerful API caters to your needs to instantly access our device farm, manage your projects, your test runs and results, plus many other things that will make your mobile app, game and web testing smoother, faster and less stressful on real Android and iOS devices.
Stay tuned and join our upcoming webinars at http://bitbar.com/testing/webinars/
What's new in App Engine and intro to App Engine for Business (Chris Schalk)
This is a presentation given at Devfest Madrid 2010 by Google Developer Advocate Chris Schalk on "What's new in Google App Engine and Intro to App Engine for Business".
Getting Started with API Management – Why It's Needed On-prem and in the Cloud (Revelation Technologies)
APIs are one of the main elements of cloud services. All major cloud service providers expose REST APIs to allow you to programmatically access their services and capabilities. SOAP and REST are the two most common ways of exposing APIs, whether to external, partner, cloud, or internal developers.
The concept of API management is to publish these web APIs for consumption, and includes capabilities such as monitoring, security, and documentation.
This presentation introduces basic concepts of APIs, API management, cloud REST services, and a brief walkthrough of WSO2 API Manager and Oracle API Gateway to see how you can centrally publish, expose, and secure APIs, essentially virtualizing your backend services.
Google App Engine for Java allows developers to build and deploy web applications without managing servers. It provides services for web apps, data storage, authentication, email, and tasks. While it supports many features, it currently lacks support for custom domains on some services, long-running background processes, streaming, and FTP access. The free account has quotas that refresh daily, including a 10MB app size limit and 3000 file limit per app. The document then demonstrates the App Engine dashboard and tools for viewing apps, datastore, and deploying a Java WAR file.
Google Cloud Computing for Java Developers: Platform and Monetization was a presentation given by Chris Schalk at TheEdge 2010 conference in Tel Aviv, Israel on December 16, 2010. The presentation introduced Google App Engine and other Google cloud technologies, discussed monetizing applications, and provided an overview of the Google Prediction API and BigQuery.
HijackLoader Evolution: Interactive Process Hollowing (Donato Onofri)
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Gen Z and the marketplaces - let's translate their needs (Laura Szabó)
The product workshop focused on exploring the requirements of Generation Z in relation to marketplace dynamics. We delved into their specific needs, examined the specifics of their shopping preferences, and analyzed their preferred methods for accessing information and making purchases within a marketplace. Through the study of real-life cases, we tried to gain valuable insights into enhancing the marketplace experience for Generation Z.
The workshop was held at the DMA Conference in Vienna, June 2024.
Ready to Unlock the Power of Blockchain! (Toptal Tech)
Imagine a world where data flows freely, yet remains secure. A world where trust is built into the fabric of every transaction. This is the promise of blockchain, a revolutionary technology poised to reshape our digital landscape.
Toptal Tech is at the forefront of this innovation, connecting you with the brightest minds in blockchain development. Together, we can unlock the potential of this transformative technology, building a future of transparency, security, and endless possibilities.
Discover the benefits of outsourcing SEO to India (davidjhones387)
Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Shopify’s $25k Bug Report, and the Cluster Takeover That Didn’t Happen
1. Shopify's $25K Bug Report and the cluster takeover that didn't happen
Shane Lawrence, Security Infrastructure Engineer, Shopify (Twitter: @shaneplawrence, Github: @shane-lawrence)
Greg Castle, GKE Security Tech Lead, Google (Twitter: @mrgcastle, Github: @destijl)
North America 2018
2. A production security story
Agenda: Introduction, Exchange, Bug report, Attack & defense, Detection, Takeaways
8. Security report and responses (timeline; the slide marks the span as 1 hour)
7:39pm: Report (goo.gl/dqynDa) from André Baptista (0xacb): vuln in Exchange app
7:50pm: Incident declared
8:00pm: Cloudsec and app dev teams contacted
8:43pm: Merged commit to disable vulnerable feature
9:27pm: Investigation and cleanup started (rotate credentials, contact Google, investigate logs)
10. What is Exchange? Marketplace for buying & selling stores.
Screenshot workflow (diagram): 1. Exchange app (create listing, screenshots) sends "request screenshot" to 2. Screenshot service (headless browser), which sends "request storefront" to 3. Test store (test store frontpage); the webpage comes back to the screenshot service, and an image of the page goes back to the Exchange app.
14. Attack: Weaponize SSRF. Existing workflow (diagram): the same flow as slide 10 (1. Exchange app, create listing / screenshots -> request screenshot -> 2. Screenshot service, headless browser -> request storefront -> 3. Test store, test store frontpage -> webpage -> image of page), with 4. Metadata service drawn next to the test store.
15. Attack: Weaponize SSRF (diagram). 3. Test store now serves an exploit page instead of the frontpage; the headless browser in 2. Screenshot service renders it, and the exploit page reaches 4. Metadata service. Got token for the VM's Google service account.
16. Attack: Weaponize SSRF (diagram). The exploit page sends "request token" to 4. Metadata server (v1 endpoint) and receives the default SA token. Got token for the VM's Google service account.
17. Sidebar: What is this Google SA? (diagram) A pod on the node (VM) asks the metadata server for a token; the metadata server returns the token for the node's service account, and that token is then usable against Google APIs.
19. Defense: Require header. Metadata server requires header: Metadata-Flavor: Google. (diagram) The exploit page's request to 4. Metadata server for the default SA token (v1) now fails with "403: header required".
20. Attack: Use old API version. Beta API: no request header required :( (diagram) The exploit page requests the default SA token from the v1beta1 endpoint of 4. Metadata server instead of v1, and receives the token (image of token).
21. Defense: Disable old API versions
• Beta API known issue: APIs still in use
• Disabled by default in new 1.12+ clusters
• Opt-in now: “disable-legacy-endpoints=true”
• goo.gl/JsdJbL for details
22. Defense: Least priv on token
• Default SA least privilege from 1.10+
• May vary if users have granted extra privs
• Shopify had minimal privs for log/mon/debug
• Token not useful to researcher
23. Attack: What other metadata? Metadata server = trust bootstrap for nodes. Export static key from "kube-env". (diagram) 5. Metadata server now exposes the default SA token (v1, v1beta1) and kube-env; the exploit page served by 3. Test store has the screenshot service's headless browser fetch kube-env (image of kube-env).
40. Lessons learned: K8s advice
• Follow cloud provider hardening advice (GKE: g.co/gke/hardening)
• Block off/filter access to any privileged network endpoints
• Run RBAC and Node Authorization (GKE default)
• Apply least privilege for K8s service accounts
• Audit role bindings, especially upgraded clusters
• Collect API logs and have them available to query (GKE default)
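The "block off/filter access to any privileged network endpoints" point, applied inside the screenshot service itself. This is an added example, not code from the talk or from Shopify: a Python decision function meant to be wired into the headless browser's request interceptor so that every request a rendered page triggers is checked, with name resolution injectable (the `make_resolver` table and all hostnames and addresses below are constructed) so it runs offline.

```python
"""Egress guard for a screenshot service's headless browser.

Added example, not code from the talk: a decision function meant to be
called from the browser's request interceptor for EVERY request a rendered
page triggers (subresources, fetch/XHR, redirects), not just the listing URL.
The attack on the slides abused exactly that path: an attacker-controlled
test store page made the headless browser fetch the GCE metadata server.
Name resolution is injectable so the example runs offline.
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], Iterable[str]]

# Names the GCE metadata server answers to, whatever they resolve to.
METADATA_HOSTNAMES = {"metadata.google.internal", "metadata"}
# 169.254.169.254 (the metadata server) lives in this link-local range.
LINK_LOCAL_V4 = ipaddress.ip_network("169.254.0.0/16")


def system_resolver(host: str) -> List[str]:
    """All A/AAAA answers from the OS resolver. getaddrinfo also accepts
    non-dotted forms such as "2852039166", which is why IP-literal tricks
    are caught by resolving rather than by string matching."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def make_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Offline stand-in for system_resolver backed by a constructed table."""
    def resolve(host: str) -> List[str]:
        if host not in table:
            raise socket.gaierror(f"constructed resolver: unknown host {host}")
        return table[host]
    return resolve


def is_forbidden_address(addr: IPAddress) -> bool:
    """Link-local, private, loopback and similar ranges are never fetched.
    Note that Python also classes documentation ranges (203.0.113.0/24,
    2001:db8::/32) as private, which is the conservative choice here."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 -> 169.254.169.254
    return (addr in LINK_LOCAL_V4 or addr.is_link_local or addr.is_private
            or addr.is_loopback or addr.is_reserved or addr.is_multicast
            or addr.is_unspecified)


def allow_request(url: str, resolver: Resolver = system_resolver) -> bool:
    """True only if the headless browser may issue this request."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # no file://, gopher://, data: and friends
    host = parts.hostname  # lowercased, IPv6 brackets stripped
    if not host or host in METADATA_HOSTNAMES:
        return False
    try:
        addresses: List[IPAddress] = [ipaddress.ip_address(host)]
    except ValueError:  # not an IP literal: resolve it
        try:
            addresses = [ipaddress.ip_address(a) for a in resolver(host)]
        except (socket.gaierror, ValueError):
            return False
    if not addresses:
        return False
    # A name that resolves to both a public and a forbidden address is an
    # attack, not an edge case, so any forbidden answer rejects the request.
    return not any(is_forbidden_address(a) for a in addresses)
```

The check is time-of-check/time-of-use exposed: a name can resolve differently on the real fetch, so pin the checked address for the connection, and keep the network-level controls the slides point to (legacy endpoint disablement, metadata concealment) underneath it.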
41. Links and references
Shopify bug bounty: hackerone.com/shopify
Bug report details: goo.gl/dqynDa
GKE disable old APIs: goo.gl/JsdJbL
GKE metadata conceal: goo.gl/u6rrMT
K8s API audit logs: goo.gl/d8YebH
GKE logging: g.co/gke/auditlogging
44. Example log queries
• Broad strokes to get you started
• No standard language for queries like this
• SQL seems most standard
• But includes some BigQuery-isms for unpacking repeated fields
• Validation/tweaking on production clusters needed
• Mostly intended to point out interesting values and fields
45. RBAC Changes (excl system)
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
protopayload_auditlog.methodName LIKE "io.k8s.authorization.rbac.v1%"
AND NOT protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:%"
LIMIT 100
Similarly, use these methodName strings for specific changes to roles or bindings:
“io.k8s.authorization.rbac.v1.roles.%”
“io.k8s.authorization.rbac.v1.rolebindings.%”
“io.k8s.authorization.rbac.v1.clusterroles.%”
“io.k8s.authorization.rbac.v1.clusterrolebindings.%”
46. Creating CSRs via K8s API
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
protopayload_auditlog.resourceName LIKE
"certificates.k8s.io/v1beta1/certificatesigningrequests%"
LIMIT 100
47. Unauth’d web requests
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
protopayload_auditlog.authenticationInfo.principalEmail = "system:anonymous"
LIMIT 100
48. Kubelet bootstrap identity calls
(GKE specific)
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE "kubelet"
LIMIT 100
49. Node authenticated requests
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE protopayload_auditlog.authenticationInfo.principalEmail LIKE "system:node%"
LIMIT 100
50. Calls outside IP range
SELECT
timestamp,
protopayload_auditlog.methodName AS method,
protopayload_auditlog.resourceName AS resource,
protopayload_auditlog.authenticationInfo.principalEmail AS suid,
authzinfo.granted AS granted,
protopayload_auditlog.requestMetadata.callerIp AS saddr
FROM
`gcastle-gke-dev.kubecon2018.cloudaudit_googleapis_com_activity_*`,
UNNEST(protopayload_auditlog.authorizationInfo) AS authzinfo
WHERE
NOT protopayload_auditlog.requestMetadata.callerIp = "127.0.0.1"
AND NOT protopayload_auditlog.requestMetadata.callerIp = "::1"
AND protopayload_auditlog.requestMetadata.callerIp NOT LIKE "8.8%"
LIMIT 100
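The same six selections as the BigQuery queries above, re-implemented as an added Python example (not the talk's code) over a handful of constructed audit-log entries so each rule can be unit-tested before being adapted to a real cluster. Field names mirror the columns the slides SELECT; the entries and the `ALLOWED_CALLER_RANGES` standing in for the "8.8%" prefix are made up.

```python
"""The slide deck's audit-log queries, re-run in Python over sample entries.

Added example, not the talk's code: the six BigQuery selections are
re-implemented as filter functions so they can be unit-tested on constructed
log entries. Field names mirror the columns the slides SELECT from the Cloud
Audit Logs export; entry values and allowed caller ranges are invented.
"""
import ipaddress
from typing import Callable, Dict, List

Entry = Dict[str, object]


def make_entry(ts, method, resource, principal, granted, caller_ip) -> Entry:
    """Build one flattened entry in the shape the queries expect."""
    return {"timestamp": ts, "methodName": method, "resourceName": resource,
            "principalEmail": principal,
            "authorizationInfo": [{"granted": granted}], "callerIp": caller_ip}


# Constructed sample entries (times, names and addresses are invented).
SAMPLE_ENTRIES: List[Entry] = [
    make_entry("2018-12-11T19:50:01Z",
               "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
               "rbac.authorization.k8s.io/v1/clusterrolebindings/debug-admin",
               "alice@example.com", True, "203.0.113.7"),
    make_entry("2018-12-11T19:50:02Z", "io.k8s.authorization.rbac.v1.roles.update",
               "rbac.authorization.k8s.io/v1/namespaces/kube-system/roles/ext",
               "system:serviceaccount:kube-system:ext", True, "10.0.0.5"),
    make_entry("2018-12-11T19:51:10Z",
               "io.k8s.certificates.v1beta1.certificatesigningrequests.create",
               "certificates.k8s.io/v1beta1/certificatesigningrequests/csr-7k2",
               "kubelet", True, "10.0.0.9"),
    make_entry("2018-12-11T19:52:30Z", "io.k8s.core.v1.secrets.list",
               "core/v1/namespaces/default/secrets",
               "system:anonymous", False, "198.51.100.4"),
    make_entry("2018-12-11T19:53:00Z", "io.k8s.core.v1.pods.get",
               "core/v1/namespaces/default/pods/web-1",
               "system:node:gke-pool-1-abcd", True, "10.0.0.9"),
    make_entry("2018-12-11T19:53:05Z", "io.k8s.core.v1.nodes.list", "core/v1/nodes",
               "system:kube-controller-manager", True, "127.0.0.1"),
]

# Stands in for the "8.8%" prefix on the slides: where callers should come from.
ALLOWED_CALLER_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                         ipaddress.ip_network("203.0.113.0/24")]


def rbac_changes(e: Entry) -> bool:
    """Slide 45: RBAC API calls not made by a system: principal."""
    return (str(e["methodName"]).startswith("io.k8s.authorization.rbac.v1")
            and not str(e["principalEmail"]).startswith("system:"))


def csr_creations(e: Entry) -> bool:
    """Slide 46: anything under the v1beta1 certificatesigningrequests path."""
    return str(e["resourceName"]).startswith(
        "certificates.k8s.io/v1beta1/certificatesigningrequests")


def anonymous_requests(e: Entry) -> bool:
    """Slide 47: unauthenticated callers."""
    return e["principalEmail"] == "system:anonymous"


def kubelet_bootstrap(e: Entry) -> bool:
    """Slide 48 (GKE specific): the shared kubelet bootstrap identity."""
    return e["principalEmail"] == "kubelet"


def node_requests(e: Entry) -> bool:
    """Slide 49: calls authenticated as a node."""
    return str(e["principalEmail"]).startswith("system:node")


def outside_ip_range(e: Entry, allowed=ALLOWED_CALLER_RANGES) -> bool:
    """Slide 50: callers that are neither localhost nor in an expected range."""
    ip = ipaddress.ip_address(str(e["callerIp"]))
    return not ip.is_loopback and not any(ip in net for net in allowed)


RULES: Dict[str, Callable[[Entry], bool]] = {
    "rbac_changes": rbac_changes, "csr_creations": csr_creations,
    "anonymous_requests": anonymous_requests, "kubelet_bootstrap": kubelet_bootstrap,
    "node_requests": node_requests, "outside_ip_range": outside_ip_range,
}


def run_rules(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Apply every rule; the granted flag stays inside each matched entry."""
    return {name: [e for e in entries if rule(e)] for name, rule in RULES.items()}
```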