This talk introduces and discusses a novel, mostly unpublished technique to successfully attack websites that are applied with state-of-the-art XSS protection. This attack labeled Mutation-XSS (mXSS) is capable of bypassing high-end filter systems by utilizing the browser and its unknown capabilities - every single f***** one of them. We analyzed the type and number of high-profile websites and applications that are affected by this kind of attack. Several live demos during the presentation will share these impressions and help understanding, what mXSS is, why mXSS is possible and why it is of importance for defenders as well as professional attackers to understand and examine mXSS even further. The talk wraps up several years of research on this field, shows the abhorrent findings, discusses the consequences and delivers a step-by-step guide on how to protect against this kind of mayhem - with a strong focus on feasibility and scalability.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
These are the slides from a talk "DNS exfiltration using sqlmap" held at PHDays 2012 conference (Russia / Moscow 30th–31st May 2012) by Miroslav Stampar.
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now and step-by-step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretic language but already crawled across the doorstep and now lurks under your bed, ready for the nasty, waiting for the right moment to bite.
Now, what is this whole ES6 thing? How did it develop and who made it? And why is it now implemented in your favorite browser? And what does it mean for web-security and beyond?
This talk will answer these questions and showcase the new language from an attacker's perspective. You will see the new code constructs possible to be executed with ES6, new attack vectors and learn what you can do to tame that beast. Kafkaesque terminology such as expression interpolation, proper tail calls, computed properties, spread parameters, modules and tagged template strings will no longer be surprising you after attending this talk.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Containers are incredibly convenient to package applications and deploy them quickly across the data center.
This talk will introduce RunX, a new project under LF Edge that aims at bringing containers to the edge with extra benefits. At the core, RunX is an OCI-compatible container runtime to run software packaged as containers as Xen micro-VMs. RunX allows traditional containers to be executed with a minimal overhead as virtual machines, providing additional isolation and real-time support.
It also introduces new types of containers designed with edge and embedded deployments in mind. RunX enables RTOSes, and baremetal apps to be packaged as containers, delivered to the target using the powerful containers infrastructure, and deployed at runtime as Xen micro-VMs. Physical resources can be dynamically assigned to them, such as accelerators and FPGA blocks.
This presentation will go through the architecture of RunX and the new deployment scenarios it enables. It will provide an overview of the integration with Yocto Project via the meta-virtualization layer and describe how to build a complete system with Xen and RunX.
The presentation will come with a live demo on embedded hardware.
Grails offers a number of options for implementing asynchronous and event-driven applications, from the low-level Servlet 3.0 async support to the Promise API abstraction, which supports GPars, RxJava 1 & 2. At the GORM level, there is also the async namespace, and RxGORM. Finally, a brand new events API shipped with Grails 3.3, which moves off Reactor, will help users to implement event-driven applications.
In this session, the speaker will walk the audience through such options.
Binder is what differentiates Android from Linux, it is most important internal building block of Android, it is a subject every Android programmer should be familiar with
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will behighly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried on and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
Web 2016 (13/13) Securitatea aplicațiilor WebSabin Buraga
Tehnologii Web (prezentările aferente disciplinei predate de Sabin Buraga la Facultatea de Informatică, Universitatea A.I. Cuza din Iași) – detalii la http://profs.info.uaic.ro/~busaco/teach/courses/web/web-film.html
[errata] For more information on DCSync and associated permissions, as well as AdminSDHolder and associated permissions, see Sean Metcalf's respective posts at https://adsecurity.org/?p=1729 and https://adsecurity.org/?p=1906 .
"An ACE Up the Sleeve: Designing Active Directory DACL Backdoors" was presented at BlackHat and DEF CON 2017.
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
A story of the passive aggressive sysadmin of AEMFrans Rosén
# By Frans Rosén
Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.
Then came security.
Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentialy exposed an international multi billion dollar company using only sad thoughts.
# About speaker
Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.
Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time and the results of his security research has been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
Microsoft's web browsers, Internet Explorer and Edge, have a feature called 'XSS filter' built in which protects users from XSS attacks. In order to deny XSS attacks, XSS filter looks into the request for a string resembling an XSS attack, compares it with the page and finds the appearance of it, and rewrites parts of the string if it appears in the page. This rewriting process of the string - is this done safely? The answer is no. This time, I have found a way to exploit XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerability. In this talk, I will describe technical details about possibilities of XSS attacks exploiting XSS filter and propose what website administrators should do to face this XSS filter nightmare.
ECMAScript 6 from an Attacker's Perspective - Breaking Frameworks, Sandboxes,...Mario Heiderich
ECMAScript 6, in short ES6, has been boiling in a copper pot for many years by now and step-by-step, browser vendors come forward to taste the first sips of this mystery soup. So, ES6 is no longer a theoretic language but already crawled across the doorstep and now lurks under your bed, ready for the nasty, waiting for the right moment to bite.
Now, what is this whole ES6 thing? How did it develop and who made it? And why is it now implemented in your favorite browser? And what does it mean for web-security and beyond?
This talk will answer these questions and showcase the new language from an attacker's perspective. You will see the new code constructs possible to be executed with ES6, new attack vectors and learn what you can do to tame that beast. Kafkaesque terminology such as expression interpolation, proper tail calls, computed properties, spread parameters, modules and tagged template strings will no longer be surprising you after attending this talk.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Containers are incredibly convenient to package applications and deploy them quickly across the data center.
This talk will introduce RunX, a new project under LF Edge that aims at bringing containers to the edge with extra benefits. At the core, RunX is an OCI-compatible container runtime to run software packaged as containers as Xen micro-VMs. RunX allows traditional containers to be executed with a minimal overhead as virtual machines, providing additional isolation and real-time support.
It also introduces new types of containers designed with edge and embedded deployments in mind. RunX enables RTOSes, and baremetal apps to be packaged as containers, delivered to the target using the powerful containers infrastructure, and deployed at runtime as Xen micro-VMs. Physical resources can be dynamically assigned to them, such as accelerators and FPGA blocks.
This presentation will go through the architecture of RunX and the new deployment scenarios it enables. It will provide an overview of the integration with Yocto Project via the meta-virtualization layer and describe how to build a complete system with Xen and RunX.
The presentation will come with a live demo on embedded hardware.
Grails offers a number of options for implementing asynchronous and event-driven applications, from the low-level Servlet 3.0 async support to the Promise API abstraction, which supports GPars, RxJava 1 & 2. At the GORM level, there is also the async namespace, and RxGORM. Finally, a brand new events API shipped with Grails 3.3, which moves off Reactor, will help users to implement event-driven applications.
In this session, the speaker will walk the audience through such options.
Binder is what differentiates Android from Linux, it is most important internal building block of Android, it is a subject every Android programmer should be familiar with
Cusomizing Burp Suite - Getting the Most out of Burp ExtensionsAugust Detlefsen
This lecture gives pentesters and security tool developers an overview of the APIs available to extend the Burp Suite intercepting proxy. Using open-source examples developed by the author I illustrate a number of key areas for anyone wishing to create extensions for Burp Suite:
- Passive scanning
- Active scanning
- Identifying insertion points
- Request modification
The presentation includes code samples and links to actual open source Burp Suite plugins developed by the author.
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints like pentesters but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will behighly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier to exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried on and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
Most learning materials for web app pentesting focus on “old school” apps. Maybe they have a little jQuery sprinkled in, but most of the heavy-lifting happens server-side. With the dawn of frontend frameworks like AngularJS, Vue, and React and Single-Page Applications, the way web apps are developed is changing, and pentesters need to keep up. This talk runs through common security issues with and approaches to testing these new apps.
Web 2016 (13/13) Securitatea aplicațiilor WebSabin Buraga
Tehnologii Web (prezentările aferente disciplinei predate de Sabin Buraga la Facultatea de Informatică, Universitatea A.I. Cuza din Iași) – detalii la http://profs.info.uaic.ro/~busaco/teach/courses/web/web-film.html
Was Responsive Webdesign meint, ist klar: Ein Layout, das sich flexibel an die Bildschirmgröße des Clients anpasst. Für einen perfekten Auftritt auf dem Smartphone ebenso wie dem UltraHD-TV.
Was so schön klingt, birgt aber auch viele Fallstricke. Der Vortrag wird einige von ihnen Vorstellen: Von extravaganten Kundenwünschen, überraschender Browser-Inkompatibilität und der Verwendung von iFrames bis hin zu responsiven HTML-Newslettern. Abgerundet wird der Talk durch verschiedene Beispiele für den Workflow, Testing-Strategien und dem Thema SEO im Zusammenhang mit Responsive Webdesign.
Native Cross-Platform-Apps mit Titanium Mobile und AlloyMayflower GmbH
Dank der Webtechnologien stehen Ihnen viele Möglichkeiten bereit, auf dem mobilen Markt präsent zu sein. Da sind unter anderem W3C Widgets, mobile Webseiten, Webapplikationen und als native App verpackte Webapplikationen. Eine weitere Möglichkeit stellt das Titanium-Mobile-SDK dar. Das Besondere: Mit Titanium erstellte Apps sind nativ. Aus nur einer Codebasis können Sie eine native Anwendung für iOS, Android, BlackBerry und Tizen generieren, sowie eine Webapplikation. Nativ bedeutet, die Apps werden nicht nur sehr schnell ausgeführt, sondern es stehen Ihnen für eine optimale Usability auch native UI Widgets zur Verfügung. Interessant ist das SDK daher nicht nur für Webentwickler, sondern auch für Entwickler, die ihre Apps bisher aufwändig individuell nativ entwickelt haben. Mit Titanium benötigen Sie lediglich JavaScript-Kenntnisse.
Warum gilt Management bei Entwicklern als notorisch schlecht? Wie kann es kommen, dass ein Entwickler der eben noch auf die Leitung schimpfte sich selbst identisch verhält, sobald er in die Funktion rückt? Wie würde gutes Management in der IT denn aussehen? Wir berichten über unserer naiven Fehler am Anfang, unsere Erfahren auf der agilen Reise und über das, bei dem wir heute angekommen sind. Und wir haben wirklich viel falsch gemacht.
Talk given in Bsides Lisbon 2015 by me and Herman Duarte.
Based on our experience on testing mobile applications, both on Android and iOS, we challenged ourselves on doing an assessment of both app stores' applications, using OWASP mobile top 10 as a reference in terms of vulnerabilities to search for.
As a criteria for choosing the apps to test, we focused on the most common mobile applications available in the Portuguese Android and iOS app stores, from several categories such as finance, social media, medical and security.
For this talk we expect to highlight the most interesting design choices both good and bad and what should be done to avoid such mistakes.
Wenn der größte Teil der Logik in JavaScript stattfindet, dann findet auch der größere Teil der Sicherheitsrisiken dort sein Zuhause. Und auch Angreifer finden mit JavaScript eine interessante neue Spielwiese, denn die Sprache selbst und auch Ihre Heimat in Browser und Node.js bringen neue Probleme.
Genau da setzt der Vortrag an: die verblüffenden Unterschiede von JavaScript zu anderen Sprachen, wenn es um Security geht. Die Risiken und auch die Besonderheiten von Browsern und anderen JavaScript-Engines wie Node.js. Die Security-Implikationen von JavaScript-Frameworks bis hin zu speziellen Problemen wie mXSS, ReDOS und HTML5-Security.
Aussagen wie "Pair Programming ist langsam", "Pair Programming ist nur was für Junior Entwickler zum Übertragen von Domainwissen", "Pair Programming verbrennt zu viele Resourcen und ist nichts für mein Projekt", "Meine Tasks sind zu komplex fürs Pair Programming" oder "Im Moment haben wir keine Zeit fürs Pair Programming, wir müssen liefern (fertig werden)" werden oft als Argumente gegen Pair Programming vorgebracht.
Mit diesem Talk/Webinar möchte Martin Ruprecht den Aussagen entgegentreten und seine Erfahrungen aus den letzten Kundenprojekten weitergeben und zeigen, wann Pair Programming sinnvoll eingesetzt werden kann und warum in jedem Projekt im Pair programmiert werden sollte.
Zielgruppe:
Wenn Sie Entwickler oder Projektverantwortlicher sind, dann ist dieser Talk/dieses Webinar genau richtig für Sie.
Über Martin Ruprecht:
Martin Ruprecht arbeitet seit mehreren Jahren bei Mayflower und ist JavaScript und PHP-Entwickler. Zuvor studierte er erfolgreich Medientechnik/Medieninformatik an der FH Deggendorf. Neben seiner Tätigkeit als Entwickler bei Mayflower organisiert Martin regelmäßig Coding Dojos in München, tritt auf Konferenzen auf und hält Vorträge und Workshops zum Thema JavaScript, Testing und Qualitätssicherung in Webprojekten.
Mit Maintenance umgehen können- Fixt du noch Bugs oder lieferst du schon neue...Mayflower GmbH
Nach dem erfolgreichen Launch einer Software gibt es immer das gleiche Dilemma: Neue Features konkurrieren mit Bugs und Anpassungen an der bestehenden Software, die aus dem operativen Betrieb kommen. Und die Gretchenfrage nach dem dringenden und dem wichtigsten stellt sich kontinuierlich und es braucht einen Mechanismus um diese zu Balancieren. Ich möchte die Auswirkungen von Maintenance parallel zur Produktentwicklung aufzeigen, die Folgeprobleme benennen und Strategien vorstellen um dieses Dilemma zu umgehen.
An Abusive Relationship with AngularJS by Mario Heiderich - CODE BLUE 2015CODE BLUE
Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away. This talk will have a stern, very stern look at AngularJS in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0? Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base? This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson learnt and hopefully agree that progress doesn't invariably mean an enhancement.
CONFidence 2018: XSS is dead. We just don't get it (Mario Heiderich)PROIDEA
XSS is about twenty years old by now and appears to be alive and kicking. JavaScript alerts are still popping left and right and bug bounty programs are drowning in submissions. But is XSS really still a problem of our time? Or is it just an undead foul-smelling zombie vulnerability from the dark ages of string concatenation that doesn't wanna perish because we are just too f**** stubborn? This talk will be an hour-long rant (yes, swearwords, leave your kids at home), paired with a stroll through the history of XSS and related issues. We will go back into the year 1998 and see how it all started, how things developed, what we tried to do against it and how hard we failed every single time. We will also look at the future and predict what is about to happen next. Mostly nothing - but good to know, right? We will not only look at our own failures but also see how the entire infrastructure and monetization of the web contributed to us being simply not capable or even just willing to fix XSS. And we might as well see if any of those behavioral and structural patterns can be compared to other human failures - and see if there is something we all can learn. Or, at least, agree that we knew it all along and are all on the same page.
StHack 2014 - Mario "@0x6D6172696F" Heiderich - JSMVCOMFGStHack
There is a way to build common, classic web applications. You know, servers, databases, some HTML and a bit of JavaScript. Ye olde way.
Grandfather still knows. And there is a way to build hip and fancy, modern and light-weight, elastic and scalable client-side web applications. Sometimes with a server in the background, sometimes with a database ? but all the hard work is done by something new: JavaScript Model-View-Controller and templating frameworks.
Angular, Ember and CanJS, Knockout, Handlebars and Underscore? those aren't names of famous wrestlers but modern JavaScript fame-works that offer a boost in performance and productivity by taking care of many things web-app right there in the browser, where the magic happens. And more and more people jump on the bandwagon and implement those frameworks with great success. High time for a stern look from the security perspective, ain't it not?
This talk will show you how those frameworks work, how secure their core is and what kind of security issues spawn from the generous feature cornucopia they offer. Do their authors really know the DOM well enough to enrich it with dozens of abstraction layers? Or did they open a gate straight to JavaScript hell introducing a wide range of new injection bugs and coding worst-practices? Well, you'll know after this talk. You'll know?
Code quality; patch quality, Malcolm Tredinnick. Python user for 13 years. Linux user for even longer. Malcolm has worked with a wide variety of systems from banking and stock exchange interfaces, to multi-thousand server database-backed websites. These days, Malcolm's primary open source contributions are as a core developer for Django and advocate for Python.
All Open Source projects welcome patches from people willing to help fix bugs or implement feature requests. That's why we launch the source code into the wilds in the first place. If you are wanting to contribute, however, the process can seem a bit daunting, particularly when you are first starting out. Am I doing it properly? What will happen if I do it wrong? How can I do the best thing possible from the start? These are all typical worries. I've had them, others have had them and you're not alone if they cross your mind. In this talk, we will go over a few basic ideas for producing patch submissions that make things as easy as possible both for yourself and the code maintainers. How to help the maintainers help you. Malcolm has been a core maintainer for Django for over give years and has seen a few good and bad contributions in his time. These are the harmless and useful lessons that can be drawn from that experience.
Getting the basics right when starting to contribute patches to open source. The patches don't have to be perfect, but you should tuck your shirt in and use neat handwriting to get in the door.
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
Derbycon 2011
This talk is about methodologies and tools that we use or have coded that make our lives and pentest schedule a little easier, and why we do things the way we do. Of course, there will be a healthy dose of Metasploit in the mix.
Eko10 - Security Monitoring for Big Infrastructures without a Million Dollar ...Hernan Costante
Nowadays in an increasingly more complex and dynamic network its not enough to be a regex ninja and storing only the logs you think you might need. From network traffic to custom logs you won't know which logs will be crucial to stop the next attacker, and if you are not planning to spend a half of your security budget in a commercial solution we will show you a way to building you own SIEM with open source. The talk will go from how to build a powerful logging environment for your organization to scaling on the cloud and storing everything forever. We will walk through how to build such a system with open source solutions as Elasticsearch and Hadoop, and creating your own custom monitoring rules to monitor everything you need. The talk will also include how to secure the environment and allow restricted access to other teams as well as avoiding common pitfalls and ensuring compliance standards.
This presentation was given to a group of SFS students at GW. It's designed to be semi-case study driven on the problems I've encountered on assessments and how programming can help solve them.
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
Browsers HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to success as we see it now, it is quite unsatisfactory from a security perspective. In fact, this solution does not face the problem of letting third party code access the whole data in the DOM when explicitly loaded and executed by the browser. This behaviour opens the door to malicious third party code attacks that can be achieved using either Cross Site Scripting (OWASP Top Ten Security risk #1 for many years) or second order attacks, such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on successes and failures of the most interesting open source sandboxing browser techniques.
This talk is about why I believe having the ability to write tools and/or scripts can help elevate a Pen Testers game to the next level.
The talk is case study driven by the different scenarios I've encountered on assessments and the scripts or tools that have been developed as a result.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Mario Heiderich
The clipboard is one of the most commonly used tools across operating systems, window managers and devices. Pressing Ctrl-C and Ctrl-V has become so fundamentally important to productivity and usability that we cannot get rid of it anymore. We happily and often thoughtlessly copy things from one source and paste them into another. URLs into address-bars, lengthy commands into console windows, text segments into web editors and mail interfaces. And we never worry about security when doing so. Because what could possibly go wrong, right?
But have we ever asked ourselves what the clipboard content actually consists of? Do we really know what it contains? And are we aware of the consequences a thoughtless copy&paste interaction can have? Who else can control the contents of the clipboard? Is it really just us doing Ctrl-C or is there other forces in the realm who are able to infect what we believe to be clean, who can desecrate what we trust so blindly that we never question or observe it?
This talk is about the clipboard and the technical details behind it. How it works, what it really contains – and who can influence its complex range of contents. We will learn about a new breed of targeted attacks, including cross-application XSS from PDF, ODT, DOC and XPS that allow to steal website accounts faster than you can click, turn your excel sheet into a monster and learn about ways to smuggle creepy payload that is hidden from sight until it executes. Oh, and we’ll also see what can be done about that and what defensive measures we achieved to create so far.
Dev and Blind - Attacking the weakest Link in IT SecurityMario Heiderich
The developer is an easy and valuable target for malicious minds. The reasons for that are numerous and hard to come by. This talk delivers examples, proof, discussion and awkward moments in a pretty special way.
Everybody hates developers – especially web developers. And why not? The cracks and crevices of their APIs and implementations are the reason that vulnerabilities in web applications are still a widespread issue – and will continue to be in the foreseeable future.
Bashing and blaming them for their wrongdoings is fun – boy, they are stupid in their mistakes! But has anyone ever dared to have an open on stage battle with an actual developer?
And who of the developers dares to face their collective nemesis – the attacker? Can there be life where matter and anti-matter collide? We will know about this soon – because this is what this talk is going to be about. Developer versus attacker – vulnerability versus defense. Be prepared for swearing, violence and people leaving the stage prematurely in tears.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Palestine last event orientationfvgnh .pptxRaedMohamed3
An EFL lesson about the current events in Palestine. It is intended to be for intermediate students who wish to increase their listening skills through a short lesson in power point.
The Roman Empire A Historical Colossus.pdfkaushalkr1407
The Roman Empire, a vast and enduring power, stands as one of history's most remarkable civilizations, leaving an indelible imprint on the world. It emerged from the Roman Republic, transitioning into an imperial powerhouse under the leadership of Augustus Caesar in 27 BCE. This transformation marked the beginning of an era defined by unprecedented territorial expansion, architectural marvels, and profound cultural influence.
The empire's roots lie in the city of Rome, founded, according to legend, by Romulus in 753 BCE. Over centuries, Rome evolved from a small settlement to a formidable republic, characterized by a complex political system with elected officials and checks on power. However, internal strife, class conflicts, and military ambitions paved the way for the end of the Republic. Julius Caesar’s dictatorship and subsequent assassination in 44 BCE created a power vacuum, leading to a civil war. Octavian, later Augustus, emerged victorious, heralding the Roman Empire’s birth.
Under Augustus, the empire experienced the Pax Romana, a 200-year period of relative peace and stability. Augustus reformed the military, established efficient administrative systems, and initiated grand construction projects. The empire's borders expanded, encompassing territories from Britain to Egypt and from Spain to the Euphrates. Roman legions, renowned for their discipline and engineering prowess, secured and maintained these vast territories, building roads, fortifications, and cities that facilitated control and integration.
The Roman Empire’s society was hierarchical, with a rigid class system. At the top were the patricians, wealthy elites who held significant political power. Below them were the plebeians, free citizens with limited political influence, and the vast numbers of slaves who formed the backbone of the economy. The family unit was central, governed by the paterfamilias, the male head who held absolute authority.
Culturally, the Romans were eclectic, absorbing and adapting elements from the civilizations they encountered, particularly the Greeks. Roman art, literature, and philosophy reflected this synthesis, creating a rich cultural tapestry. Latin, the Roman language, became the lingua franca of the Western world, influencing numerous modern languages.
Roman architecture and engineering achievements were monumental. They perfected the arch, vault, and dome, constructing enduring structures like the Colosseum, Pantheon, and aqueducts. These engineering marvels not only showcased Roman ingenuity but also served practical purposes, from public entertainment to water supply.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
Synthetic Fiber Construction in lab .pptxPavel ( NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. ynthetic fibers are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
1. The innerHTML Apocalypse
How mXSS attacks change everything we believed to know so far
A presentation by Mario Heiderich
mario@cure53.de || @0x6D6172696F
2. Our Fellow Messenger
● Dr.-Ing. Mario Heiderich
● Researcher and Post-Doc, Ruhr-Uni Bochum
– PhD Thesis on Client Side Security and Defense
● Founder of Cure53
– Penetration Testing Firm
– Consulting, Workshops, Trainings
– Simply the Best Company of the World
● Published author and international speaker
– Specialized in HTML5 and SVG Security
– JavaScript, XSS and Client Side Attacks
● HTML5 Security Cheatsheet
– @0x6D6172696F
– mario@cure53.de
3. Research Focus
●
Everything inside <>
● HTML 2.0 – 5.1
● JavaScript / JScript, VBS
● Plug-ins and Controls
● Editable Rich-Text
● SVG, MathML, XLS, XDR
● CSS, Scriptless Attacks
● ES5 / ES6
● DOM Clobbering
● No binary stuff. My brain
cannot :)
● Offense
● Injection Scenarios
● Active File formats
● Parser Analysis
● Archeology & Legacy Porn
● Defense
● XSS Filter / WAF / IDS
● CSP, DOM-based XSS Filter
● DOM Policies
● DOM + Trust & Control
4. Why?
●
HTML on its way to ultimate power
●
Websites and Applications
●
Instant Messengers and Email Clients
●
Local documentation and presentations
● Router Interfaces and coffee-machine UIs
● Medical Devices – according to this source
● Operating systems, Win8, Tizen
● HTML + DOM + JavaScript
● “I mean look at friggin' Gmail!”
● I measured the amount of JavaScript on 27th of Jan. 2013
● It was exactly 3582,8 Kilobytes of text/javascript
5. Defense
● Several layers of defense over the years
● Network-based defense, IDS/IPS, WAF
● Server-side defense, mod_security, others
● Client-side defense, XSS Filter, CSP, NoScript
● “We bypassed, they fixed.”
● A lot of documentation, sometimes good ones too!
● Hundreds of papers, talks, blog posts
● Those three horsemen are covered quite well!
6. Horsemen?
●
Reflected XSS
● The White Horse – “Purity”. Easy to
understand, detect and prevent.
●
Stored XSS
● The Red Horse – “War”. Harder to
detect and prevent – where
rich-text of benign nature is
needed.
● DOMXSS
● The Black Horse – “Disease”.
Harder to comprehend. Often
complex, hard to detect and
prevent.
10. Assumptions
● Reflected XSS comes via URL / Parameters
● We can filter input properly
● Persistent XSS comes via POST / FILE
● We can filter output properly
● Tell good HTML apart from bad
● DOMXSS comes from DOM properties
● No unfiltered usage of DOMXSS sources
● We can be more careful with DOMXSS sinks
● We can create safer JavaScript business logic
● Following those rules + handling Uploads properly + setting
some headers mitigates XSS. Right?
11. That telling apart...
● Advanced filter libraries
● OWASP Antisamy / XSS Filter Project
● HTML Purifier
● SafeHTML
● jSoup
● Many others out there
● Used in Webmailers, CMS, Social Networks
● Intranet, Extranet, WWW, Messenger-Tools, Mail-Clients
● They are the major gateway between
● Fancy User-generated Rich-Text
● And a persistent XSS
● Those things work VERY well!
● Without them working well, shit would break
12. “But what if we can fool those tools? Just ship
around them. Every single one of them?”
14. Decades Ago...
● MS added a convenient DOM property
● It was available in Internet Explorer 4
● Allowed to manipulate the DOM...
● … without even manipulating it...
● … but have the browser do the work!
● element.innerHTML
● Direct access to the elements HTML content
● Read and write of course
● Browser does all the nasty DOM stuff internally
15. Look at this
// The DOM way
var myId = "spanID";
var myDiv = document.getElementById("myDivId");
var mySpan = document.createElement('span');
var spanContent = document.createTextNode('Bla');
mySpan.id = mySpanId;
mySpan.appendChild(spanContent);
myDiv.appendChild(mySpan);
// The innerHTML way
var myId = "spanID";
var myDiv = document.getElementById("myDivId");
myDiv.innerHTML = '<span id="'+myId+'">Bla</span>';
16. Compared
● Pro
● It's easy
● It's fast
● It's now a standard
● It just works
● It's got a big
brother.. outerHTML
● Contra
● Bit bitchy with tables
● Slow on older
browsers
● No XML
● Not as “true” as real
DOM manipulation
18. Rich Text Editors
● The basically exist because of innerHTML
● And of course contentEditable
● And they are everywhere
● CMS
● Webmailers
● Email Clients
● Publishing Tools
20. Internals
● We might be naïve and assume:
● ƒ(ƒ(x)) ≡ ƒ(x)
● Idempotency
● An elements innerHTML matches it's actual content
● But it doesn't
● It's non-idempotent and changes!
● And that's usually even very good!
● Performance
● Bad markup that messes up structure
● Illegal markup in a sane DOM tree
21. Examples
● We have a little test-suite for you
● Let's see some examples
● And why non-idempotency is actually good
IN: <div>123 OUT: <div>123</div>
IN: <Div/class=abc>123 OUT: <div class="abc">123</div>
IN: <span><dIV>123</span> OUT: <span><div>123</div></span>
22. Funny Stuff
● So browsers change the markup
● Sanitize, beautify, optimize
● There's nothing we can do about it
● And it often helps
● Some funny artifacts exist...
● Comments for instance
● Or try CDATA sections for a change...
IN: <!-> OUT: <!----->
IN: <!--> OUT: <!---->
IN: <![CDATA]> OUT: <!--[CDATA]-->
24. It was back in 2006...
● .. when a fellow desk-worker noticed a
strange thing. Magical, even!
25. The Broken Preview
● Sometimes print preview was bricked
● Attribute content bled into the document
● No obvious reason...
● Then Yosuke Hasegawa analyzed the problem
● One year later in 2007
● And discovered the first pointer to mXSS
28. Pretty bad
● But not new
● Still, works like a charm!
● Update: A patch is on the way!
● Update II: Patch is out!
● But not new
● Did you like it though?
● Because we have “new” :)
29. Unknown Elements
● Again, we open our test suite
● Requires IE9 or older
● Two variations – one of which is new
● The other discovered by LeverOne
32. Not Entirely Bad
● Few websites allow xmlns
● Everybody allows (or will allow) <article> though
● Harmless HTML5
● Alas it's a HTML4 browser – as is IE in older document
modes
● Wait, what are those again?
● <meta http-equiv="X-UA-Compatible" content="IE=IE5" />
● Force the browser to fall-back to an old mode
● Old features, old layout bugs...
● And more stuff to do with mutations
34. Style Attributes
● Everybody loves them
● It's just CSS, right?
● XSS filters tolerate them
● But watch their content closely!
● No CSS expressions
● No behaviors (HTC) or “scriptlets” (SCT)
● Not even absolute positioning...
● ...or negative margins, bloaty borders
35. Let's have a look
● And use our test suite again
● All IE versions, older Firefox
37. “And there's so many variations!”
And those are just for you, fellow conference attendees,
they are not gonna be on the slides
So enjoy!
38. HTML Entities
● Chrome messed up with <textarea>
● Found and reported by Eduardo
● Firefox screwed up with SVG
<svg><style><img src=x onerror=alert(1)></svg>
● IE has problems with <listing>
● <listing><img src=x onerror=alert(1)></listing>
● Let's have another look again and demo...
● Also...text/xhtml!
● All CDATA will be decoded!
● That's also why inline SVG and MathML add more fun
39. Who is affected?
● Most existing HTML filters and sanitizers
● Thus the software they aim to protect
● HTML Purifier, funny, right?
● JSoup, AntiSamy, HTMLawed, you name it!
● Google Caja (not anymore since very recently)
● All tested Rich-Text Editors
● Most existing Web-Mailers
● This includes the big ones
● As well as open source tools and libraries
● Basically anything that obeys standards...
● .. and doesn't know about the problem
46. How to Protect?
● Fancy Websites
● Enforce standards mode
● Avoid getting framed, use
XFO
● <!doctype html>
● Use CSP
● Motivate users to upgrade
browsers
● Avoid SVG and MathML
● Actual Websites
● Patch your filter!
● Employ strict white-lists
● Avoid critical characters in
HTML attribute values
● Be extremely paranoid about
user-generated CSS
● Don't obey to standards
● Know the vulnerabilities
And for Pentesters?
Inject style attributes + backslash or ampersand and
you have already won.
Nothing goes? Use the back-tick trick.
47. Alternatives
● mXSS Attacks rely on mutations
● Those we can mitigate in the DOM
● Behold... TrueHTML
● Here's a small demo
● We intercept any innerHTML access
● And serialize the markup... XML-style
● Mitigates a large quantity of attack vectors
● Not all though
● Know thy CDATA sections
● Avoid SVG whenever possible
● Inline-SVG is the devil :) And MathML isn't much better...
48. Takeaway?
● So, what was in it for you?
● Pentester: New wildcard-bug pattern
● Developer: Infos to protect your app
● Browser: Pointer to a problem-zone to watch
● Specifier: Some hints for upcoming specs
49.
50. Wrapping it up
● Today we saw
● Some HTML, DOM and browser history
● Some old yet unknown attacks revisited
● Some very fresh attacks
● A “pentest joker”
● Some guidelines on how to defend
● The W3C's silver bullet. For 2015 maybe.
51. The End
● Questions?
● Comments?
● Can I have a drink now?
● Credits to
● Gareth Heyes, Yosuke Hasegawa, LeverOne,
● Eduardo Vela, Dave Ross, Stefano Di Paola