The document summarizes the PHP lifecycle when used with Apache. It describes the request process from the client request, Apache parsing the request and handling it, to PHP parsing, compiling and executing the script. It provides code examples from key points in the PHP parsing and execution process within the Zend engine. Sample requests are outlined from client to server processing and the PHP opcodes and execution.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
This presentation walks through essential points for developing and working with REST APIs or web services to communicate through various platforms. This also explains HTTP methods.
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
Presentation slides of Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch. Ask all your question's related to the webcast here http://goo.gl/Vv10hJ. Don't forget to leave you feedback here https://goo.gl/YrBeic.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
This presentation walks through essential points for developing and working with REST APIs or web services to communicate through various platforms. This also explains HTTP methods.
Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified...Garage4hackers.com
Presentation slides of Garage4Hackers Ranchoddas Webcast Series - Bypassing Modern WAF's Exemplified At XSS by Rafay Baloch. Ask all your question's related to the webcast here http://goo.gl/Vv10hJ. Don't forget to leave you feedback here https://goo.gl/YrBeic.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
RESTful Architecture is effectively an implementation of Resource-Oriented architecture (ROA). ROA - is a good fit for Service oriented Architecture (SOA) implementation. Check out KickStartPros approach on RESTful API Design.
* REST = REpresentational State Transfer
* REST is Resource Based Representation. REST identifies things by JSON or XML & URIs.
* REST behavior/actions are identified by HTTP methods (GET, POST, PUT, DELETE).
* Using Uniform Interface Architecture with REST you can decouple Client (like Browser/Android App/iOS App) and Server.
* REST using Layered System and Cacheable Architecture gives better performance.
I will represent multiple case studies to convey the message that if you think limited, you will be limited. Bug bounty approach has degraded the quality of penetration testing, for both the customers as well as the practitioners. It is hard for the customer to differentiate between a good penetration testing and a quick and dirty top-10 or top-25 approach.
https://nsconclave.net-square.com/pentesters-mindset.html
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Companion slides for Stormpath CTO and Co-Founder Les REST API Security Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics Include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
RESTful Architecture is effectively an implementation of Resource-Oriented architecture (ROA). ROA - is a good fit for Service oriented Architecture (SOA) implementation. Check out KickStartPros approach on RESTful API Design.
* REST = REpresentational State Transfer
* REST is Resource Based Representation. REST identifies things by JSON or XML & URIs.
* REST behavior/actions are identified by HTTP methods (GET, POST, PUT, DELETE).
* Using Uniform Interface Architecture with REST you can decouple Client (like Browser/Android App/iOS App) and Server.
* REST using Layered System and Cacheable Architecture gives better performance.
I will represent multiple case studies to convey the message that if you think limited, you will be limited. Bug bounty approach has degraded the quality of penetration testing, for both the customers as well as the practitioners. It is hard for the customer to differentiate between a good penetration testing and a quick and dirty top-10 or top-25 approach.
https://nsconclave.net-square.com/pentesters-mindset.html
Slides for Building Better Backdoors with WMI - DerbyCon 2017 - Legacy
Code:
https://github.com/0xbadjuju/PowerProvider/
https://github.com/0xbadjuju/WheresMyImplant
Create your own PHP extension, step by step - phpDay 2012 VeronaPatrick Allaert
Ever been interested by contributing to the PHP core team?
In this workshop you will not only learn how (easy it is) to create your own PHP extension from scratch but you will also strengthen your knowledge of PHP by disecting its internals.
After this workshop, you will be able to create an extension on your own, whether it is to optimize the most CPU intensive parts of your code, to create new bindings to C libraries or just to leverage your PHP knowledge.
And what if PHP was a web framework for the C developer?
This workshop requires a bit of C knowledge and preferably a *nix system.
[2012 CodeEngn Conference 06] pwn3r - Secuinside 2012 CTF 예선 문제풀이GangSeok Lee
2012 CodeEngn Conference 06
Secuinside는 코스콤에서 주최, 연합해킹그룹 HARU, 고려대 정보보호대학원에서 주관하는 국제 해킹대회 및 보안컨퍼런스로써 얼마전 개최된 해킹대회 예선전 문제들을 풀기위해 사용한 분석기술과 ASLR과 NX를 우회하는 새로운 익스플로잇 기술에 대해서 소개한다.
http://codeengn.com/conference/06
How to measure and optimize performance of applications that use Zend Framework 1.x. A talk presented at the New York City Zend Framework Meetup (http://www.meetup.com/ZendFramework-NYCmetro/) on August 23, 2011.
Everyone talks about raising the bar on the quality of code, but it’s hard to implement when you have no clue where to start. This talk is geared toward all levels of developers, and will teach you how to improve by using the right tools effectively – a must-attend for any PHP developer who wants to scale up their quality.
Michelangelo will tell us about Quality Assurance for PHP in general and show how different QA-related actions can be performed using PhpStorm IDE. The webinar will cover topics including:
Revision control
Syntax checking
Code documentation
Unit Testing with PHPUnit
Measuring code health with a variety of tools
Profiling and debugging with Xdebug
Automation with Phing
Team work and more.
Finding and fixing bugs is a major chunk of any developers time. This talk describes the basic rules for effective debugging in any language, but shows how the tools available in PHP can be used to find and fix even the most elusive error
DevConf 2016
"Развитие ветки PHP-7", Дмитрий Стогов (Zend Technologies)
Я расскажу о внутреннем устройстве PHP-7.0, изменениях готовящихся в PHP-7.1 и планах на PHP-7.2.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.