video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip
Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users.
The top attacks in 2010 include:
• 'Padding Oracle' Crypto Attack
• Evercookie
• Hacking Auto-Complete
• Attacking HTTPS with Cache Injection
• Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
• Universal XSS in IE8
• HTTP POST DoS
• JavaSnoop
• CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
• Java Applet DNS Rebinding
Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
Given at black hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet
4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys
6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles
7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
Recorded Webinar: https://www.whitehatsec.com/webinar/whitehat_webinar_march2713.html
Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivilents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now it its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year:
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
Many notable and new Web hacking techniques have already been revealed in 2009. During his session, Jeremiah Grossman will describe the technical details of the top ten from 2009, as well as some of the prevalent security issues emerging in 2010. By attending Mr. Grossman’s session, attendees will be treated to a step-by-step guided tour of the newest threats targeting today’s corporate websites and enterprise users. With that knowledge, Mr. Grossman will then strategize what defensive solutions will have the most impact.
Mr. Grossman will begin his presentation by providing the audience with definitions of the key terms and techniques used in his session. After laying this foundation, Mr. Grossman will move on to identifying the top ten attacks in 2009, including hacks involving Rich Internet Applications, Social Networking, Cloud Computing, Mobile Web Applications, Next Generation Web Browsers and HTML 5. Mr. Grossman will briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, as well as what preventative measures can be taken.
Mr. Grossman will also stress the importance of security professionals remaining proactive and continuing to move research forward, as analysis of attacks from years past only goes so far as hackers continue to push the envelop of what’s possible in the ever-changing Web security landscape.
Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download DetectionWayne Huang
Given at black hat and DEF CON 2010 by Wayne Huang and team.
https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang
http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang
DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION
This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government.
Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads.
If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques.
We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection.
At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase.
Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's.
All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference.
Attendees will gain the following:
1. Understanding of drive-by downloads and associated terminologies.
2. Information about various drive-by download infection vectors.
3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet
4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult
5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys
6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles
7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis
8. Knowledge about the available countermeasures to this threat
http://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/
Recorded Webinar: https://www.whitehatsec.com/webinar/whitehat_webinar_march2713.html
Every year the security community produces a stunning amount of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivilents. Beyond individual vulnerabilities with CVE numbers or system compromises, here we are solely focused on new and creative methods of Web-based attack. Now it its seventh year, The Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work. Past Top Tens and the number of new attack techniques discovered in each year:
Top Ten Web Hacking Techniques of 2008:
"What's possible, not probable"
The polls are closed, votes are in, and we have the winners making up the Top Ten Web Hacking Techniques of 2008! The competition was fierce with the newest and most innovative web hacking techniques to the test. This session will review the top ten hacks from 2008 - what they indicate about the security of the web, what they mean for businesses, and what might be used against us soon down the road.
2010: A Web Hacking Odyssey - Top Ten Hacks of the YearJeremiah Grossman
Many notable and new Web hacking techniques have already been revealed in 2009. During his session, Jeremiah Grossman will describe the technical details of the top ten from 2009, as well as some of the prevalent security issues emerging in 2010. By attending Mr. Grossman’s session, attendees will be treated to a step-by-step guided tour of the newest threats targeting today’s corporate websites and enterprise users. With that knowledge, Mr. Grossman will then strategize what defensive solutions will have the most impact.
Mr. Grossman will begin his presentation by providing the audience with definitions of the key terms and techniques used in his session. After laying this foundation, Mr. Grossman will move on to identifying the top ten attacks in 2009, including hacks involving Rich Internet Applications, Social Networking, Cloud Computing, Mobile Web Applications, Next Generation Web Browsers and HTML 5. Mr. Grossman will briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, as well as what preventative measures can be taken.
Mr. Grossman will also stress the importance of security professionals remaining proactive and continuing to move research forward, as analysis of attacks from years past only goes so far as hackers continue to push the envelop of what’s possible in the ever-changing Web security landscape.
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments.
The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit.
We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
Slides of my talk at RuxCon 2013:
For those who do not listen Mayhem and black metal, the talk title
might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL
injection and time-delays,
you know BeEF. You also know that when sending cross-domain XHRs you
can still monitor the timing of the response: you might want to infer
on 0 or 1 bits depending if the response was delayed or not.
This means it's possible to exploit every kind of SQL injection,
blind or not blind, through an hooked browser, if you can inject a
time-delay
and monitor the response timing.
You don't need a 0day or a particular SOP bypass to do this,
and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi
dumper will be explored. Two experiments will be shown: WebWorkers as well
as multiple synched hooked browsers, which split the workload
communicating
partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk,
including live demos. Such approach would work for both internet facing
targets as well as
applications available in the intranet of the hooked browser.
The talk will finish discussing the implications of such an approach
in terms of Incident Response and Forensics,
showing evidence of a very small footprint.
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation:
1.Explain how XPC/NSXPC work
2.Present you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3.Abuse an interesting feature on Catalina allowing to inject an unsigned dylib
4.Show you how to fix that vulnz finally!
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
This document contains various methods to hack or pentest the web-server and web-applications.
1. A person can use it as hand book for hacking websites.
2. All contents of these hand book is searched and taken out from various other websites & blogs...
3. Use these knowledge for education purpose only.
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015
Relatore: Denis Cassinerio
Security Business Unit Director di Hitachi Systems CBT
[CB16] Esoteric Web Application Vulnerabilities by Andrés RianchoCODE BLUE
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution.
--- Andres Riancho
Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications.
His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
When you don't have 0days: client-side exploitation for the massesMichele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get
as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
Video recording of the talk: https://connect.ruhr-uni-bochum.de/p3g2butmrt4/
HTML5 is quickly gaining media attention and popularity among browser vendors and web developers. Having tremendous features, together with its sister specifications like Drag & Drop API, File API or Geolocation it allows developers to build rich web applications that easily blend with desktop & mobile environments.
The talk will be focused on finding the weakest link and combining several recent attack techniques to turn a security vulnerability into a successful exploit.
We'll show how to build a successful advanced UI-Redressing attack (also known as clickjacking), presenting the latest findings in this field, including malicious games and quizes. We'll work on file upload functionalities in current web applications and see how attackers might use HTML5 APIs for their advantage. Putting all these building blocks together will enable us to launch an attack and exploit even the otherwise unexploitable vulnerabilities.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
Often, web developers keep hearing about "Same Origin Policy (SOP)" of browsers but live with half-knowledge or with several confusions. This session attempts to clear the misconceptions of SOP.
Slides of my talk at RuxCon 2013:
For those who do not listen Mayhem and black metal, the talk title
might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL
injection and time-delays,
you know BeEF. You also know that when sending cross-domain XHRs you
can still monitor the timing of the response: you might want to infer
on 0 or 1 bits depending if the response was delayed or not.
This means it's possible to exploit every kind of SQL injection,
blind or not blind, through an hooked browser, if you can inject a
time-delay
and monitor the response timing.
You don't need a 0day or a particular SOP bypass to do this,
and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi
dumper will be explored. Two experiments will be shown: WebWorkers as well
as multiple synched hooked browsers, which split the workload
communicating
partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk,
including live demos. Such approach would work for both internet facing
targets as well as
applications available in the intranet of the hooked browser.
The talk will finish discussing the implications of such an approach
in terms of Incident Response and Forensics,
showing evidence of a very small footprint.
XPC is a well-known interprocess communication mechanism used on Apple devices. Abusing XPC led to many severe bugs, including those used in jailbreaks. While the XPC bugs in Apple's components are harder and harder to exploit, did we look at non-Apple apps on macOS? As it turns out, vulnerable apps are everywhere - Anti Viruses, Messengers, Privacy tools, Firewalls, and more.
This presentation:
1.Explain how XPC/NSXPC work
2.Present you some of my findings in popular macOS apps (e.g. local privilege escalation to r00t)
3.Abuse an interesting feature on Catalina allowing to inject an unsigned dylib
4.Show you how to fix that vulnz finally!
The WhiteHat Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address to avert attack. WhiteHat has been publishing the report, which highlights the top ten vulnerabilities, vertical market trends and new attack vectors, since 2006.
The WhiteHat report presents a statistical picture of current website vulnerabilities, accompanied by WhiteHat expert analysis and recommendations. WhiteHat’s report is the only one in the industry to focus solely on unknown vulnerabilities in custom Web applications, code unique to an organization, within real-world websites.
This document contains various methods to hack or pentest the web-server and web-applications.
1. A person can use it as hand book for hacking websites.
2. All contents of these hand book is searched and taken out from various other websites & blogs...
3. Use these knowledge for education purpose only.
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati attraverso i servizi gestiti. - by Hitachi Systems - festival ICT 2015
Relatore: Denis Cassinerio
Security Business Unit Director di Hitachi Systems CBT
ICMP es un protocolo de la capa de Internet del modelo TCP/IP, el cual es muy indispensable para el funcionamiento de esta capa. En esta diapositiva se resume los varios tipos de mensajes ICMP que existe, por ejemplo cuando se hace un ping se esta mandando un tipo de mensaje ICMP (request).
Para mejor comprensión primero se examina los mensajes que hacen referencia a mensajes de error, luego a los mensajes de control, estos que son tan comunes, pero ocurren en el proceso de comunicación de la información.
Devfest istanbul'14 - Web Application Attacks and Trusting FrameworksMehmet Ince
Frameworks are undeniably one of the most important elements of frameworks. As we continue to witness a significant increase in number of framework-based attacks towards web applications each day, usage of Frameworks without considering security-related aspects continue to be the most drastic problem that developers face. Throughout the presentation; Mr. İnce will analyze one of the most commonly-used PHP web frameworks by highlighting important security considerations; followed by a real-time exploitation of discovered vulnerability in LAB environment.
Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session, the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today’s corporate websites, learning real-world solutions to today’s web application security issues.
Moderator: Mike Stephenson, SC lab manager, SC Magazine
- Jeremiah Grossman, founder and chief technology officer, WhiteHat Security
I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection. This presentation was presented in “securITy” Information Security Conference at BASIS SoftExpo 2012
Top 10 Web Hacks
Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year.
Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosPROIDEA
Speakers: Matt Johansen, Johnathan Kuskos
Language: English
Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges. The full list is available here: https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/
CONFidence: http://confidence.org.pl/pl/
There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possible can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what’s happening every day.
How to Determine Your Attack Surface in the Healthcare SectorJeremiah Grossman
Do you know what an asset inventory is, why it's important, and how it can protect you from cybersecurity vulnerabilities?
In this webinar, you can expect to learn:
- How to prepare yourself and your staff against cybersecurity threats
- What an asset inventory is and why it's the next big thing in information security
- How to identify all your company's Internet-connected assets and which need to be defended
- Why keeping an up-to-date asset inventory is important
- How to obtain your own attack surface map
Exploring the Psychological Mechanisms used in Ransomware Splash ScreensJeremiah Grossman
The present study examined a selection of 76 ransomware splash screens collected from a variety of sources. These splash screens were analysed according to surface information, including aspects of visual appearance, the use of language, cultural icons, payment and payment types. The results from the current study showed that, whilst there was a wide variation in the construction of ransomware splash screens, there was a good degree of commonality, particularly in terms of the structure and use of key aspects of social engineering used to elicit payment from the victims. There was the emergence of a sub-set of ransomware that, in the context of this report, was termed ‘Cuckoo’ ransomware. This type of attack often purported to be from an official source requesting payment for alleged transgressions.
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.
What the Kidnapping & Ransom Economy Teaches Us About RansomwareJeremiah Grossman
Ransomware is center stage, as campaigns are practically guaranteed financial gain. Cyber-criminals profit hundreds of millions of dollars by selling our data back to us. If you look closely, the ransomware economic dynamics closely follow the real-world kidnapping and ransom industry. We’ll explore the eerie similarities, where ransomware is headed, and strategies we can bring to the fight.
In the past two decades of tech booms, busts, and bubbles, two things have not changed - hackers are still nding ways to breach security measures in place, and the endpoint remains the primary target. And now, with cloud and mobile computing, endpoint devices have become the new enterprise security perimeter, so there is even more pressure to lock them down.
Companies are deploying piles of software on the endpoint to secure it - antivirus, anti- malware, desktop rewalls, intrusion detection, vulnerability management, web ltering, anti-spam, and the list goes on. Yet with all of the solutions in place, high pro le companies are still being breached. The recent attacks on large retail and hospitality organizations are prime examples, where hackers successfully used credit-card-stealing-malware targeting payment servers to collect customer credit card information.
Ransomware is Here: Fundamentals Everyone Needs to KnowJeremiah Grossman
If you’re an IT professional, you probably know at least the basics of ransomware. Instead of using malware or an exploit to exfiltrate PII from an enterprise, bad actors instead find valuable data and encrypt it. Unless you happen to have an NSA-caliber data center at your disposal to break the encryption, you must pay your attacker in cold, hard bitcoins—or else wave goodbye to your PII. Those assumptions aren’t wrong, but they also don’t tell the whole picture.
During this event we’ll discuss topics such as:
Why Ransomware is Exploding
The growth of ransomware, as opposed to garden-variety malware, is enormous. Hackers have found that they can directly monetize the data they encrypt, which eliminates the time-consuming process of selling stolen data on the Darknet. In addition, the use of ransomware requires little in the way of technical skill—because attackers don’t need to get root on a victim’s machine.
Who the Real Targets Are
Two years ago, the most newsworthy victims of ransomware were various police departments. This year, everyone is buzzing about hospitals. Is this a deliberate pattern? Probably not. Enterprises are so ill-prepared for ransomware that attackers have a green field to wreak havoc. Until the industry shapes up, bad actors will target ransomware indiscriminately.
Where Ransomware Stumbles
Although ransomware is nearly impossible to dislodge when employed correctly, you may be surprised to find that not all bad actors have the skill to do it. Even if ransomware targets your network, you may learn that your attackers have used extremely weak encryption—or that they’ve encrypted files that are entirely non-critical.
As far as ransomware is concerned, forewarned is forearmed. Once you know how attackers deliver ransomware, who they’re likely to attack, and the weaknesses in the ransomware deployment model, you’ll be able to understand how to protect your enterprise.
This year WhiteHat SecurityTM celebrates its fteenth anniversary, and the eleventh year that we have produced the Web Applications Security Statistics Report. The stats shared in this report are based on the aggregation of all the scanning and remediation data obtained from applications that used the WhiteHat SentinelTM service for application security testing in 2015. As an early pioneer in the Application Security Market, WhiteHat has a large and unique collection of data to work with.
Where Flow Charts Don’t Go -- Website Security Statistics Report (2015)Jeremiah Grossman
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they
can most efficiently defend their websites, gain visibility into
the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights
is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well- known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.
No More Snake Oil: Why InfoSec Needs Security GuaranteesJeremiah Grossman
Ever notice how everything in InfoSec is sold “as is”? No guarantees, no warrantees, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases on why guarantees are a must have and how guarantees benefit customers as well as InfoSec as a whole.
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
In this report, we put this area of application security understanding to the test by measuring how various web programming languages and development frameworks actually perform in the field. To which classes of attack are they most prone, how often and for how long; and, how do they fare against popular alternatives? Is it really true that the most popular modern languages and frameworks yield similar results in production websites?
By analyzing the vulnerability assessment results of more than 30,000 websites under management with WhiteHat Sentinel, we begin to answer these questions. These answers may enable the application security community to ask better and deeper questions, which will eventually lead to more secure websites. Organizations deploying these technologies can have a closer look at particularly risk-prone areas. Software vendors may focus on areas that are found to be lacking. Developers can increase their familiarity with the strengths and weaknesses of their technology stack. All of this is vitally important because security must be baked into development frameworks and must be virtually transparent. Only then will application security progress be made.
http://blackhat.com/us-13/briefings.html#Grossman
Online advertising networks can be a web hacker’s best friend. For mere pennies per thousand impressions (that means browsers) there are service providers who allow you to broadly distribute arbitrary javascript -- even malicious javascript! You are SUPPOSED to use this “feature” to show ads, to track users, and get clicks, but that doesn’t mean you have to abide. Absolutely nothing prevents spending $10, $100, or more to create a massive javascript-driven browser botnet instantly. The real-world power is spooky cool. We know, because we tested it… in-the-wild.
With a few lines of HTML5 and javascript code we’ll demonstrate just how you can easily commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes and even help brute-force passwords. Put simply, instruct browsers to make HTTP requests they didn’t intend, even something as well-known as Cross-Site Request Forgery. With CSRF, no zero-days or malware is required. Oh, and there is no patch. The Web is supposed to work this way. Also nice, when the user leaves the page, our code vanishes. No traces. No tracks.
Before leveraging advertising networks, the reason this attack scenario didn’t worry many people is because it has always been difficult to scale up, which is to say, simultaneously control enough browsers (aka botnets) to reach critical mass. Previously, web hackers tried poisoning search engine results, phishing users via email, link spamming Facebook, Twitter and instant messages, Cross-Site Scripting attacks, publishing rigged open proxies, and malicious browser plugins. While all useful methods in certain scenarios, they lack simplicity, invisibility, and most importantly -- scale. That’s what we want! At a moment’s notice, we will show how it is possible to run javascript on an impressively large number of browsers all at once and no one will be the wiser. Today this is possible, and practical.
WhiteHat Security’s Website Security Statistics Report provides a one-of-a-kind perspective on the state of website security and the issues that organizations must address in order to conduct business online safely.
Website security is an ever-moving target. New website launches are common, new code is released constantly, new Web technologies are created and adopted every day; as a result, new attack techniques are frequently disclosed that can put every online business at risk. In order to stay protected, enterprises must receive timely information about how they can most efficiently defend their websites, gain visibility into the performance of their security programs, and learn how they compare with their industry peers. Obtaining these insights is crucial in order to stay ahead and truly improve enterprise website security.
To help, WhiteHat Security has been publishing its Website Security Statistics Report since 2006. This report is the only one that focuses exclusively on unknown vulnerabilities in custom Web applications, code that is unique to an organization, and found in real-world websites. The underlying data is hundreds of terabytes in size, comprises vulnerability assessment results from tens of thousands of websites across hundreds of the most well-known organizations, and collectively represents the largest and most accurate picture of website security available. Inside this report is information about the most prevalent vulnerabilities, how many get fixed, how long the fixes can take on average, and how every application security program may measurably improve. The report is organized by industry, and is accompanied by WhiteHat Security’s expert analysis and recommendations.
Through its Software-as-a-Service (SaaS) offering, WhiteHat Sentinel, WhiteHat Security is uniquely positioned to deliver the depth of knowledge that organizations require to protect their brands, attain compliance, and avert costly breaches.
WhiteHat Security, the Web security company, today released the twelfth installment of the WhiteHat Security Website Security Statistics Report. The report reviewed serious vulnerabilities* in websites during the 2011 calendar year, examining the severity and duration of the most critical vulnerabilities from 7,000 websites across major vertical markets. Among the findings in the report, WhiteHat research suggests that the average number of serious vulnerabilities found per website per year in 2011 was 79, a substantial reduction from 230 in 2010 and down from 1,111 in 2007. Despite the significant improvement in the state of website security, organizational challenges in creating security programs that balance breadth of coverage and depth of testing leave large-scale attack surfaces or small, but very high-risk vulnerabilities open to attackers.
The report examined data from more than 7,000 websites across over 500 organizations that are continually assessed for vulnerabilities by WhiteHat Security’s family of Sentinel Services. This process provides a real-world look at website security across a range of vertical markets, including findings from the energy and non-profit verticals for the first time this year. The metrics provided serve as a foundation for improving enterprise application security online.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
4. 400+ enterprise customers
•Start-ups to Fortune 500
Flagship offering “WhiteHat Sentinel Service”
•1000’s of assessments performed annually
Recognized leader in website security
•Quoted thousands of times by the mainstream press
4
5. About the Top Ten
“Every year the Web security community produces a stunning
amount of new hacking techniques published in various white
papers, blog posts, magazine articles, mailing list emails, etc. Within
the thousands of pages are the latest ways to attack websites, Web
browsers, Web proxies, and so on. Beyond individual vulnerability
instances with CVE numbers or system compromises, we're talking
about brand new and creative methods of Web-based attack.”
5
6. New Techniques
2009 (80)
Creating a rogue CA certificate
2008 (70)
GIFAR (GIF + JAR)
2007 (83)
XSS Vulnerabilities in Common Shockwave Flash Files
2006 (65)
Web Browser Intranet Hacking / Port Scanning
6
7. 2010
69 new techniques
1) 'Padding Oracle' Crypto Attack
2) Evercookie
3) Hacking Auto-Complete
4) Attacking HTTPS with Cache Injection
5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
6) Universal XSS in IE8
7) HTTP POST DoS
8) JavaSnoop
9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
10) Java Applet DNS Rebinding
http://jeremiahgrossman.blogspot.com/2011/01/top-ten-web-hacking-techniques-of-2010.html
7
8. Bypassing CSRF with Clickjacking
and HTTP Parameter Pollution
5
Clickjacking is when an attacker invisibly hovers an object
(button, link, etc.) below a user's mouse. When the user
clicks on something they visually see, they're instead
really clicking on something the attacker wanted them to.
HTTP Parameter Pollution is where an attacker submits
multiple input parameters (query string, post data,
cookies, etc.) with the same name. Upon receipt
applications may react in unexpected ways and open up
avenues of server-side and client-side exploitation. By
cleverly leveraging these two former Top Ten attacks,
CSRF attacks can be carried out against a user even
when recommended token defenses are in use.
Lavakumar Kuppan (@lavakumark)
http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
8
9. Clickjacking (Top Ten 2009)
Think of any button – image, link, form, etc. – on any website – that can appear
between the Web browser walls. This includes wire transfer on banks, DSL router
buttons, Digg buttons, CPC advertising banners, Netflix queue.
Next consider that an attacker can invisibly hover these buttons below the user's
mouse, so that when a user clicks on something they visually see, they're actually
clicking on something the attacker wants them to.
What could the bad guy do with that ability?
9
10. Hover Invisible IFRAMEs
HTML, CSS, and JavaScript
may size, follow the mouse
and make transparent third-
party IFRAME content.
<iframe
src="http://victim/page.html"
scrolling="no"
frameborder="0"
style="opacity:.1;filter: alpha(opacity=.1); -moz-opacity 1.0;">!
</iframe>
10
11. HTTP Parameter Pollution (HPP) - Top Ten 2009
If an attacker submit multiple input parameters (query string, post data, cookies,
etc.) of the same name, the application may react in unexpected ways and open
up new avenues of server-side and client-side exploitation.
GET /foo?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
POST /foo HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Accept: */*
par1=val1&par1=val2
POST /index.aspx?par1=val1&par1=val2 HTTP/1.1
User-Agent: Mozilla/5.0
Host: Host
Cookie: par1=val3; par1=val4
Content-Length: 19
par1=val5&par1=val6
11
16. Simple parameter injection
void private executeBackendRequest(HTTPRequest request) {
String amount=request.getParameter("amount");
String beneficiary=request.getParameter("recipient");
HttpRequest("http://backend.com/servlet/actions","POST",
"action=transfer&amount="+amount+"&recipient="+beneficiary);
}
Malicious URL:
http://target.com/page?amount=1000&recipient=Jeremiah%26action%3dwithdraw
Translates to:
action=transfer&amount=1000&recipient=Jeremiah&action=withdraw
It is possible the attack could work if proper authorization controls are not in place and
the application uses the last occurrence of the action parameter (IBM Lotus Domino,
PHP / Apache, etc.)
16
17. Example Scenario
http://example/updateEmail.jsp
Client-Side
<form method="POST">
<input type="text" name="email" value=””></input>
<input type="hidden" name=”csrf-token” value="a0a0a0a0a0a"/>
</form>
Server-Side
if (req.parameter("email").isSet() && req.parameter("csrf-token").isValid()) {
// process the form and update the email ID
} else {
// display an empty form to the user (CSRF token included)
}
17
18. Bringing it all together
<iframe src=”http://example/updateEmail.jsp?email=evil@attacker.com”>
HTTP request via user submitted form via Clickjacking. The form was not filled out by
the victim, meaning the email parameter in the POST body is blank. Now the
QueryString contains the attacker entered value for the ‘email’ parameter.
POST /updateEmail.jsp?email=evil@attackermail.com
HTTP/1.1
Host: www.example.com
email=&csrf-token=a0a0a0a0a0
When the server side JSP code calls req.parameter("email"), the value that is returned
is the one in the QueryString (HPP first occurrence) and not the POST body. Since
this value can be controlled by the attacker, he can trick the victim in to updating his
account with the attacker’s mail ID.
18
19. Attacking HTTPS with Cache Injection
4
No matter what type of encryption is used to defend a
network, sooner or later the password, key, or certificate
needs to be stored. If an attacker is able to tamper with
the storage mechanism, even the strongest encryption
mechanism can fail. The researchers demonstrated how
to attack storage mechanisms by tampering with SSL
session and break into Wifi networks using WPA. They
also showed how to exploit SSL warning inconsistencies
and caching mechanisms to trick the user into accepting a
bad certs and steal their username & password.
Elie Bursztein (@ELIE), Baptiste Gourdin
(@bapt1ste), Dan Boneh
http://www.youtube.com/watch?v=bt0Qh9c59_c
http://elie.im/talks/bad-memories
19
20. RFC1918 Caching Security - (Top Ten 2009)
Public Wifi
HTTP
Internet
Airpwn
Victims
coffee shops, airplanes,
corp guest networks Bad Guy
• Victim(s) located on a RFC 1918 network with a Bad Guy
• Bad Guy may take the opportunity to read victim’s Web mail, steal creds, etc.
• Bad Guy man-in-the-middles HTTP (Airpwn) to inject IFRAMEs to RFC-1918 IPs
• MitM IFRAMEs to include JavaScript malware (BeEF). Or ...
• Inject JavaScript malware into popular Web widget URLs. (Ad servers, counters, etc.)
• Cache content in the browser for a really long time, beyond current session!
http://www.bindshell.net/tools/beef/
http://airpwn.sourceforge.net/Airpwn.html
21. Situation
• 43% of the Alexa top 100,000 use external javascript libraries
• Injecting a malicious javascript library into the browser cache
allows the attacker to compromise a website protected by SSL
• The malicious library stays in the cache until the user clears it.
Moving to a “safe” location doesn’t help
21
22. Impact
• One poisoned injection leads to multiple breaches
• Multiples websites share the same external library such as
Google Analytics
• Injecting a malicious version of one of these shared libraries
allows the attacker to target all the websites that use it
22
23. Browser Defense -- sort of
• The only defense against cache injection is the SSL warning
displayed by the browser when a bad certificate is supplied
• Corner cases that allows an attacker to alter the way SSL
certificate warning are displayed
• These alterations make caching attack efficient as the user is
more likely to click through the tampered warning
23
24. Video Demo
• The following demos show how caching injection attacks
works against Internet Explorer 8 and Firefox 3.6
• These demos were done in real time against real sites with
their real certificates
24
25. Hacking Auto-Complete
3
This research encompasses a set of techniques where a
malicious website may surreptitiously obtain their visitors
names, job title, workplace, physical address, telephone
number, email addresses, usernames, passwords, search
terms, social security numbers, credit card numbers, and
on and on by simulating JavaScript keystroke events in
Web browsers HTML form auto-complete / autofill
functionality.
Jeremiah Grossman (@jeremiahg)
http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html
http://jeremiahgrossman.blogspot.com/2010/07/i-know-who-your-name-where-you-work-and.html
http://jeremiahgrossman.blogspot.com/2010/09/safari-autofill-hack-lives.html
http://jeremiahgrossman.blogspot.com/2010/07/in-firefox-we-cant-read-auto-complete.html
25
26. I want to know your name, who
you work for, where you live, your
email address, etc.
Right at the moment you a visit a website. Even if you’ve never
been there before, let alone entered information.
26
28. Address Card Autofill works even when
you’ve NEVER entered personal data on
ANY WEBSITE.
28
29. Demo
var event = document.createEvent('TextEvent');
event.initTextEvent('textInput', 1, 1, null, char);
input.value = ""; Step 1) Dynamically create
input.selectionStart = 0; input fields with the pre-set
input.selectionEnd = 0; attribute names.
input.focus();
input.dispatchEvent(event);! Step 2) Cycle through the
! alphabet initiating text events
setTimeout(function() { until a form value populates.
if (input.value.length > 1) {
// capture the value; Step 3) Profit! -- Steal data
} with JavaScript.
}, 500); *transparency is even more fun!*
Safari
v4 / v5
29
31. AutoComplete: User-supplied form values are shared across
different websites by attribute “name”. For example, email
addresses entered into a field on website A populates the autofill for
the same field name on website B, C, D, etc.
<input type="text" name="email">
31
32. DEMO - Down, Down, Enter
// hit down arrow an incrementing number of times.
// separate with time to allow the GUI to keep pace
for (var i = 1; i <= downs; i++) {
time += 30; // time padding
keyStroke(this, 40, time); // down button
}
! !
time += 15; // time padding
keyStroke(this, 13, time); // enter button
// initiate keystroke on a given object
function keyStroke(obj, code, t) {
//create new event and fire
var e = document.createEventObject();
e.keyCode = code;
setTimeout(function() {obj.fireEvent("onkeydown", e); }, t);
} // end keyStroke
Security Basis, and an Internet Explorer data stealer
http://webreflection.blogspot.com/2008/09/security-basis-and-internet-explorer.html
Andrea Giammarchi, Ajaxian Staff
32
33. Search terms
Credit card numbers and CCVs
Aliases
Contact information
Answers to secret questions
Usernames
Email addresses
...
33
34. AutoComplete is NOT enabled by default, but Internet
Explorer asks if the user if they would like to enable
the feature after filling out a non-password form.
34
36. Saving Passwords
Many Web Browsers have “password managers,” which provide
a convenient way to save passwords on a “per website” basis.
<form method="post" action="/">
E-Mail: <input type="text" name="email"><br />
Password: <input type="password" name="pass"><br />
<input type="submit" value="Login">
</form>
36
37. If a website with a saved password is vulnerable to XSS, the
payload can dynamically create login forms, which executes the
browser’s password auto-complete feature. Since the payload is
on the same domain the username / password can be stolen.
function stealCreds() {
var string = "E-Mail: " + document.getElementById("u").value;
string += "nPassword: " + document.getElementById("p").value;
return string;
}
document.write('<form method="post" action="/">E-Mail: <input
id="u" type="text" name="email" value=""><br>Password: <input
id="p" type="password" name="password" value=""></form>');
setTimeout('alert(stealCreds())', 2000);
* * DEMO
37
38. What to do...
Disable Auto-Complete in the Web browser
Remove persistent data
(History, Form Data, Cookies, LocalStorage, etc.)
NoScript (Firefox Extension), 1Password, etc.
<form autocomplete="off">
<input type="text" autocomplete="off" />
38
39. Evercookie
2
Evercookie is a javascript API available that produces
extremely persistent cookies in a browser. Its goal is to
identify a client even after they've removed standard
cookies, Flash cookies (Local Shared Objects or LSOs),
and others. Evercookie accomplishes this by storing the
cookie data in several types of storage mechanisms that
are available on the local browser. Additionally, if evercookie
has found the user has removed any of the types of cookies
in question, it recreates them using each mechanism
available.
Samy Kamkar (@samykamkar)
http://samy.pl/evercookie/
39
41. Evercookies
1) Standard HTTP Cookies 6) Internet Explorer userData storage
2) Flash Cookies (LSOs) 7) Storing cookies in Web cache
3) Silverlight Isolated Storage 8) Storing cookies in HTTP ETags
4) Storing cookies in RGB values of auto- 9) HTML5 Session Storage
generated, force-cached PNGs using
HTML5 Canvas tag to read pixels 10) HTML5 Local Storage
(cookies) back out
11) HTML5 Global Storage
5) Storing cookies in Web History
12) HTML5 Database Storage via SQLite
6)window.name caching
41
42. The API
• Persistent cookies via Javascript API
• Recreates after deletion
• Combines different storage mechanisms
• Easy to use!
var ec = new evercookie();
ec.set(“uniqueid”, “31337”); // set uniqueid = 31337
// get our evercookie data back
ec.get(“uniqueid”, function(val) { alert (“ID is “ + val) } );
42
43. PNGs Cache
Cookie stored in RGB values of auto-generated, force-cached PNGs
using HTML5 Canvas Tag to read pixels back out
Pixel 0x0 = 0x4f5741 OWA
Pixel 0x1 = 0x535000 SP0
43
44. Killing Evercookies (Video)
1) Open a new tab, then close all other windows and tabs.
2) Delete Silverlight Isolated Storage
• Go to http://www.silverlight.net/
• Right click the Silverlight application (any app will do)
• Silverlight Preferences > Application Storage > Delete all...
• Click "Yes"
• * Optionally disable "Enable application storage"
3) Delete Flash Local Shared Objects (LSO)
• Go got the Flash "Website Storage Settings panel"
• Click "Delete all sites"
• Click "Confirm"
4) Clear Browsing Data
• - Wrench > Tools > Clear Browsing Data...
• - Select all options
• - Clear data from this period: Everything
• - Click "Clear Browsing data"
http://singe.za.net/blog/archives/1014-Killing-the-Evercookie.html
http://jeremiahgrossman.blogspot.com/2010/10/killing-evercookie-google-chrome-wo.html
44
45. Other Protections
• Nevercookie - The evercookie killer
Firefox plugin to extend Firefox’s Private Browsing
http://nevercookie.anonymizer.com/
• Use a virtual machine. (On your neighbor’s WiFi Network)
45
46. Other Worries...
• System/browser timing
• GPU timing via plugins/accelerators (w/Flash)
• MAC address accessible via Java or ActiveX!
46
47. 'Padding Oracle' Crypto Attack
1
In 2002 a powerful side-channel attack, ‘padding
oracle’ (NOT THE DATABASE!), was described targeting
AES CBC-mode encryption with PKCS#5 padding. If
there is an oracle which on receipt of a ciphertext,
decrypts it and replies whether the padding is correct,
shows how to use that oracle to decrypt data without
knowing the encryption key. The new techniques allow
attackers to use a ‘padding oracle’ to decrypt and encrypt
messages of any length without knowing the secret key
and exploit popular web development frameworks
including ASP.NET.
Juliano Rizzo (@julianor)
Thai Duong (@thaidn)
http://usenix.org/events/woot10/tech/full_papers/Rizzo.pdf
http://netifera.com/research/
http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
http://www.youtube.com/watch?v=yghiC_U2RaM
http://threatpost.com/en_us/blogs/padding-oracle-crypto-attack-affects-millions-aspnet-apps-091310
47
49. Padding Oracle Attack Basics
An application uses a query string parameter to pass an encrypted username,
company id, and role id of a user. The parameter is encrypted using CBC mode,
and each value uses a unique initialization vector (IV) pre-pended to the ciphertext.
When the application is sent an encrypted value, it responds in one of three ways:
1)Valid ciphertext, properly padded and valid data (200 OK)
2)Invalid ciphertext, improper padding (500 Internal Server Error)
3)Valid ciphertext, properly padded and invalid data (200 OK - custom error)
User’s name (BRIAN), company id (12), and role id (2). The value, in plaintext, can
be represented as BRIAN;12;2;
http://site/app.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
49
52. First block of ciphertext pre-pended with an IV of all NULL values.
Request: http://site/app.jsp?UID=0000000000000000F851D6CC68FC9537
Response: 500 - Internal Server Error
52
53. Last byte of the initialization vector incremented by one.
Request: http://app/home.jsp?UID=0000000000000001F851D6CC68FC9537
Response: 500 - Internal Server Error
53
54. Incrementing the last byte in the IV up to FF will produce a valid padding sequence for a
single byte of padding (0×01). Only one value will produce the correct padding byte and
have different response than the other 255.
Request: http://site/app?UID=000000000000003CF851D6CC68FC9537
Response: 200 OK
If [Intermediary Byte] ^ 0x3C == 0×01,
then [Intermediary Byte] == 0x3C ^ 0×01,
so [Intermediary Byte] == 0x3D
54
55. To crack the 7th byte, the 7th and 8th byte must equal 0×02 for valid padding. Since we
already know that the last intermediary value byte is 0x3D, we can update the 8th IV byte
to 0x3F (which will produce 0×02) and then focus on brute forcing the 7th byte (starting
with 0×00 and working our way up through 0xFF).
55
56. Work backwards through the entire block until every byte of the intermediary value is
cracked and uncovering the decrypted value one byte at a time. The final byte is cracked
using an IV that produces an entire block of just padding (0×08).
"The first stage of the attack takes a few thousand requests, but
once it succeeds and the attacker gets the secret keys, it's totally
stealthy.The cryptographic knowledge required is very basic."
- Julian Rizzo
56
57. <VIDEO>
"It turns out that the vulnerability in ASP.NET is the most critical amongst
other frameworks. In short, it totally destroys ASP.NET security,"
-Thai Duong
57
58. Impact & Prevention
Vulnerable Frameworks
ASP.Net, CAPTCHAs, JavaServer Faces, OWASP ESAPI,
Ruby On Rails, etc.
Prevention
•Encrypt-then-MAC (sign) and validate-then-decrypt
•Patch!
58
59. What have we learned?
• Encryption attacks took the top spot for the 2nd year in a row.
• Web Browser privacy? Web browser security? Not so much.
• “Top Ten” attacks from previous years are being improved.
• Several attack techniques from previous years are now
actively being used maliciously in the wild.
59
60. Thank You...
• Sponsors: OWASP, Black Hat, WhiteHat
Security
• Panel of Experts: Ed Skoudis, Giorgio
Maone, Caleb Sima, Chris Wysopal, Jeff
Willams, Charlie Miller, Dan Kaminsky,
Steven Christey (Mitre), and Arian Evans
• All the security researchers for their
contributions
• Everyone in the Web Application Security
community who assisted
Blog: http://jeremiahgrossman.blogspot.com/
Twitter: http://twitter.com/jeremiahg
Email: jeremiah@whitehatsec.com
60