This document is an agenda for a talk about Web 2.0 security woes. The talk will discuss how Web 2.0 applications have changed some threats and vulnerabilities compared to previous generations of web applications. While some threats have changed form, many of the same types of vulnerabilities still exist. The talk will provide examples of cross-site scripting and hidden functionality vulnerabilities. It will also discuss steps that development teams and customers can take to help improve security, such as training, secure coding practices, and involvement of security personnel throughout the development life cycle.
Java EE Application Security With PicketLink - pigorcraveiro
In this presentation we will take a look at PicketLink, a security framework for Java EE and learn how its identity management, authentication and authorization features can be used to address the security requirements for all aspects of application development.
Claims-based identity refers to establishing a user's identity outside of an application and injecting identity information into the application in a secure manner. It allows applications to obtain authenticated user information programmatically or declaratively. While it improves the user experience and development process, claims-based identity does not solve all identity and access management use cases and some platforms require more custom work to implement it.
Five Things You Didn't Know About Firebase Auth - Peter Friese
There’s no doubt about it: many apps need some way of authenticating the user, but most developers don’t get overly excited by the prospect of implementing a login/sign-up screen.
In this talk, you will learn what Firebase Auth is, why you should use it, and - if this didn’t get you excited yet - 5 things you probably didn’t know about Firebase Auth before.
In particular, we’re going to look at
- How Firebase Auth works, and why you should use it
- How to let users sign in without even having to come up with a password
- What Anonymous Auth is all about and why you should care
- How to make signing in on iOS more magical
This document provides an overview of configuring Spring Security for authentication and authorization in a stateless single-page application backed by a Java/Spring backend. It begins with creating a basic Spring web application with sample controllers. Adding Spring Security dependency automatically enables security and requires authentication. The document then discusses Spring Security architecture and components like filters, authentication manager, providers, and user details service. It provides code samples for configuring JWT authentication with a custom user details service and password encoder. It also covers configuring Spring Security for stateless operation with JWT tokens, enabling CORS, and adding a JWT filter. Finally, it discusses setting up role-based authorization with URL and annotation-based configurations.
This document provides a summary of a presentation on authentication and authorization services using SAML and XACML with JBoss Enterprise Application Platform 6. It introduces the speakers and provides an agenda that discusses challenges, governance, standards like SAML and XACML, and a code example using Picketlink in JBoss EAP 6. Key points covered include common authentication and authorization challenges for enterprises, using open standards like SAML and XACML to address these, and how tools like Picketlink can help with implementation.
The document discusses security and privacy issues related to web browsers. It outlines how targeted attacks on web browsers are increasingly motivated by financial gain. It then discusses common web browser vulnerabilities and how informed consent is important for privacy and security. The document proposes designs for enhancing user understanding of events like cookies with minimal distraction. It also discusses strengthening browser security against man-in-the-middle and eavesdropping attacks.
This document discusses the top 10 web hacking techniques of 2012. It provides an overview of each technique including CRIME, attacking memcached via SSRF, Chrome addon hacking, bruteforcing PHPSESSID, blended threats using JavaScript, cross-site port attacks, permanently backdooring HTML5 client-side applications using local storage, CAPTCHA re-riding attacks, gaining access to HttpOnly cookies in 2012 through Java applets, and attacking OData through HTTP verb tunneling and navigation properties. The document also discusses the history of past web hacking techniques and provides background information on topics like HttpOnly cookies, XST, and CAPTCHAs.
The document discusses cross-site scripting (XSS) attacks, which are one of the most common web application vulnerabilities. It describes different types of XSS attacks, including reflected XSS, stored XSS, and DOM-based XSS. The document also provides examples of how these attacks work and payloads that can be used. Additionally, it discusses how to prevent XSS vulnerabilities by validating input and output and eliminating dangerous insertion points.
Presentation by Charl van der Walt at INFO SEC Africa 2001.
The presentation begins with a case study of a DoS attack launched on a number of high-profile sites by the Canadian teen "Mafiaboy". An explanation of DoS and DDoS is given. The impact of DDoS in South Africa is also discussed. The presentation ends with a series of discussions on DDoS countermeasures.
This document summarizes security threats to machine clouds based on cursory testing of a machine cloud system. It finds that machine clouds are vulnerable due to exposed administrative interfaces, issues in the content management system layer like cross-site scripting, lack of transport layer encryption, and the ability for rogue machines to connect and execute malicious payloads. The growth of connected devices and their management via web-based interfaces introduces threats beyond traditional web applications. Proper security measures are needed to protect the integrity of machine clouds and the systems they connect.
A new look into web application reconnaissance - SensePost
Presentation by Jurgens van der Merwe at ZaCon 2 in 2010.
This presentation is about Selenium, a browser automation framework and its applications in web reconnaissance. Examples of using Selenium with facebook are discussed.
Putting the tea back into cyber terrorism - SensePost
Presentation by Charl van der Walt, Roelof Temmingh and Haroon Meer at BlackHat USA 2003.
This presentation is about targeted, effective, automated attacks that could be used in countrywide cyberterrorism. A worm that targets internal networks is discussed as an example of such an attack.
Presentation by Haroon Meer and Marco Slaviero at BlackHat USA in 2007.
This presentation is about timing attacks against web applications. Squeeza, a SQLi tool developed by Marco Slaviero that returns data through various channels (DNS, timing, HTTP error messages), is introduced. An attack called cross-site request timing is also discussed.
This document discusses the automation of penetration testing and vulnerability assessments. It introduces BiDiBLAH, a tool created by SensePost to automate parts of their assessment methodology. The document outlines which steps of the methodology can be easily automated by BiDiBLAH, such as footprinting, fingerprinting, targeting, vulnerability discovery with Nessus, and exploitation with Metasploit. More challenging areas for automation include steps with exceptions or non-standard processes. The document demonstrates BiDiBLAH performing automated tasks and discusses considerations for releasing the tool to balance security and usability.
Presentation by Marco Slaviero at the University of Pretoria to the Tuks Linux User Group in 2010.
The aim of this presentation is to promote information security. The presentation begins with a look at a few recent attacks. Cloud computing is briefly discussed. The presentation ends with a discussion on Amazon web services and its security.
Presentation by Dominic White at the ITweb security summit 2010.
This presentation is about online privacy. The presentation begins with a discussion on behavioral tracking. Ways to prevent tracking, such as DNT, TPL, GoogleSharing and opting out, are discussed. The presentation ends with a series of discussions on evercookie and nevercookie.
Presentation by Marco Slaviero at the University of Pretoria to their masters class of 2008.
This presentation is an introduction to information security. The presentation starts with a look at the past and current state of network security. Penetration testing is discussed. SQL injection and XSS demonstrations are given.
JavaScript is the most widely used language across platforms. This talk will analyze the security concerns from past to present, with a peek at the future of this important language. This talk was presented as the keynote at CyberCamp Espana 2014.
Moving The Web Forward (Chris Wilson WDS 2007 Keynote) - Chris Wilson
Chris Wilson is a platform architect at Microsoft who has worked on Internet Explorer since the 1990s. He discusses the challenges of evolving the web in a way that moves standards forward while maintaining compatibility. Key challenges include balancing the needs of different groups like developers, users, and hackers. Wilson advocates for making the web more secure, stable, interoperable, and powerful through open standards developed collaboratively by browser vendors and the W3C.
The document discusses various web security topics such as Google hacking, session hijacking, cross-site scripting, and SQL injection. It provides an agenda covering vulnerability types, mitigation strategies, and tools for testing each vulnerability. Recommendations are given for securing websites against common attacks discovered through search engines.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
Web services present unique challenges for penetration testing due to their complexity and differences from traditional web applications. There is a lack of standardized testing methodology and tools for web services. Many penetration testers are unsure how to properly scope and test web services. Existing tools have limitations and testing environments must often be built from scratch. A thorough understanding of web service standards and frameworks is needed to effectively test for vulnerabilities from both the client and server side.
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs... - André Goliath
This document summarizes a talk about transitioning from JavaEE monoliths to microservices architecture in 6 months. It discusses the reasons for moving to microservices (faster development and deployment, lower costs), and the challenges including organizing configuration, communication between services, and deployment. It then outlines the steps taken to implement microservices at a company, including setting up continuous integration, using Spring Boot and Cloud, and establishing vertical feature teams to overcome organizational barriers. The key lessons are that the transition does not require a "big bang", can start with a single service, and works best by automating the development and deployment process from development to production.
Secure Enterprise APIs for Mobile, Cloud & Open Web
APIs present enterprises with many business opportunities but they also create new attack vectors that hackers can potentially exploit. APIs share many of the same threats that plague the Web but APIs are fundamentally different from Web sites and have an entirely unique risk profile that must be addressed.
By adopting a secure API architecture from the beginning, it is possible to address both old and new threats. In this webinar, Scott Morrison – CTO at Layer 7 Technologies – will explain in detail how an enterprise can pursue its API publishing strategy without compromising the security of its on-premise systems and data.
You Will Learn
How APIs increase the attack surface
What key types of risk are introduced by APIs
How enterprises can mitigate each of these risks
Why it is crucial to separate API implementation and security into distinct tiers
Presented By
Scott Morrison, CTO, Layer 7 Technologies
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
The document discusses cross-site scripting (XSS) vulnerabilities. It defines XSS as allowing malicious scripts to be served to users from a vulnerable website. There are different types of XSS vulnerabilities including those without storage and with storage of malicious scripts on the website. The document provides examples of XSS vulnerabilities and discusses how they can be used to steal user credentials and track users. It also outlines challenges in preventing XSS vulnerabilities.
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers - Tom Eston
This document discusses challenges with testing web services and proposes improvements. It notes that current tools, methodologies, and testing environments for assessing web service security are inadequate. The document advocates aligning web service testing with the Penetration Testing Execution Standard methodology. It also highlights new attacks against web services and demos tools like Metasploit modules for assessing web services and the Damn Vulnerable Web Services testing environment.
The document provides best practices for secure web development. It emphasizes that security should be considered from the beginning as part of requirements gathering and architecture design. Key recommendations include never trusting incoming data, using products with known security histories, helping users make secure choices when possible, and conducting thorough code reviews. The document is intended to help developers build applications that can withstand malicious use.
The document provides an overview of web development. It discusses how the web was created in 1989 by Tim Berners-Lee and the initial technologies of HTTP, HTML, and URLs. It then explains how a basic web application works with a browser connecting to a web server to request and receive HTML files and other resources. The document also summarizes key concepts in web development including front-end versus back-end code, common programming languages and frameworks, database usage, and standards that allow interoperability across systems.
- Introduction to Web Security
- Why Is Security So Important?
- Web Security Considerations
- Web Security Approaches
- Secure Socket Layer (SSL) and Transport Layer Security (TLS)
- Secure Electronic Transaction (SET)
- Recommended Reading
- Problems
Social Enterprise Rises! …and so are the Risks - DefCamp 2012 - DefCamp
The document discusses social enterprise software and associated security risks. It provides an overview of social enterprise software, why organizations use it, and common deployment models. It then discusses some common security risks like data loss, exploitation of vulnerabilities, and social engineering. The document outlines strategies for risk mitigation and examines several case studies of vulnerabilities found in social enterprise software solutions. It emphasizes that even large vendors can overlook application security and stresses the importance of verification testing.
This document provides an overview of key concepts related to web services including web clients (browsers), web servers, and security issues. It discusses how browsers make requests to servers and display pages using URLs. It also covers important client-side issues like security vulnerabilities from downloaded content, cookies, and privacy. On the server side, it recommends the Apache web server and discusses choosing, installing, and configuring a server as well as common modules to extend functionality.
The document discusses Web 2.0 technologies and provides an overview of a LiveQuotes product as an example. It describes LiveQuotes as a publishing server and subscribing client that provides real-time stock quote data over the web in an asynchronous and scalable manner. It also outlines future plans to expand LiveQuotes and develop additional Web 2.0 applications and platforms.
Best And Worst Practices Building RIA with Adobe and Microsoft - Josh Holmes
Come listen to leading Rich Internet Applications (RIA) experts from Microsoft and Adobe discuss many of the best and worst practices when building RIAs. RIAs provide a similar user experience to traditional desktop applications combined with the ease of deployment of web/browser based applications. This produces a fair amount of confusion because there are a number of potentially conflicting practices depending on whether you approach your RIA as a desktop or a web application. This session dives into the definition of RIA and walks through the best and worst practices that have appeared over and over again. We will explore architectural patterns and practices such as state management, fault tolerance, service composition, communications protocols and message formats and goes into details on how RIAs can be developed using runtime environments such as Adobe AIR or Microsoft Silverlight.
For more read our blogs at
http://www.jamesward.com
http://www.joshholmes.com
JAXLondon 2015 "DevOps and the Cloud: All Hail the (Developer) King"Daniel Bryant
Last year we talked about DevOps, what it was, why it was important and how to get started. Boy, was it scary. Now we’re wiser. More battle-scarred. The scale of the challenge for application writers exploiting cloud and DevOps is clearer, but so is the path forward. Understanding the DevOps approach is important but equally you must understand specific deployment technologies. How to exploit them and how they effect the design of applications. Whether creating simple applications or sophisticated microservice architectures many of the challenges are the same.
Presented at JAXLondon 2015 with Steve Poole
DevOps and the cloud: all hail the (developer) king - Daniel Bryant, Steve PooleJAXLondon_Conference
1) The document discusses the rise of microservices and DevOps approaches in application development and deployment. It notes both the promises and challenges of these approaches, including increased complexity and the need for new tooling.
2) It describes lessons learned from early adoption of microservices, such as the problems that can arise from shared data stores and monolithic upgrades.
3) The document advocates for a "safety first" mindset with DevOps, emphasizing the importance of security, compliance, and understanding where data is located in cloud environments.
This document summarizes a presentation about Objection, a Python framework that bundles Frida scripts to enable runtime mobile exploration on iOS and Android without needing a jailbroken or rooted device. It includes demos of using Objection to bypass jailbreak detection, extract data from NSUserDefaults, explore the filesystem, bypass SSL pinning, and monitor class methods. Objection aims to make Frida easier to use on mobile by compiling scripts and bundling common functionality.
Vulnerabilities in TN3270 based ApplicationSensePost
A talk given at Hack in the Box Amsterdam and later DerbyCon in 2014 about a new class of vulnerabilities in TN3270 exposed applications by @singe (Dominic White). A video of the talk is available at https://www.youtube.com/watch?v=3HFiv7NvWrM and code can be found at https://github.com/sensepost
Improvement in Rogue Access Points - SensePost Defcon 22SensePost
A supporting slide deck for SensePost's Defcon 22 talk. It contains more useful written information, that the picture heavy version we presented at the conference. You can see the conference video at https://www.youtube.com/watch?v=i2-jReLBSVk and can get the code at https://github.com/sensepost/mana
This document summarizes the Heartbleed vulnerability that was announced in April 2014. It allowed attackers to read portions of a server's memory and extract private keys and user cookies. The vulnerability was in OpenSSL and affected many major companies. It was possible due to a buffer over-read in the OpenSSL implementation of the TLS Heartbeat Extension. While initially many were vulnerable, within a month most major sites and services had patched the vulnerability. The event highlighted issues with OpenSSL's code quality and maintenance and increased funding to address these issues. It also demonstrated the need for rapid patching of 0-day vulnerabilities and the importance of defense in depth strategies.
Botconf 2013 - DNS-based Botnet C2 Server DetectionSensePost
This document discusses using spatial statistics and machine learning classifiers to detect botnet command and control (C2) servers through DNS lookups. It aims to accurately detect botnet traffic with no prior knowledge, being lightweight, fast, and adaptable. The document examines using spatial measures like nearest neighbors analysis and Moran's and Geary's indices on the locations of IP addresses for DNS lookups. This is used to train classifiers to distinguish between benign and fast-flux botnet domains. The classifiers achieved over 95% accuracy and were shown to have minimal performance impact when processing 20,000 domains in under 13 seconds.
Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around £65 million with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.
Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on Z-Wave protocol was available before our work. Z-wave protocol was only mentioned once during a DefCon 2011 talk when the presenter pointed the possibility of capturing the AES key exchange phase without a demonstration.
The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.
Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave , is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.
This document discusses common defensive strategies and how attackers bypass them. It notes that while best practices like passwords, patching, and anti-virus are important, they also introduce commonalities that attackers learn to exploit. The document recommends that defenders study attack techniques to prioritize risks and design defenses that differentiate from standard approaches in order to limit widespread exploitation.
This document discusses smart card security and summarizes research into vulnerabilities in the .NET smart card platform. It provides an overview of smart card applications and operating systems, then discusses attacks against smart cards that have been reported in the news. The document focuses on analyzing the security of .NET smart cards, including how the HiveMod tool was created to aid vulnerability research by allowing visualization and manipulation of .NET smart card binaries. It demonstrates how the tool could be used to spoof a digital signature and bypass the application firewall as a proof of concept attack. Responses from vendors are presented, and the conclusion discusses remaining security challenges but also potential for patching vulnerabilities.
Presentation by Grorg Christian Pranschkle at ZaCon 2 in 2010.
This presentation is about SNMP security The presentation begins with an overview of SNMP. SNMP security weaknesses and SNMP security in cisco apps are discussed. Frisk-0 a tool for SNMP Hacking developed by the presenter is also discussed.
Presentation by Jaco van Gaan at IIA in 2001.
This presentation is about the use of ethical hackers in business. The presentation begins with a series of discussions about hackers, what they do, how they do it and the different types of hackers.
Presentation by Haroon Meer at ReCon in 2005.
This presentation is about web application security. Various web application attacks like XSS, SQLi and directory traversal are discussed. The wikto and crowbar tools developed by sensepost are also discussed.
Major global information security trends - a summarySensePost
Presentation by Luc de Graeve at internetix in 2004.
This presentation is a summery of global information security trends in the business environment .The presentation begins with an introduction to major global trends. Legal Issues, threats, technologies and solutions are discussed
Presentation by Charl der Walt and Francesco Geremla at The ITweb security summit in 2009.
This presentation is about the methodology behind version 2 of Sensepost's threat modeling tool, the corporate threat modeller.
Presentaion by Charl van der Walt at the ITweb security summit 2010.
This presentation is an introduction to the security summit 2010. It introduces all the speakers.
Presentation by Charl de Walt in 2001.
The presentation aims to educate people that IT security is relevant to SA business. The presentation begins with examples of defaced SA company websites. Various attacks such as DDoS and semantic attacks are discussed. The presentation ends with a discussion on IP manipulation
Presentation by Luc de Graeve at the Gordon institute of business science in 2001.
This presentation is about security in e-commerce and is aimed at making people aware of what hackers do, how they do it and the financial implications of their actions. The presentation begins with a few examples of defaced websites and ends with a discussion on risk and assessment.
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
Fueling AI with Great Data with Airbyte WebinarZilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Northern Engraving | Nameplate Manufacturing Process - 2024Northern Engraving
Manufacturing custom quality metal nameplates and badges involves several standard operations. Processes include sheet prep, lithography, screening, coating, punch press and inspection. All decoration is completed in the flat sheet with adhesive and tooling operations following. The possibilities for creating unique durable nameplates are endless. How will you create your brand identity? We can help!
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty, is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
What is an RPA CoE? Session 1 – CoE VisionDianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Freshworks Rethinks NoSQL for Rapid Scaling & Cost-EfficiencyScyllaDB
Freshworks creates AI-boosted business software that helps employees work more efficiently and effectively. Managing data across multiple RDBMS and NoSQL databases was already a challenge at their current scale. To prepare for 10X growth, they knew it was time to rethink their database strategy. Learn how they architected a solution that would simplify scaling while keeping costs under control.
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
"Frontline Battles with DDoS: Best practices and Lessons Learned", Igor IvaniukFwdays
At this talk we will discuss DDoS protection tools and best practices, discuss network architectures and what AWS has to offer. Also, we will look into one of the largest DDoS attacks on Ukrainian infrastructure that happened in February 2022. We'll see, what techniques helped to keep the web resources available for Ukrainians and how AWS improved DDoS protection for all customers based on Ukraine experience
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdfChart Kalyan
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
2. Agenda
Who are we?
What is this talk about?
Web Application Security & Web 2.0
What changed?
What stayed the same?
What can be done?
Questions
3. Who are we?
SensePost
Formed in 2001
Security assessment services to finance, industrial, mining, telecoms
Written a few papers …
Spoken at a number of conferences (BlackHat, Defcon, …)
Contributed to a handful of books
Done some Training
www.sensepost.com/blog
4. What is this talk about?
Not …
About the relationship between Security and Compliance
Btw, it's a love / hate marriage … just like the rest of us
A Developer-Bashing Campaign
Developers are good at making something magical, from chains of code
Promoting internet-less-ness (since the internet is too dangerous)
Some SPers are more paranoid than others though
A technical presentation
So please don't run away
Is:
Clear up the misconception that Web 2.0 is more secure
Educate on how to limit your risk when deploying a web application
5. Web Application Security
Why target?
Traditional perimeter security had matured
Websites (and web services) are commonly used to share information …
Always on
Easy target
6. Web 2.0
Better user experience
More interaction
More functionality
But what about security?
Things got bad!
… REALLY bad!
7. What changed? … Likely Targets
1.0
Intruder interacts with website
therefore, the website is the target
(Diagram: Website, Maintainer, Visitors)
8. What changed? … Likely Targets
2.0
Intruder still interacts with website, but
Intruder can interact with other users, through the targeted website
therefore, other website users are targets as well
(Diagram: Website, Maintainer, Contributing Visitors, Normal Visitors)
9. The complete compromise of the hosting environment is not a prerequisite to the complete compromise of client systems.
10. What changed? … Page Interaction
1.0
User makes request … Server replies
User's browser loads any additional page resources defined within the server response
2.0
User makes request … Server replies
User interacts with webpage,
Scripts performing their own requests to the web server
Use web services for lookups
Scripts have their own lifetime
11. What changed? … Page Interaction
Example: CAPTCHA
(Login form: Username "junaid", Password "**********", Code "alotocibil", Login button)
1.0
Validation performed upon submission
2.0
Validation can be performed during field population
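The 2.0 CAPTCHA flow on this slide, as an added example in JavaScript (Node) that is not part of the SensePost deck: the CAPTCHA check is exposed as a web service so the page can validate the code while the user is still filling in the form, which hands a bot a free oracle. The challenge table, the bot's list of guesses and the function names are assumptions made for the example.

```javascript
// Added example, not from the SensePost deck: a CAPTCHA check exposed as a
// web service for "validate while typing" becomes an oracle for bots.
// The Map stands in for a session store; all names are hypothetical.
const challenges = new Map(); // challengeId -> { answer, checks }

// Constructed list of OCR guesses a bot might produce for the code on the
// slide; the correct one is deliberately last.
const BOT_GUESSES = ['alotoclbil', 'a1otocibil', 'alotoc1bil', 'alotocibil'];

function issueChallenge(id, answer) {
  challenges.set(id, { answer, checks: 0 });
}

// Vulnerable: the same challenge can be checked any number of times and a
// wrong guess costs nothing, so a bot confirms the answer before it ever
// submits the form (and never clocks up a failed login).
function checkCaptchaVulnerable(id, guess) {
  const c = challenges.get(id);
  if (c === undefined) return false;
  c.checks += 1;
  return c.answer === guess;
}

// Hardened: a challenge is consumed by its first check, right or wrong, so
// the check only makes sense at form submission (where the 1.0 design did
// it) and there is no free pre-validation left to probe.
function checkCaptchaHardened(id, guess) {
  const c = challenges.get(id);
  if (c === undefined) return false;
  challenges.delete(id); // single use, whatever the outcome
  return c.answer === guess;
}

// The bot: try every guess against the check service and return the one the
// service accepted, or null if the service gave nothing away.
function botSolve(check, id) {
  for (const guess of BOT_GUESSES) {
    if (check(id, guess)) return guess;
  }
  return null;
}
```

Against the vulnerable service the bot tries its candidates one by one and keeps the one the service confirmed; against the single-use check it gets exactly one try, and a legitimate user who mistypes simply receives a fresh challenge, which is what most CAPTCHA implementations do anyway.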
12. What changed? … Building Blocks
Components
Pages can be comprised of:
Resources (images, stylesheets)
Scripts (JavaScript, Flash)
Web services
Authentication and Authorisation, the Authz, has to be enforced across all components
Otherwise there is a loophole to access sensitive data
13. What changed? … Building Blocks
Example: Uniform Enforcement of the Authz
Attacker → Website: getAllFriendMessages("junaid")
Website → Attacker: Access Denied
Attacker → Website: getMessagesByFriend("junaid", "ian")
Website → Attacker: Msg #1 … Msg #n
Similar issue identified on a client's system which was built on Drupal
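The exchange on this slide, as an added JavaScript (Node) example that is neither the client's code nor anything from the deck: two service methods over the same message store, first with the authorisation check bolted onto one method, then with a single gate every method passes through. The session table, the message data and the dispatcher names are constructed for the example.

```javascript
// Added example, not from the deck: the two service methods on the slide
// over one message store. Sessions, users and messages are constructed.
const messages = {
  junaid: { ian: ['Msg #1', 'Msg #2'], sam: ['Msg #3'] },
};
// token -> user; an undefined or unknown token is an anonymous caller
const sessions = { 'tok-junaid': 'junaid', 'tok-mallory': 'mallory' };

const handlers = {
  getAllFriendMessages(user) {
    return Object.values(messages[user] || {}).flat();
  },
  getMessagesByFriend(user, friend) {
    return (messages[user] || {})[friend] || [];
  },
};

// Vulnerable dispatcher: the check was written into one method's code path
// and forgotten for the other, which is exactly the behaviour on the slide.
function callVulnerable(token, method, user, ...args) {
  if (method === 'getAllFriendMessages' && sessions[token] !== user) {
    return 'Access Denied';
  }
  const fn = handlers[method];
  return fn ? fn(user, ...args) : 'Unknown method';
}

// Hardened dispatcher: one gate in front of every method. Authentication
// (is there a session?) and object-level authorisation (does the session
// belong to the user whose data is requested?) cannot be skipped by adding a
// method, because no method ever sees a request that has not passed the gate.
function callHardened(token, method, user, ...args) {
  const caller = sessions[token];
  if (caller === undefined || caller !== user) return 'Access Denied';
  const fn = handlers[method];
  return fn ? fn(user, ...args) : 'Unknown method';
}
```

The point is where the check lives, not what it checks: a framework that hands you an authenticated identity still leaves it to the application to apply that identity to every method that touches a user's data.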
14. Securely developed frameworks do not always lead to securely developed applications
(But they do provide a good foundation)
15. What changed? … Building Blocks
Components
Pages can be comprised of:
Resources (images, stylesheets)
Scripts (JavaScript, Flash)
Web services
Authentication has to be enforced across all components
Otherwise there is a loophole to access sensitive data
Application Complexity
Some development teams #FAIL to recognise where trust boundaries are located
16. What changed? … Building Blocks
Example: Error Message Information Exposure
(Login form: Username "junaid" / "ian", Password "**********", Login button)
Authentication Failed → <auth><result>Incorrect Password</result></auth>
Authentication Failed → <auth><result>Account Locked</result></auth>
The developers failed to recognise that this particular web service fell outside one of the trust boundaries
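An added JavaScript (Node) example, not from the deck, of the two responses on this slide: a login service whose result element says why authentication failed lets an anonymous caller tell a locked (existing) account from an unknown one, so the hardened version returns a single failure message and writes the detail to a server-side log instead. The accounts, passwords and log are constructed for the example; a real implementation compares password hashes rather than plaintext.

```javascript
// Added example, not from the deck: one login service, two response styles.
// Accounts, passwords and the audit log are constructed; real code compares
// password hashes, not plaintext.
const accounts = {
  junaid: { password: 'correct horse', locked: false },
  ian:    { password: 'battery staple', locked: true },
};
const auditLog = []; // stand-in for the server-side log

// Vulnerable: the reason for the failure goes back to the (unauthenticated)
// caller, so "Account Locked" / "Incorrect Password" / "Unknown User" tell
// real accounts apart from guesses.
function loginVulnerable(user, password) {
  const a = accounts[user];
  if (a === undefined) return '<auth><result>Unknown User</result></auth>';
  if (a.locked) return '<auth><result>Account Locked</result></auth>';
  if (a.password !== password) return '<auth><result>Incorrect Password</result></auth>';
  return '<auth><result>OK</result></auth>';
}

// Hardened: the caller sees one failure message; the detail is logged where
// operators, not attackers, can read it.
function loginHardened(user, password) {
  const a = accounts[user];
  let reason = 'ok';
  if (a === undefined) reason = 'unknown-user';
  else if (a.locked) reason = 'locked';
  else if (a.password !== password) reason = 'bad-password';
  auditLog.push({ user, reason });
  if (reason !== 'ok') return '<auth><result>Authentication Failed</result></auth>';
  return '<auth><result>OK</result></auth>';
}

// What an enumeration attacker measures: how many different answers the
// service gives across a list of candidate usernames with a wrong password.
function distinctResponses(login, users) {
  return new Set(users.map((u) => login(u, 'not-the-password'))).size;
}
```

The same reasoning applies to a username lookup service: if the response for an existing user differs in any way from the response for a non-existent one, the service is an enumeration oracle whether or not it ever calls itself authentication.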
17. What stayed the same?
Fact remains …
Many didn't get security right with Web 1.0 applications
Needless to say, many still don't get security right with Web 2.0 applications
Web 2.0 has allowed for new variations of older attacks
You may have fixed the known issues, but others could still exist
18. What stayed the same?
Example: Vanilla Cross-site Scripting
Attacker submits: What is your name? junaid
Website responds: … <p>Hello junaid!</p> …
Attacker submits: What is your name? <script>alert('junaid')</script>
Website responds: … <p>Hello <script>alert('junaid')</script>!</p> …
19. What stayed the same?
Example: Cross-site Scripting (into JavaScript)
Attacker submits: What is your name? <script>alert('junaid')</script>
Website responds (the < and > characters have been removed): … <script>var name='scriptalert('junaid')/script';document.write(name);</script> …
Attacker submits: What is your name? Blah';alert('junaid');var tmp='
Website responds: … <script>var name='Blah';alert('junaid');var tmp='';document.write(name);</script> …
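The greeting page from slides 18 and 19 as an added JavaScript (Node) example, not code from the deck: the raw rendering, the strip-the-angle-brackets filter that the second payload on slide 19 walks straight past, and a rendering that encodes for the HTML context and the JavaScript string context separately. The function names are hypothetical; the payloads are the ones on the slides.

```javascript
// Added example, not from the deck: the greeting page rendered three ways.
// Function names are hypothetical; the two payloads are the ones on the slides.
const PAYLOAD_TAG = "<script>alert('junaid')</script>";
const PAYLOAD_STRING = "Blah';alert('junaid');var tmp='";

// Vulnerable: the name goes unencoded into HTML and into a JS string literal.
function renderVulnerable(name) {
  return `<p>Hello ${name}!</p>\n` +
    `<script>var name='${name}';document.write(name);</script>`;
}

// Filter-only "fix": dropping < and > stops the <script> tag, but the second
// payload never needed a tag; a quote and a semicolon are enough.
function renderStripTags(name) {
  return renderVulnerable(name.replace(/[<>]/g, ''));
}

// Encoding for the HTML text context.
function htmlEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Encoding for the JavaScript string-literal context: JSON.stringify yields a
// valid double-quoted literal, and "<" is escaped as well so the literal can
// never contain a literal "</script>" that would end the surrounding block.
function jsStringLiteral(s) {
  return JSON.stringify(s).replace(/</g, '\\u003c');
}

// Hardened: each context gets its own encoder, and the value is written back
// through textContent rather than document.write, which is an HTML sink.
function renderHardened(name) {
  return `<p id="greeting">Hello ${htmlEncode(name)}!</p>\n` +
    `<script>var name=${jsStringLiteral(name)};` +
    `document.getElementById("greeting").textContent="Hello "+name+"!";</script>`;
}
```

Fixing the string literal alone is not enough: `document.write(name)` re-parses whatever the variable holds as markup the moment the script runs, so a correctly encoded literal would still become `<script>alert('junaid')</script>` in the page. The hardened rendering therefore changes the sink as well as the encoding.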
20. What stayed the same?
Fact remains …
Many didn't get security right with Web 1.0 applications
Needless to say, many still don't get security right with Web 2.0 applications
Web 2.0 has allowed for new variations of older attacks
You may have fixed the known issues, but others could still exist
Hidden functionality … never remains a secret!
In Web 1.0, we searched for files hidden within the web directory
In Web 2.0, we investigate web services in order to locate hidden methods
21. What stayed the same?
Example: Hidden web service methods
Attacker → Web Service: getFile("myfile.txt")
Web Service → Attacker: … contents of myfile.txt …
Attacker → Web Service: getFile("../../../../boot.ini")
Web Service → Attacker: Access Denied
Validation routines recognised that the requested file existed outside of the uploads
Attacker → Web Service: getFileByPath("c:\boot.ini")
Web Service → Attacker: … contents of boot.ini …
Though undocumented, the getFileByPath() method existed and could be used to retrie
22. What can be done?
As a Development House:
Security Education / Training
Industry has failed to teach this during a programmer's early years (High School and University)
Developers need to understand where things usually go wrong
Defensive Coding
Never trust user input
Make fewer assumptions
Don't rely on exceptions to occur whenever the application is not used correctly
Source code reviews
Correct your Systems Development Life Cycle
Security audits should not be left until just before deployment
Involve security officers to observe the project as it progresses
23. What can be done?
As a Customer:
You get what you pay for
Smaller budget » less development time » pressured developers » possibly more bugs
Make security a requirement
Like most things in life … you won't get it unless you ask for it
Use experienced Development Houses
If the team has had one of their applications pentested before, then they are likely to understand what gets exploited
If they make use of a common (custom) framework between all their projects, then security changes are commonly applied to all versions
24. Security is a journey, not a destination.
(So remember to buckle up, and enjoy the ride)
User experience got better. Websites are more interactive. Websites have way more functionality. Security went down-hill, and things got bad. REALLY BAD!
Normal websites were composed from a specific set of resources. A webpage would simply have text and pull in images. Any additional functionality would be provided by directing the user to make a request to a specific script.
Web 1.0: Validation was only performed once the user submitted the data. Verification routines were only invoked at this time.
Web 2.0: Validation is sometimes performed concurrently while the user is still populating the required fields. This usually means that validation routines are available as a web service.
While the website attempted to use CAPTCHA as a mechanism to keep bots / automated scripts out, by providing the web service they provided a routine which bots could use to read and check the CAPTCHA alone, without clocking-up authentication failures.
If you think this is not an issue for CAPTCHA, then know that we've seen more bad implementations of this regarding username lookups (thereby allowing intruders to enumerate users on the system).
getAllFriendMessages("junaid"): attempting to get messages for junaid from all friends. Response: You must be logged in (only for authenticated users).
getMessagesByFriend("junaid", "ian"): attempt to get messages for junaid from a specific friend, ian. Results received; authentication not enforced.