Web browsers have become part of everyday life, and are relied upon by millions of internet citizens each day. The feature rich online world has turned the once simple web browser into a highly complex (and very often insecure) desktop application.
As browser vendors have extended functionality and support to new technologies, security researchers and hackers are continuously looking for new vulnerabilities. In this talk, Roberto and Scott will share results of their assiduous browser bug hunting. The talk will examine techniques used to discover critical and less severe vulnerabilities in some of the most popular browsers on the market.
This talk will focus heavily (but not exclusively) on the following areas:
- Memory corruption bugs;
- New approaches to DOM fuzzing;
- Old school techniques against new browser technology;
- Cross Context Scripting and injection attacks;
- SOP Bypass;
The presentation will conclude with a montage of on-stage demonstrations of previously unreleased vulnerabilities, including remote code execution, injections and other tailored browser exploits.
Cross Context Scripting (XCS) is a type of XSS (Cross Site Scripting) injection which occurs from an untrusted zone, typically a web page on the Internet into the context of a trusted browser zone.
XSS injection in a trusted browser zone can be 'lethal', as injected payload runs as privileged code. No SOP (Same-Origin Policy) restrictions are enforced and direct interfacing with the underlying OS is possible.
To exploit such bugs, there is no need to use ROP gadgets, spray the heap or attempt other complex techniques. On the contrary, only a few elements are required for a successful exploit, such as the right injection point and a tailored exploit payload.
This presentation will examine XCS in detail and will provide a demonstration of XCS exploits of both unpatched and patched vulnerabilities in Firefox, Opera, Maxthon and Avant browsers.
This talk intends to demonstrate how to improve web application security testing by combining a browser automation framework and a web proxy API.
The goal of this research is to bring a web proxy as close as possible to a browser to achieve a better security testing coverage, especially when dealing with complex client-side technology.
The presentation includes a montage of real case scenarios, showing how this approach can lead to the discovery of vulnerabilities which might otherwise go unnoticed.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
Abstract:
Secure code practices, system hardening, due diligence and due care principles are paramount in mitigating application level DoS attacks. These attacks often result in significant damage against unprepared and vulnerable organisations.
The intent of this talk is to help organisations in strengthening their security posture against such attacks. The talk will explore most common application level DoS attacks and will provide recommendations for protecting applications, detecting attacks and how to react under stressful conditions.
Hundreds of Firefox addons are created every week. Millions of users download them. Some addons are even recommended by the Mozilla community, and users implicitly trust them. We don't trust a single one, and we will show you why.
This talk details how we have abused some of the most popular and recommended Firefox addons, with previously unreleased vulnerabilities. From the Mozilla download statistics, over 15 million users are potentially affected. Demos will cover remote code execution, local file disclosure and other tailored Firefox Addon exploits.
Don't panic - the Addons manager can be found under the 'Tools' tab in your Firefox menu. We expect to see a lot of people clicking the "Uninstall" button after this presentation.
When you don't have 0days: client-side exploitation for the masses, by Michele Orru
Conference: InsomniHack (21 March 2014)
Talk speakers:
Michele Orru (@antisnatchor)
Krzysztof Kotowicz (@kkotowicz)
Talk abstract:
A bag of fresh and juicy 0days is certainly something you would love to get as a Christmas present, but it would probably be just a dream you had one of those drunken nights.
Hold on! Not all is lost! There is still hope for pwning targets without 0days.
We will walk you through multiple real-life examples of client-side pwnage, from tricking the victim to take the bait, to achieving persistence on the compromised system.
The talk will be highly practical and will demonstrate how you can do proper client-side exploitation effectively, simply by abusing existing functionalities of browsers, extensions, legacy features, etc.
We'll delve into Chrome and Firefox extensions (automating various repetitive actions that you'll likely perform in your engagements), HTML applications, abusing User Interface expectations, (Open)Office macros and more. All the attacks are supposed to work on fully patched target software, with a bit of magic trickery as the secret ingredient.
You might already know some of these exploitation vectors, but you might need a way to automate your attacks and tailor them based on the victim language, browser, and whatnot. Either way, if you like offensive security, then this talk is for you.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Slides of my talk at RuxCon 2013:
For those who do not listen to Mayhem and black metal, the talk title might seem a bit weird, and I can't blame you.
You know the boundaries of the Same Origin Policy, you know SQL injection and time-delays, you know BeEF. You also know that when sending cross-domain XHRs you can still monitor the timing of the response: you might want to infer 0 or 1 bits depending on whether the response was delayed or not.
This means it's possible to exploit every kind of SQL injection, blind or not blind, through a hooked browser, if you can inject a time-delay and monitor the response timing. You don't need a 0day or a particular SOP bypass to do this, and it works in every browser.
The potential of being faster than a normal single-host multi-threaded SQLi dumper will be explored. Two experiments will be shown: WebWorkers as well as multiple synched hooked browsers, which split the workload, communicating partial results to a central server.
A pure JavaScript approach will be exclusively presented during this talk, including live demos. Such an approach would work for both internet-facing targets as well as applications available in the intranet of the hooked browser.
The talk will finish by discussing the implications of such an approach in terms of Incident Response and Forensics, showing evidence of a very small footprint.
Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
Continuous intrusion: Why CI tools are an attacker's best friends, by Nikhil Mittal
Slides of the talk I gave at BlackHat Europe and DeepSec 2015. Continuous Integration (CI) tools provide an excellent attack surface due to no or poor security controls, distributed build management capability, and the level of access/privileges they hold in an enterprise.
This talk looks at the CI tools from an attacker's perspective and to use them as portals for getting a foothold and lateral movement. We will see how to execute attacks like command and script execution, credentials stealing, privilege escalation to not only compromise the build process but the underlying operating system and even entire Windows domains. No memory corruption bugs will be exploited and only the features of the CI tools will be used.
20+ ways to bypass your macOS privacy mechanisms, by Csaba Fitzl
"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework, which restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt and, as a malicious application, get access to protected resources without any additional privileges or user consent. Together, we submitted over 40 vulnerabilities to Apple alone over the past year, which allowed us to bypass some parts or the entirety of TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
These slides were prepared by Ziyahan Albeniz for the presentation "Make CSRF Great Again" which he delivered at the NOPcon on the 11th of May 2017.
In this presentation Netsparker's security researcher Ziyahan explains all the technical details and the ins & outs of the CSRF attack. During the presentation Ziyahan also uses two real live CSRF issues, one in the Yandex browser and one in the Grammarly online service, which he discovered, as examples.
The video of the full presentation in Turkish is available here: https://www.youtube.com/watch?v=5bDbZ7_mjng
Understanding Data Mining in the Social Media Marketing Age, by Sherman Mohr Jr.
Our preferences, comments, sharing, and online community involvement are being analyzed. The analysis is so subtle that most participants don't even notice. We learn in this session how marketers are gathering, extracting, analyzing and then building advertising campaigns around social media participation.
"La Cocina de las Ideas", a talk on creativity given on 10 Septem... by Gustavo Martin
· Summary of the talk given on 10 September 2014 in Guayaquil, Ecuador.
· MKT Night, the first #MarketerosNocturnos meetup in Ecuador.
_
The following slides are a compendium of the main reflections and concepts delivered during my talk "La Cocina de las Ideas" (The Kitchen of Ideas). It was carried out with audience participation through various interactive exercises.
Moving constantly back and forth between the world of gastronomy and the world of ideas, the talk was divided into 3 courses (starter, main course and dessert), as if it were a tasting menu.
_
You can see more at www.gussmartin.com or contact me on Twitter: @GussMartin
At TOKYOTO Luggage we design cabin suitcases to stand out and be noticed.
Our hallmarks are the exclusivity and inventiveness of our models, while always keeping close ties with market and fashion trends.
We address a fun-loving, free-spirited audience that likes to stand out through surprising and distinguished accessories.
Are you one of them?
A Comprehensive Approach to Secure Group Communication in Wireless Networks, by David González Romero
A basic slideshow complemented with some other slides I used for illustrating my master's thesis at the Illinois Institute of Technology in the field of cryptography and network security.
Talk 'Desmitificando el AntiVirus' (Demystifying the AntiVirus) by Abraham Pasamar, Navaja Negra 2014 #NN4ed CON
Demo:
* Crypter tests
* Social engineering attack: email + Word document with a macro (malware downloader protected with a FUD crypter)
Video 1/
http://youtu.be/wPPmRgQNF24
* 0day attack with Sandworm (PowerPoint)
Video 2/
https://www.youtube.com/watch?v=5hJddep-y80
Video 3/
https://www.youtube.com/watch?v=gZAndZB0Jqk
Nice performance using Sf2 cache wrapping Sf1 application, by Marc Weistroff
In collaboration with Emmanuel Cohen.
At a key moment for online press in France, a major French news company chooses PHP and Symfony to extend its popular web site. We will present the architecture we designed at Sensio Labs to meet a very good performance requirement. We used Symfony2 kernel wrapping symfony 1.4 and relied on loose-coupled applications serving content from heterogeneous backend sources.
Mozilla: Under the Hood
The browser has in many ways become a mini-operating system, attempting to harness all the internet's power and complexity while making it simple enough so that anyone with minimal computer skills can visit websites and communicate with people all over the world. The technical challenges of developing and testing software in this kind of environment are immense, given the rapid changes going on in the internet space and the fact that the browser is called upon to parse as many as 1 trillion pages full of dynamic content. As time has gone on, many websites have gone from looking like static pages to resembling applications, which presents its own set of difficulties. Given these challenges, how does Mozilla ensure high quality and usability of every browser release? I will explore Mozilla under the hood and illuminate how Mozilla works to meet these challenges by introducing some of the tools that Mozilla uses to test its products. I will also demonstrate how Mozilla leverages help from the community as well as gives back to the community as part of the open development process.
Mark Wodrich, Microsoft
Jasika Bawa, Microsoft
In the Windows 10 Fall Creators Update, we introduced Windows Defender Exploit Guard (WDEG)—a feature suite that enables you to reduce the attack surface of applications while allowing you to balance security with productivity in a realistic manner. With WDEG's smart attack surface reduction (ASR) rules and exploit protection, we are looking to provide security hardening for popularly used applications without losing sight of the complex environments being managed in most organizations. But what are these security hardening options? And how do we anticipate they will be put to work?
In this talk, we will discuss why and how we embarked upon the WDEG journey, starting all the way from our passionate Enhanced Mitigation Experience Toolkit (EMET) customers, through the conception of the WDEG feature set, to the internal mechanics behind the rich set of protections it offers. We will also demonstrate how WDEG's smart ASR rules and exploit mitigation settings can be used to reduce the likelihood of exploitation of commonplace legacy applications, now directly from Windows 10.
JavaScript is the most widely used language across platforms. This talk will analyze the security concerns from past to present with a peek at the future of this important language. This talk was presented as a Keynote at CyberCamp Espana 2014.
Building a Real-World Application with Adobe Flex 2, by dcoletta
Virtual Ubiquity is building the first real word processor for the web, and we're using Adobe Flex 2 and the Flash Player as the platform. Why did we choose that platform? What does it feel like to an old-school C++ developer? What happens when you try to use it for a real-world app? How do you work around the inevitable problems?
Black Search Engine Optimisation (SEO), often referred to as negative SEO, is a term that covers sabotage techniques aiming to reduce a web site's ranking in search engine results. Black SEO techniques are typically used in business and socio-political contexts, such as information warfare.
The presentation will focus on the use of these techniques to discredit a web site by making it vanish from the major search engine result pages. The discussion will also cover how to exploit common web application vulnerabilities such as Cross Site Scripting, SQL injection and other popular exploitation methods to leverage black SEO attacks. Examples will be included to demonstrate each method of exploitation, and how the vulnerabilities can be used to impact revenues and the reputation of business and political targets.
Black SEO attacks represent a unique class of threats and from a security perspective, any threat which can incur a potential loss should be considered a risk. So far, some of these techniques have only existed as a discussion topic in the SEO industry. Consequently, the intent of my presentation is to bring this complex topic to light to the security community.
When performing security testing, I often sit in a room with other QA and software testers. During that time, it is likely I receive questions such as: "Roberto, are you hacking this? Are you breaking this again? What exactly are you testing?"
While talking to them I realise there is an information gap between us, especially when they share information which is essential for my testing and crucial to identify security vulnerabilities.
After a good number of security tests, I came to the conclusion that people in our industry do not realise that software testing and security testing have a lot to share.
This talk intends to reduce that information gap and provides an introduction to security software testing and methodologies, and most importantly offers some food for thought to stimulate synergy between security and software testers.
From the infection phase to the command & control functionalities, this talk is a 360-degree analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over the HTTP protocol and the use of PHP and MySQL.
This presentation introduces some of the web spam techniques used against search engines. This talk is complementary to the presentation "Black SEO Exposed". Some real examples are discussed and illustrated, including exploitation of web application vulnerabilities.
This talk highlights potential attacks against web applications using Ajax and XHR technology. The first part of the talk introduces Ajax and related technologies. The second part of the talk focuses on potential attacks and their consequences, including some scenarios where the SOP (Same Origin Policy) is bypassed.
This talk is a generic but comprehensive overview of security mechanisms, controls and potential attacks in modern browsers. The talk also focuses on new technologies, such as HTML5 and related APIs, to highlight new attack scenarios against browsers.
UiPath Test Automation using UiPath Test Suite series, part 4, by DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality, by Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Search and Society: Reimagining Information Access for Radical FuturesBhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
Window Shopping Browser - Bug Hunting in 2012
1. Window Shopping:
Browser Bug Hunting in 2012
Roberto Suggi Liverani / Scott Bell – Security-Assessment.com
HITB2012AMS
2. Who Are We?
Roberto Suggi Liverani (@malerisch)
Principal Security Consultant
Security-Assessment.com – www.security-assessment.com
Blog and research: http://blog.malerisch.net/p/security-research.html
Scott Bell
Principal Security Consultant
Security-Assessment.com - www.security-assessment.com
6. Firefox - Use-After-Free < 11
Severity:
Exploit: Remote Code Execution (no DEP)
Credits: Scott Bell & Blair Strang
Status: Patched in FF 11 (win7)
CVE: 2012-0454
Vendor Response:
Bug fixed but took a long time
Mozilla developers struggled to replicate and fix this bug
Approach: modded version of cross_fuzz
cross_fuzz - http://lcamtuf.coredump.cx/cross_fuzz/
7. What product are you selling me?
UAF (Use-After-Free)
Referencing memory after it has been freed can cause a program to:
Crash
Use unexpected values
Execute arbitrary code
8. FF Use-After-Free
Modified cross_fuzz
Added more entropy via:
Randomising call parameter count
Removing toggle_gc()
Changing ‘document.designMode=on' to be controlled by the parent window
Changing fuzz variables
9. FF Use-After-Free
Modified cross_fuzz
Implemented HTMLGen to generate different HTML each run
Waited for the DOM to load in child windows before crawling.
This cuts out timing issues/different fuzz path results.
Removed phases - only leaving some, e.g. tweak_properties(), using only one phase
10. FF Use-After-Free
Minimising
JSLOG – Firefox Extension (Blair Strang)
Used JSLOG to dump DOM operations
Observed browser behaviour around the time of crash
Followed browser behaviour in the debugger
A lot of late nights :)
11. FF Use-After-Free
Minimising
Noted consistencies at the time of crash
Referenced consistencies with JSLOG output
Manually tried various scenarios based upon what we observed
Result
Reduced very complex HTML test case to a simple HTML template
Thousands of JavaScript DOM operations reduced to few
14. FF Use-After-Free – PoC 3/3
PARENT / CHILD sequence:
1. Parent spawns child
2. Parent performs click on form – file open dialog spawns
3. Parent closes child while file open dialog is open
15. FF Use-After-Free Analysis
Analysing
An obvious Use-after-free
Windows heap manager writes the pattern 0xFEEEFEEE to HeapFree'd locations
Looks pretty exploitable too, crashes on a CALL :)
16. FF Use-After-Free - Analysis
Analysing
Crazy unknown stack trace - doesn't really help
Speculation: seems to be going through some Windows internals
17. FF Use-After-Free
Conclusion
Very ‘timing sensitive’
Need for specific heap layout
No DEP/ASLR bypass
DEMO – Firefox Use After Free Code Execution
If anyone is interested in improving current exploit, please contact us
18. Maxthon - XCS and SOP Bypass
Severity:
Exploit: Remote Code Execution
Credits: Roberto Suggi Liverani
CVE: n/a
Status: Unpatched!
Vendor Response:
13/02/2012 - bugs reported to multiple contacts
21/02/2012 - reception of report confirmed but no further reply
21/02/2012 - chased them, no reply
02-05/2012 - 11 new releases following the report – 1 bug silently fixed
Approach: targeted – looking for injection points
19. What product are you selling me?
XCS or Cross-zone scripting
Cross Zone Scripting coined for IE
http://en.wikipedia.org/wiki/Cross-zone_scripting
XCS coined for Firefox and injection in chrome://
What is XCS?
An XSS in a privileged browser zone
An intrinsic Same-Origin Policy (SOP) bypass :-)
Each browser has a privileged zone:
FF - chrome://
Chrome - chrome://
Opera - opera://
Maxthon - mx://
Avant - browser://
20. XCS
Browser privileged/trusted zone
Access to internal API interfaces:
File system, browser settings, bookmarks, storage, etc.
Some references from the past
Opera XSS found in opera:history
RCE exploit in opera:config (Kuza55 / Stefano Di Paola / Aviv Raff)
FF addons research with Nick Freeman
Multiple RCE exploits released in FF addons
XCS exploits are 100% reliable
21. A bit about Maxthon
Developed by: Maxthon International (China)
Architecture
Supports Trident and Webkit layout engines
Focus on performance and extra features
Some stats - according to Maxthon
130 million users
Users spread over 120 countries
500,000,000 downloads in 2k10
22. Maxthon – The bugs
Cross Context Scripting
about:history zone
Feed Reader (about:reader) and RSS Viewer
Bookmark Toolbar and Bookmark Sidebar
Incorrect Executable File Handling
Same-Origin Policy (SOP) Bypass
DNS Poisoning/MiTM – i.maxthon.com
Remote Code Execution possible in 5 different ways!
23. Maxthon - XCS via location.hash
Injection via location.hash
Maliciouspage.html – performs redirection
Injected payload executes in about:history
24. Maxthon XCS in RSS
Injection via <title>, <link>, <description> tags
26. Maxthon – Further bugs
External Tools Direct Invokation
Maxthon can invoke executables
window.open("file://C:/windows/system/cmd32.exe");
pop up blocker -> but if user accepts, exe is called
SOP Bypass
Tested window.open() with following results:
From: http:// - window.open(‘file://….’)
Prompts a popup blocker; if the user allows the pop up, the file:// window is opened
From: http:// - window.open(‘about://*’)
spawns a new window
From: http:// - window.open(‘mx://res/*’)
forbidden by SOP
28. Maxthon – i.maxthon.com (2/2)
Design Issues
i.maxthon.com = trusted domain
i.maxthon.com allows direct access to privileged APIs
No control on resolution of IP address
No use of SSL
MiTM Bug
DNS poisoning
Force resolution of i.maxthon.com to a controlled IP address
HTTP MiTM
i.maxthon.com served over HTTP – malicious proxy which alters page content
Other implications
XSS in real i.maxthon.com site
30. Avant Browser – XCS & SOP Bypass
Severity:
Exploit: History Stealing, XSS, misc
Credits: Roberto Suggi Liverani
CVE: n/a
Status: Unpatched!
Vendor Response:
07/03/2012 - had to post 10 posts to a forum to get a contact!
14/03/2012 - reception of report confirmed but no further reply
14/03/2012 - chased them, no reply
03-05/2012 - 2 new releases following the report, one bug silently fixed
Approach: targeted - looking for injection points
31. Avant Browser
Avant Browser - Avant Force (China)
Custom web browser application
Designed to expand services provided by IE
From FAQ: Is Avant Browser a secure browser? Yes, Avant Browser is secure. Since it's based on Internet Explorer, Avant Browser is as secure as Internet Explorer. Avant Browser supports all SSL secured websites. Avant Browser's encryption length is the same as Internet Explorer's.
Two versions: lite (only IE) & ultimate (IE, FF, Chrome)
More downloads than Chrome, IE and Opera in CNET
32. A bit about Avant (1/3)
Firefox wrapped version
Arguments passed to firefox.exe
Avant.exe - parent of firefox.exe
33. A bit about Avant (2/3)
Interesting files
"C:\Program Files\Avant Browser\res" folder:
Observations
home.tpl is rendered at browser:home
rss.tpl is rendered at browser://localhost/lst?url/path/to/rss/feed
Such pages use privileged JavaScript function
window.AFRunCommand()
Pages provided examples on how to call privileged functions and aided exploitation
34. A bit about Avant (3/3)
Testing AFRunCommand()
Undocumented Avant browser function
Try{}/Catch{} no output
Bruteforce only option – passing a single parameter:
60003 - window.external.HistoryUrls() - [used in exploit]
60011 - prompt for download
10021 - add to ad block specified site
3 - spawns an empty tab
10010 - reloads the page
10013 - search for keywords
10014 - pop up blocker
10016 - download a video (argument passed as URL)
10017 - add task for download scheduler
10025 - search keywords
35. Avant Browsers – The bugs
Same-Origin Policy (SOP) Bypass
browser:home
Cross Context Scripting
browser:home – Most Visited And History Tabs
Stored Cross Site Scripting
Feed Reader (browser://localhost/lst?*)
37. Avant Browser – Showcase
XCS in browser:home – History Stealing
Injection via <title> HTML element
Cross Site Scripting Payload Rendered In browser:home Privileged Zone
38. Avant Browser – Stored XSS via RSS
Injection via <title>, <link> and <description> tags
41. Some background
nsIScriptableUnescapeHTML.parseFragment()
Critical function used to filter and sanitise data
Mostly used in the context of filtering data in chrome:// priv zone
Recommended and deemed safe to use for addons devs
Wizzrss (FF addon) found to be vulnerable using a bypass
42. Standard Case - Filtering
HTML Payload
Processed by parseFragment() becomes:
<script> is stripped out
Only HTML payload remains
Safe to append in chrome:// DOM
43. Bypass Test Case
HTML payload
Processed by parseFragment() becomes:
With user interaction payload can be triggered in privileged browser zone – chrome://
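As an added illustration (not code from the talk, and not its bypass payload), the same fragment run through a filter that only strips `<script>`/`<style>` and through an allowlist sanitizer of the kind a privileged zone actually needs; the allowed tag and attribute lists and the sample fragments are assumptions constructed here.

```python
"""Added illustration (not the talk's code): one HTML fragment run through a filter
that only strips <script>/<style>, and through an allowlist sanitizer of the kind a
privileged browser zone needs. Tag/attribute lists and samples are assumptions."""
import re
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href", "title"}}           # every other attribute is dropped
SAFE_SCHEMES = {"http", "https", "mailto"}
_CONTROL_RE = re.compile(r"[\x00-\x20]")           # C0 controls and space
_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def is_safe_url(url):
    """Browsers drop controls/whitespace and ignore case before reading the scheme,
    so normalise the same way; anything but an absolute safe-scheme URL is refused."""
    m = _SCHEME_RE.match(_CONTROL_RE.sub("", url))
    return m is not None and m.group(1).lower() in SAFE_SCHEMES

class _Filter(HTMLParser):
    """allowlist=False: keep every tag verbatim except <script>/<style> (naive).
    allowlist=True: keep only ALLOWED_TAGS, drop on* handlers and unsafe hrefs."""

    def __init__(self, allowlist):
        super().__init__(convert_charrefs=True)
        self.allowlist, self.out, self._skip = allowlist, [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1                            # swallow element and body
        elif self._skip:
            return
        elif not self.allowlist:
            self.out.append(self.get_starttag_text())  # attributes pass through untouched
        elif tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v or "")}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and not n.startswith("on")
                    and (n != "href" or is_safe_url(v or ""))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag != "br" and (not self.allowlist or tag in ALLOWED_TAGS):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))

def _run(html, allowlist):
    p = _Filter(allowlist)
    p.feed(html)
    p.close()
    return "".join(p.out)

def strip_scripts(html):
    """The naive filter: a fragment with no <script> element comes back unchanged."""
    return _run(html, allowlist=False)

def sanitize(html):
    """The allowlist filter: markup that needs a click or hover to fire is removed too."""
    return _run(html, allowlist=True)
```

strip_scripts() returns a script-free fragment such as `<b onmouseover="f()">item</b>` untouched, which is exactly what a chrome:// consumer must not append to its DOM, while sanitize() reduces it to `<b>item</b>`.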
44. DEMO – Code Execution in WizzRSS FF addon - nsIScriptableUnescapeHTML.parseFragment() bypass
demo video kindly provided by @0x7674 (Nick Freeman)
45. Opera Use-After-Free < 11.52
Severity:
Exploit: Crash
Credits: Roberto Suggi Liverani
CVE: 2011-4152
Status: Patched in Opera 11.52
Vendor Response:
Recognised as a memory corruption bug
Not a security issue since no exploit is provided
But Opera kept asking for an exploit
Approach: using own fuzzers
46. Opera Use-After-Free < 11.52
Simplified test-case
Clone, remove, append
Use of contenteditable attribute for <em> and <strong> leads to crash
Crash works if heap spray() occurs
Couldn’t find an exploit
Opera’s position: not exploitable
48. FF/Opera – XCS via bookmarks
Severity:
Impact: Code Execution
Credits: Roberto Suggi Liverani
Firefox - Status: Patched in FF 11
Bug reported by someone else
Opera - Status: Won’t fix
Opera Vendor Response:
Multiple exploit steps required – won’t fix
Approach: looking at injection in and from bookmarks
49. In a few words
Ancient bug: reported in 2k5 by M. Krax
User is lured into bookmarking a:
Malicious javascript: URI + payload
User clicks on malicious bookmark
Focus on standard web page – Impact: UXSS
Focus on privileged browser zone – Impact: XCS
Many ways to fool users:
Security controls on status bar can be partially fooled
JavaScript can be compressed and obfuscated
Code can be hidden – e.g. Opera NULL byte issue in view source - @Agarri_FR
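An added defensive example, not from the talk: scanning a Netscape-format bookmarks export (the HTML export format Firefox and most browsers can write) for javascript: bookmarks, normalising each URL the way a browser does so the case, whitespace and NUL-byte tricks listed above do not hide them; the sample export and its placeholder code are constructed.

```python
"""Added example (not from the talk): scan a Netscape-format bookmarks export, the
HTML format Firefox and most browsers can write, for script-scheme bookmarks, normalising
URLs the way a browser does so case, whitespace and NUL-byte tricks do not hide them."""
import re
from html.parser import HTMLParser

ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}  # schemes that run or render code
_STRIP = re.compile(r"[\x00-\x20]")                 # what browsers ignore around/inside a URL
_C0 = re.compile(r"[\x00-\x1f]")                    # control characters worth flagging

class _LinkCollector(HTMLParser):
    """Collects (title, href) pairs from <DT><A HREF=...>title</A> entries."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links, self._href, self._title = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._title = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._title.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._title).strip(), self._href))
            self._href = None

def classify(href):
    """Return (scheme as a browser would read it, list of reasons to look closer)."""
    flags = ["control-chars"] if _C0.search(href) else []
    cleaned = _STRIP.sub("", href)
    m = re.match(r"([a-z][a-z0-9+.\-]*):", cleaned, re.I)
    scheme = m.group(1).lower() if m else ""
    if scheme in ACTIVE_SCHEMES:
        flags.append("script-scheme")
        if len(cleaned) > 200 or "eval(" in cleaned or "unescape(" in cleaned:
            flags.append("obfuscation-hint")         # packed/compressed code is common here
    return scheme, flags

def find_script_bookmarks(export_html):
    """Parse an export and report every bookmark whose URL is an active scheme."""
    p = _LinkCollector()
    p.feed(export_html)
    p.close()
    hits = []
    for title, href in p.links:
        scheme, flags = classify(href)
        if "script-scheme" in flags:
            code = _STRIP.sub("", href)[len(scheme) + 1:]
            hits.append({"title": title, "scheme": scheme, "flags": flags, "code": code[:60]})
    return hits

# Constructed sample export; the javascript: entries carry placeholder code, not payloads.
SAMPLE_EXPORT = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<DL><p>
    <DT><A HREF="https://example.com/" ADD_DATE="1330000000">Example</A>
    <DT><A HREF="javascript:runPayload()">Helpful tool</A>
    <DT><A HREF="&#9;JaVaScRiPt:runPayload()">Calendar</A>
    <DT><A HREF="java\x00script:runPayload()//hidden">Mail</A>
    <DT><A HREF="mailto:someone@example.com">Contact</A>
</DL><p>
"""
```

Running find_script_bookmarks(SAMPLE_EXPORT) reports the three javascript: entries, with the tab-prefixed and NUL-containing ones additionally flagged as control-chars.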
50. DEMO - XCS via bookmarks
Opera and Firefox
Brendan Eich – 2k5
There’s nothing wrong with using javascript: URLs in chrome.
What’s good for content is good for chrome, often enough.
51. Conclusions
Disclosure Fail
Some browser vendors still do not understand how reporting and security disclosure works
Bug complexity vs. impact
Injection bugs are simple but impact can be significant
No need to find memory corruption bugs to achieve code execution
Delegated security
Presenting browsers as "as secure as IE or Chrome" gives a false sense of security to end-users
52. Special thanks
Blair Strang
Thanks to the SA team for inspiration
Advisories and exploit code for today’s demonstrations will be released in the near future
Thanks for coming along, and enjoy the rest of the con
If you have questions, come find us later on!
Roberto Suggi Liverani - @malerisch
http://blog.malerisch.net
Scott Bell – scott.bell@security-assessment.com
53. References
cross_fuzz
http://lcamtuf.coredump.cx/cross_fuzz/
http://lcamtuf.blogspot.co.nz/2011/01/announcing-crossfuzz-potential-0-day-in.html
Firefox Use-after-free
http://www.mozilla.org/security/announce/2012/mfsa2012-12.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0454
https://bugzilla.mozilla.org/show_bug.cgi?id=684555
Firefox nsiscriptable CVE
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1585
Opera Use After Free
http://malerisch.net/docs/advisories/opera_use_after_free_crash_poc.html
54. References
Cross Context Scripting in Firefox addons
http://malerisch.net/docs/cross_context_scripting/Cross_Context_Scripting_with_Firefox.html
Exploiting Firefox Extensions
http://www.slideshare.net/robertosl81/exploiting-firefox-extensions
WizzRSS – Security Advisory
http://www.security-assessment.com/files/advisories/WizzRSS_Firefox_Extension_Privileged_Code_Injection.pdf
Opera fail:
José Antonio Vázquez (@0xde1) - http://www.enred20.org/node/27
http://my.opera.com/securitygroup/blog/2011/10/19/about-the-svg-font-manipulation-vulnerability-that-was-fixed-in-11-52#comments
55. References
Spoof Status Bar:
https://bug338459.bugzilla.mozilla.org/attachment.cgi?id=222524
Don't allow bookmarking an evaluated+loaded javascript: URL
https://bugzilla.mozilla.org/show_bug.cgi?id=371179
Opera Stored XSS
http://seclists.org/fulldisclosure/2008/Oct/394
Avant Forum Contact
http://forum.avantbrowser.com/viewtopic.php?f=21&t=31119&p=182724&hilit=report+security#p182724
Heap Spraying Demystified
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
56. References
Blog – Roberto Suggi Liverani
http://blog.malerisch.net/
Twitter account - @malerisch
https://twitter.com/malerisch
Security-Assessment.com Research
http://www.security-assessment.com/page/archive.htm
Nick Freeman – Publications
http://atta.cked.me/publications