This was the slide representation for my training session at OWASP Seasides 2020. This entails all the workflow for the session, but please understand that this is not a lab manual and won't entail the details on step-by-step execution of the attack. You can find my YouTube video pertaining to this session here: https://www.youtube.com/watch?v=ZhZAKWpykTo
4. Agenda for today
● Understanding the exploitation process
○ Using Buffer Overflow to overwrite the EIP
○ Using msfvenom-generated payloads
● Understanding the need for writing Windows Custom shellcode
● Writing Custom Shellcode scripts and integrating them into our POC
○ Pop a Calculator
○ Pop a Text Message with custom body
● What Next?
@shahenshah9999
14. Environment Setup
● Exploit Development: Kali
● Debugging Machine: Windows 10 and Windows 7
● Vulnerable Software: Minishare and FreeFloat FTP
● Function locator: Arwin
15. Things to keep in mind
● The shellcode we write will be OS Specific
● This technique is only possible because the OS DLLs are not subject to Address Space Layout Randomization
● Google & MSDN are your best friends
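A defender-side check for the ASLR point above, added here as an example and not taken from the slides: it reads the `DllCharacteristics` field of a PE header and reports whether the image opts in to ASLR (`DYNAMIC_BASE`) and DEP (`NX_COMPAT`). The function names and the constructed sample header are assumptions made for illustration; a missing flag is an indicator only, since Windows policy can also force relocation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DllCharacteristics bits in the PE optional header. */
#define DLLCHAR_DYNAMIC_BASE 0x0040 /* image opts in to ASLR */
#define DLLCHAR_NX_COMPAT    0x0100 /* image opts in to DEP  */

#define PE_OK            0
#define PE_ERR_TRUNCATED (-1)
#define PE_ERR_NOT_PE    (-2)

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }

/* Read DllCharacteristics, bounds-checking every offset taken from the file. */
int pe_dll_characteristics(const uint8_t *buf, size_t len, uint16_t *out)
{
    if (len < 0x40) return PE_ERR_TRUNCATED;
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_ERR_NOT_PE;
    uint32_t nt = rd32(buf + 0x3c);                 /* e_lfanew */
    /* signature (4) + COFF header (20) + optional header through offset 72 */
    if (nt > len || len - nt < 4 + 20 + 72) return PE_ERR_TRUNCATED;
    if (memcmp(buf + nt, "PE\0\0", 4) != 0) return PE_ERR_NOT_PE;
    if (rd16(buf + nt + 4 + 16) < 72) return PE_ERR_TRUNCATED; /* SizeOfOptionalHeader */
    const uint8_t *opt = buf + nt + 24;
    uint16_t magic = rd16(opt);                     /* 0x10b = PE32, 0x20b = PE32+ */
    if (magic != 0x10b && magic != 0x20b) return PE_ERR_NOT_PE;
    *out = rd16(opt + 70);                          /* same offset in both formats */
    return PE_OK;
}

/* Constructed sample: a minimal header, just enough for the parser above. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t magic, uint16_t dllchar)
{
    const size_t nt = 0x80, total = nt + 24 + 0xe0;
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)nt;
    memcpy(buf + nt, "PE\0\0", 4);
    wr16(buf + nt + 4, 0x014c);                     /* Machine: i386 */
    wr16(buf + nt + 4 + 16, 0xe0);                  /* SizeOfOptionalHeader */
    wr16(buf + nt + 24, magic);
    wr16(buf + nt + 24 + 70, dllchar);
    return total;
}

/* Bitmask of missing opt-ins: 1 = no ASLR, 2 = no DEP; negative on parse error. */
int missing_mitigations(const uint8_t *buf, size_t len)
{
    uint16_t dc;
    int rc = pe_dll_characteristics(buf, len, &dc);
    if (rc != PE_OK) return rc;
    return ((dc & DLLCHAR_DYNAMIC_BASE) ? 0 : 1) | ((dc & DLLCHAR_NX_COMPAT) ? 0 : 2);
}

int main(int argc, char **argv)
{
    static uint8_t buf[4096];
    size_t n;
    if (argc > 1) {                                 /* check a real file's headers */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(buf, 1, sizeof buf, f);
        fclose(f);
    } else {                                        /* constructed sample, no opt-ins */
        n = build_sample_pe(buf, sizeof buf, 0x10b, 0x0000);
    }
    int m = missing_mitigations(buf, n);
    if (m < 0) { printf("not a parsable PE header (%d)\n", m); return 1; }
    printf("ASLR opt-in: %s, DEP opt-in: %s\n",
           (m & 1) ? "missing" : "present", (m & 2) ? "missing" : "present");
    return 0;
}
```

Run against the binaries in a software inventory, the same check flags legacy images that still load at a predictable base.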
16. What are Windows APIs?
Windows APIs are dynamic-link libraries (DLLs) that are part of the Windows operating system. You use them to perform tasks when it is difficult to write equivalent procedures of your own.
For example, Windows provides a function named FlashWindowEx that lets you make the title bar for an application alternate between light and dark shades.
17. What is Windows Shellcoding?
Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application.
Windows Shellcoding is the art of writing your own custom shellcode scripts to call certain Windows API functions.
18. Why should I learn Windows Shellcoding?
● Evade msf signatures
● Get a foothold for ROP
● Prove the vulnerabilities
● Fundamentally understand crafting parameters to Windows API
● Creating a prototype POC
19. First, let's have a look at the shellcode generated by msfvenom
● msfvenom -p windows/exec CMD=calc.exe -b "\x00\x0A\x0D" -f c (for popping the calculator)
● msfvenom -p windows/messagebox TEXT="Pop The Box!" TITLE="B33F" -b "\x00\x0A\x0D" -f c (for popping a message box)
20. Let's test these payloads on both Windows 7 and Windows 10 machines
21. Okay, so it failed
The reasons for this not working:
1. Windows SmartScreen protection
2. Windows Defender detecting such naive exploit scripts
3. Windows Advanced Threat Protection detecting the MSF signature against its database.
22. Is there no Vulnerability?
No, the vulnerability does exist at the application level. It is the system-level protection that prevents the attacker from running remote commands on the target machine.
Explaining this to non-tech-savvy personnel would be really tough. Hence, it becomes essential to write a POC for the exploit that is detected.
The only way to evade the signatures of the pre-existing exploit scripts is to write your own exploit script to execute commands on the target.
23. Windows API kicks in
The way your shellcode executes commands, or for that matter the way any application in the Windows OS executes any command, is by interacting with Windows API function calls. There are multiple ways to interact with Windows API function calls.
● Using PowerShell commands
● Integrating the predefined C/C++ functions into your application
● Using the libraries which have the C# code, for developing Windows apps
● Using VB .NET functionality in VBS
● Directly passing the shellcode to the kernel to get executed
24. Executing the Windows API function call
Here, we will be submitting the Windows API function calls through our exploit script, instead of executing scripts in PowerShell or something similar. We are writing the preloaded shellcode to get executed by Windows.
25. Popping Windows Calculator
Here we start by writing our own custom shellcode. There is a series of steps to be followed before we can finally integrate our custom shellcode into the exploit script.
27. ASM and opcode
● When you write your own shellcode you obviously have to deal with assembly and opcode. You will need some basic knowledge of assembly, nothing too dramatic though. The main point is that your shellcode will be written in opcode. So you might have to ask yourself, how do I get the opcode for an instruction?
● Immunity Debugger does this for you. Put a breakpoint on the NOP sled of your shellcode and start writing the shellcode; Immunity will basically act as a dictionary for the shellcode 'translation'.
28. WinExec
● Before we start to do anything, we must fully understand the functionality of the WinExec function by reading its MSDN page.
● Use the Arwin binary to locate the address of the function within the DLL
31. Things to remember
● The stack grows downward, so we need to push the last argument first
● lpCmdLine contains our ASCII command, but WinExec doesn't want the ASCII itself; it wants a pointer to the ASCII string.
32. Let's do the similar procedure for popping a Message Box