This document discusses HTTP security headers and techniques for preventing clickjacking and cross-site scripting attacks. It describes the X-Frame-Options header which prevents clickjacking by controlling framing. Content Security Policy (CSP) provides a more powerful alternative to X-Frame-Options and can also prevent cross-site scripting attacks by whitelisting allowed script sources. The document compares X-Frame-Options, CSP directives, and how each addresses different attack vectors. It concludes with recommendations on CSP implementation and testing.
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS)
• Risk, Stories & the news
• XSS Anatomy
• Untrusted Data Sources – Well, Where did that come from?
• Shouldn’t it be called CSS instead?
• Types of XSS
- Type 0 [DOM based]
- Type 1 [Reflected or Non-persistent XSS]
- Type 2 [Persistent or Stored XSS]
• Live Demo: XSS 101 with alert('hello XSS world')
• Live Demo: Cookie Hijacking and Privilege Escalation
- Face/Off with John Travolta and Nicolas Cage
• Live Demo: Let’s deploy some Key loggers,huh?
• Mitigations
- Input Sanitization
- Popular Libraries for .Net, Java, php
Demo: Input sanitization
- Whitelists (vs. Blackists)
- Output Encoding
Contextual
Demo: Output Encoding
- Browser Protections & bypasses
- Framework Protections & bypasses
- Content Security Policy (CSP) in brief
• Secure Code reviews: Spot an XSS, How?
• Tools: Do we have an option?
• XSS Buzz and how to Fuzz
• Renowned Cheat sheets
• Further reading & References
Devouring Security XML Attack surface and Defencesgmaran23
Agenda:
· XML today
· XML/XPath injection - Demo
· Compiled XPath queries
· DTD use and abuse
- document validations
- entity expansions
- denial of service - Demo
- arbitrary uri access (egress)
- parameters
- file enumeration and theft - Demo
- CSRF on internal systems - Demo?
· Framework defaults limits/restrictions
· Mitigations
· Lessons learned
· Verifying your XML systems for potential threats
Note:
1. All of them inclusive of sample code for exploits and prevention. Language(C#, Java, php)/Platform(Windows/Linux) agnostic wherever possible.
2. It is imperative at this juncture, that you are aware of most attack scenarios against XML, because the framework defaults may not protect you, hence you may be vulnerable, you might have not found it yet.
3. The session is a bit biased towards DTD abuse in XML systems, as the Injection concepts and remediation remain common in XML when compared to Sql injection.
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.
Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
Problems With Parameters - A high-level overview of common vulnerabilities identified in web applications, techniques to mitigate these vulnerabilities, and thoughts on incorporating secure webapp development practices into your organization's development culture.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
This presentation was given at the SANS Rpcky Mountain Conference in Denver, CO June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.
This topic will cover key concepts in android application security testing by employing a variety of tools and techniques to fasten the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer.
This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.
Devouring Security Insufficient data validation risks Cross Site Scriptinggmaran23
Devouring Security: Insufficient Data Validation Risks - Cross Site Scripting (XSS)
• Risk, Stories & the news
• XSS Anatomy
• Untrusted Data Sources – Well, Where did that come from?
• Shouldn’t it be called CSS instead?
• Types of XSS
- Type 0 [DOM based]
- Type 1 [Reflected or Non-persistent XSS]
- Type 2 [Persistent or Stored XSS]
• Live Demo: XSS 101 with alert('hello XSS world')
• Live Demo: Cookie Hijacking and Privilege Escalation
- Face/Off with John Travolta and Nicolas Cage
• Live Demo: Let’s deploy some Key loggers,huh?
• Mitigations
- Input Sanitization
- Popular Libraries for .Net, Java, php
Demo: Input sanitization
- Whitelists (vs. Blackists)
- Output Encoding
Contextual
Demo: Output Encoding
- Browser Protections & bypasses
- Framework Protections & bypasses
- Content Security Policy (CSP) in brief
• Secure Code reviews: Spot an XSS, How?
• Tools: Do we have an option?
• XSS Buzz and how to Fuzz
• Renowned Cheat sheets
• Further reading & References
Devouring Security XML Attack surface and Defencesgmaran23
Agenda:
· XML today
· XML/XPath injection - Demo
· Compiled XPath queries
· DTD use and abuse
- document validations
- entity expansions
- denial of service - Demo
- arbitrary uri access (egress)
- parameters
- file enumeration and theft - Demo
- CSRF on internal systems - Demo?
· Framework defaults limits/restrictions
· Mitigations
· Lessons learned
· Verifying your XML systems for potential threats
Note:
1. All of them inclusive of sample code for exploits and prevention. Language(C#, Java, php)/Platform(Windows/Linux) agnostic wherever possible.
2. It is imperative at this juncture, that you are aware of most attack scenarios against XML, because the framework defaults may not protect you, hence you may be vulnerable, you might have not found it yet.
3. The session is a bit biased towards DTD abuse in XML systems, as the Injection concepts and remediation remain common in XML when compared to Sql injection.
Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists.
Download the associated scripts, movies, and checklist here: https://github.com/gfoss/attacking-drupal
Problems With Parameters - A high-level overview of common vulnerabilities identified in web applications, techniques to mitigate these vulnerabilities, and thoughts on incorporating secure webapp development practices into your organization's development culture.
I got 99 trends and a # is all of them or How we found over 100 200+ RCE vulnerabilities in Trend Micro software.
Presentation released at Hack In The Box 2017 Amsterdam, by Roberto Suggi Liverani @malerisch and Steven Seeley @steventseeley.
For more information, please visit: http://blog.malerisch.net or http://srcincite.io
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
This presentation was given at the SANS Rpcky Mountain Conference in Denver, CO June 2014. The presentation had a rather large portion that was demo. That is not captured here. Sorry.
This topic will cover key concepts in android application security testing by employing a variety of tools and techniques to fasten the testing process.
This was presented at Null Bangalore Chapter (Saturday April 26 2014, 11:00 AM)
Web site users are facing new and improved threats nowadays. These range from clickjacking, json injection to likejacking among others. Companies like Google, Mozilla, Microsoft etc. have started implementing new HTTP response headers to counter some of the advanced attacks against their website users. Some of the new attacks aren't well understood by the application developers and hence they aren’t using the new secure headers supported by the new browsers. This is either due to ignorance or in order to keep supporting older insecure browsers versions of Internet Explorer.
This talk we will walkthrough what these attacks are, how this various security headers protect the web application users and what is the status of compatibility currently.
HTTP Strict Transport Security (HSTS), English versionMichal Špaček
HTTP Strict Transport Security (HSTS) provides secure transport of data, by removing the possibility of HTTPS stripping. HSTS is an HTTP header issued by the server. After receiving such header, the browser will perform internal redirects from http:// to https:// for given amount of seconds.
HTTP Security Headers Every Java Developer Must KnowAyoma Wijethunga
Demonstration based session on HTTP headers relevant to security aspect of web applications. Target audience is web developers, and more attention is given to Java language.
How to secure your web applications with NGINXWallarm
Your website is probably vulnerable and gonna be hacked one day. Here're 15 ready-to-use tips on how you can make your web applications more secure. How to protect web application from hacker attacks and mitigate DDoS with NGINX web server.
The presentation tells about performing cross domain ajax request. Subject included principles of preflight requests and limitations of cross origin resource sharing (CORS) policy. You will be able to find implementation examples for frontend (JavaScript, jQuery, AngularJS) and for backend (.Net, Ruby on Rails). Browser compatibility is covered in section ‘Limitation in IE 8,9‘ and there shown possible workarounds. And finally there are couple words about Content Security Policy – the latest approach in Web Application Security.
Browser Serving Your We Application Security - ZendCon 2017Philippe Gamache
One important concept in web application security is defense in depth. You protect your server, your network, your database, and your application, but what about the user browser? Can it be done?
Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated, and configured from your web server or webpage. In this session we'll explore these technologies and learn how to use them. You’ll learn about the Robots meta tags (for crawlers indexing), browsing compatibility, XSS and clickjacking protection, SSL/TLS Control, and content security policy.
Browser Serving Your Web Application Security - Madison PHP 2017Philippe Gamache
One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done? Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated and configure from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You'll learn about the Robots meta tags (for crawlers indexing), Browsing Compatibility, XSS and Clickjaking Protection, SSL/TLS Control, and Content Security Policy.
Browser Serving Your Web Application Security - NorthEast PHP 2017Philippe Gamache
One important concept in web application security is defense in depth. You protect your server, your network, your database and your application, but what about the user browser? Can it be done?
Yes! Several new technologies and protocols to assist security has been added to the browsers. Several should be added, activated and configure from your web server or web page. In this presentation we will explore these technologies and learn how to use them. You’ll learn about the Robots meta tags (for crawlers indexing), Browsing Compatibility, XSS and Clickjaking Protection, SSL/TLS Control, and Content Security Policy.
Content Security Policy is a key part of Web Application Security that helps in mitigating Cross Site injections (such as XSS). The application (server-side) "informs" the client (browser) of the resources it uses; the client-side implementation whitelists these resources and bans everything else - thus providing the protection as designed.
This presentation was given at NULL & OWASP Chandigarh Chapter April Meet.
Browser Hacking For Fun and Profit | Null Bangalore Meetup 2019 | Divyanshu S...Divyanshu
Browser exploitation| Reporting vulnerability in top browsers and finding CVE.
Session in Null Bangalore Meet 23 November 2019 Null/OWASP/G4H combined meetup
Thanks to respective researchers for their work.
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
The best way to enable developers to create secure applications is to “shift left” in security. That means providing developers with the tools and techniques that help build more secure applications from the get-go. Developers may get security controls into their applications in different ways. They may write them from scratch following security training or guidance, they may use open source libraries, or they may use frameworks that have the security features built in already. In this talk we explore JavaScript applications that use different types of security controls implemented at levels ranging from developer code, to libraries and plugins, to different frameworks, and analyze which applications actually turn out to be more secure. This work is based on analysis of over 500 open source JavaScript applications on GitHub that use client-side frameworks and template engines to prevent XSS, as well as server-side frameworks (Express, Koa, Hapi, Sails, Meteor) and CSRF prevention mechanisms. In conclusion, we provide data-driven recommendations for framework maintainers and application developers on how to develop and choose a framework that will actually make applications more secure.
Rails security: above and beyond the defaultsMatias Korhonen
In a world with increasingly sophisticated adversaries employing both targeted and automated attacks, what can we do to keep our users and our web apps safe?
While Rails provides pretty decent security options straight out of the box, we can go further and make attacks more difficult to accomplish.
For example, why and how to implement a Content Security Policy. Should you use HTTP Public Key Pinning? How do you know if you've configured HTTPS correctly?
20 years of web cryptography, and its amazing how frequently its configured sub-optimally. We've had numerous encryption algorithms, digests, protocols come, and should have GONE, but everyone has just left them on. Its time to shut out the legacy browser. The vast majority of the worlds browser install base now auto-updates, and with strict (and prescriptive) compliance in force, we get to drop the bloat form the past. In this talk we'll cover the current TRANSITIONS we're going through from a web admins perspective: TLS, Cipher Suites, HTTP Security Headers, CAs, the move to an encrypted-by-default web, and more.
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP
Presentation of OWASP Global Chairman of the Board - Martin Knobloch at OWASP Poland meeting in Warsaw on 13 November 2018. Great review of important OWASP Projects.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
5. Facts about HTTP Headers
• Headers can be used to steer browsers (and
applications) behaviour
• You can define your own headers
• If the browser does not know or support the
header, it will ignore the header
• Response headers are client side controls that
are implemented on the server side
8. Clickjacking
• Tricking the user into
clicking something
different, then what the
user perceives
• Demo time (Source code:
https://github.com/
marpuch/Java-Sec-
Examples )
9. X-Frame-Options
• Steers whether or not the browser is allowed
to render the page in an <frame> or
<iframe> tag
• Mitigates the clickjacking threat
• Example: X-Frame-Options : DENY
10. X-Frame-Options - Parameters
• DENY - The page can never be displayed in a
frame
• SAMEORIGIN - The page can only be framed
by pages with the same origin.
• ALLOW-FROM <uri> - The page can only be
framed by the followingURIs.
11. X-Frame-Options - Compatibility
• Parameters DENY and SAMEORIGIN are
supported by all major browsers
• Some major browser (e.g. Chrome v47) does
not support ALLOW-FROM uri
• Browsers compatibility can be checked here:
http://erlend.oftedal.no/blog/tools/xframeop
tions/
12. X-Frame-Options - Implementation
• Tomcat users - activate the
httpHeaderSecurity filter in the file
TOMCAT_HOME/conf/web.xml
• Spring MVC users - look here
• ...
14. How many sites use X-Frame-
Options?
Source scotthelme.co.uk
15. Content Security Policy (CSP)
• CSP defines the sources (of images, scripts,
styles, media, fonts, …) the site can access
• Quite big and powerful
• Current version 2.0, version 3.0 in progress
• Addresses not only clickjacking, but also cross-
site vulnerabilities
• Enforces coding rules on developers (yes, can
be painful for the dev team)
16. Using CSP
• Header syntax:
Content-Security-Policy: <directive1>
<source1.1> <source1.2> <source1.3>;
<directive 2> <source2.1> <source2.2>; …
• You can define CSP also over the meta tag on
the HTML page like this:
<meta http-equiv="Content-Security-Policy"
content="directive source1 source2">
19. Clickjacking mitigation with CSP
• Does the same as X-Frame-Options:
Content-Security-Policy: frame-
ancestor 'none'; …
• Defines allowed sources for frame and
iframe:
Content-Security-Policy: child-src
'none'; …
20. CSP 2.0 browser support
• NOTE: Clickjacking protection is part of the
CSP 2.0 specification (see caniuse.com)
22. Cross-Site Scripting (XSS)
• XSS happen, when you let the user inject their
code to the page content
• But really, how dangerous can this be? :>
23. Types of XSS
• Stored
out.writeln(„Reflected XSS: ” + note.getContent());
• Reflected
out.writeln(„Reflected XSS: ”+request.getParameter(„hacked”));
Browser Server DB
Browser Server
24. Types of XSS
• DOM-Based
<script>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.l
ength));
</script>
http://www.vulnerable.site/welcome.html?name=<script>alert(1)</script>
Browser
25. X-XSS-Protection
• Header designed for IE8 and later, supported
by Chrome and Safari
• Offers reflected XSS protection
• Turned on by default
• Syntax:
X-XSS-Protection: 0 // turn off
X-XSS-Protection: 1 // turn on, sanitize
X-XSS-Protection: 1; mode=block // turn on, block
27. CSP VS XSS
• How to prevent the
exploitation even when
the website is vulnerable
• Demo time (Source code:
https://github.com/
marpuch/Java-Sec-
Examples )
30. CSP - Implementation
• You want your developer team to be aware of
CSP to detect problems early
• It is better to turn this feature on in your
software stack (then e.g. web server), but be
aware – it is somehow still a new feature:
“Spring Security does not provide support for this [CSP] as the specification is not
released and it is quite a bit more complicated. However, you could use the static
headers feature to implement this. To stay up to date with this issue and to see how you
can implement it with Spring Security refer to SEC-2342”
32. Better CSP utilization, CSP testing
• Be aware, that you can run CSP in the report-
only mode by setting the –Report-only
flag or by using the Content-Security-
Policy-Report-Only header
• You can use both Content-Security-
Policy and Content-Security-
Policy-Report-Only header to enforce
CSP rules and to test stricter ones
33. Read more about CSP
• https://scotthelme.co.uk/csp-cheat-sheet/
• https://report-uri.io/home/generate
• https://cspbuilder.info/static/#/main/
34. Read even more about CSP 2.0 in
Sekurak offline 2
http://sekurak.pl/sekurak-offline-2/