This document discusses XSS vulnerabilities in Grails applications and provides countermeasures. It explains what XSS is, different XSS types, and threats posed by XSS attacks like session hijacking and malware infection. It details several XSS issues in pre-2.3 Grails versions like the default codec being none, inconsistent encoding behavior across GSP elements, and tags not escaping output. Solutions proposed include changing the default codec, explicitly encoding values, and upgrading to later Grails versions. It also stresses the need to review plugins for security issues and consider plugins part of the app's attack surface.
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
How to find vulnerable code in your Drupal project?
Different attacks and how to protect your site?
What to do if you find security problem in code/site?
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless if these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions; such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
Looking for Vulnerable Code. Vlad SavitskyVlad Savitsky
How to find vulnerable code in your Drupal project?
Different attacks and how to protect your site?
What to do if you find security problem in code/site?
Matt Nelson, SpecterOps
A persistent "enlightened" attacker will invest the required resources to bypass any and all security features that might stand between them and their objective, regardless if these features are guaranteed to be serviced as security boundaries or not. This includes researching and developing attacks against Windows security features that may impose a hurdle in their attack chain. This talk will outline recent research into features such as User Account Control (UAC), the Antimalware Scan Interface (AMSI) and Device Guard and how these bypasses are useful to attackers in an operational context.
Some examples include:
UAC: If an attacker compromises a user that is running as a split-token administrator, bypassing UAC is required in order to perform any administrative actions; such as dumping credentials from memory.
AMSI: With in-memory attacks becoming more prevalent via scripting languages, AMSI is the next logical step to facilitate detection. An attacker will need to bypass AMSI in order to safely operate in memory when using PowerShell, VBScript, or JScript.
Device Guard: As organizations begin to consider whitelisting solutions, an attacker is required to adapt and develop a bypass to these technologies. One such solution is Device Guard, which can be used to heavily restrict what is allowed to execute on the system. In order to accomplish their objective, an attacker would need to bypass User Mode Code Integrity (UMCI). Such research can find novel ways to execute code in ways that are not likely to be detected.
I will also cover some of the fixes that have been implemented in newer versions of the Windows Operating System. Fixing these bypasses will not only make Windows safer, but it will begin to disrupt attackers by raising the cost associated with successfully executing an attack.
Developer's Guide to JavaScript and Web CryptographyKevin Hakanson
The increasing capabilities and performance of the web platform allow for more feature-rich user experiences. How can JavaScript based applications utilize information security and cryptography principles? This session will explore the current state of JavaScript and Web Cryptography. We will review some basic concepts and definitions, discuss the role of TLS/SSL, show some working examples that apply cryptography to real-world use cases and take a peek at the upcoming W3C WebCryptoAPI. Code samples will use CryptoJS in the browser and the Node.js Crypto module on the server. An extended example will secure the popular TodoMVC project using PBKDF2 for key generation, HMAC for data integrity and AES for encryption.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Securing TodoMVC Using the Web Cryptography APIKevin Hakanson
The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions.
Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10.
With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.
Casey Smith, Red Canary
Application whitelisting is a great defense. It really is. As difficult as it may be to implement, it gives organizations a strong defense to turn the tide against malicious binaries. The trouble is, administrators often trust all things that are signed by Microsoft. And... All binaries from Microsoft are signed in the same manner. This talk seeks to be a discussion of what Microsoft signs, how these binaries can be abused, and propose new strategies to move forward. How can we discover these binaries? What are capabilities that can be abused? What should Microsoft be signing? Should the same certificate be used for all binaries emitted from Microsoft? This talk will present a recent binary discovered to bypass Device Guard as a case study.
OSCP Exam Preparation Documents.
In This document, we download one vulnerable machine VM image and start analysis on the machine and get root privileged.
Breaking the cyber kill chain! This slide was presented in securITy – information security conference digital world 2017. This talk is about proactive security and threat hunting.
Dana Baril, Microsoft
Credential theft is an important part of the attacker playbook when attempting lateral movement. This process mostly involves dumping credentials saved locally on the machine. In many cases these passwords can be retrieved from the Windows Credential Manager, allowing attackers an easy path into the organization. This was evident in major attacks such as the NotPetya ransomware, and high-profile tools like Mimikatz.
In this talk, we explain how to detect credential theft out of the Windows Credential Manager using Windows Defender Advanced Threat Protection (WDATP). This involves modifying the Windows operating system to send telemetry to the WDATP cloud which was extended with new detection rules.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
Big corporations and financial institutions need secure pull printing services which guarantee a proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions which are exposed to breaking the encryption, collecting any prints from the server and printing at others' expense.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But does cryptography mean security? Absolutely not, especially if developers do not use it properly.
In these slides, Enrico Zimuel, PHP Architect - ZF Core team member, presents some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system.
This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.
We presented few approaches, their pros, cons and the influence they have on structure of the performance test script. See the attached presentation for details on few approaches and the implementation in JMeter.
XSS? Sure, we all have heard about - XSS, stands for Cross Site Scripting, but XSS sounds lot more cool, huh?
Have your account or website been hacked? Or you sure might have heard about such a compromised account or site from someone? Have you been ever tricked by a website? Have you ever noticed your everyday trusted site behaving abnormally, throwing weird content at you?
Nowadays, these are very common incidents.
Recently:
Pentagon XSS Hack
Facebook XSS Hack
How hackers do it all? Why the hell do they do it? Would you like to check it out live, do some hands-on? And focus on how to secure against this nasty vulnerability.
Come join us to see - HOW IT HAPPENS and MAKE IT HAPPEN YOURSELF.
Casey Smith, Red Canary
Application whitelisting is a great defense. It really is. As difficult as it may be to implement, it gives organizations a strong defense to turn the tide against malicious binaries. The trouble is, administrators often trust all things that are signed by Microsoft. And... All binaries from Microsoft are signed in the same manner. This talk seeks to be a discussion of what Microsoft signs, how these binaries can be abused, and propose new strategies to move forward. How can we discover these binaries? What are capabilities that can be abused? What should Microsoft be signing? Should the same certificate be used for all binaries emitted from Microsoft? This talk will present a recent binary discovered to bypass Device Guard as a case study.
OSCP Exam Preparation Documents.
In This document, we download one vulnerable machine VM image and start analysis on the machine and get root privileged.
Breaking the cyber kill chain! This slide was presented in securITy – information security conference digital world 2017. This talk is about proactive security and threat hunting.
Dana Baril, Microsoft
Credential theft is an important part of the attacker playbook when attempting lateral movement. This process mostly involves dumping credentials saved locally on the machine. In many cases these passwords can be retrieved from the Windows Credential Manager, allowing attackers an easy path into the organization. This was evident in major attacks such as the NotPetya ransomware, and high-profile tools like Mimikatz.
In this talk, we explain how to detect credential theft out of the Windows Credential Manager using Windows Defender Advanced Threat Protection (WDATP). This involves modifying the Windows operating system to send telemetry to the WDATP cloud which was extended with new detection rules.
Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities. Through the analysis of thousands of reported vulnerabilities, security professionals have discovered that most vulnerabilities stem from a relatively small number of common software programming errors. By identifying the insecure coding practices that lead to these errors and educating developers on secure alternatives, organizations can take proactive steps to help significantly reduce or eliminate vulnerabilities in software before deployment.
Session by: Akash S Prakash
In The Middle of Printers - The (In)Security of Pull Printing solutions - Hac...Jakub Kałużny
Big corporations and financial institutions need secure pull printing services which guarantee a proper encryption, data access control and accountability. This research aimed to perform a MITM attack on multifunction printers with embedded software from the most popular vendors. The results are staggering - similar vulnerabilities have been found in multiple solutions which are exposed to breaking the encryption, collecting any prints from the server and printing at others' expense.
Having developed a test set, we started to research how safe it is for clients to use 4G networks of the telecommunication companies. During the research we have tested SIM-cards, 4G USB modems, radio components, IP access network. First of all we looked for the vulnerabilities that could be exploited remotely, via IP or radio network.
And the result was not late in arriving. In some cases we managed to attack SIM-cards and install a malicious Java applet there, we were able to update remotely USB modem firmware, to change password on a selfcare portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped to understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install bootkit on a box, that this modem is connected to.
Security is a very important aspect of web applications. In order to protect sensitive data we should use cryptography. But does cryptography mean security? Absolutely not, especially if developers do not use it properly.
In these slides, Enrico Zimuel, PHP Architect - ZF Core team member, presents some best practices in PHP to implement secure cryptography using the extensions mcrypt, Hash and OpenSSL.
Stranger Danger: Securing Third Party Components (Tech2020)Guy Podjarny
Building software today involves more assembly than actual coding. Much of our code is in fact pulled in open source packages, and the applications heavily rely on surrounding third party binaries. These third parties make us more productive - but they also introduce an enormous risk. Each third party component is a potential source of vulnerabilities or malicious code, each third party service a potential door into our system.
This talk contains more information about this risk, create a framework for digesting and tackling it, and lists a myriad of tools that can help.
We presented few approaches, their pros, cons and the influence they have on structure of the performance test script. See the attached presentation for details on few approaches and the implementation in JMeter.
XSS? Sure, we all have heard about - XSS, stands for Cross Site Scripting, but XSS sounds lot more cool, huh?
Have your account or website been hacked? Or you sure might have heard about such a compromised account or site from someone? Have you been ever tricked by a website? Have you ever noticed your everyday trusted site behaving abnormally, throwing weird content at you?
Nowadays, these are very common incidents.
Recently:
Pentagon XSS Hack
Facebook XSS Hack
How hackers do it all? Why the hell do they do it? Would you like to check it out live, do some hands-on? And focus on how to secure against this nasty vulnerability.
Come join us to see - HOW IT HAPPENS and MAKE IT HAPPEN YOURSELF.
Cross site scripting (XSS) is a type of computer security vulnerability typically found in web applications, but in proposing defensive measures for cross site scripting the websites validate the user input and determine if they are vulnerable to cross site scripting. The major considerations are input validation and output sanitization.
There are lots of defense techniques introduced nowadays and even though the coding methods used by developers are evolving to counter attack cross site scripting techniques, still the security threat persist in many web applications for the following reasons:
• The complexity of implementing the codes or methods.
• Non-existence of input data validation and output sanitization in all input fields of the application.
• Lack of knowledge in identifying hidden XSS issues etc.
This proposed project report will briefly discuss what cross site scripting is and highlight the security features and defense techniques that can help against this widely versatile attack.
This presentation covers the Cross site scripting attacks and defences in web applications, this talk was delivered as part of OWASP Hyderabad Chapter meet. Comments and suggestions are welcome.
In this talk, we’ll walk through utilizing one of the most popular web vulnerability testing frameworks BurpSuite. During this presentation we will cover the process of how to conduct a successful web penetration tests, while utilizing BurpSuite's features and tools (Free and Pro Version). This discussion will also cover realistic examples and a brief overview of common vulnerabilities found in web applications.
Web security: Securing Untrusted Web Content in BrowsersPhú Phùng
A joint Chicago Chapter ACM / Loyola University Computer Science Department meeting
Wednesday, September 10, 2014
Loyola University Water Tower Campus (Chicago/Michigan Area)
111 E. Pearson Street, Chicago IL 60611
Beane Ballroom (13th Floor, Lewis Towers)
Secure Software: Action, Comedy or Drama? (2017 edition)Peter Sabev
If they made movies about the most important software security issues, they could be put into five titles: Insecure Interface, Insufficient Authentication, Security Misconfiguration, Lack of Transport Encryption and Privacy Concerns. What are the action, comedy and drama parts in software security nowadays? A talk presented on IT-Weekend event in Ruse, Bulgaria (2017)
IDA Vulnerabilities and Bug Bounty by Masaaki ChidaCODE BLUE
IDA Pro is an advanced disassembler software and often used in vulnerability research and malware analysis. IDA Pro is used to analyse software behavior in detail, if there was a vulnerability and the user is attacked not only can it have impact in a social sense but also impact legal proceedings. In this presentation I will discuss the vulnerabilities found and attacks leveraging the vulnerabilities and Hex-rays's remediation process and dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
== Abstract ==
Presented at Analysis of Security APIs
Satellite workshop of IEEE CSF
July 13th 2015, Verona, Italy
http://www.dsi.unive.it/~focardi/ASA8/#program
Browsers HTML sandbox is, by default, only protected by the "Same Origin Policy". Although this simple constraint gave companies a very flexible environment to play with, and was probably one of the key features that led the Web to success as we see it now, it is quite unsatisfactory from a security perspective. In fact, this solution does not face the problem of letting third party code access the whole data in the DOM when explicitly loaded and executed by the browser. This behaviour opens the door to malicious third party code attacks that can be achieved using either Cross Site Scripting (OWASP Top Ten Security risk #1 for many years) or second order attacks, such as malvertising software. In the past, several attempts to sandbox untrusted code have been made. In this talk we will focus on successes and failures of the most interesting open source sandboxing browser techniques.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
5. XSS threats
• Interface defacement
• Session hijacking
• Click hijacking
• Malware infection
• Your PC may be joined to the horde of zombies in a BotNet.
25. Commercial software
• XSS is not known for business stakeholders
• For most people, security means attacking your servers
26. Commercial software
• XSS is not known for business stakeholders
• For most people, security means attacking your servers
• Developers don’t pay enough attention
42. #2: Inconsistent behaviour
Apply codec Does not apply codec
• GSP EL: ${...}
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>
43. #2: Inconsistent behaviour
Apply codec Does not apply codec
• GSP EL: ${...}
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>
• Tag as a method: ${g.tag(...)}
44. #2: Inconsistent behaviour
Apply codec Does not apply codec
• GSP EL: ${...}
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>
• Tag as a method: ${g.tag(...)}
• Scriptlets: <%= ... %>
45. #2: Inconsistent behaviour
Apply codec Does not apply codec
• GSP EL: ${...}
• Tag: <g:tag .../>
• GSP EL in tag attribute: <g:tag a="${...}"/>
• Tag as a method: ${g.tag(...)}
• Scriptlets: <%= ... %>
46. #3: Tag output is not
escaped
Problems
Review the tags you use to make sure they
encode their output or have options for this (e.g.
encodeAs attribute).
47. #3: Tag output is not
escaped
Problems
Review the tags from plugins you use.
48. #3: Tag output is not
escaped
Problems
Review the tags you invoke as methods in
Controllers.
49. #3: Tag output is not
escaped
Problems
Don’t trust Grails core tags, they have
inconsistent behaviour. E.g:
<g:fieldValue /> // HTML-encoded
<g:message /> // NO HTML-encoded
50. #3: Tag output is not
escaped
Solutions
If tag implementation doesn’t encode, add it
explicitly or invoke it as a method inside a GSP
expression:
<g:message ... encodeAs=’’HTML’’/>
${g.message(...)}
g.message(...).encodeAsHTML()
51. #4: g:message doesn’t
escape arguments
Problems
With default codec set to HTML the following
XSS attack vector works:
<g:message code=’welcome’ args=’[params.user]’/>
where:
welcome = Hi {0}!
params.user = <script>alert(’pwnd’)</script>
52. #4: g:message doesn’t
escape arguments
Solutions
Upgrade to a Grails version with the issue
(GRAILS-7170) fixed:
2.0.5, 2.1.5, 2.2.2, 2.3-M1
53. #4: g:message doesn’t
escape arguments
Solutions
Escape explicitly or invoke the tag inside a GSP
expression:
<g:message code=’welcome’ args=’[params.user]’
encodeAs=’HTML’/>
${g.message(code:’welcome’, args:[params.user])}
54. #5: One codec is not
enough
You MUST use the escape syntax for the context of the HTML
document you’re putting untrusted data into:
• HTML
• JavaScript
• URL
• CSS
55. #5: One codec is not
enough
HTML entity encoding doesn’t work if you’re using untrusted
data inside a <script>, or an event handler attribute like
onmouseover, or inside CSS, or in a URL.
56. #5: One codec is not
enough
Problems
You can override the default codec for a page,
but not to switch the codec for each context:
<%@page defaultCodec=’CODEC’ %>
57. #5: One codec is not
enough
Problems
How to manage GSPs with mixed encoding
requirements?
58. #5: One codec is not
enough
Solutions
Turn off default codec for that page and use
encodeAsJavaScript() and
encodeAsHTML() explicitly everywhere.
59. #5: One codec is not
enough
Solutions
Extract the JavaScript fragment to a GSP tag
encoding as JavaScript.
62. #1: New configuration more
security by default
grails {
views {
gsp {
encoding = ’UTF-8’
htmlcodec = ’xml’ // use xml escaping instead of HTML4
codecs {
expression = ’html’ // escapes values inside ${}
scriptlet = ’html’ // escapes output from scriptlets in GSPs
taglib = ’none’ // escapes output from taglibs
staticparts = ’none’ // escapes output from static templates
}
}
// escapes all not-encoded output at final stage of outputting
filteringCodecForContentType {
//’text/html’ = ’html’
}
}
}
63. #2: Finer-grained control of
codecs
Control the codecs used per plugin:
pluginName.grails.views.gsp.codecs.expression = ’CODEC’
64. #2: Finer-grained control of
codecs
Control the codecs used per page:
<%@ expressionCodec=’CODEC’ %>
65. #2: Finer-grained control of
codecs
Control the default codec used by a tag library:
static defaultEncodeAs = ’HTML’
Or on a per tag basis:
static encodeAsForTags = [tagName: ’HTML’]
66. #2: Finer-grained control of
codecs
Add support for an optional encodeAs attribute to all tags
automatically:
<my:tag arg=’foo.bar’ encodeAs=’JavaScript’/>
67. #3: Context-sensitive
encoding switching
Tag withCodec(’CODEC’, Closure) to switch the current
default codec, pushing and popping a default codec stack.
out.println ’<script type=’’text/javascript’’>’
withCodec(‘‘JavaScript’’) {
out << body()
}
out.println()
out.println ’</script>’
69. #4: Raw output
When you do not wish to encode a value, you can use the
raw() method.
${raw(book.title)}
It’s available in GSPs, controllers and tag libraries.
70. #5: Default encoding for all
output
You can configure Grails to encode all output at the end of a
response.
71. #5: Default encoding for all
output
grails {
views {
gsp {
codecs {
...
staticparts = ’raw’ // escapes output from static templates
}
}
// escapes all not-encoded output at final stage of outputting
filteringCodecForContentType {
’text/html’ = ’html’
}
}
}
If activated, the staticparts codec needs to be set to raw so
that static markup is not encoded.
73. Plugins are also part of your application
• Grails plugins are not security audited
74. Plugins are also part of your application
• Grails plugins are not security audited
• Grails plugins are part of your application’s attack surface
75. Plugins are also part of your application
• Grails plugins are not security audited
• Grails plugins are part of your application’s attack surface
• Review plugins to make sure they encode, and if they don’t
you should JIRA the authors immediately, and fork and
patch to fix your app quickly.
77. E.g. Javamelody vulnerability
• CVE-2013-4378 vulnerability reported.
• Allows blind XSS attack via X-Forwarded-For header
spoofing.
78. E.g. Javamelody vulnerability
• CVE-2013-4378 vulnerability reported.
• Allows blind XSS attack via X-Forwarded-For header
spoofing.
• The attack target is the admin’s browser.
79. E.g. Javamelody vulnerability
• CVE-2013-4378 vulnerability reported.
• Allows blind XSS attack via X-Forwarded-For header
spoofing.
• The attack target is the admin’s browser.
• Fixed in the last release (1.47).
80. E.g. Javamelody vulnerability
• CVE-2013-4378 vulnerability reported.
• Allows blind XSS attack via X-Forwarded-For header
spoofing.
• The attack target is the admin’s browser.
• Fixed in the last release (1.47).
• You should upgrade ASAP.
83. Think like an attacker
• According to your grails version
84. Think like an attacker
• According to your grails version
• Find unescaped values
85. Think like an attacker
• According to your grails version
• Find unescaped values
• Use fuzzers
86. Think like an attacker
• According to your grails version
• Find unescaped values
• Use fuzzers
• Read and understand Samy code
87. Think like an attacker
• According to your grails version
• Find unescaped values
• Use fuzzers
• Read and understand Samy code
• Review OWASP XSS cheatsheets
88. Be aware
• Review your Grails app to double-check how all dynamic
content gets escaped
89. Be aware
• Review your Grails app to double-check how all dynamic
content gets escaped
• Monitor for suspicious traffic
90. Be aware
• Review your Grails app to double-check how all dynamic
content gets escaped
• Monitor for suspicious traffic
• Spread the knowledge
91. Be aware
• Review your Grails app to double-check how all dynamic
content gets escaped
• Monitor for suspicious traffic
• Spread the knowledge
• Adopt ZAP or similar fuzzers in your CI process
92. Be aware
• Review your Grails app to double-check how all dynamic
content gets escaped
• Monitor for suspicious traffic
• Spread the knowledge
• Adopt ZAP or similar fuzzers in your CI process
• Review available security plugins for Grails
103. Grails
• Is able to defend our application from XSS attacks
• But we need to pay attention to the details
104. Grails
• Is able to defend our application from XSS attacks
• But we need to pay attention to the details
• Upgrade to 2.3 ASAP
105. Grails
• Is able to defend our application from XSS attacks
• But we need to pay attention to the details
• Upgrade to 2.3 ASAP
• Pay attention to XSS
107. XSS
• Is much more dangerous than defacement jokes
• The browsers are the actual target
108. XSS
• Is much more dangerous than defacement jokes
• The browsers are the actual target
• Difficult to monitor
109. XSS
• Is much more dangerous than defacement jokes
• The browsers are the actual target
• Difficult to monitor
• Unconfortable counter-measures in the browser: NoScript,
Request Policy
111. Wake up
• Write secure applications by default
• Get yourself used with Metasploit, Burp, ZAP
112. Wake up
• Write secure applications by default
• Get yourself used with Metasploit, Burp, ZAP
• Spread the word both horizontally and vertically
113. Picture credits
• Cover:
http://www.flickr.com/photos/usairforce/
CC by-nc
• White rabbit:
http://www.flickr.com/photos/alles-banane/5849593440
CC by-sa-nc
• Hieroglyphs:
http://www.flickr.com/photos/59372146@N00
CC by-sa-nc
• Zombies:
http://www.flickr.com/photos/aeviin/4986897433
CC by-sa-nc