XXE Exposed Webinar Slides:
Brief coverage of SQLi and XSS against Web Services, leading into XXE and XEE attacks and their mitigation. Heavily inspired by the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD)
Full recording here:
NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built, and more complex payloads can evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
Smart Sheriff, Dumb Idea, the wild west of government assisted parenting (Abraham Aranguren)
Would you want to let your kids discover the darker corners of the internet without protection? Wouldn't it be handy to know what they do online, to be alerted when they search for dangerous keywords and to be able to control what websites they can visit, and even when they play games?
Worry no longer, the South Korean government has got you covered. Simply install the "Smart Sheriff" app on your and your kids' phones. Smart Sheriff is the first parental-control mobile app that has been made a legally required, obligatory install in an entire country! Yay, monitoring!
Well, something shady yet mandatory like this cannot go without an external pentest. And even better, one that wasn't solicited by the maintainer but initiated by the OTF and CitizenLab and executed by the Cure53 team! In this talk, two of the Cure53 testers involved in the first and, who would have guessed, second penetration test against the "Smart Sheriff" app will share what they found. Maybe all was fine with the app, maybe the million kids forced to have this run on their devices were all safe. Maybe. But would there be a talk about it then?
We all know mandated surveillance apps to protect children are a great idea, and outsourcing to the lowest bidder always delivers the best results. Right?
Going over the first and second pentest results, we will share our impressions about the "security" of this ecosystem and show examples of the "comprehensive" vendor response, addressing "all" the findings impeccably. This talk is a great example of how security research about a serious political decision and mandate might achieve nothing at all - or show how a simple pentest together with excellent activist work can maybe spark a political discussion and more.
Ekoparty 2017 - The Bug Hunter's Methodology (bugcrowd)
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
General WAF detection and bypassing techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Demos: http://www.youtube.com/playlist?list=PL3SqEmKhsxzzUIG1oIOUw3UeK0euTSTNH
Chess is a complex game: The number of permutations is just too great to compute the best possible move during a game. This is similar to pen testing in that we also have too many vulnerabilities to find and choose from not only on a 1 by 1 basis but also how we would chain them together like a real attacker.
Chess players must analyse efficiently to beat time constraints, like pentesters, but unlike pentesters they have been doing this for a long time.
The purpose of this talk is to expose the techniques chess players have been using for centuries and to illustrate how we can learn from these and apply them to pen testing. The talk will be highly practical and will show how these techniques have been incorporated into OWTF, not only with screenshots but also demos.
Have you ever had to spend valuable time in the middle of a test to prepare something you could have prepared in advance? Did you ever analyse a vulnerability/attack-path in depth only to find a significantly easier-to-exploit vulnerability hours/days after? Pen testing is very similar to playing chess: It is easy to get carried away and waste valuable analysis time on a line of attack that is just not the best option. Maybe mistakes like this will be a bit less likely after attending this talk.
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015 (CODE BLUE)
Microsoft's web browsers, Internet Explorer and Edge, have a built-in feature called 'XSS filter' which protects users from XSS attacks. In order to deny XSS attacks, the XSS filter looks into the request for a string resembling an XSS attack, compares it with the page to find where it appears, and rewrites parts of the string if it appears in the page. This rewriting of the string - is it done safely? The answer is no. This time, I have found a way to exploit the XSS filter not to protect a web page, but to create an XSS vulnerability on a web page that is completely sane and free of XSS vulnerabilities. In this talk, I will describe technical details about the possibilities of XSS attacks exploiting the XSS filter and propose what website administrators should do to face this XSS filter nightmare.
HTTP Parameter Pollution Vulnerabilities in Web Applications (Black Hat EU 2011) (Marco Balduzzi)
While input validation vulnerabilities such as XSS and SQL injection have been intensively studied, a new class of injection vulnerabilities called HTTP Parameter Pollution (HPP) has not received as much attention. HPP attacks consist of injecting encoded query string delimiters into other existing parameters. If a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks. One consequence of HPP attacks is that the attacker can potentially override existing hard-coded HTTP parameters to modify the behavior of an application, bypass input validation checkpoints, and access and possibly exploit variables that may be out of direct reach.
In the talk we present the first automated system for the detection of HPP vulnerabilities in real web applications. Our approach consists of injecting fuzzed parameters into the web application and applying a set of tests and heuristics to determine whether the generated pages contain HPP vulnerabilities. We used this system to conduct a large-scale experiment by testing more than 5,000 popular websites and discovering unknown HPP flaws in many important and well-known sites such as Microsoft, Google, VMWare, Facebook, Symantec, Paypal and others. These sites have all been informed and many of them have acknowledged or fixed the problems. We will explain in detail how to efficiently detect HPP bugs and how to prevent this novel class of injection vulnerabilities in future web applications.
OWASP AppSecEU 2018 – Attacking "Modern" Web Technologies (Frans Rosén)
In this talk, top ranked white-hat hacker Frans Rosén (@fransrosen) will focus on methodologies and results of attacking modern web technologies. He will do a deep-dive into postMessage and into how vulnerable configurations in both AWS and Google Cloud allow attackers to take full control of your assets.
Listen to 60 minutes of new hacks, bug bounty stories and learnings that will make you realize that the protocols and policies you believed to be secure are most likely not.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 (Frans Rosén)
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the resource originated.
A web page may freely embed images, stylesheets, scripts, iframes, videos and some plugin content (such as Adobe Flash) from any other domain. However, embedded web fonts and AJAX (XMLHttpRequest) requests have traditionally been limited to accessing the same domain as the parent web page (as per the same-origin security policy). "Cross-domain" AJAX requests are forbidden by default because of their ability to perform advanced requests (POST, PUT, DELETE and other types of HTTP requests, along with specifying custom HTTP headers) that introduce many cross-site scripting security issues.
CORS defines a way in which a browser and server can interact to determine safely whether or not to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests. It is a recommended standard of the W3C.
This presentation illustrates a number of techniques to smuggle and reshape HTTP requests using features such as HTTP Pipelining that are not normally used by testers. The strange behaviour of web servers with different technologies will be reviewed using HTTP versions 1.1, 1.0, and 0.9 before HTTP v2 becomes too popular! Some of these techniques might come in handy when dealing with a dumb WAF or load balancer that blocks your attacks.
Presented @ BSides Manchester 2017 & SteelCon 2017
A Hacker's perspective on AEM applications security (Mikhail Egorov)
Adobe Experience Manager (AEM) is a comprehensive content management solution for building websites and managing marketing content and assets. I started to look into AEM security back in 2015. Since then I have discovered and reported several server-side vulnerabilities and developed a toolset for AEM hacking to automate security testing of AEM web applications.
In 2019 I reported one code injection and three XML external entity (XXE) vulnerabilities to Adobe PSIRT. They are known as CVE-2019-8086, CVE-2019-8087, CVE-2019-8088. These vulnerabilities allow anonymous attackers to compromise AEM web applications.
In the talk, I will disclose details of discovered vulnerabilities and exploitation techniques.
Vulnerabilities in modern web applications (Niyas Nazar)
Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
SSRF vs. Business-critical applications. XXE tunneling in SAP (ERPScan)
Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the history of the SSRF (Server Side Request Forgery) attack, its types and different kinds of attacks on SAP.
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
XXE: The XML Backdoor. Your XML parser is probably broken. This talk will outline a little-known attack vector targeting XML parsers in web applications called XML External Entity (XXE) Processing. https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
The presentation has a quick preamble on SQL injection definition, sqlmap and its key features.
I will then illustrate in detail common and uncommon problems, and their respective solutions, with examples of what a penetration tester faces when he wants to take advantage of any kind of web application SQL injection flaw on real-world web applications, for instance SQL injection in ORDER BY and LIMIT clauses, single-entry UNION query SQL injection, IDS bypasses for specific web application technologies and more.
These slides have been presented at the 2nd Digital Security Forum in Lisbon on June 27, 2009.
Updated version of http://www.slideshare.net/inquis/sql-injection-not-only-and-11.
My presentation from Framsia.
Topics:
XSS (reflected, stored, dom-based)
CSRF
Clickjacking
Header based approaches (CSP, X-frame-options)
EcmaScript5
HTML5
Some slides borrowed from John Wilander http://www.slideshare.net/johnwilander/application-security-for-rias
This is a multi-faceted workshop that explores new concepts in web security. After a solid grounding in well-known exploits like cross-site scripting (XSS) and cross-site request forgeries (CSRF), I'll demonstrate how traditional exploits are being used together and with other technologies like Ajax to launch sophisticated attacks that penetrate firewalls, target users, and spread like worms. I'll then discuss some ideas for the future, such as evaluating trends to identify suspicious activity and understanding human tendencies and behavior to help provide a better, more secure user experience.
Cross Site Scripting: Prevention and Detection (XSS) (Aman Singh)
Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin... (CODE BLUE)
Electron is a framework for easily creating desktop applications on Windows, OS X and Linux, and it has been used to develop popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allows web application developers to build desktop applications with the methods they are accustomed to, it contains a lot of security problems; for example, it allows arbitrary code execution if even one DOM-based XSS exists in the application. In fact, a lot of vulnerabilities that allow loading arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organizing and understanding the security problems which tend to occur in development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerabilities in Internet Explorer, Mozilla Firefox and other web applications. He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
A practical walkthrough into why you need a manual pentest.
Real reasons and metrics from the trenches.
The presentation was delivered during an Episode of the SecRepo Podcast with hosts Mackenzie Jackson and Dwayne McDaniel, who asked very good questions.
Update on progress of the 4 OWASP OWTF GSoC 2013 projects, with an intro overview about OWTF and some examples on how the OWASP Testing Guide is being covered at the moment towards the end.
Offensive (Web, etc) Testing Framework: My gift for the community - BerlinSid... (Abraham Aranguren)
Introduction to the Offensive (Web, etc) Testing Framework
Demos: http://www.youtube.com/playlist?list=PL1E7A97C1BCCDEEBB&feature=plcp
Download as PDF if fonts look funny.
Silent web app testing by example - BerlinSides 2011 (Abraham Aranguren)
A practical OWASP Testing Guide walk-through focused on passive and semi passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Neuro-symbolic is not enough, we need neuro-*semantic* (Frank van Harmelen)
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Generating a custom Ruby SDK for your web service or Rails API using Smithy (g2nightmarescribd)
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
UiPath Test Automation using UiPath Test Suite series, part 4 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques.
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
JMeter webinar - integration with InfluxDB and Grafana (RTTS)
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
UiPath Test Automation using UiPath Test Suite series, part 3 (DianaGray10)
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
3. Page 3
Presenter
Meet our author Abraham Aranguren
• Project founder and leader of OWASP OWTF
• 7+ years in Web App Security research and consulting
• Speaker at top European IT Security events
• Co-creator of VSA along with Mario Heiderich and Gareth Heyes
• Author of Practical Web Defense, the most comprehensive training course on web app security, launched in November 2013
4. Page 4
Agenda
Web Service Types
SQLi on Web Services
XSS on Web Services
XXE / XEE on Web Services
XXE / XEE Demo
Q & A
5. Page 5
Web Service Types
Major Web Service Types:
Abbreviation: Stands for
XML-RPC: XML Remote Procedure Call
JSON-RPC: JSON Remote Procedure Call
SOAP: Simple Object Access Protocol
REST: Representational State Transfer
BPEL: Business Process Execution Language
WCF: Windows Communication Foundation
More in-depth examples, labs, videos, etc. on:
«Practical Web Defense»
https://www.elearnsecurity.com/PWD
6. Page 6
Web Service Example
Basic Example:
• «Find a player web service»
• Web service returns matches from a database
Request: the web service client sends the message “Find a player” to the web service server
Web service server: 1) Search player, 2) Return matches
Response: the web service server sends the message “Player matches” back to the client
7. Page 7
In this webinar:
• Web service = Process request + Return response
• Web service = «the function», «find a player»
• Web service type = «the envelope», «HOW to call the function»
• Vulnerabilities are often in «the function»:
IF SO, Web Service attacks work against ALL types
NOT in this webinar:
• Vulnerabilities can also be in processing of «the envelope»
http://www.ws-attacks.org/
Web Service Types
8. Page 8
“Find a player” in “XML-RPC speak”
XML-RPC Request Example
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>Simon</string>
      </value>
    </param>
  </params>
</methodCall>
9. Page 9
“Find a Player” in “JSON-RPC speak”
JSON-RPC Request Example
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
  "method": "FindPlayer",
  "params": [ "Simon" ],
  "id": 1
}
10. Page 10
“Find a Player” in “SOAP speak”
SOAP Request Example
POST /soap_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:enc="http://www.w3.org/2003/05/soap-encoding"
              xmlns:ns1="http://example.com/soap_web_service"
              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <env:Body>
    <ns1:FindPlayer env:encodingStyle="http://www.w3.org/2003/05/soap-encoding">
      <name xsi:type="xsd:string">Simon</name>
    </ns1:FindPlayer>
  </env:Body>
</env:Envelope>
11. Page 11
«Find a Player» in «RESTful speak»
RESTful Request Example
GET /restful_web_service/Find_player/Simon HTTP/1.1
Host: example.com
...
12. Page 12
For our purposes:
• The function can be the same:
«Find a Player»
• The attacks can be the same:
SQLi, XSS, XXE, etc.
• What changes is «the envelope»:
«How to invoke the function»
In our example:
«HOW to call the web service to find a player»
Web Service Types: Summary
13. Page 13
Definitions:
SQLi = SQL Injection
XSS = Cross Site Scripting
XXE = XML eXternal Entity
What do SQLi, XSS and XXE have in common?
• They are all «Injection» attacks
• Injection attacks = Number 1 Web Risk
https://www.owasp.org/index.php/Top_10_2013-A1-Injection
Usual culprits:
• String concatenations
• XML parsers
• Home rolled parsers
SQLi, XSS and XXE?
14. Page 14
SQL Injection (SQLi) 101:
• User input can change the SQL query
• «input» is «injected» into the «SQL query»
• Usually due to string concatenations:
«SELECT ... WHERE id = input»
SQL Injection on Web Services:
• Usually the same as SQLi on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
SQLi on Web Services
17. Page 17
POST /xml_rpc_web_service HTTP/1.1
Host: example.com
...
<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>FindPlayer</methodName>
  <params>
    <param>
      <value>
        <string>zz&apos; union all ...</string>
      </value>
    </param>
  </params>
</methodCall>
SQLi: XML-RPC SQLi Attack
18. Page 18
Query:
NOTE: String concatenation!
SELECT * FROM players WHERE name LIKE '%{$player}%'
Intended usage:
• Player: Simon
• XML-RPC call snippet:
<string>Simon</string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%Simon%'
SQLi attack:
• Player: zz' union all ...
• XML-RPC call snippet:
NOTE: XML-encoded single quote: ' = &apos; (a bare ' is also well-formed in XML text, only & and < must always be escaped; either way the parser hands the decoded ' to the query)
<string>zz&apos; union all ... </string>
• Query becomes:
SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
SQLi: XML-RPC Explanation
19. Page 19
Usual SQLi Impact:
• The attacker can run arbitrary SQL code
• Dumping the whole database, sometimes code execution, etc.
Root cause: Code + Data = Code
• Code: SELECT * FROM players WHERE name LIKE '%%'
• + Data (i.e. user input): $player
• = Code: SELECT * FROM players WHERE name LIKE '%zz' union all ... %'
• «Data» is executed as «Code» (All Injection attacks work like this)
How to fix: Separate «code» from «data» as aggressively as possible
• BEST: Bind variables aka «Parameterized queries». Always do this if you can!
• 2nd BEST: Escaping. Sometimes the only option (think legacy), be careful
• 3rd BEST: Strict validation. Only do this in addition to binding/escaping
• More info:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
SQLi Mitigation: Basics
20. Page 20
REMEMBER: Bind variables > Escaping
IF you have to use escaping make sure that:
1) you use the DBMS-specific escaping function:
e.g. escape MySQL input using a MySQL-specific function, etc.
AND
2) you put quotes around the value you are escaping!
Our example:
Could be fixed, using escaping, like:
SQLi Mitigation: On Escaping
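The «Find a player» function from the last three slides, written out as an added example (this is not the webinar's code): the vulnerable concatenation, the bind-variable fix and the escaping fix side by side. The table and column names come from the slides; the SQLite in-memory database, its two rows and the completed attack string are constructed here so the script runs offline (the slide itself elides the rest of the payload with «...»).

```php
<?php
// Added example, not code from the webinar: «Find a player» vulnerable, then
// fixed with bind variables (BEST) and with DBMS-specific escaping (2nd BEST).
// Schema, rows and the attack string below are constructed for this example.

declare(strict_types=1);

// VULNERABLE (as on the slide): the player name is concatenated into the
// query text, so «data» is executed as «code».
function find_player_vulnerable(PDO $db, string $player): array
{
    $sql = "SELECT * FROM players WHERE name LIKE '%{$player}%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// BEST: bind variables. Query text and value travel separately, so the value
// is never parsed as SQL, whatever quotes it contains.
function find_player_bound(PDO $db, string $player): array
{
    // Binding does not neutralise LIKE wildcards: a search for «%» would still
    // match every row. For a literal search, escape %, _ and the chosen escape
    // character ('!' here, declared with ESCAPE). '!' must be replaced first.
    $pattern = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $player) . '%';
    $stmt = $db->prepare("SELECT * FROM players WHERE name LIKE :pattern ESCAPE '!'");
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2nd BEST: escaping. The two rules from the slide: use the DBMS-specific
// function, and keep the quotes around the escaped value (without quotes an
// input like 1 OR 1=1 needs no quote to break out, so escaping does nothing).
// Not executed below: it needs a MySQL connection.
function find_player_escaped(mysqli $db, string $player): array
{
    // real_escape_string() is only correct for the connection's charset, so
    // set it explicitly (e.g. $db->set_charset('utf8mb4')) before relying on it.
    $escaped = $db->real_escape_string($player);
    $result  = $db->query("SELECT * FROM players WHERE name LIKE '%{$escaped}%'");
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Constructed test database (in memory, no server needed).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real prepared statements where the driver supports them
]);
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO players (name, email) VALUES ('Simon', 'simon@example.com'), ('Simone', 'simone@example.com')");

// Intended usage.
print_r(find_player_bound($db, 'Simon'));

// The XML-RPC attack from the slides, as the service sees it after the XML
// parser has decoded &apos;. The trailing comment marker keeps the injected
// statement well-formed once the original closing quote follows it.
$attack = "zz' UNION ALL SELECT id, name, email FROM players -- ";
print_r(find_player_vulnerable($db, $attack));
print_r(find_player_bound($db, $attack));
```

With the attack string the vulnerable function's query becomes `SELECT * FROM players WHERE name LIKE '%zz' UNION ALL SELECT id, name, email FROM players -- %'`, which returns every row of the table; the bound version looks for a player whose name literally contains the attack string and returns none. The third line of defence from the slide, strict validation (for instance an allow-list regex on the name), belongs in addition to binding, not instead of it.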
21. Page 21
XSS Intro
Three major types of XSS:
• (Server-Side) Reflected:
The XSS payload is displayed back from the request
• (Server-Side) Stored:
The XSS payload is 1) stored (e.g. in a DB) and 2) displayed back later
• (JavaScript-Side) DOM-based:
The XSS payload is evaluated as JavaScript, from JavaScript code
Cross Site Scripting (XSS) 101:
• User input can change the HTML page OR JavaScript
• «input» is «injected» into the «Page»
• Run JavaScript under «victim domain» = session hijacking, etc.
• Usually due to string concatenations:
«<html><body>....input...</body></html>»
22. Page 22
XSS against RESTful web services can sometimes be like XSS on web apps:
XSS on RESTful Web Services
23. Page 23
XSS on RESTful Web Services
Proof of concept:
XSS=$(php -r 'echo urlencode("<svg onload=alert(1)>");')
curl -i "http://localhost/findplayer/$XSS"
OR directly:
http://localhost/findplayer/%3Csvg+onload%3Dalert%281%29%3E
Returns:
HTTP/1.1 200 OK
..
Content-Type: text/html
Your search: <svg onload=alert(1)>Matches: ...
NOTE:
Content-Type != text/html on SOAP, XML-RPC, JSON-RPC .. usually ☺
24. Page 24
But, more commonly, XSS on Web Services happens in two stages:
1) The web service saves the data NOT the problem
2) The data is displayed (insecurely) by a web app THE problem
XSS on Web Services:
• Usually the same as Persistent XSS on Web Applications.
• Difference = Attack encoded according to «the envelope»
Why?
Break XML/JSON = Web Service cannot see/process the message
REMEMBER: Encoding is easy ☺
https://hackvertor.co.uk/public
XSS on most Web Services
26. Page 26
NOTE: Encode according to «the envelope», JSON-RPC = JSON encode
XSS=$(php -r 'echo json_encode("<svg onload=alert(1)>");')
POST /json_rpc_web_service HTTP/1.1
Host: example.com
...
{
  "method": "FindPlayer",
  "params": [ "<svg onload=alert(1)>" ],
  "id": 1
}
JSON-RPC XSS Attack
27. Page 27
XSS Mitigation
XSS Mitigation 101:
• Solution != Validation (e.g. the business requires «risky» characters, etc.)
• Solution = Output Encoding in the right context
• ALWAYS use validation in addition to output encoding.
• As with all Injection attacks, the problem is when:
Code + Input = Code
• Usual culprit aka “right place to fix”:
String concatenations in code that renders/builds HTML/JavaScript
NOTE: Usually in the web app, rarely in the web service.
• More info (recommended reading):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
28. Page 28
XSS Mitigation Example
XSS Mitigation 101 = Output Encoding in the right context, using the
relevant platform function for such purpose, e.g. htmlentities() in PHP.
Vulnerable example:
Fixed example (in this context!):
Safe Output (the browser shows the payload as text):
Your search: &lt;svg onload=alert(1)&gt; Matches: ...
Unsafe Output (the browser runs alert(1)):
Your search: <svg onload=alert(1)> Matches: ...
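The RESTful «find player» page from the earlier slides, rendered without and with output encoding, as an added example (not the slide's code, whose vulnerable and fixed snippets are images). The «Your search: ... Matches:» text and the payload come from the slides; the function names and the extra JavaScript-string context are assumptions made here to show that the encoder depends on the context.

```php
<?php
// Added example, not from the webinar: context-correct output encoding for the
// «Your search: ...» page. Function names are assumptions made for this example.

declare(strict_types=1);

// VULNERABLE: the search term is concatenated straight into the HTML body
// (Content-Type: text/html), so <svg onload=alert(1)> is parsed as markup.
function render_search_vulnerable(string $search, array $matches): string
{
    return "Your search: {$search} Matches: " . implode(', ', $matches);
}

// Encoder for the HTML body and quoted-attribute contexts. ENT_QUOTES encodes
// both ' and " so the helper is also safe inside a quoted attribute;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently yielding an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// FIXED for the HTML body context: every untrusted value passes through h(),
// the matches too, since a stored payload arrives through the same path.
function render_search(string $search, array $matches): string
{
    return 'Your search: ' . h($search) . ' Matches: ' . implode(', ', array_map('h', $matches));
}

// A different context needs a different encoder. Inside a <script> block the
// value must be JSON-encoded with the HTML-sensitive characters hex-escaped:
// without JSON_HEX_TAG a </script> inside the data closes the script element
// before the JavaScript parser ever sees the string.
function render_search_js(string $search): string
{
    $js = json_encode($search, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<script>var lastSearch = ' . $js . ';</script>';
}

// Usage with the payload from the slides.
$payload = '<svg onload=alert(1)>';
echo render_search_vulnerable($payload, ['Simon']), PHP_EOL;
echo render_search($payload, ['Simon']), PHP_EOL;
echo render_search_js('</script>' . $payload), PHP_EOL;
```

In the fixed body output the `<` and `>` of the payload arrive as `&lt;` and `&gt;`, so the browser displays the text instead of creating an element; in the script variant the same characters arrive as `\u003C` and `\u003E`, which the JavaScript parser turns back into the original string without the HTML parser ever seeing a tag. Using the HTML encoder in the script context (or the reverse) is the classic «wrong context» mistake the slide warns about.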
29. Page 29
XXE / XEE Intro
XML Entity (XXE / XEE) attacks 101:
• User input can change the parsed XML, «the XML the app will see»
• «input» is «injected» into the «parsed XML»
• Usually due to a default XML parser feature:
XML (External / Inline) Entities
Two major types of attacks:
• XXE = External entity resolution, like Path Traversal = Read system files, source code, etc.
• XEE = Entity Expansion = Denial of Service = Crash the web server
Interesting attack variants:
• Internal network HTTP requests (SSRF)
• PHP / Java wrappers
• Remote Code Execution (RCE) in some edge cases
• Etc.
30. Page 30
XXE / XEE = Subtle issues
XXE / XEE = Attacks against the XML parser, the code might «look safe»
Scenario:
An NGO builds a «crime report» web service, this allows people to report
government abuse crimes anonymously.
Code:
31. Page 31
XEE attack
XEE = XML Entity Expansion = Denial of Service (DoS) attack
Amplified XEE: «The billion laughs attack» / «recursive entity expansion»
XML File:
It will take … 687 GB of RAM to parse this document ..
Recommended watching: http://vimeo.com/73255656
32. Page 32
Intended XML File
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output:
Uploading Crime Report: Joey is guilty..
33. Page 33
XXE attack
XXE = External Entity attack = Path Traversal = Read files, etc.
XML File:
Web Service Code:
echo "Uploading Crime Report: {$xml->summary}..";
Web Service Output: «summary» = «/etc/passwd» via XML parser!
Uploading Crime Report: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh…….
34. Page 34
XXE / XEE: Mitigation
XXE and XEE attacks mitigation 101:
• Disable external entities
• Disable DOCTYPE declarations
• Prefer SAX over DOM parsers
• Validate XML files against schemas
• More info (recommended reading, especially links at the end):
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
35. Page 35
XXE / XEE: Mitigation example
Vulnerable:
$xml = simplexml_load_string($request->getBody());
Fixed:
NOTE: Do ALL this before parsing
$xml_string = $request->getBody();
//Fix 1) Disable External Entities: Fixes XXE and *some* XEE
//(deprecated since PHP 8.0, where external entity loading is already off by default)
libxml_disable_entity_loader(true);
//Fix 2) Limit overall XML size: IMPORTANT before Fix 3)
if (strlen($xml_string) > (1024 * 5))
    die('Sorry, we do not support XML files greater than 5 KBs');
//Fix 3) Forbid DOCTYPE declarations: Fixes XXE and XEE
if (preg_match("/<!DOCTYPE/i", preg_replace("/\s/", '', $xml_string)))
    die('Unsupported XML file, sorry');
//NOW we can parse the XML safely ☺
$xml = simplexml_load_string($xml_string);
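The crime-report parsing from the XEE, XXE and mitigation slides, brought together as an added example (not the webinar's code): constructed XXE and billion-laughs payloads, the intended document, and a hardened parser that rejects the first two before any entity is declared. The `<summary>` element follows the slides; the `<report>` root, the 5 KB limit and the function name are assumptions. It replaces the slide's `libxml_disable_entity_loader()` with parser flags and a post-parse DOCTYPE check.

```php
<?php
// Added example, not from the webinar: the crime-report parser with the
// attacks and the hardened version side by side. Payloads are constructed.

declare(strict_types=1);

// Constructed XXE payload: the external entity makes the parser read a local
// file and place its contents in <summary>, exactly what the XXE slide shows.
const XXE_PAYLOAD = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE report [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<report><summary>&xxe;</summary></report>
XML;

// Constructed XEE payload («billion laughs»): each entity is ten copies of the
// previous one, so &lol3; is already 1 000 «lol»s. The real attack nests
// further; three levels keep this sample small.
const XEE_PAYLOAD = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE report [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<report><summary>&lol3;</summary></report>
XML;

const INTENDED_PAYLOAD = '<?xml version="1.0"?><report><summary>Joey is guilty</summary></report>';

// Hardened parser: every check runs before the document's content is used.
function parse_crime_report(string $xml_string, int $max_bytes = 5 * 1024): SimpleXMLElement
{
    // 1) Bound the input size first (cheapest check, limits what later steps see).
    if (strlen($xml_string) > $max_bytes) {
        throw new InvalidArgumentException('XML document too large');
    }

    // 2) Refuse any DOCTYPE. No DOCTYPE means no entity declarations, which
    //    removes XXE and XEE at once. This string match is a fast path only;
    //    the authoritative check is on the parsed document below.
    if (preg_match('/<!DOCTYPE/i', $xml_string)) {
        throw new InvalidArgumentException('DOCTYPE declarations are not supported');
    }

    // 3) Parse with errors captured. Deliberately absent: LIBXML_NOENT (entity
    //    substitution), LIBXML_DTDLOAD and LIBXML_PARSEHUGE (which lifts
    //    libxml's built-in expansion limits). LIBXML_NONET forbids any network
    //    access while parsing.
    $previous = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    $ok = $dom->loadXML($xml_string, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false || $errors !== []) {
        throw new InvalidArgumentException('Malformed XML');
    }

    // 4) Authoritative DOCTYPE check on the parse result: catches a document
    //    whose encoding (e.g. UTF-16) kept the regex in step 2 from matching.
    if ($dom->doctype !== null) {
        throw new InvalidArgumentException('DOCTYPE declarations are not supported');
    }

    return simplexml_import_dom($dom);
}

// Usage: the intended report is processed, both attacks are rejected.
foreach (['intended' => INTENDED_PAYLOAD, 'xxe' => XXE_PAYLOAD, 'xee' => XEE_PAYLOAD] as $name => $doc) {
    try {
        $xml = parse_crime_report($doc);
        echo "{$name}: Uploading Crime Report: {$xml->summary}..", PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "{$name}: rejected ({$e->getMessage()})", PHP_EOL;
    }
}
```

Two caveats on the slide's own fix. `libxml_disable_entity_loader()` is global state that also affects unrelated DOMDocument, XSLT and schema loading in the same process, and it is deprecated as of PHP 8.0, where external entity loading is already disabled unless code opts back in (on current PHP the slide's vulnerable line only fetches `/etc/passwd` if `LIBXML_NOENT` is passed). Rejecting the DOCTYPE outright, as both the slide and this example do, does not depend on those parser defaults and is the mitigation to keep.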
36. Page 36
XXE / XEE Demo
XXE / XEE
DEMO
Watch it from minute 25 here:
https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
(NOTE: Wait for the video to fully load first)