Top Ten Web Hacking Techniques of 2012

The document discusses various methods for preventing SQL injection attacks, including input validation, using static query statements, and least privilege approaches. It provides detailed explanations and examples of how to properly implement input validation, including escaping special characters, validating numeric fields, and preventing second-order SQL injection. The document also cautions that approaches like parameterized statements and stored procedures do not automatically prevent SQL injection and can still be vulnerable if not implemented correctly.

Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.

Cross-site scripting (XSS) is a type of vulnerability in web applications that allows attackers to inject client-side scripts. There are three main types of XSS - reflected XSS occurs when malicious scripts are included in links or requests to the server, stored XSS happens when scripts are stored on the server through forums or comments, and local XSS executes without contacting the server through PDFs or Flash. XSS can lead to compromised user accounts, denial of service attacks, or access to users' local machines. Developers can prevent XSS through input validation, encoding output, and keeping software updated.

Cross-site scripting (XSS) is the most common web application vulnerability. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. Reflected XSS occurs when malicious scripts are included in hyperlinks and infect the victim's browser when the link is clicked. Stored XSS involves injecting malicious scripts into the application itself, which are then executed when users access stored information. DOM-based XSS modifies the DOM environment used by client-side scripts, causing them to run unexpectedly and potentially harmfully. All XSS attacks allow attackers to hijack user sessions, insert hostile content, and fully compromise users. Applications can prevent XSS by validating all input

This document summarizes a presentation about assessing the security of Web 2.0 technologies like Ajax and web services. It discusses the Web 2.0 industry trends, technologies like Ajax, potential security impacts, and methodologies for fingerprinting, enumerating, crawling, and scanning Ajax applications and web services to identify vulnerabilities. It also provides an overview of attacking Ajax and defending applications.

This document summarizes different types of network scans that can be performed using Nmap, including TCP connect scans, SYN scans, FIN scans, Xmas scans, Null scans, and least traffic scans. It also discusses why vulnerability scanning is important and compares the features of the free Nessus Home Feed versus the paid Professional Feed for vulnerability scanning. The Professional Feed provides more frequent plugin updates, policy compliance checks, unlimited PCI audits, operating system audits, and technical support compared to the free Home Feed.

The document summarizes the WannaCry/WannaCrypt ransomware attack that affected over 200,000 victims globally in May 2017. It briefly describes how the ransomware works by encrypting files and demanding ransom payments in bitcoin. It also provides details on how systems get infected, the impacts on victims including encrypted files and ransom messages, and recommendations on how to protect systems by patching vulnerabilities and using backups.

Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser.

One of the most typical web application security vulnerabilities Cross-Site Scripting (XSS). What does it mean to Developer? How they are important? What should we keep in mind? How could we prevent this to some extend as Developer? How Attackers proceed? Many mores..

Cross-site scripting (XSS) allows malicious code to be injected into web applications, potentially enabling attacks like cookie theft, account hijacking, and phishing. There are three main types of XSS attacks: reflected, stored, and DOM-based. Reflected XSS tricks the user into clicking a malicious link, while stored XSS embeds malicious code directly into the website. DOM-based XSS targets vulnerabilities in client-side scripts. XSS remains a significant threat and proper input validation and output encoding are needed to help prevent attacks.

The document provides an overview of ways to secure Windows systems, beginning with general advice like enabling drive encryption with BitLocker or VeraCrypt, using strong passwords, and implementing the principle of least privilege for access control. It discusses Windows tools like Cmd, PowerShell, Windows Event Viewer, and the Windows Registry that can help secure and monitor systems. The document also provides an introduction to Active Directory, including its components, structure, and use of group policy for centralized management. It concludes with an overview of updated Microsoft security tools like Defender Security Center, Exploit Guard, Attack Surface Reduction, and Event Forwarding.

This presentation will provide you the deep knowledge of the Cross-Site Scripting and SQL Injection with the remediation and prevention measures.

About XSS security, their impact on PHP applications. Some examples of xss attacks. Solution for xss attacks.

Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. It can be used for effective and fast security analysis of Android and iOS Applications and supports both binaries (APK & IPA) and zipped source code. MobSF can also perform Web API Security testing with it's API Fuzzer that can do Information Gathering, analyze Security Headers, identify Mobile API specific vulnerabilities like XXE, SSRF, Path Traversal, IDOR, and other logical issues related to Session and API Rate Limiting.

Another way to bypass WAF Cheat Sheet

Eternal Blue was a cyberattack exploit developed by the NSA that was leaked in 2017 and used in several ransomware attacks. It allowed remote code execution via SMBv1 by exploiting three bugs related to incorrect data type casting, transaction parsing, and memory allocation. While patches were released, many systems remained unpatched, allowing the widespread use of Eternal Blue in attacks like WannaCry and NotPetya.

Cross-site scripting (XSS) allows malicious code injection into web applications. There are three types of XSS vulnerabilities: non-persistent, persistent, and DOM-based. To avoid XSS, developers should eliminate scripts, secure cookies, validate input, and filter/escape output. Proper coding practices can help prevent XSS attacks.

This document summarizes a webcast about improving working capital through various payment strategies. It discusses 5 proven strategies: 1) faster invoice approval through automation, 2) improving payment terms through supplier onboarding, 3) enabling more early payment discounts through dynamic discounting, 4) capturing rebates through buyer-initiated payments, and 5) expanding available cash through supply chain financing. Technology plays a key role in enabling these strategies through features like collaborative workflows, financial solutions, and connecting all parties. The webcast highlights how these strategies can save millions through increased working capital compared to traditional AP automation alone.

Presentation from OWASP AppSec EU 2016 Rome All internet banking applications are different but all of them share many common security features which are very specific to this domain of web applications, such as: • transaction limits, • notifications via SMS or e-mail, • authorization schemes, • trusted recipients, • two-factor authentication and transaction authorization, • pay-by-links, • communication channel activation (e.g. mobile banking or IVR), It is not very rare that these safeguards are incorrectly implemented leaving the internet banking application vulnerable. Last year at AppSec EU I was talking about common vulnerabilities in e-banking transaction authorization. As a follow-up to this presentation, OWASP Transaction Authorization Cheat Sheet was published and gained some attention from banks, developers and testers. This year, I want to continue and expand this work to other security mechanisms which are specific and common to internet banking applications. During my presentation I want to show some common mistakes made during implementation of the abovementioned internet banking safeguards. As a follow-up, I am planning to expand OWASP Transaction Authorization Cheat Sheet to Internet Banking Cheat Sheet which will include guidelines for secure implementation of all security mechanisms common to contemporary internet banking applications. At the end of my presentation, I also want to discuss the idea of expanding key OWASP materials such as ASVS, Testing Guide, Development guide by adding appendixes specific to group of applications (such as internet/mobile banking, e-commerce, etc.).

The document discusses cyber warfare as a threat to India's homeland security. It notes India's increasing reliance on digital infrastructure and discusses potential future cyber incidents like power grid failures, financial system paralysis, and satellite or communication system disruptions. The document outlines challenges like attribution of attacks and issues with cyber deterrence. It also examines threats in India's cyber domain from state actors like China and Pakistan as well as non-state groups, and argues for integrating cyber security into India's overall homeland security strategy.

Content Security Policy (CSP) is a browser security mechanism against content injection. Using the CSP header, browsers can restrict content from just the domains whitelisted in the policy. This session shares lessons learned with deploying CSP at Yahoo.

What is hacking? History of hacking. Who is hacker and cracker? Difference between hacker & cracker. Types of hacking. Benefits Of Computer Hacking Security Conclusion (How to hack your friend account or his/her password?)

The document describes plans for the OWASP Summit 2017 conference to be held in London from June 12-16. It will bring together application security experts, developers, users, and vendors to collaborate on hard problems through workshops and discussions from 8am to late at night. Workshop ideas include mobile security, security scanners, GitHub integrations, and threat modeling. Tickets are £1,200 or £400 and sponsorships are being sought. Leaders are needed for additional workshops. The objective is to focus on collaboration between OWASP projects, developers, security teams, DevOps, and executives.

This is my attempt to summarize the policy with salient points. For detailed verbose policy please visit http://deity.gov.in/hindi/sites/upload_files/dithindi/files/ncsp_060411.pdf

How does India stand in the perspective of global terrorism and does it have enough countermeasures to tackle the ever growing threat of cyber crime

This document discusses ethical hacking. It defines hacking as unauthorized use of computer and network resources, and describes different types of hackers such as black hat, white hat, and grey hat. It then defines ethical hacking as a methodology used by trusted professionals to discover vulnerabilities in information systems. The document outlines skills required of an ethical hacker such as knowledge of operating systems, networking protocols, and security tools. It describes the steps an ethical hacker takes including reconnaissance, scanning, gaining access, and clearing tracks. Finally, it discusses advantages like improving security, and disadvantages like potential misuse of access.

Due to the dramatic increase of threats worldwide, there is a need for the companies to find ways how to increase the information security. Therefore, one solution is to implement the ISO/IEC 27001 in order to protect information both internally and externally. Main points that will be covered are: • The scope of ISO 27001 & associated other standards references • Information Security and ISIM Terminologies • ISIM auditing principles • Managing audit program & audit activities Presenter: Eng. Kefah El-Ghobbas is a specialist in ‘Business Process Excellence' through ‘Business Process Re-engineering' with over 20 years of experience. Link of the recorded session published on YouTube: https://youtu.be/rTxA8PVULUs

This document discusses cyber security and the importance of protecting critical infrastructure and information societies from cyber threats. It notes that while information technologies provide benefits, societies have grown dependent on them and vulnerable to attacks. It argues that cyber security must be an important part of developing the information society and requires new technologies, policies, legislation, organizations, education, and cooperation across different levels including individuals, organizations, states, allies and the world. The document uses Estonia as an example of implementing different cyber security measures across these levels.

This year WhiteHat SecurityTM celebrates its fteenth anniversary, and the eleventh year that we have produced the Web Applications Security Statistics Report. The stats shared in this report are based on the aggregation of all the scanning and remediation data obtained from applications that used the WhiteHat SentinelTM service for application security testing in 2015. As an early pioneer in the Application Security Market, WhiteHat has a large and unique collection of data to work with.

This document introduces the concept of ethical hacking. It begins by defining hacking as finding solutions to real-life problems, and clarifies that the original meaning of "hack" was not related to computers. It then discusses how the term entered computer culture at MIT in the 1960s, where hackers were students who solved problems in innovative ways, unlike "tools" who just attended class. The document outlines some traits of good hacks and provides examples. It emphasizes that media misconstrues hackers as criminals, and explains that real hackers have strong ethics and help catch cyber criminals, unlike crackers who hack systems illegally. The rest of the document provides an overview of skills, subjects, and basic concepts needed for ethical hacking.

This document discusses ethical hacking. It defines ethical hacking as testing systems for security purposes with permission, compared to cracking which is hacking without permission for malicious reasons. It outlines different types of hackers like script kiddies, white hat hackers who hack legally for security work, grey hat hackers who can help or harm, and black hat hackers who hack criminally. The document advises on security practices like using antiviruses and strong passwords to prevent hacking.

This document provides an overview of security and hacking. It defines security as protection from harm and defines differences between security and protection. It then discusses what hacking and hackers are, provides a brief history of hacking from the 1960s to present day, and describes different types of hackers like white hat and black hat hackers. The document also outlines the hacking process and some common tools used. It lists some famous hackers and recent news stories about hacking.

The document discusses ethical hacking and describes hackers. It defines ethical hacking as evaluating a system's security vulnerabilities by attempting to break into computer systems. Ethical hackers possess strong programming and networking skills and detailed hardware/software knowledge. They evaluate systems by determining what intruders can access, what they can do with that information, and if intruder attempts can be detected. The document outlines different types of hackers and classes them as black hats, white hats, gray hats, and ethical hackers based on their motivations and how they use their skills.

Cyber security involves protecting computers, networks, programs and data from unauthorized access and cyber attacks. It includes communication security, network security and information security to safeguard organizational assets. Cyber crimes are illegal activities that use digital technologies and networks, and include hacking, data and system interference, fraud, and illegal device usage. Some early forms of cyber crime date back to the 1970s. Maintaining antivirus software, firewalls, backups and strong passwords can help protect against cyber threats while being mindful of privacy and security settings online. The document provides an overview of cyber security, cyber crimes, their history and basic safety recommendations.

Cyber crime involves unlawful activities using computers and the internet. The document categorizes cyber crimes as those using computers to attack other computers or as tools to enable real-world crimes. It provides examples of various cyber crimes like hacking, child pornography, viruses, and cyber terrorism. It stresses the importance of cyber security to defend against attacks through prevention, detection and response. The document advises safety tips like using antivirus software, firewalls, and strong passwords. India's cyber laws address both traditional crimes committed online and new crimes defined in the Information Technology Act.

This document provides an overview of hacking, including its history, definitions, types, famous hackers, reasons for hacking, and advice on security and ethics. Hacking emerged in the 1960s at MIT and refers to attempting to gain unauthorized access to computer systems. It describes hackers as those who exploit weaknesses in computers. Different types of hacking are outlined such as website, network, password, and computer hacking. Advice is given around using strong unique passwords, backing up data, and contacting authorities if hacked. Both advantages like security testing and disadvantages like privacy harm are discussed.

This document provides an overview of cyber crime and security. It defines cyber crime as illegal activity committed on the internet, such as stealing data or importing malware. The document then covers the history and evolution of cyber threats. It categorizes cyber crimes as those using the computer as a target or weapon. Specific types of cyber crimes discussed include hacking, denial of service attacks, virus dissemination, computer vandalism, cyber terrorism, and software piracy. The document concludes by emphasizing the importance of cyber security.

Many notable and new web hacking techniques, discoveries and compromises were uncovered in 2008. During his session, the top 10 vulnerabilities present in 2008, as well as some of the prevalent security issues emerging in 2009. Attendees will virtually be able to walk through the vulnerabilities appearing on today’s corporate websites, learning real-world solutions to today’s web application security issues. Moderator: Mike Stephenson, SC lab manager, SC Magazine - Jeremiah Grossman, founder and chief technology officer, WhiteHat Security

The document discusses cross-site tracing (XST), a new web security attack technique that can bypass the HTTP-only security mechanism in Internet Explorer 6 SP1. XST uses the HTTP TRACE request method to echo back request headers, including authentication cookies, allowing an attacker to access credentials from any site. The document provides background on the TRACE method and how it is enabled by default on many web servers. It also explains the HTTP-only cookie option that aims to prevent access to cookies via JavaScript but is circumvented by XST.

1) HTML5 and new web standards like Content Security Policy and cross-origin resource sharing improve security by enabling enforcement of policies like script isolation in the client instead of through server-side filtering. 2) Script injection vulnerabilities like cross-site scripting can be solved using these new client-side techniques rather than incomplete server-side simulations. 3) Mashups can be made more secure by using CORS to retrieve validated data instead of injecting code, and postMessage with isolated iframes to communicate with legacy APIs.

A security note to web developers on how they can instill safe security design practices on their web development projects.

Slides for "HTML5 Security Realities" talk at W3Conf: Practical Standards for Web Professionals 2013. Brad Hill - PayPal @hillbrad

The document discusses a new web security technique called cross-site tracing (XST) that can bypass the HTTP-only security feature in Internet Explorer 6 SP1 and perform cross-site scripting attacks. XST exploits the TRACE HTTP request method, which echoes request information to the client, to obtain authentication cookies from other domains over HTTP and HTTPS. While HTTP-only helps prevent cookie access via JavaScript, XST can still access cookies through TRACE requests.

This presentation by Mike Shame of Qualys the basics of Web Application Security and how to safeguard your web infrastructure against the most prevalent online threats and security risks, such as: cross-site scripting (XSS) attacks, SQL injection, directory traversals, and other web vulnerabilities. Learn how to proactively identify critical web application vulnerabilities and take corrective actions to minimize risks.

This document discusses various web application security vulnerabilities and methods for mitigating them. It begins by summarizing the OWASP Top 10 list of most critical web application security risks. It then provides examples of different types of injection attacks, cross-site scripting, broken authentication and session management issues. The document also discusses insecure cryptographic storage, insufficient transport layer protection and other vulnerabilities. It emphasizes the importance of input and output validation, as well as proper encoding to prevent attacks. The OWASP ESAPI framework is presented as a tool to help developers address many of these security issues.

This document summarizes the top ten web hacking techniques of 2013 as identified by WhiteHat Security. It provides brief descriptions of each technique, including Mutation XSS, BREACH, Pixel Perfect Timing Attacks with HTML5, Lucky 13, weaknesses in the RC4 encryption algorithm, XML Out of Band Data Retrieval, creating a million browser botnet, large-scale detection of DOM-based XSS, Tor Hidden Service passive decloaking, and HTML5 hard disk filler attacks. The document also provides background on the individuals and organization presenting this information.

video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users. The top attacks in 2010 include: • 'Padding Oracle' Crypto Attack • Evercookie • Hacking Auto-Complete • Attacking HTTPS with Cache Injection • Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution • Universal XSS in IE8 • HTTP POST DoS • JavaSnoop • CSS History Hack In Firefox Without JavaScript for Intranet Portscanning • Java Applet DNS Rebinding Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.

This document discusses the Heartbleed vulnerability in OpenSSL and its potential impacts. Heartbleed is a bug in the OpenSSL cryptography library that exposes the contents of the server's memory, including private keys and user session cookies. An attacker can exploit Heartbleed to steal sensitive data from vulnerable servers or impersonate services. The vulnerability had widespread implications because OpenSSL is used to secure a majority of websites. While patching servers and changing passwords addressed direct theft of information, Heartbleed also weakened the security of encrypted communications and online identities.

This document provides an introduction to web security and the browser security model. It discusses goals of web security including safely browsing the web and supporting secure web applications. It outlines common web threat models and covers topics like HTTP, rendering content, isolation using frames and same-origin policy, communication between frames, frame navigation policies, client state using cookies, and clickjacking. The document aims to provide background knowledge on how the web and browsers work from a security perspective.

The document discusses cross-site scripting (XSS) vulnerabilities. It defines XSS as allowing malicious scripts to be served to users from a vulnerable website. There are different types of XSS vulnerabilities including those without storage and with storage of malicious scripts on the website. The document provides examples of XSS vulnerabilities and discusses how they can be used to steal user credentials and track users. It also outlines challenges in preventing XSS vulnerabilities.

Jeremiah Grossman and T.C. Niedzialkowski presented on the dangers of JavaScript malware exploiting vulnerabilities to hack intranet websites from outside the network. They demonstrated how JavaScript malware can steal browser history, fingerprint servers, and change router passwords by exploiting vulnerabilities like cross-site scripting and cross-site request forgery. The presentation recommended hardening websites by validating input, protecting sensitive functionality, finding vulnerabilities through assessments, and using web application firewalls.

Web Application Security: The Land that Information Security Forgot Today, the vast majority of those within information security have heard about web application security and posses at least a vague understanding of the risks involved. However, the multitude of attacks which make this area of security important, for the most part, go undocumented, unexplained and misunderstood. As a result, our web applications become undefended and at the mercy of a determined attacker. In order to gain a deeper understanding of the threats, witnessing these attacks first hand is essential. Make no mistake, insecure and unprotected web applications are the fastest, easiest, and arguably the most utilized route to compromise networks and exploit users. What's worse is that conventional security measures lack the proper safeguards and offer little protection, resulting in nothing more than a "false sense of security". This discussion will cover theory surrounding some of the more dangerous web application attacks, examples of the attack in action, and possible countermeasures. Founder and chairman of WhiteHat Security, and former information security officer with Yahoo!. As information security officer at Yahoo!, Jeremiah was designing, auditing, and penetration-testing the huge company's web applications which demand highest security. During his past 5 years of employment, Jeremiah has been researching and applying information security with special emphasis on prevention of web application sabotage. Grossman has presented "Web Application Security" talks at many security conventions such as the Defcon, Air Force and Technology Conference, ToorCon, and others. Jeremiah is a lead contributor to the "Open Web Application Security Project" www.owasp.com and considered to be among the foremost web security experts.

This document summarizes an upcoming presentation on browser exploitation techniques. It will discuss previous episodes on the topic, the state of cross-site scripting (XSS) vulnerabilities, a new type of non-persistent global or URL-based XSS, exploiting mobile devices through multiple technologies like SMS and Bluetooth, and demonstrating exploitation using tools like BeEF and Metasploit. The presentation aims to show how easily a browser can be attacked and to change perceptions of XSS vulnerabilities.

The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.

The open source TodoMVC project implements a Todo application using popular JavaScript MV* frameworks. Some of the implementations add support for compile to JavaScript languages, module loaders and real time backends. This presentation will demonstrate a TodoMVC implementation which adds support for the forthcoming W3C Web Cryptography API, as well as review some key cryptographic concepts and definitions. Instead of storing the Todo list as plaintext in localStorage, this "secure" TodoMVC implementation encrypts Todos using a password derived key. The PBKDF2 algorithm is used for the deriveKey operation, with getRandomValues generating a cryptographically random salt. The importKey method sets up usage of AES-CBC for both encrypt and decrypt operations. The final solution helps address item "A6-Sensitive Data Exposure" from the OWASP Top 10. With the Web Cryptography API being a recommendation in 2014, any Q&A time will likely include browser implementations and limitations, and whether JavaScript cryptography adds any value.

With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs. But how to do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky. In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy! Topics Covered: 1. Security Concerns for Modern Web Apps 2. Cookies, The Right Way 3. Session ID Problems 4. Token Authentication to the rescue! 5. Angular Examples

The document discusses various techniques for hacking client-side insecurities, including discovering clients on the internet and intranet, attacking client-side through JavaScript jacking and pluggable protocol handlers, exploiting cross-site request forgery vulnerabilities, and fingerprinting clients through analysis of HTTP headers and browser information leaks. The presentation aims to demonstrate these hacking techniques through examples and a question/answer session.

There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. Vendors are incentivized to report everything they possible can, even issues that rarely matter. On the other hand, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what’s happening every day.

This document provides an analysis of the attack surface for 19 major healthcare organizations based on data collected by Bit Discovery from public sources on the internet. It includes statistics on each organization's total assets, domain names, cloud assets, use of content delivery networks, certificate authorities, expired certificates, geographic distribution, private IP addresses, WordPress vulnerabilities, and recommendations for building a security program around mapping the attack surface.

Paubox SECURE @ Home 2020 Virtual Healthcare Cybersecurity & Innovation Conference October 21 - 22, 2020 https://www.paubox.com/blog/jeremiah-grossman-confirmed-to-speak-at-paubox-secure/ https://try.paubox.com/paubox-secure-2020