This document discusses cryptography and security in Adobe Experience Manager (AEM). It introduces the presenters Damien Antipa and Antonio Sanso and defines cryptography. It then discusses encryption, integrity protection, and different cryptographic techniques like AES, RSA, HMAC, and JSON Web Tokens. The document also covers use cases for AEM like encapsulating tokens and preventing CSRF attacks. It explains how CSRF protection works transparently in AEM using JSON Web Tokens signed with an HMAC key to ensure integrity and allow caching.
Integrity protection for third-party JavaScriptFrancois Marier
Modern web applications depend on a lot of auxiliary scripts which are often hosted on third-party CDNs. Should an attacker be able to tamper with the files hosted on such a CDN, millions of sites could be compromised. Web developers need a way to guarantee the integrity of scripts hosted elsewhere.
This is the motivation behind a new addition to the web platform being introduced by the W3C: sub-resource integrity (http://www.w3.org/TR/SRI/). Both Firefox and Chrome have initial implementations of this new specification and a few early adopters such as Github are currently evaluating this feature.
The document discusses automating the app lifecycle using the Windows Azure Service Management API. It provides an overview of the API and how it can be used to programmatically manage deployments, configurations, and scaling of apps hosted on Windows Azure. Key points include that the API allows creating, updating, and deleting deployments via RESTful HTTP requests, supports certificate-based authentication, and enables building automation tools for continuous integration, deployment, and monitoring of Azure apps. Examples are given of how the API could be used for staged deployments, in-place upgrades, and automatic scaling of roles.
The document discusses the OWASP Top Ten Project, which focuses on improving application security. It provides an overview of the top 10 security risks, including failure to restrict URI access, insecure communications, insecure cryptographic storage, broken authentication/sessions, information leakage, cross-site request forgery, insecure direct object references, malicious file execution, injection flaws, and cross-site scripting. For each risk, it offers brief explanations and recommendations for mitigation.
This document discusses WebSockets in Ruby in 5 minutes. It introduces WebSockets and the WebSocket API. It then summarizes how to implement a Ruby WebSocket server using the EM-WebSocket library and a Ruby WebSocket client using the Web-Socket-Ruby library. It also discusses how to implement a JavaScript WebSocket client. Finally, it discusses some use cases for WebSockets like chat, games, and real-time notifications and encourages experimenting with building a chat, whiteboard, or todo list application.
This document contains information about various tools and frameworks for working with Microsoft Azure including: ASP.NET MVC, Web API, and Razor which are open source; the Project Kudu GitHub repository; installing Azure tools and libraries via Composer, Pear, NPM, Pip, Gem and Maven; and using the Azure cross-platform command line interface tool.
Windows Azure - Cloud Service Development Best PracticesSriram Krishnan
This document discusses best practices for developing cloud services on Windows Azure. It recommends:
1. Storing state in Windows Azure storage and using loose coupling between components through queues to improve reliability given unreliable networks and hardware failures.
2. Versioning schemas and using rolling upgrades to minimize downtime when deploying updates.
3. Separating code and configuration, using configurable logging and alerts, to aid in debugging when things go wrong in the cloud.
This document discusses profiling PHP applications to improve performance. It recommends profiling during development to identify inefficiencies. The document introduces Xdebug for profiling PHP code and Webgrind, a PHP frontend for visualizing Xdebug profiles. It provides an example of profiling a sample PHP application, identifying issues, making code changes, and verifying performance improvements through re-profiling.
Given at YAPC::EU 2012
Dancer + WebSocket + AnyEvent + Twiggy
This in *not* a talk about doing a hello world in Dancer, as there are plenty of it. This is a real-life example of using Dancer to address a problem in an elegant and powerful way
At $job, we have cpan mirrors. We want them to stay a bit behind the real CPAN for stability, but we have a tool to update modules from the real CPAN to our mirrors. Cool.
I wanted to have a web interface to trigger it, and monitor the injection. This problem is not a typical one (blog, wiki, CRUD, etc). Here we have a long running operation that shall happen only one at a time, that generates logs to be displayed, with states that need keeping. In this regard, it's interesting to see how Dancer is versatile enough to address these situations with ease.
This talk details how I did that, the technology I used, and the full source code (which is quite short). I used Dancer + WebSocket + AnyEvent + Twiggy + some other stuff.
This talk doesn't require any particular knowledge beyond basic Perl, and very basic web server understanding.
This document discusses mitigating cross-site scripting (XSS) attacks in PHP. It describes XSS as when an attacker injects scripts into a web application's output that are then executed by a user's browser. The dangers of unmitigated XSS include stolen cookies, deployed trojans, and stolen user data. PHP provides functions like htmlentities(), htmlspecialchars(), get_magic_quotes_gpc(), stripslashes(), and mysql_real_escape_string() to sanitize input and prevent XSS. Examples are given showing how these functions can neutralize dangerous code by converting HTML tags to entities. The document also discusses setting the HttpOnly attribute in PHP to prevent client-side scripts from accessing protected
In the last few years, a number of new security features have become available to web developers (e.g. Content Security Policy, Strict Transport Security) and a few more are coming up this year (e.g. Referrer Policy, Subresource Integrity). In addition to getting familiar with these, a number of recent high-profile bugs in the SSL/TLS protocol and implementations have forced developers to learn more about TLS ciphers and to start worrying about mixed content on their pages.
As a browser vendor and a member of the W3C WebAppSec working group, Mozilla is busy extending the web platform to provide the tools and features that developers and users need in 2015. This talk will give an overview of the security and privacy landscape on the web as well as pointers to what developers need to know to secure their applications.
https://2015.rmll.info/security-and-privacy-on-the-web-in-2015?lang=en
Weird new tricks for browser fingerprintingRoel Palmaers
This document discusses new browser fingerprinting techniques that can track users across devices and browsers to evade ad blocking. It describes how abusing HTTP Public Key Pinning, HTTP Strict Transport Security, and Content Security Policy can be used to fingerprint users based on timing differences between first-time and repeated site visits. Specifically, it shows how measuring the latency of an HTTP to HTTPS redirect allows distinguishing if a user has visited a site before or not. This fingerprint can persist across cookie clearing and identifies users in new ways that are harder for blocking tools to prevent.
10 Excellent Ways to Secure Your Spring Boot Application - The Secure Develop...Matt Raible
Spring Boot is an excellent way to build Java applications with the Spring Framework. If you’re developing apps that handle sensitive data, you should make sure they’re secure. This session will cover HTTPS, dependency checking, CSRF, using a CSP to prevent XSS, OIDC, password hashing, and much more! You’ll learn how to add these features to a real application, using the Java language you know and love.
YouTube: https://www.thesecuredeveloper.com/post/10-excellent-ways-to-secure-your-spring-boot-application
Blog post: https://developer.okta.com/blog/2018/07/30/10-ways-to-secure-spring-boot
Cheat sheet: https://snyk.io/blog/spring-boot-security-best-practices/
Socket.IO is a real-time application framework that provides bi-directional communication between web clients and servers through websockets. It allows for low-latency communication and events to be sent and received between clients and servers. The Socket.IO API provides simple methods for attaching event listeners and emitting events on both the client and server sides to enable real-time applications.
This document discusses websockets and the Ratchet PHP library for implementing websockets. It begins with an introduction to websockets and their benefits over traditional HTTP connections. It then discusses browser support, introduces the Ratchet library, and provides an example of the basic implementation which involves setting up a server, implementing a message component interface, and handling real-time messaging. Some difficulties of websockets like security and latency are also mentioned. Code examples and references are provided at the end.
An overview of the Node.JS platform from a security perspective. Offers guidance on how to secure node apps, as well as ways to test them as an infosec professional. Presented at Rochester Security Summit 2015.
Node Day - Node.js Security in the EnterpriseAdam Baldwin
This document discusses Node.js security in the enterprise. It covers communicating security priorities between technical and business teams, gathering intelligence on vulnerabilities, and implementing technical controls like linting, testing, shrinkwrapping dependencies, and retire.js to detect vulnerable modules. It emphasizes that enterprises are responsible for vetting all dependencies and that the greatest vulnerability is often developers, so peer review is important.
The document discusses practical exploitation techniques used by penetration testers and red teams. It outlines the speaker's background as a senior red teamer who breaks into various systems like mainframes, bank accounts, SCADA systems, and web applications. The speaker defines practical exploitation as applying techniques, tactics, and procedures to accomplish objectives within a targeted engagement. The speaker then demonstrates three exploits: 1) Using a Linux pivot to exploit MS08_067 on Windows, 2) Exploiting a Rails vulnerability to steal credentials using Mimikatz on Windows, and 3) Using a Windows pivot to exploit DistCC on Linux via WinRM on IIS. The speaker emphasizes patching vulnerabilities and not enabling services like WinRM on DMZ
Puppet Camp NYC 2014: Safely storing secrets and credentials in Git for use b...Puppet
"Safely Storing Secrets and Credentials in Git for use by
Puppet: The BlackBox Project" presented by Thomas A. Limoncelli, Stack Exchange at Puppet Camp NYC 2014
Tips on how to deal with legacy code, techniques and patterns. Including stuffs from Adam Tornhill, Michel Feathers, Simon Brown and Dan North.
From presentation at Websteps Kompetensbio November 2015.
This document introduces cryptography concepts like encryption, integrity protection, and digital signatures. It discusses how Adobe Experience Manager (AEM) implements cryptography to encrypt tokens and protect against CSRF attacks. Specifically, AEM uses JSON Web Tokens (JWTs) to encapsulate tokens, signs them with an HMAC key for integrity, and includes the token in non-GET requests to prevent CSRF without requiring changes to application code or dependencies on server-side sessions. Developers do not need to handle the CSRF token explicitly in their JavaScript code.
This document summarizes Antonio Sanso's presentation on vulnerabilities in OAuth 2.0 implementations. It discusses the history and components of OAuth 1.0 and 2.0. Sanso then outlines some common vulnerabilities in OAuth 2.0, including open redirects due to improper validation of redirect URIs, authorization code reuse attacks, and access token leakage via URI spoofing. He emphasizes that OAuth 2.0 itself does not provide security and vulnerabilities can arise if implementations do not follow best practices.
This document discusses implementing OAuth functionality in Adobe Experience Manager (AEM). It begins with an introduction to OAuth and the traditional "OAuth dance" authorization code grant flow. It then covers implementing an OAuth server and client, including how to register an OAuth client and consent screen in AEM. It also discusses using JSON Web Tokens and extending AEM's OAuth APIs to protect custom APIs and content.
OAuth Hacks A gentle introduction to OAuth 2 and Apache OltuAntonio Sanso
The document provides an introduction to OAuth 2.0 and the Apache Oltu framework for implementing OAuth in Java. It discusses the traditional OAuth authorization code grant "dance" involving a client, authorization server, and resource server. It also summarizes some common attacks like confused deputy and redirect URI exploitation. The document concludes with an overview of OAuth 2.0 for server to server authorization without user consent.
Dynamic Components using Single-Page-Application Concepts in AEM/CQNetcetera
This document summarizes a presentation on developing dynamic components in AEM using single-page application concepts. It discusses how traditional approaches to dynamic components can be tricky when components need to communicate and update frequently. An SPA approach treats each component as a module that handles its own data fetching and updating independently via AJAX calls. On page load, the server returns only static markup and components get dynamic data by making POST requests to a controller returning JSON. This allows for perceived faster interactions and easier front-end/back-end separation compared to full page reloads. Examples demonstrate rendering templates, initialization scripts, and a sample controller class to retrieve and return dynamic component data.
This document discusses API security and provides examples of common API attacks and defenses. It covers API fingerprinting and discovery, debugging APIs using proxies, different authentication methods like basic auth, JWTs, and OAuth, and risks of attacking deprecated or development APIs. Specific attacks explained include parameter tampering, bypassing JWT signature validation, OAuth login flows being vulnerable to CSRF, and chaining multiple issues to perform account takeovers. The document emphasizes the importance of API security and provides mitigation strategies like input validation, secret management, rate limiting, and updating old APIs.
Case Studies and Lessons Learned from SSL/TLS Certificate Verification Vulner...JPCERT Coordination Center
Recently we’ve seen many vulnerabilities related to improper certificate validation. Those vulnerabilities come from developers’ ignorance or misunderstanding of basic knowledge of certificate validation or insufficient testing of validation code. This presentation starts with the basics of the certificate validation process, surveys several vulnerabilities in the real world, and concludes with lessons learned from real-world vulnerabilities.
This is presented on JavaOne2015.
How LinkedIn changed its security model in order to offer an APILinkedIn
LinkedIn changed its security model from a simple permission-based model to a more complex role-based access control (RBAC) model to allow third-party partners to access its API on behalf of LinkedIn members. It also adopted an Amazon-style authorization approach for its API that signs requests rather than using expiring session IDs. Finally, it extended these concepts to its website by signing browser cookies in the same manner.
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
The document provides an overview of reviewing modern JavaScript applications for security. It discusses how JavaScript is used widely, common frameworks like React and Angular, and tools for analyzing JavaScript like ESLint. It also covers real-world examples of vulnerabilities like cross-site scripting and remote code execution. The talk emphasizes embracing developer tools and best practices like code reviews and linting to identify security issues in JavaScript applications.
This document discusses security best practices for Django web applications. It begins by introducing the author and their background in Python, Django, and computer security. It then covers common web vulnerabilities and attacks like information disclosure, input validation issues, session hijacking, and denial of service. Throughout, it provides recommendations for how to configure Django and code defensively to mitigate these risks, such as using parameterized queries, input sanitization, secure sessions, and cross-site request forgery protection. It emphasizes adopting a layered security approach and being vigilant about updates and monitoring.
Von JavaEE auf Microservice in 6 Monaten - The Good, the Bad, and the wtfs...André Goliath
This document summarizes a talk about transitioning from JavaEE monoliths to microservices architecture in 6 months. It discusses the reasons for moving to microservices (faster development and deployment, lower costs), and the challenges including organizing configuration, communication between services, and deployment. It then outlines the steps taken to implement microservices at a company, including setting up continuous integration, using Spring Boot and Cloud, and establishing vertical feature teams to overcome organizational barriers. The key lessons are that the transition does not require a "big bang", can start with a single service, and works best by automating the development and deployment process from development to production.
Top Ten Tips For Tenacious Defense In Asp.Netalsmola
The document provides 10 tips for securing ASP.NET applications. It discusses common web attacks like cross-site request forgery and session fixation, and defenses against them such as using secret tokens and regenerating session IDs. It also covers proper use of cryptography, input validation, authorization, cookies, password security, and restricting application trust levels.
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
Vault is a tool for centrally managing secrets like passwords, API keys, and certificates. It addresses the problem of "secrets sprawl" where credentials are stored insecurely in multiple places like source code, emails, and configuration files. Vault centralizes secrets management, provides access control and auditing, and generates unique short-lived credentials to reduce risk if a secret is compromised. It also supports encrypting sensitive data for additional protection. Implementing Vault involves deciding where it will run, who will manage encryption keys, which secrets it will store, where audit logs will go, and who will operate and configure the system on an ongoing basis.
Top Ten Proactive Web Security Controls v5Jim Manico
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Let's face it, the web can be a dangerous place. So how do you protect your users and yourself? Tony Amoyal answers that and more as he shows how Rails can help protect against miscreants.
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
"Through cooperation between browser vendors and standards bodies in the recent past, numerous standards have been created to enforce stronger client-side control for web applications. As web appsec practitioners continue to shift from mitigating vulnerabilities to implementing proactive controls, each new standard adds another layer of defense for attack patterns previously accepted as risks. With the most basic controls complete, attention is shifting toward mitigating more complex threats. As a result of the drive to control for these threats client-side, standards such as SubResource Integrity (SRI), Content Security Policy (CSP), and HTTP Public Key Pinning (HPKP) carry larger implementation risks than others such as HTTP Strict Transport Security (HSTS). Builders supporting legacy applications actively make trade-offs between implementing the latest standards versus accepting risks simply because of the increased risks newer web standards pose.
In this talk, we'll strictly explore the risks posed by SRI, CSP, and HPKP; demonstrate effective mitigation strategies and compromises which may make these standards more accessible to builders and defenders supporting legacy applications; as well as examine emergent properties of standards such as HPKP to cover previously unforeseen scenarios. As a bonus for the breakers, we'll explore and demonstrate exploitations of the emergent risks in these more volatile standards, to include multiple vulnerabilities uncovered quite literally during our research for this talk (which will hopefully be mitigated by d-day)."
(Source: Black Hat USA 2016, Las Vegas)
The document summarizes the OWASP 2013 top 10 list of web application security risks. It provides descriptions and examples for each of the top 10 risks: 1) Injection, 2) Broken Authentication and Session Management, 3) Cross-Site Scripting (XSS), 4) Insecure Direct Object References, 5) Cross-Site Request Forgery (CSRF), 6) Security Misconfiguration, 7) Sensitive Data Exposure, 8) Missing Function Level Access Control, 9) Using Components with Known Vulnerabilities, and 10) Unvalidated Redirects and Forwards. Protection strategies are also outlined for each risk.
APIDays Australia - Openresty for scaleSteven Cooper
As CTO of a rapid growth FinTech one of my biggest challenges is rebuilding the platform to scale elastically plus still allowing for the rapid development and integration of core platform functionality. Even for fast prototyping and design Openresty allows for the quick integration for mobile and web services that can integrate with almost any database or stateless program logic allowing for faster than normal deployment and event geo based load balancing. Utilising NGINX ill show some of the ways i am overcoming some of the challenges by building a developer focused api platform that will allow the quick and easy deployment of new services while still maintaining the functionality needed by modern REST API design techniques. Also we will be looking at some of the additional functionality available to the Openresty suite including Machine Learning (which can be used for API error handling), QR code handling and API tempting and authentication. http://au.apidays.io/abstracts.html#2747a1f1
This document discusses the Play web framework and provides an overview of its key features and benefits. It then outlines a plan to build a sample application from scratch to demonstrate Play's capabilities. The application aims to validate a problem before building a product, in line with the Lean Startup methodology. The session concludes with references for further reading on Play and web development.
Jon McCoy - AppSec-USA-2014 Hacking C#(.NET) Applications:Defend by Designjonmccoy
This document outlines a presentation on securing .NET/C# applications. It discusses designing defendable systems through layered defenses, segmentation, and establishing a common security language between different teams. Examples are provided of strong versus weak software designs. The importance of security user stories and testing is emphasized to prevent vulnerabilities like SQL injection.
Rails security: above and beyond the defaultsMatias Korhonen
- The document discusses securing Rails web applications by improving on the framework's default security settings.
- It emphasizes using HTTPS to encrypt traffic, securing certificates with tools like Let's Encrypt, and strengthening configurations using the Mozilla SSL Configuration Generator.
- Content Security Policies provide an added layer of security by restricting what content can be loaded from external sources, reducing vulnerabilities, though they require careful configuration.
- HTTP Public Key Pinning can lock users out if misconfigured, so caution is advised. Overall, the talk provides guidance on tightening security beyond Rails defaults.
1. So, you wanna crypto (in AEM)
Damien Antipa (@visiongeist)
Antonio Sanso (@asanso)
Adobe Research Switzerland
2. Who are these guys BTW
Damien Antipa
Senior UX Engineer Adobe Research Switzerland
3. Who are these guys BTW
Antonio Sanso
Software Engineer Adobe Research Switzerland
Committer and PMC Member for Apache Sling
VP (Chair) for Apache Oltu (OAuth Protocol Implementation in Java)
Internet Bug Bounty, Google Security Hall of Fame, Facebook Security
Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll
19. CSRF – How does the attack work?
POST http://bank.com/transfer.do HTTP/1.1
acct=BOB&amount=100
The Attack (Mallory Page)
<form action="http://bank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value=”ANTONIO"/>
<input type="hidden" name=amount" value="100000"/>
<input type="submit" value=”Show pictures"/>
</form>
Browsers make requests (with cookies) to any other origin
20. CSRF – AEM <= 6.0 Protection
Apache Sling Referrer Filter
White list of allowed referrer
for
POST/PUT/DELETE operations
Q. IS IT SAFE ? A. YES
22. CSRF – Token (Classic solution)
- Include a hidden form field
<form action="http://bank.com/transfer.do" method="POST">
...
<input type="hidden" name="csrfToken" value=“ewqakjdsa”/>
</form>
- Store the token server side in a database
- Check if the token match
- Not cachable !
- Not scalable !
23. Goals of the CSRF implementation
★
- Easy to use
- Transparent to application code
- No dependencies
- Auto refresh
- Available on author and publish
- No leakage to other domain
- Browser support
- IE8+
- Scalable and Cacheable
- No sticky sessions
- No HTTP Sessions
24. How to use it in a project
If you are building an admin UI based on Granite, you need to do:
NOTHING - we include it for you
If you are building an independent or public facing login, you to:
you need to add granite.csrf.standalone client library
In both scenarios your Javascript code does NOT need to do
anything or be aware of the CSRF token.
25. Ensure Integrity and Caching
- Use JSON Web Token
- Sign using system HMAC key
- Validate the token using standard JWT validation
- Short expiration time
- Asynchronous update
http://localhost:4502/libs/granite/csrf/token.json
26. Covered Communication
- HTML forms. Make sure the synchronous POST includes the TOKEN
- Make sure all non-GET AJAX calls include the token
- “Asynchronous” file upload for legacy IE.
Make sure that form submissions to dynamically created
iFrames include the TOKEN.
do not want to bore you with the details but in case you are wondering…
for instance for the AJAX call we patched the XMLHttpRequest prototype. and add a HTTP Request header
As an app dev you can simply ignore this, you can keep using jQuery etc.
(this is simplified code)
globalToken includes the token