Slides from a workshop I held on cryptography for web developers. Part 1 is about cryptography in web applications and why you should not mix HTTP and HTTPS. https://blog.hboeck.de/archives/849-Slides-from-cryptography-workshop-for-web-developers.html
The time of purely static or dynamically generated sites is long gone. Non-stop interaction with users is the new normal. However, polling with Ajax requests is processor intensive and cumbersome. WebSockets allow you to interact with users in real time over a single persistent connection, with far less overhead than repeated polling. We'll go through the basics and see all the different options, illustrated with live examples of how and when to use it, as well as when not to use it.
WebSockets allow for full-duplex and low-overhead communication between a client and server. They provide faster and more efficient transmission of data compared to traditional polling techniques. WebSockets are supported in modern browsers and enable use cases such as real-time updates in applications, online games, chat, and data streaming. Popular options for building WebSocket functionality into web and mobile apps include Pusher (a hosted service) and Socket.IO (a library).
Presenter: Lavakumar Kuppan. Abstract: In a mobile application pentest the tester focuses on identifying vulnerabilities in both the mobile app and the backend service the app talks to. However, in a web application pentest the client side is usually ignored and the focus is placed entirely on security issues on the server side. Modern browsers have several capabilities which make the JS code running in the browser almost as complex and powerful as a mobile app, and by extension also prone to serious security issues. Most pentesters remain unaware of these security issues and their severity. DOMGoat is an open source application that is developed primarily to help pentesters understand the various client-side security issues that can occur in the DOM. This includes everything from the several variants of DOM XSS to JavaScript cryptography to client-side data leakage and more. This talk will explain the various security issues that affect the DOM and also show how DOMGoat can be used to learn about these issues.
This document discusses maintaining state in PHP using cookies and sessions. It explains that HTTP is stateless, meaning the server does not remember information from previous requests. Cookies and sessions allow state to be maintained across multiple pages. Cookies are small name-value pairs that the browser stores and sends back with every request to the matching domain; because they live on the client, the user can read and modify them. Sessions keep the data in server-side storage and give the browser only an opaque session identifier (itself normally carried in a cookie), which is why they are more secure than cookies for anything the user must not read or tamper with; the session ID cookie still needs protecting (HttpOnly, Secure, regenerated on login). The document provides examples of how to set, read, and delete both cookies and sessions in PHP to maintain state across web pages.
Responsiveness to user interaction is crucial for users of web apps, and businesses need to be able to measure responsiveness so they can be confident that their users are happy. Unfortunately, users are regularly bogged down by frustrations such as a delayed "time to interactive" during page load, high or variable input latency on critical interaction events (tap, click, scroll, etc.), and janky animations or scrolling. These negative experiences turn away visitors, affecting the bottom line. Sites that include third-party content (ads, social plugins, etc.) are frequently the worst offenders. The culprit behind all these responsiveness issues is "long tasks," which monopolize the UI thread for extended periods and block other critical tasks from executing. Developers lack the necessary APIs and tools to measure and gain insight into such problems in the wild and are essentially flying blind trying to figure out what the main offenders are. While developers are able to measure some aspects of responsiveness, it's often not in a reliable, performant, or "good citizen" way, and it's near impossible to correctly identify the perpetrators. Shubhie Panicker and Nic Jansma share new web performance APIs that enable developers to reliably measure responsiveness and correctly identify first- and third-party culprits for bad experiences. Shubhie and Nic dive into real-user measurement (RUM) web performance APIs they have developed: standardized web platform APIs such as Long Tasks as well as JavaScript APIs that build atop platform APIs, such as Time To Interactive. Shubhie and Nic then compare these measurements to business metrics using real-world data and demonstrate how web developers can detect issues and reliably measure responsiveness in the wild, both at page load and postload, and thwart the culprits, showing you how to gather the data you need to hold your third-party scripts accountable.
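As an added illustration of the attribution the talk describes (this is example code written for this page, not the speakers' code), the function below consumes entries in the shape the Long Tasks API produces (`PerformanceLongTaskTiming` with a `TaskAttributionTiming` list) and splits blocking time between first- and third-party origins. The 50 ms threshold follows the long-task definition; the set of first-party origins and the sample entries are assumptions constructed for the example.

```javascript
// Added example (not from the talk): attribute Long Tasks to first- vs
// third-party origins using the shape of PerformanceLongTaskTiming entries.
// Blocking time follows the Total Blocking Time convention: the part of each
// task beyond 50 ms is what delays input handling.
const BLOCKING_THRESHOLD_MS = 50;

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// entries: array of PerformanceLongTaskTiming-like objects.
// firstPartyOrigins: Set of origins treated as first party (assumption: the
// page's own origin and any subdomains the operator controls).
function attributeLongTasks(entries, firstPartyOrigins) {
  const report = { firstParty: 0, thirdParty: 0, unknown: 0, byOrigin: {} };
  for (const entry of entries) {
    if (entry.entryType !== 'longtask') continue;
    const blocking = Math.max(0, entry.duration - BLOCKING_THRESHOLD_MS);
    // Each long task carries at most one TaskAttributionTiming entry; its
    // containerSrc is the src of the frame that ran the task (empty for the
    // top-level document).
    const attr = (entry.attribution && entry.attribution[0]) || {};
    const origin = attr.containerSrc ? originOf(attr.containerSrc) : null;
    let bucket;
    if (origin === null) {
      // 'self' means the task ran in the page's own context; names such as
      // 'cross-origin-unreachable' or 'multiple-contexts' cannot be pinned to
      // a single origin, so they are reported separately.
      bucket = entry.name === 'self' ? 'firstParty' : 'unknown';
    } else {
      bucket = firstPartyOrigins.has(origin) ? 'firstParty' : 'thirdParty';
      report.byOrigin[origin] = (report.byOrigin[origin] || 0) + blocking;
    }
    report[bucket] += blocking;
  }
  return report;
}

// Browser wiring: a PerformanceObserver feeds real entries to the function above.
// Returns null outside a browser so the module can also be loaded in Node.
function observeLongTasks(firstPartyOrigins, onReport) {
  if (typeof PerformanceObserver === 'undefined') return null;
  const observer = new PerformanceObserver((list) => {
    onReport(attributeLongTasks(list.getEntries(), firstPartyOrigins));
  });
  observer.observe({ entryTypes: ['longtask'] });
  return observer;
}

// Constructed sample entries (not real measurements) in the shape the API produces.
const SAMPLE_ENTRIES = [
  { entryType: 'longtask', name: 'self', startTime: 100, duration: 120,
    attribution: [{ containerType: 'window', containerSrc: '' }] },
  { entryType: 'longtask', name: 'cross-origin-descendant', startTime: 400, duration: 250,
    attribution: [{ containerType: 'iframe', containerSrc: 'https://ads.example.net/frame.html' }] },
  { entryType: 'longtask', name: 'same-origin-descendant', startTime: 900, duration: 80,
    attribution: [{ containerType: 'iframe', containerSrc: 'https://www.example.com/widget' }] },
  { entryType: 'longtask', name: 'multiple-contexts', startTime: 1200, duration: 60,
    attribution: [] },
];

// Runs the attribution over the constructed sample with www.example.com as first party.
function sampleReport() {
  return attributeLongTasks(SAMPLE_ENTRIES, new Set(['https://www.example.com']));
}
```

In a page you would call `observeLongTasks(firstPartyOrigins, report => beacon(report))` and ship the report with your RUM data; the `byOrigin` map is what lets you name the third-party script responsible rather than just measuring that something blocked the thread.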
At a time when corporations and states want to control our online lives and ban encryption, we will dedicate a workshop to safer online communication. We will learn how to use strong passwords and passphrases, use Virtual Private Networks to access the internet, send encrypted emails and add plugins that disable online tracking to our web browsers. LFU, 16 March 2019
Learn what websockets are and how you can build websocket based applications using the GlassFish application server or embed them in your own applications using Grizzly.
WebSockets allow for bidirectional communication between a client and server. They establish a persistent connection that allows real-time data transmission with lower latency than request-response HTTP. Socket.IO adds a compatibility layer on top: it uses a WebSocket where one can be established and falls back to other transports (such as HTTP long polling) where it cannot. The WebSocket protocol itself works by having the client request an upgrade from an HTTP connection; the server replies with 101 Switching Protocols, and from then on the same TCP connection carries a full-duplex channel that stays open.
This document discusses Comet, a technique that uses long-lived HTTP connections to allow asynchronous server-to-client communication and enable real-time updates of web pages. It outlines various Comet techniques like long polling, forever frames, and callback polling. It also discusses servers that support Comet, like Jetty and Twisted Python, and frameworks and protocols like DWR, Juggernaut, and Bayeux. The document concludes with a demo of Comet in action and pointers to additional resources.