The document describes a methodology for discovering vulnerabilities in a fictional application with a microservices architecture. It involves mapping out all APIs, endpoints, subdomains and requests to extract a comprehensive list. Parameters are then fuzzed on all combinations to find unintended behaviors like old or unused endpoints exposing more data than intended, or endpoints making internal calls that can be exploited through server-side request forgery or path traversal. Examples are given of similar vulnerabilities discovered in real applications, such as an unused JSON API leaking private user data, path traversal through internal API calls, and account hijacking through improper protection of authentication keys.
Ekoparty 2017 - The Bug Hunter's Methodology - bugcrowd
The document outlines a methodology for effectively finding security vulnerabilities in web applications through bug hunting. It covers discovery techniques like using search engines and subdomain enumeration tools. It then discusses mapping the application by directory brute forcing and vulnerability discovery. Specific vulnerability classes covered include XSS, SQLi, file uploads, LFI/RFI, and CSRF. The document provides resources for each vulnerability type and recommends tools that can help automate the testing process.
Dirty Little Secrets They Didn't Teach You In Pentest Class v2 - Rob Fuller
This talk (hopefully) provides some new pentesters tools and tricks. Basically a continuation of last year’s Dirty Little Secrets they didn’t teach you in Pentest class. Topics include: OSINT and APIs, certificate stealing, F**king with Incident Response Teams, 10 ways to psexec, and more. Yes, mostly using metasploit.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
How to steal and modify data using Business Logic flaws - Insecure Direct Obj... - Frans Rosén
This document discusses insecure direct object references (IDOR), which occur when a developer exposes references like file or database keys without access control. This allows attackers to access unauthorized data by manipulating the references. The document provides examples of IDOR vulnerabilities found in Twitter, Oculus, Square, Zapier, and WordPress. It emphasizes having a generic access control model, using user IDs instead of numeric IDs, and thoroughly reviewing code to prevent IDOR issues.
Time based CAPTCHA protected SQL injection through SOAP-webservice - Frans Rosén
Frans Rosén of Detectify discusses SQL injection techniques through a SOAP webservice. He provides steps to create a proof of concept attack with as few requests as possible to find vulnerable storefronts. Examples are given of time-based SQL injection payloads using substring, ascii, and sleep functions to retrieve the username and potentially other information about the target host. A link is also provided to a paper on SQL injection optimization and obfuscation techniques.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to JavaScript. See also http://brutelogic.com.br/blog
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour - Soroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
This talk shares the various techniques I found whilst building the XSS cheat sheet. It contains auto executing vectors, AngularJS CSP bypasses and dangling markup attacks.
A Hacker's perspective on AEM applications security - Mikhail Egorov
Mikhail Egorov gave a presentation on security vulnerabilities in Adobe Experience Manager (AEM) applications. He discussed three vulnerabilities - CVE-2019-8086, CVE-2019-8087, and CVE-2019-8088 - which involved XML external entity injection, JavaScript code injection, and ways to exploit them. He explained the technical details of each vulnerability and provided examples of payloads and steps required for exploitation. Egorov concluded by recommending keeping AEM updated, blocking anonymous write access to certain paths, and removing demo content to help prevent security issues.
The document provides an overview of key features and capabilities of Burp Suite, a popular web application security testing tool. It discusses how to configure Burp Suite for optimal performance, techniques for proxying and filtering traffic, exploiting vulnerabilities using the intruder tool, passive and active scanning with the scanner, replaying requests with the repeater, crawling sites with the spider, analyzing tokens with the sequencer, decoding responses with the decoder, comparing responses with the comparer, searching with engagement tools, extending functionality with extender, maintaining the state of assessments, and references for additional learning. The document is intended to help users get started with Burp Suite and leverage its full capabilities as a "pro."
General WAF detection and bypassing techniques. The main focus is to demonstrate how to take the right approach to analysing the behaviour of a web application firewall and then create test cases to bypass it.
The document discusses Server Side Request Forgery (SSRF), including what it is, different types (blind and basic), ways to exploit it like bypassing filters and chaining vulnerabilities, tools that can be used for detection, and two case studies of SSRF vulnerabilities found in the wild. The first case involves using an SSRF to retrieve internal data and then storing malicious HTML in a generated PDF. The second case was an unauthenticated blind SSRF in a Jira OAuth authorization controller that was exploited through a malicious Host header.
This document provides an overview of a presentation on integrating additional data sources into the Elastic Logstash and Kibana (ELK) stack. It discusses using Security Onion for log collection and analysis and integrating vulnerability assessment data and host configuration data into ELK for enhanced security incident response. Examples are given of using Bro logs, Nmap scans, and Nessus/OpenVAS reports to query for related events and behaviors. Methods for collecting and parsing process and system information are also outlined.
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example - Anna Klepacka
Web Applications Hacking – Ruby on Rails example.
Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies for code injection.
Nowadays REST APIs are behind every mobile application and nearly all web applications. As such, they bring a wide range of possibilities for communication and integration with a given system. But with great power comes great responsibility. This talk aims to provide general guidance related to API security assessment and covers common API vulnerabilities. We will look at an API interface from the perspective of a potential attacker.
I will show:
* how to find hidden API interfaces
* ways to detect available methods and parameters
* fuzzing and pentesting techniques for API calls
* typical problems
I will share several interesting cases from public bug bounty reports and personal experience, for example:
* how I got various credentials with one API call
* how to cause DoS by running Garbage Collector from API
This document discusses the Heartbleed bug in OpenSSL and the creation of LibreSSL as a more secure alternative. It notes that 17% of HTTPS servers were vulnerable to Heartbleed, which allowed attackers to steal passwords, credit cards, and other private data from server memory. LibreSSL was created to have fewer lines of code, modern coding practices, and fewer portability workarounds than OpenSSL to address bugs like Heartbleed. The document emphasizes fixing bugs quickly and not reinventing standard library functions.
FOXX - a Javascript application framework on top of ArangoDB - ArangoDB Database
This document discusses ArangoDB Foxx, a feature of ArangoDB that allows developers to define REST APIs and build single page web applications directly against the ArangoDB database using JavaScript. Foxx allows defining controllers with routes, parameterizing routes, generating documentation, and structuring models. It aims to provide a streamlined way for front-end developers to interface directly with the database without overhead typically involved in separating concerns across servers. The document outlines several Foxx features and capabilities including authentication, asset handling, and sharing code through a repository.
Hypermedia: The Missing Element to Building Adaptable Web APIs in Rails - Toru Kawamura
RubyKaigi 2014
http://rubykaigi.org/2014/presentation/S-ToruKawamura
Japanese enlarged version: http://www.slideshare.net/tkawa1/rubykaigi2014-hypermedia-the-missing-element-enlarged-ja
RoR Workshop - Web applications hacking - Ruby on Rails example - Railwaymen
Web Applications Hacking – Ruby on Rails example. Attack web applications by using SQL attacks, CSRF, XSS. You will learn how to extract information by generating API json / xml and how to use cookies for code injection.
Reliable and fast security audits - The modern and offensive way - Mohan Gandhi
The document discusses web application security testing. It introduces web application penetration testing and the OWASP Top 10 security vulnerabilities like injection and XSS. It provides examples of SQL injection vulnerabilities and how to exploit URLs. It discusses how to prevent these vulnerabilities through input validation, output encoding and using parameterized queries. It also covers session management vulnerabilities and the importance of authentication and authorization for application resources.
Serverless in production, an experience report (Going Serverless) - Yan Cui
1. The document discusses best practices for making serverless applications production ready, including practices around testing, monitoring, logging, configuration management, and continuous integration/deployment.
2. It recommends integrating serverless applications with services like API Gateway, Kinesis, DynamoDB, and SSM Parameter Store and considering practices like centralized logging, distributed tracing, role-based access controls, and parameterizing configurations.
3. The document emphasizes the importance of testing at the unit, integration, and end-to-end/acceptance levels and having automated testing and deployment pipelines to catch errors and deploy changes quickly and reliably.
This document discusses various techniques for finding and exploiting vulnerabilities during a penetration test when vulnerabilities are marked as "low" or "medium" in severity. It argues that penetration testers and clients should not rely solely on vulnerability scanners and should thoroughly investigate even lower severity issues. Specific techniques mentioned include exploiting default credentials on services like VNC, exploiting exposed admin interfaces found through tools like Metasploit, taking advantage of browsable directories with backups or other sensitive files, exploiting SharePoint misconfigurations, exploiting HTTP PUT or WebDAV configurations, exploiting Apple Filing Protocol, and exploiting trace.axd to view request details in .NET applications. The document emphasizes finding overlooked vulnerabilities and keeping "a human in the mix" rather than full reliance
This document discusses building awesome APIs in Grails. It covers various features that make an API awesome, including using JSON payloads, adhering to REST principles, predictable and consistent responses, stable versions, intuitive URI and response structures, flexible responses through partial responses, filtering, and customized responses. It provides examples of designing an API for a phone shopping application, including potential resources, features, endpoints, versioning, response structures, formats, and more. It demonstrates how to implement many of these features in Grails through domain modeling, controllers, URL mappings, custom marshallers, and other Grails features.
Presented by Vivek Thuravupala, Software Engineer @ Postman, at a joint meetup at Walmart, BLR, on 28th April.
Abstract: We'll talk about the exploding usage of APIs and why security shouldn't be an afterthought when it comes to designing and building APIs. We'll also run through some concrete examples illustrating common pitfalls encountered while design/building.
About the speaker: Vivek builds stuff for the web, and he's been swimming around in various tech ponds since he was a kid. At Postman, he keeps an eye on a bunch of the user-facing products.
Serverless in production, an experience report (JeffConf) - Yan Cui
This document provides an experience report on getting serverless applications ready for production. It discusses several important considerations for production readiness including testing, monitoring and alerting, configuration management, security, and continuous integration/delivery pipelines. The document also shares lessons learned from rebuilding several services using a serverless approach at Skype and the cost savings and velocity gains achieved.
Caleb Sima is the founder and CTO of SPI Dynamics, a security company. He has over 11 years of experience in security and is a frequent speaker on topics like exploiting web security vulnerabilities and hacking web applications. The document discusses various web application vulnerabilities like SQL injection, cross-site scripting, and session hijacking, and provides examples of exploiting these vulnerabilities on real websites.
This document discusses building websites using Node.ACS, which allows developing and publishing Node.js apps to the cloud. It provides an overview of Node.ACS and steps for installing, creating, and publishing a simple website using Node.ACS, including using an MVC framework and sessions. Examples of configuration files, controllers, and views are also included.
A quick guide for setting up Appcelerator's Node.ACS and examples on how to build three different types of websites/APIs. Code can be found at:
https://github.com/ricardoalcocer/acs_key_value_store
https://github.com/ricardoalcocer/nodeacs_sample_website
The top 10 security issues in web applications are:
1. Injection flaws such as SQL, OS, and LDAP injection.
2. Cross-site scripting (XSS) vulnerabilities that allow attackers to execute scripts in a victim's browser.
3. Broken authentication and session management, such as not logging users out properly or exposing session IDs.
4. Insecure direct object references where users can directly access files without authorization checks.
5. Cross-site request forgery (CSRF) that tricks a user into performing actions they did not intend.
6. Security misconfiguration of web or application servers.
7. Insecure cryptographic storage of passwords or sensitive data.
8
This document summarizes integrating the OpenNMS network monitoring platform with modern configuration management tools like Puppet. It discusses using Puppet to provision and automatically configure nodes in OpenNMS from Puppet's configuration data. The authors provide code for pulling node data from Puppet's REST API and generating an XML file for OpenNMS to import the nodes and their configuration. They also discuss opportunities to further improve the integration by developing a Java object model for Puppet's YAML output and filtering imports based on node attributes.
Building CI/CD Pipelines for Serverless Applications - SRV302 - re:Invent 2017
Building and deploying serverless applications introduces new challenges for developers whose development workflows are optimized for traditional VM-based applications. In this session, we discuss a method for automating the deployment of serverless applications running on AWS Lambda. We first cover how you can model and express serverless applications using the open-source AWS Serverless Application Model (AWS SAM). Then, we discuss how you can use CI/CD tooling from AWS CodePipeline and AWS CodeBuild, and how to bootstrap the entire toolset using AWS CodeStar. We will also cover best practices to embed in your deployment workflow specific to serverless applications.
You will also hear from iRobot about its approach to serverless deployment. iRobot will share how it achieves coordinated deployments of microservices, maintains long-lived and/or separately-managed resources (like databases), and red/black deployments.
Response & Safe AI at Summer School of AI at IIITH
Talk covering guardrails, jailbreaks, the alignment problem, RLHF, the EU AI Act, machine and graph unlearning, bias, inconsistency, probing, and interpretability.
A brief introduction to how a quadcopter (drone) works. It provides an overview of flight stability, dynamics, the general control system block diagram, and the electronic hardware.
Software Engineering and Project Management - Introduction to Project Management
Introduction to Project Management: Introduction, Project and Importance of Project Management, Contract Management, Activities Covered by Software Project Management, Plans, Methods and Methodologies, some ways of categorizing Software Projects, Stakeholders, Setting Objectives, Business Case, Project Success and Failure, Management and Management Control, Project Management life cycle, Traditional versus Modern Project Management Practices.
In May 2024, globally renowned natural diamond crafting company Shree Ramkrishna Exports Pvt. Ltd. (SRK) became the first company in the world to achieve GNFZ’s final net zero certification for existing buildings, for its two flagship crafting facilities SRK House and SRK Empire. Initially targeting 2030 to reach net zero, SRK joined forces with the Global Network for Zero (GNFZ) to accelerate its target to 2024, a trailblazing achievement toward emissions elimination.
Introduction to IP address concept - Computer Networking
An Internet Protocol address (IP address) is a logical numeric address that is assigned to every single computer, printer, switch, router, tablet, smartphone or any other device that is part of a TCP/IP-based network.
Types of IP address:
Dynamic means "constantly changing". Dynamic IP addresses aren't more powerful, but they can change.
Static means staying the same. Static. Stand. Stable. Yes, static IP addresses don't change.
Most IP addresses assigned today by Internet Service Providers are dynamic IP addresses. It's more cost effective for the ISP and for you.
Online music portal management system project report.pdf
The iMMS is a unique application that synchronizes both user experience and copyrights while providing services like online music management, legal downloads and artists’ management. There are several other applications available in the market that either provide some specific services or large scale integrated solutions. Our product differs from the rest in that we give more power to the users while remaining within the copyright circle.
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy - HackIT Ukraine
During the session we will go through different methods of exploiting file upload pages in order to trigger Remote Code Execution, SQL Injection, Directory Traversal, DoS, Cross Site Scripting and other web application vulnerabilities, with demo code. Also, we will see things from both the developer's and the attacker's side: what protections developers put in place to mitigate file upload issues by validating the file name, the file Content-Type and the actual file content, and how to bypass them all using 15 techniques!
DNS hijacking using cloud providers – No verification needed - Frans Rosén
This is my talk from OWASP Appsec EU and also Security Fest 2017.
A few years ago, Frans and his team posted an article on Detectify Labs regarding domain hijacking using services like AWS, Heroku and GitHub. These issues still remain and are still affecting a lot of companies. Jonathan Claudius from Mozilla even calls “Subdomain takeover” “the new XSS”. Since then, many tools have popped up to spot these sorts of vulnerabilities. Frans will go through both the currently disclosed and the non-disclosed ways to take control over domains and will share the specific techniques involved.
This document discusses building websites using Node.ACS, which allows developing and publishing Node.js apps to the cloud. It provides an overview of Node.ACS and steps for installing, creating, and publishing a simple website using Node.ACS, including using an MVC framework and sessions. Examples of configuration files, controllers, and views are also included.
A quick guide for setting up Appcelerator's Node.ACS and examples on how to build three different types of websites/APIs. Code can be found at:
https://github.com/ricardoalcocer/acs_key_value_store
https://github.com/ricardoalcocer/nodeacs_sample_website
The top 10 security issues in web applicationsDevnology
The top 10 security issues in web applications are:
1. Injection flaws such as SQL, OS, and LDAP injection.
2. Cross-site scripting (XSS) vulnerabilities that allow attackers to execute scripts in a victim's browser.
3. Broken authentication and session management, such as not logging users out properly or exposing session IDs.
4. Insecure direct object references where users can directly access files without authorization checks.
5. Cross-site request forgery (CSRF) that tricks a user into performing actions they did not intend.
6. Security misconfiguration of web or application servers.
7. Insecure cryptographic storage of passwords or sensitive data.
8
This document summarizes integrating the OpenNMS network monitoring platform with modern configuration management tools like Puppet. It discusses using Puppet to provision and automatically configure nodes in OpenNMS from Puppet's configuration data. The authors provide code for pulling node data from Puppet's REST API and generating an XML file for OpenNMS to import the nodes and their configuration. They also discuss opportunities to further improve the integration by developing a Java object model for Puppet's YAML output and filtering imports based on node attributes.
Building CI/CD Pipelines for Serverless Applications - SRV302 - re:Invent 2017Amazon Web Services
Building and deploying serverless applications introduces new challenges for developers whose development workflows are optimized for traditional VM-based applications. In this session, we discuss a method for automating the deployment of serverless applications running on AWS Lambda. We first cover how you can model and express serverless applications using the open-source AWS Serverless Application Model (AWS SAM). Then, we discuss how you can use CI/CD tooling from AWS CodePipeline and AWS CodeBuild, and how to bootstrap the entire toolset using AWS CodeStar. We will also cover best practices to embed in your deployment workflow specific to serverless applications.
You will also hear from iRobot about its approach to serverless deployment. iRobot will share how it achieves coordinated deployments of microservices, maintains long-lived and/or separately-managed resources (like databases), and red/black deployments.
Frans Rosén Keynote at BSides Ahmedabad
4. FRANS ROSÉN
Rundown
• Imaginary app structure and methodology on breaking it
• Real-life vulnerabilities found using these techniques
• Many ways to do this, this is just one example!
8. Client based micro services
SPA + a lot of JS, doing CORS-requests to different apps:
invoice.example.com
business.example.com
conversation.example.com
api.example.com
Endpoints called from the SPA:
/api/v1/users
/api/v1/users/123
…
/api/v3/invoices
/api/v3/invoices/123
…
/api/v2/messages
/api/v2/messages/123
…
13. API-endpoints per microservice
• invoice.example.com
Found in JS:
/api/v3/invoices
/api/v3/invoices/1234
/api/v3/accounts
/api/v3/accounts/1234
Save to path-lists:
/invoices*
/accounts*
/api
/api/v3
/api/v3/invoices*
/api/v3/accounts*
…
The * tells us it supports direct requests or additional paths for IDs or similar: /invoices/123
16. API-endpoints per microservice
• conversation.example.com
Found in JS:
/api/v2/online
/api/v2/conversations
/api/v2/websocket
Save to path-lists:
/online
/conversations*
/websocket
/api/v2
/api/v2/conversations*
…
18. Continue to curate lists
Find more endpoints:
• Desktop client
• Web-archive
• PHP/Java/Golang-SDKs
• npm/composer/yarn
• Documentation
19. Now we have this
• List of all available endpoints:
/conversations*
/invoices*
/users*
…
• Also separate prefixes:
/api
/api/v3
/api/v2
/api/v1
…
• And all subdomains used:
invoice.example.com
api.example.com
business.example.com
…
22. Now, combine it all:
• Test everything on everything:
subdomain-list * path-prefix-list * path-suffix-list
• Add additional standard fuzz to the suffix-list:
test
"
'
#
…
23. What we might find
• New or old endpoints not in use
Might leak more data than the current one
Example of this happening IRL!
29. What we might find
• New or old endpoints not in use
Might leak more data than the current one
• That the micro-services might connect server-side:
SSRF, path-traversal, bypass query-strings used…
Example of this happening IRL!
35. Sent to v3, error with v1?
/api/v3/invoices/"
{
  "error": "Bad URI: /api/v1/invoices/""
}
36. Possible explanation
Endpoint at /api/v3/invoices/{id} makes an internal call to a different service:
route('/api/v3/invoices/{id}', () => {
  return api.call(`http://internal-api/api/v1/invoices/${id}?token=${userToken}`)
})
43. Path-traversal, reach outside of invoices/
/api/v3/invoices/%2e%2e%2fFUZZ
We know the token is used in the query, so move it to the fragment:
/api/v3/invoices/%2e%2e%2fFUZZ%23
→ internal-api/api/v1/invoices/../FUZZ#
44. Traversing into accounts/ without the token query parameter
/api/v3/invoices/%2e%2e%2faccounts%23
{
  "accounts": [
    {"account": 123, "name": "Other Business", "email": "secret@x.com", "invoices": [
      {"id": 123, "amount": 1100.00 …}
      {"id": 123, "amount": 1100.00 …}
      …
    ]
46. "Path-traversal getting access to all invoice accounts"
We can access all accounts and all their invoices!
48. Ways forward
1. Locate all APIs/micro-services used
2. Extract all API-endpoints we can find
3. Look at other strings in JS-files
49. What we might find
• Keys or tokens expected to be secrets
Third party apps with unclear docs if tokens should be secrets.
Example of this happening IRL!
54. Zendesk SSO-key
• This JSON should be signed with the SSO-key:
{
  "iat": 123,             ← unix timestamp
  "jti": "uuid",          ← random unique ID
  "name": "x",            ← name for user, will be updated
  "email": "x@x.com",     ← email for user, will be updated
  "external_id": "UUID"   ← UserID to hijack account
}
58. Zendesk SSO-key
• Send JWT for UserID you want to hijack:
https://example.zendesk.com/access/jwt?
eYAAA.eYBBB.XXX
• Zendesk will reply with a session as the UserID:
https://example.zendesk.com/hc/en-us?flash_digest=0cbfae0bec0bfea08cbfec0
60. "Account hijack on support panel due to publicly disclosed Zendesk SSO-key"
61. What we might find
• Keys or tokens expected to be secrets
Third party apps with unclear docs if tokens should be secrets.
Another example of this happening IRL!
64.
a = algolia('AFBKDE54',                                 ← App-ID
            '7ace8b8c7fbea78caebcf78ecbfaebca78f');     ← Public API-key: Algolia API-key, intended to be public
idx = a.index('publicdb');                              ← Index name
70. Another index with sensitive data
HTTP/1.1 200 OK
{"result": [
  {"id": 123, "user": "x", "email": "secret@x.com", "phone": "003234234.."},
  …
]}
72. "Emails + phone for all users disclosed due to sensitive data in public AlgoliaDB"
73. What we might find
• Keys or tokens expected to be secrets
Third party apps with unclear docs if tokens should be secrets.
• Secret ENV variables dumped in CI-minification
If any minifications or
Example of this happening IRL!
78. Ways forward
1. Locate all APIs/micro-services used
2. Extract all API-endpoints we can find
3. Look at other strings in JS-files
4. Create wordlists
84. Wordlists!
• For every program:
• Build / combine
• Apply context!
/api/v1/payment
/api/v1/payment-methods
/api/v1/shipping
/api/v1/shipping-methods   ← also add this
86. Ways forward
1. Locate all APIs/micro-services used
2. Extract all API-endpoints we can find
3. Look at other strings in JS-files
4. Create wordlists
5. Fuzz, fuzz, fuzz
87. Fuzz with / without
• All HTTP-methods: POST PATCH DELETE PUT…
• IDs or not: /users/1 vs /users
• / in the end: /payments/ vs /payments
• File extension: users.json vs users
90. Takeaways
• Curate your own context specific wordlists
• Combine with regular fuzzing
• Understand and learn what is being disclosed and how to abuse it.
That’s it, thank you!
Any questions?