1. The document discusses security misconfigurations that can occur when Amazon Cognito is used for user authentication.
2. It describes how an unauthenticated user can obtain temporary AWS credentials from an identity pool, and call AWS services with them, if unauthenticated identities (the "unauth" role) are left enabled.
3. It also explains how an attacker can bypass the intended onboarding path by calling the self-service sign-up API when the user pool does not restrict user creation to administrators, even though the application itself never offers sign-up.
4. Further misconfigurations covered are privilege escalation through user attributes that the app client is allowed to write, and the fact that a user can update their own email attribute and have the new value take effect before it is verified, which can defeat authorization checks keyed on email.
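The four misconfigurations above can be checked offline from the describe-call output. The script below is an added example, not code from the summarized document: its dict layouts and field names follow the boto3 responses of describe_identity_pool, describe_user_pool (the UserPool member) and describe_user_pool_client (the UserPoolClient member), the sample pools and client are constructed, and the AUTHZ_ATTRIBUTES set is a hypothetical list of attributes this application uses for authorization.

```python
"""Offline audit for the Cognito misconfigurations listed above (added example)."""
from __future__ import annotations

# Attributes this (hypothetical) application reads when making authorization
# decisions. A client that may write them can promote itself.
AUTHZ_ATTRIBUTES = {"custom:role", "custom:tenant_id"}


def audit_identity_pool(pool: dict) -> list[str]:
    """Misconfiguration 1: unauthenticated identities enabled. Anyone who knows
    the pool ID can call GetId + GetCredentialsForIdentity and receive
    temporary AWS credentials for the unauth role."""
    findings: list[str] = []
    if pool.get("AllowUnauthenticatedIdentities", False):
        findings.append(
            f"{pool['IdentityPoolId']}: unauthenticated identities enabled; "
            "disable them unless guest access to AWS resources is intended"
        )
    return findings


def audit_user_pool(pool: dict, client: dict, signup_required: bool) -> list[str]:
    """Misconfigurations 2 to 4 on a user pool and one of its app clients."""
    findings: list[str] = []
    pool_id = pool["Id"]

    # 2. Self-service SignUp is open although the application never needs it.
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    if not signup_required and not admin_only:
        findings.append(f"{pool_id}: SignUp API open; set AllowAdminCreateUserOnly")

    writable = set(client.get("WriteAttributes", []))

    # 3. An authorization attribute is client-writable: the user can change it
    #    with UpdateUserAttributes using nothing but their own access token.
    for attr in sorted(writable & AUTHZ_ATTRIBUTES):
        findings.append(
            f"{pool_id}/{client['ClientId']}: authorization attribute {attr} "
            "is in WriteAttributes; remove it from the client's write set"
        )

    # 4. email is client-writable and the new value becomes active before the
    #    verification code is entered, unless the pool keeps the original
    #    value active until verification.
    requires_verification = set(
        pool.get("UserAttributeUpdateSettings", {}).get("AttributesRequireVerificationBeforeUpdate", [])
    )
    if "email" in writable and "email" not in requires_verification:
        findings.append(
            f"{pool_id}: email is client-writable and updates before verification; "
            "add email to AttributesRequireVerificationBeforeUpdate"
        )
    return findings


def email_is_trusted(id_token_claims: dict, allowed_domain: str) -> bool:
    """Application-side guard for misconfiguration 4: the email claim is only
    usable for authorization when the ID token marks it as verified."""
    if id_token_claims.get("email_verified") is not True:
        return False
    email = id_token_claims.get("email", "")
    return "@" in email and email.rsplit("@", 1)[1].lower() == allowed_domain.lower()


# Constructed sample configurations; the IDs are placeholders, not real pools.
WEAK_IDENTITY_POOL = {
    "IdentityPoolId": "us-east-1:00000000-0000-4000-8000-000000000000",
    "AllowUnauthenticatedIdentities": True,
}
WEAK_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": []},
}
WEAK_CLIENT = {"ClientId": "exampleclientid", "WriteAttributes": ["email", "name", "custom:role"]}

HARDENED_USER_POOL = {
    "Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True},
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": ["email"]},
}
HARDENED_CLIENT = {"ClientId": "exampleclientid", "WriteAttributes": ["email", "name"]}

if __name__ == "__main__":
    weak = audit_identity_pool(WEAK_IDENTITY_POOL) + audit_user_pool(
        WEAK_USER_POOL, WEAK_CLIENT, signup_required=False)
    for line in weak:
        print("FINDING:", line)
    print("hardened:", audit_user_pool(HARDENED_USER_POOL, HARDENED_CLIENT, signup_required=False))
```

Against a live account the same functions take the boto3 output directly: the describe_identity_pool response for audit_identity_pool, and the UserPool and UserPoolClient members of the two user-pool describe calls for audit_user_pool. The signup_required flag is the one input the API cannot tell you; it records whether the application actually exposes a sign-up screen.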
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs (Amazon Web Services)
Amazon API Gateway is a fully managed service that makes it easy for developers to create, deploy, secure, and monitor APIs at any scale. In this presentation, you’ll find out how to quickly declare an API interface and connect it with code running on AWS Lambda. Amazon API Gateway handles all of the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management. We will demonstrate how to build an API that uses AWS Identity and Access Management (IAM) for authorization and Amazon Cognito to retrieve temporary credentials for your API calls. We will write the AWS Lambda function code in Java and build an iOS sample application in Objective C.
By leveraging serverless architectures, organisations are building and running modern applications and services with increased agility and simplified scalability—all without managing a single server. Many applications need to manage user identities and support sign-in/sign-up. In this session, we dive deep on how to support millions of user identities, as well as how to integrate with social identity providers and existing corporate directories. We will show the real-world design patterns that AWS customers use to implement authentication and authorisation.
Speaker: Myles Hosford, Security Solutions Architect, Amazon Web Services
Authentication through Claims-Based Authentication (ijtsrd)
Thinking in terms of claims and issuers is a useful way of reasoning about how to secure an application. A claim is bound to its issuer, and a user's claims are accepted only if they were issued by an issuer the application trusts. Authentication and authorization are explicit in claims-based access control (CBAC) compared with other approaches. [1] Pawan Patil, Ankit Ayyar, Vaishali Gatty, "Authentication through Claims-Based Authentication", International Journal of Trend in Scientific Research and Development (IJTSRD), ISSN 2456-6470, Volume 2, Issue 4, June 2018. URL: http://www.ijtsrd.com/papers/ijtsrd15644.pdf and http://www.ijtsrd.com/engineering/software-engineering/15644/authentication-through-claims-based-authentication/pawan-patil
Raleigh DevDay 2017: Managing User Onboarding, Sign-up, Sign-in, Identity and... (Amazon Web Services)
This document provides an overview and summary of Amazon Cognito. It discusses how Cognito can be used to authenticate users, manage user identities, and synchronize user data across devices. It also describes Cognito's features for user sign-up, sign-in, verification, authentication, authorization and managing user profiles. Several sample use cases are presented, such as using Cognito for user management, social login, and employee single sign-on. The document concludes with information on getting started with Cognito.
This document summarizes a workshop on architecting user authentication and authorization in apps using AWS services. The workshop covers Amazon Cognito for user management, authentication, and data synchronization across devices. It provides an overview of Cognito User Pools and Federated Identities, demonstrates an authentication workflow using the services, and discusses how to get started with a sample Angular app.
Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Secur... (Amazon Web Services)
The document discusses securing serverless applications using Amazon API Gateway, AWS Lambda, and Amazon Cognito. It describes how to build a basic 3-tier web app that is fully serverless, add authentication with Amazon Cognito by integrating with Cognito user pools, and implement authorization using AWS Identity and Access Management (IAM) by leveraging Cognito. Key benefits mentioned are that AWS Lambda and API Gateway provide automatic scaling with no infrastructure to manage, while security is improved by making use of IAM through Cognito.
Getting Started with Cognito User Pools - September Webinar Series (Amazon Web Services)
You can now use Amazon Cognito to easily add user sign-up and sign-in to your mobile and web apps instead of worrying about user management, authentication, and sync across platforms and devices. With the User Pools feature, you can create your own user directory that can scale to hundreds of millions of users, and is fully managed so you don’t have to worry about building, securing, and scaling authentication to your apps. In this webinar, we will walk you through adding user sign-up and sign-in to your mobile and web apps.
Learning Objectives:
*Learn to add user sign-up and sign-in to your mobile and web apps quickly and easily
*Authenticate users through social identity providers such as Facebook, Twitter, or Amazon and provide secure access to AWS resources
Managing Identity and Securing Your Mobile and Web Applications with Amazon C... (Amazon Web Services)
Amazon Cognito lets you easily add user sign-up and sign-in to your mobile and web apps. Finding the right identity solution can often be challenging. In this session, we will look at how Cognito can support a wide range of authentication scenarios including customers, employees and systems to help you make the right choices.
Speaker: Stephen Liedig, Solutions Architect, Amazon Web Services
Level: 300
This document discusses certificate authorities (CAs) and provides an example scenario for securing a web server using a CA. It defines a CA as an entity that issues digital certificates for use by other parties in public key infrastructure schemes. There are commercial CAs, as well as CAs run by institutions and governments. The document then describes the process a CA goes through to issue a certificate and how users can verify certificates. It provides a list of common CAs. Finally, it presents a scenario where a web server obtains a server certificate from a CA to secure its SSL port, and clients can obtain client certificates from the CA's website to access the secure site.
Complex architectures for authentication and authorization on AWS (Boyan Dimitrov)
In this talk we discuss key architecture patterns for designing authentication and authorization solutions in complex microservices environments. We focus on the key advantages and capabilities of AWS Cognito User Pools and Federated Identities and explore how this service can address the challenges of implementing client to service, service to service and service to infrastructure auth.
In addition, we discuss patterns and best practices around building a highly available and resilient decentralised authorization solution for microservices environments based on OIDC. We present a simple RBAC implementation together with fine-grained permissions and end to end automation.
1. The implicit grant type is used for public clients such as mobile apps and browser-based web applications, where a client secret cannot be kept confidential. It returns the access token directly to the client instead of an authorization code.
2. The user is redirected to the authorization server to log in and authorize access. If approved, the access token is encoded in the fragment of the redirect URI returned to the client.
3. The client extracts the token from the fragment and uses it to access protected resources, without a separate request to exchange an authorization code for a token. Because the token travels in the redirect URI it can leak through browser history, referrers and any script on the page, so it is issued with a short lifetime and without a refresh token; the OAuth 2.0 Security Best Current Practice now recommends the authorization code grant with PKCE for these clients instead.
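The two redirects side by side, as an added example that is not part of the summarized document: the implicit redirect with the token in the fragment, and the authorization-code redirect with PKCE that replaces it. The authorization endpoint, client_id and redirect_uri are hypothetical placeholders, and the authorization server's side of the exchange is simulated inline so the script runs without a network.

```python
"""Implicit grant vs. authorization code + PKCE (added example, nothing here is
from the summarized slides; endpoint and client values are placeholders)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHZ_ENDPOINT = "https://auth.example.test/oauth2/authorize"  # hypothetical


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def implicit_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """Implicit flow: response_type=token asks the server to place the access
    token directly in the redirect back to the client."""
    params = {"response_type": "token", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_implicit_redirect(redirect: str, expected_state: str) -> str:
    """The token rides in the URL fragment (#...). Browsers do not send the
    fragment to the server, but history, extensions and page scripts see it."""
    frag = parse_qs(urlsplit(redirect).fragment)
    if frag.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect was not started by us")
    if "access_token" not in frag:
        raise ValueError("no access_token in fragment")
    return frag["access_token"][0]


def new_pkce_pair() -> tuple[str, str]:
    """code_verifier (kept by the client) and its S256 code_challenge."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def code_authorize_url(client_id: str, redirect_uri: str, state: str, challenge: str) -> str:
    """Authorization-code flow: only a one-time code comes back in the query
    string; the token itself is fetched in a direct POST to the token endpoint."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def parse_code_redirect(redirect: str, expected_state: str) -> str:
    query = parse_qs(urlsplit(redirect).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return query["code"][0]


def server_checks_verifier(stored_challenge: str, presented_verifier: str) -> bool:
    """What the token endpoint does with code_verifier: recompute S256 and
    compare. A code stolen from the redirect is useless without the verifier."""
    recomputed = _b64url(hashlib.sha256(presented_verifier.encode("ascii")).digest())
    return hmac.compare_digest(recomputed, stored_challenge)


def demo() -> dict:
    """Constructed round trip; the redirects are what the server would issue."""
    state = secrets.token_urlsafe(16)
    # Implicit: the bearer token is exposed in the fragment of the redirect URI.
    implicit_redirect = "https://app.example.test/cb#" + urlencode(
        {"access_token": "demo-token", "token_type": "Bearer", "expires_in": "3600", "state": state})
    token = parse_implicit_redirect(implicit_redirect, state)
    # Code + PKCE: only a code is exposed; the verifier never leaves the client.
    verifier, challenge = new_pkce_pair()
    code_redirect = "https://app.example.test/cb?" + urlencode({"code": "demo-code", "state": state})
    code = parse_code_redirect(code_redirect, state)
    return {"implicit_token": token, "code": code,
            "pkce_ok": server_checks_verifier(challenge, verifier),
            "pkce_wrong_verifier": server_checks_verifier(challenge, "attacker-guess")}


if __name__ == "__main__":
    print(implicit_authorize_url("my-app", "https://app.example.test/cb", "s1"))
    print(code_authorize_url("my-app", "https://app.example.test/cb", "s1", new_pkce_pair()[1]))
    print(demo())
```

The state parameter is checked in both flows; without it an attacker can complete a login in the victim's browser with a token or code of their own choosing.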
Authentication is the process of verifying a user's identity, while authorization determines what a verified user is permitted to do. Common authentication methods for APIs include HTTP basic authentication, bearer tokens, API keys, OAuth 2.0, and OpenID Connect. OAuth 2.0 lets a user grant a third-party application access to their account without sharing their credentials: the authorization server issues tokens that the application presents on its API calls. OpenID Connect builds on OAuth 2.0 to add authentication: alongside the access token the client receives a signed ID token carrying identity claims about the user, which the client must validate (issuer, signature, audience, expiry) before trusting them.
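The validation a relying party performs on an OpenID Connect ID token, as an added example that is not code from any of the documents listed on this page. It covers the token checks behind the OAuth 2.0 / OpenID Connect summary above and the "trusted issuer" rule of the claims-based authentication paper: a claim counts only when an issuer we already know signed it. To run offline the sample tokens are HS256-signed with a key constructed here; real providers such as Cognito sign with RS256 and publish their keys at the issuer's JWKS URL, so only the signature step differs. The issuer URL, audience and key are hypothetical.

```python
"""Relying-party checks on an OpenID Connect ID token (added example; issuer,
audience and key are constructed for the demo, not real)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

# issuer -> (algorithm we expect from that issuer, its key). Both come from
# our own configuration, never from the token being checked.
TRUSTED_ISSUERS: dict[str, tuple[str, bytes]] = {
    "https://idp.example.test": ("HS256", b"constructed-demo-key-not-for-production"),
}
CLIENT_ID = "my-app"  # our client_id; the token's aud must name it


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, issuer: str) -> str:
    """Builds a sample token the way an IdP would (demo helper only). An
    issuer we do not know signs with its own, unrelated key."""
    alg, key = TRUSTED_ISSUERS.get(issuer, ("HS256", b"some-other-issuers-key"))
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({**claims, "iss": issuer}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, audience: str, now: float | None = None,
                    expected_nonce: str | None = None) -> dict:
    """Returns the claims when every check passes, otherwise raises ValueError."""
    try:  # wrong segment count, bad base64 or bad JSON all surface as ValueError
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise ValueError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")

    # 1. Trusted issuer: the key is looked up in OUR table for the claimed
    #    issuer. Unknown issuer, no key, no acceptance.
    issuer = claims.get("iss")
    if issuer not in TRUSTED_ISSUERS:
        raise ValueError(f"untrusted issuer: {issuer!r}")
    expected_alg, key = TRUSTED_ISSUERS[issuer]

    # 2. Algorithm pinned per issuer; the token does not get to choose
    #    (blocks alg=none and algorithm-confusion tricks).
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg")

    # 3. Signature over the exact header.payload bytes that were received.
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 4. Audience: a valid token minted for another client is still not ours.
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")

    # 5. Lifetime, then the nonce that ties the token to our own login attempt.
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("token expired or has no exp")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    return claims


def is_valid(token: str, audience: str, now: float | None = None,
             expected_nonce: str | None = None) -> bool:
    try:
        verify_id_token(token, audience, now, expected_nonce)
        return True
    except ValueError:
        return False


# Constructed sample tokens with a fixed clock so the results are reproducible.
NOW = 1_700_000_000
BASE_CLAIMS = {"sub": "user-123", "aud": CLIENT_ID, "exp": NOW + 300, "nonce": "n-1",
               "email": "alice@example.test", "email_verified": True}
GOOD_TOKEN = mint_id_token(BASE_CLAIMS, "https://idp.example.test")
ROGUE_TOKEN = mint_id_token(BASE_CLAIMS, "https://attacker.example.test")
TAMPERED_TOKEN = GOOD_TOKEN.rsplit(".", 1)[0] + "." + _b64url_encode(b"\x00" * 32)

if __name__ == "__main__":
    print("good   :", verify_id_token(GOOD_TOKEN, CLIENT_ID, NOW, "n-1")["sub"])
    print("rogue  :", is_valid(ROGUE_TOKEN, CLIENT_ID, NOW, "n-1"))
    print("tamper :", is_valid(TAMPERED_TOKEN, CLIENT_ID, NOW, "n-1"))
    print("expired:", is_valid(GOOD_TOKEN, CLIENT_ID, NOW + 600, "n-1"))
```

The order matters: the issuer is read from the not-yet-verified payload only to select which of our configured keys to use, and nothing else from the token is trusted until the signature has been checked with that key.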
Amazon Cognito Public Beta of Built-in UI for User Sign-up/in and SAML Federa... (Amazon Web Services)
Learning Objectives:
-Understand user identity and federation principles and practices
-Learn how Amazon Cognito supports SAML and 3rd party IdP integration
-Demonstrate how to use Amazon Cognito’s built-in UI for user identity management.
App developers need a system to manage the identities of their users for sign-up, sign-in, and access control. Amazon Cognito now provides a public beta of a built-in UI that lets developers add user sign-up and sign-in pages to their application and customize the look and feel of those pages directly from the Amazon Cognito console. Also in the public beta, Amazon Cognito now supports SAML-based federation of user identities for integration with enterprise directory systems, and simplified support for third-party identity providers (IdPs) such as Facebook and Google. This tech talk will provide a brief overview of Amazon Cognito and then discuss the details of the new features and capabilities of the public beta.
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap... (Amazon Web Services)
Ed Lima, a Solutions Architect at AWS, discusses adding user sign-in, user management, and security to mobile and web applications using Amazon Cognito. The presentation covers Amazon Cognito Identity for user authentication and authorization, Cognito User Pools for user management, and how applications can integrate with Cognito. It also demonstrates how Cognito can federate with identity providers and provides sample use cases for business to consumer, business to business, and IoT applications.
How to Find and Fix Broken Authentication Vulnerability (AshKhan85)
In today’s ever-changing digital world, protecting your online presence against vulnerabilities such as broken authentication is critical. Our IT company provides professional Vulnerability Assessment services that detect and handle such security threats, strengthening the defenses of your website.
Our team of professionals navigates through complex authentication vulnerabilities with accuracy and knowledge, giving personalized solutions that protect your digital assets. Our Vulnerability Assessment provides full security against unauthorized access, data breaches, and possible hacking threats, from resolving defective authentication procedures to deploying effective multi-factor authentication.
Partnering with us means committing your online security to experts who are dedicated to reinforcing your digital firewall. Secure the strength of your website and protect important information by utilizing our cutting-edge Vulnerability Assessment services now!
Quality Patents: Patents That Stand the Test of Time
Is your patent a vanity piece of paper for your office wall? Or is it a reliable, defendable, assertable, property right? The difference is often quality.
Is your patent simply a transactional cost and a large pile of legal bills for your startup? Or is it a leverageable asset worthy of attracting precious investment dollars, worth its cost in multiples of valuation? The difference is often quality.
Is your patent application only good enough to get through the examination process? Or has it been crafted to stand the tests of time and varied audiences if you later need to assert that document against an infringer, find yourself litigating with it in an Article 3 Court at the hands of a judge and jury, God forbid, end up having to defend its validity at the PTAB, or even needing to use it to block pirated imports at the International Trade Commission? The difference is often quality.
Quality will be our focus for a good chunk of the remainder of this season. What goes into a quality patent, and where possible, how do you get it without breaking the bank?
** Episode Overview **
In this first episode of our quality series, Kristen Hansen and the panel discuss:
⦿ What do we mean when we say patent quality?
⦿ Why is patent quality important?
⦿ How to balance quality and budget
⦿ The importance of searching, continuations, and draftsperson domain expertise
⦿ Very practical tips, tricks, examples, and Kristen’s Musts for drafting quality applications
https://www.aurorapatents.com/patently-strategic-podcast.html
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo... (Chris Swan)
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
English-language slides presented at the 100% IA event held at the Paris offices of Iguane Solutions on Tuesday, 2 July 2024:
- Presentation of our plug-and-play AI platform: its advanced features, such as its intuitive user interface, its powerful copilot and its high-performance monitoring tools.
- Customer case study: Cyril Janssens, CTO of easybourse, shares his experience of using our plug & play AI platform.
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5-10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Transcript: Details of description part II: Describing images in practice - T...
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
[REPEAT 1] Managing Identity Management, Authentication, & Authorization for ... (Amazon Web Services)
Build a serverless microservices application demonstrating end-to-end authentication and authorization through the use of Amazon Cognito, Amazon API Gateway, AWS Lambda, and all-things AWS Identity and Access Management (IAM). You will build an end-to-end functional app with a secure identity provider showcasing user authentication patterns.
Amazon Cognito is a service that provides authentication, authorization, and user management for web and mobile applications. It allows for user sign-up, sign-in, access control, account recovery, and integration with social identity providers. Cognito User Pools provides built-in user directory and authentication services, while Cognito Identity Pools enables the generation of temporary AWS credentials for application access. Sample use cases include business to consumer apps, business to employee apps, and IoT applications.
Serverless identity management, authentication, and authorization - SDD405-R ... (Amazon Web Services)
"In this workshop, you learn how to build a serverless microservices application demonstrating end-to-end authentication and authorization using Amazon Cognito, Amazon API Gateway, AWS Lambda, and all things IAM. You have the opportunity to build an end-to-end functional app with a secure identity provider showcasing user authentication patterns.
All attendees need a laptop, an active AWS Account, an AWS IAM Administrator, and a familiarity with core AWS services."
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Transcript: Details of description part II: Describing images in practice - T...BookNet Canada
This presentation explores the practical application of image description techniques. Familiar guidelines will be demonstrated in practice, and descriptions will be developed “live”! If you have learned a lot about the theory of image description techniques but want to feel more confident putting them into practice, this is the presentation for you. There will be useful, actionable information for everyone, whether you are working with authors, colleagues, alone, or leveraging AI as a collaborator.
Link to presentation recording and slides: https://bnctechforum.ca/sessions/details-of-description-part-ii-describing-images-in-practice/
Presented by BookNet Canada on June 25, 2024, with support from the Department of Canadian Heritage.
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
7 Most Powerful Solar Storms in the History of Earth.pdfEnterprise Wired
Solar Storms (Geo Magnetic Storms) are the motion of accelerated charged particles in the solar environment with high velocities due to the coronal mass ejection (CME).
Choose our Linux Web Hosting for a seamless and successful online presencerajancomputerfbd
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Em...Erasmo Purificato
Slide of the tutorial entitled "Paradigm Shifts in User Modeling: A Journey from Historical Foundations to Emerging Trends" held at UMAP'24: 32nd ACM Conference on User Modeling, Adaptation and Personalization (July 1, 2024 | Cagliari, Italy)
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
Mitigating the Impact of State Management in Cloud Stream Processing SystemsScyllaDB
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
Quantum Communications Q&A with Gemini LLM. These are based on Shannon's Noisy channel Theorem and offers how the classical theory applies to the quantum world.
1. Hunting For AWS Cognito Security Misconfigurations
Yassine Aboukir (@yassineaboukir)
2. Introduction
Yassine Aboukir (@yassineaboukir)
● Application security consultant.
● Pentester at HackerOne.
● Bug Bounties (since 2014): HackerOne Top 20,
H1-303 MVH & 1st place.
● ex-HackerOne Triage (2017 - 2019).
● Digital nomad (5 years & Over 40 countries).
3. Introduction to AWS Cognito
With Amazon Cognito, you can add user sign-up and sign-in features and control access to your web
and mobile applications.
Amazon Cognito provides an identity store that scales to millions of users, supports social and
enterprise identity federation, and offers advanced security features to protect your consumers and
business.
Source: https://aws.amazon.com/cognito/
4. Introduction to AWS Cognito
Amazon Cognito makes it easier for you to manage user identities, authentication, and permissions. It
consists of two main components:
● User Pools: allow sign-in and sign-up functionality.
● Identity Pools: allow authenticated and unauthenticated users to access AWS resources using
temporary AWS credentials.
5. Introduction to AWS Cognito
Source: https://aws.amazon.com/blogs/mobile/building-fine-grained-authorization-using-amazon-cognito-user-pools-groups/
6. How to tell if an application is using Amazon Cognito?
Look for API calls to the AWS Cognito API endpoints in the HTTP traffic (highlighted in the screenshot):
● Yellow: API calls to the user pool.
● Green: API calls to the identity pool.
7. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
1. Try to fetch temporary AWS credentials using unauthenticated user
To generate AWS credentials, we need to find the Identity Pool ID, which is usually hardcoded in the
source code, in a bundled JS file or in an HTTP response. Other useful information you can find:
● Client ID
● User Pool ID
● Region
8. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
1. Try to fetch temporary AWS credentials using unauthenticated user
Using Burp Suite, search for variations of the following keywords in the HTTP history:
Aws_cognito_identity_pool_id
identityPoolId
cognitoIdentityPoolId
userPoolWebClientId
userPoolId
aws_user_pools_id
These hardcoded IDs aren’t considered sensitive on their own!
9. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
1. Try to fetch temporary AWS credentials using unauthenticated user
The next step is to use the Identity Pool ID to generate an Identity ID. Use the AWS CLI
(https://github.com/aws/aws-cli) as follows:
$ aws cognito-identity get-id --identity-pool-id <identity-pool-id> --region <region>
10. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
1. Try to fetch temporary AWS credentials using unauthenticated user
The next step is to exchange that Identity ID for AWS credentials. Use the AWS CLI as follows:
$ aws cognito-identity get-credentials-for-identity --identity-id <identity-id> --region <region>
11. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
1. Try to fetch temporary AWS credentials using unauthenticated user
Now we can enumerate the permissions associated with these credentials using a tool such as:
● Enumerate-iam: https://github.com/andresriancho/enumerate-iam
● Scout Suite: https://github.com/nccgroup/ScoutSuite
$ ./enumerate-iam.py --access-key <AccessKeyID> --secret-key <SecretKey> --session-token <SessionToken>
12. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
1. Try to fetch temporary AWS credentials using unauthenticated user
You may find all sorts of permissions that allow an unauthenticated user to access AWS services:
● dynamodb.list_backups()
● dynamodb.list_tables()
● lambda.list_functions()
● s3.list_buckets()
● etc.
13. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
If the unauthenticated role is explicitly disabled, you'll receive an error similar to:
NotAuthorizedException: Unauthenticated access is not supported for this identity pool.
14. Security misconfiguration #1: Unauthorized access to AWS
services due to Liberal AWS Credentials
2. Try to fetch temporary AWS credentials using authenticated user
Assuming the unauthenticated role is disabled and you can either sign up or have access to an authenticated
account, observe the HTTP traffic upon successful authentication: the id_token is exchanged for
temporary AWS credentials:
● AccessKeyId
● SecretKey
● SessionToken
15. Security misconfiguration #2: Authentication bypass due to
enabled Signup API action
Applications that do not offer user signup and only support administrative provisioning of accounts could be
vulnerable if the SignUp API action is not disabled.
This includes admin login portals built on AWS Cognito, which allow an authentication bypass as a
result.
16. Security misconfiguration #2: Authentication bypass due to
enabled Signup API action
Self-registration is enabled by default when creating a new user pool.
17. Security misconfiguration #2: Authentication bypass due to
enabled Signup API action
We only need the client ID and region to test self-registration:
$ aws cognito-idp sign-up --client-id <client-id> --username <email-address> --password <password> --region <region>
18. Security misconfiguration #2: Authentication bypass due to
enabled Signup API action
The same request can be sent directly to the Cognito API endpoint; it is identified by the header
X-Amz-Target: AWSCognitoIdentityProviderService.SignUp
19. Security misconfiguration #2: Authentication bypass due to
enabled Signup API action
In case of a successful self-registration, a 6-digit confirmation code will be delivered to the attacker's
email address. You'll need to confirm the account next:
$ aws cognito-idp confirm-sign-up --client-id <client-id> --username <email-address> --confirmation-code <confirmation-code> --region <region>
20. Security misconfiguration #2: Authentication bypass due to
enabled Signup API action
You can also call the Cognito API endpoint directly; the request is identified by the header
X-Amz-Target: AWSCognitoIdentityProviderService.ConfirmSignUp
21. Security misconfiguration #2: Authentication bypass due
to enabled Signup API action
Sometimes you may be able to sign up and register an account that has no user group assigned.
However, you will still be able to obtain temporary AWS credentials, which you can test against liberal
permissions as explained earlier.
22. Security misconfiguration #3: Privilege escalation
through writable user attributes
Attributes are pieces of information that help you identify individual users, such as name, email address,
and phone number. A new user pool has a set of default standard attributes.
23. Security misconfiguration #3: Privilege escalation
through writable user attributes
You can also add custom attributes to your user pool definition in the AWS Management Console.
24. Security misconfiguration #3: Privilege escalation
through writable user attributes
Unless set as read-only, a new custom attribute is writable by default, which allows the user to update
its value.
25. Security misconfiguration #3: Privilege escalation
through writable user attributes
1. Fetching user attributes
To test for this misconfiguration you need to be authenticated; then fetch the available user attributes
using the generated access token (check the Authorization header):
$ aws cognito-idp get-user --region <region> --access-token <access-token>
27. Security misconfiguration #3: Privilege escalation
through writable user attributes
1. Fetching user attributes
Direct API call: X-Amz-Target: AWSCognitoIdentityProviderService.GetUser
Look out for custom attributes such as:
custom:isAdmin
custom:userRole
custom:isActive
custom:isApproved
custom:accessLevel
28. Security misconfiguration #3: Privilege escalation
through writable user attributes
2. Updating user attributes
$ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name=<attribute-name>,Value=<new-value>
Direct API call: X-Amz-Target: AWSCognitoIdentityProviderService.UpdateUserAttributes
30. Security misconfiguration #4: Updating email attribute
before verification
There are scenarios where the user isn't allowed to update their email address due to both client- and
server-side security controls. However, by calling the Cognito API directly, it might be possible to bypass
this restriction:
$ aws cognito-idp update-user-attributes --access-token <access-token> --region <region> --user-attributes Name=email,Value=<new-email-address>
31. Security misconfiguration #4: Updating email attribute before verification
This is especially bad when verification isn't required.
If the email is relied upon for authorization and access control, this results in horizontal and vertical
privilege escalation.
32. Security misconfiguration #4: Updating email attribute before verification
Even with email verification enabled, most applications will update the email attribute value to the
new, unverified email address.
33. Security misconfiguration #4: Updating email attribute before verification
This is bad because the user will still be able to log in and obtain an authenticated access token using
the unverified email address.
Many applications do not check whether email_verified is set to True or False. Therefore, this bypasses
any security control that relies on the email domain for authorization, hence privilege escalation.
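The check the slides above say most applications skip, as an added example that is not part of the talk: an application-side mapping from Cognito token claims to local accounts that keys on the immutable sub claim, consults email only once email_verified is true, and treats a case-insensitive match with another account's address as a collision instead of silently normalising onto it (the situation in the account-takeover case later in this deck). The sub, email and email_verified claims are the standard ones in a Cognito ID token; the account table and subject ids are constructed for the demo.

```python
"""Defensive handling of the Cognito `email` / `email_verified` claims in an
application that maps tokens to local accounts.  Added example, not from the
talk; the account table and subject ids below are constructed for the demo."""


def _is_true(value) -> bool:
    # GetUser returns attribute values as the strings "true"/"false";
    # the ID token carries email_verified as a JSON boolean.  Accept both.
    return value is True or str(value).lower() == "true"


# Constructed local account table, keyed by the immutable Cognito `sub`.
ACCOUNTS = {
    "victim-sub-0001": {"email": "jack@domain.com", "role": "admin"},
    "attacker-sub-0002": {"email": "mallory@example.net", "role": "user"},
}


def resolve_account(claims: dict, accounts: dict = ACCOUNTS) -> dict:
    """Map token claims to a local account.

    1. The lookup key is `sub`, never the e-mail address.
    2. `email` is consulted only when `email_verified` is true.
    3. An e-mail that matches a *different* account case-insensitively is a
       collision and is rejected rather than silently normalised onto it.
    """
    sub = claims.get("sub")
    if not sub or sub not in accounts:
        raise PermissionError("unknown subject")
    account = accounts[sub]
    email = claims.get("email")
    if email is None:
        return account
    if not _is_true(claims.get("email_verified")):
        raise PermissionError("e-mail address not verified")
    for other_sub, other in accounts.items():
        if other_sub != sub and other["email"].casefold() == email.casefold():
            raise PermissionError("e-mail collides with another account")
    return account


def decide(claims: dict, accounts: dict = ACCOUNTS) -> str:
    """Convenience wrapper: 'allow:<role>' or 'deny:<reason>'."""
    try:
        return "allow:" + resolve_account(claims, accounts)["role"]
    except PermissionError as exc:
        return "deny:" + str(exc)


def authorize_by_domain(claims: dict, allowed_domain: str) -> bool:
    """Domain-based authorization (e.g. staff-only features) that refuses to
    trust an unverified address, unlike the applications described above."""
    if not _is_true(claims.get("email_verified")):
        return False
    _, _, domain = claims.get("email", "").rpartition("@")
    return domain.casefold() == allowed_domain.casefold()


if __name__ == "__main__":
    victim = {"sub": "victim-sub-0001", "email": "jack@domain.com", "email_verified": True}
    # Constructed scenario: the other user changed their e-mail to Jack@domain.com
    # via UpdateUserAttributes but never completed verification.
    unverified = {"sub": "attacker-sub-0002", "email": "Jack@domain.com", "email_verified": "false"}
    verified_dup = {"sub": "attacker-sub-0002", "email": "Jack@domain.com", "email_verified": True}
    for c in (victim, unverified, verified_dup):
        print(c["email"], "->", decide(c))
```

The second and third claim sets are both denied: the first because email_verified is not true, the second because, even once verified, the address only differs in case from another account's and so must not be normalised onto it.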
34. Security misconfiguration #4: Updating email attribute before verification
AWS has introduced a new security configuration to mitigate this issue: if
"Keep original attribute value active when an update is pending" is explicitly enabled, the email attribute will
not be updated to the new email address until it is verified.
This security configuration was only introduced after June 2022, which means a lot of
applications might still be misconfigured.
36. Security misconfiguration #4: Updating email attribute before verification
1. The victim's email is jack@domain.com.
2. Updating the email was not possible through the application, but using the Cognito API the researcher managed to
update their email to Jack@domain.com.
Misconfigurations:
● The email attribute is writable, so it is possible to update it via the Cognito API.
● The email attribute is case-sensitive; it could have been set to case-insensitive from the AWS console.
3. The attacker authenticates as Jack@domain.com.
Misconfigurations:
● The email_verified attribute value was not checked to be True.
● "Keep original attribute value active when an update is pending" was not enabled.
4. Flickr normalizes the Jack@domain.com email to jack@domain.com (the victim), resulting in ATO.
37. Recommendations for developers
● Remove sensitive details from server responses, including the Cognito Identity Pool ID.
● Disable SignUp on AWS Cognito if not required.
● Disable the unauthenticated role if not required.
● Review the IAM policies attached to the authenticated and unauthenticated roles to ensure least-privilege
access.
● Evaluate all user attributes and disable write permission where it is not necessary.
● Remember that the email attribute value may hold an unverified email address.
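One way to check a pool against these recommendations without going through the application, as an added example that is not the speaker's tooling: a Python audit over the JSON returned by aws cognito-identity describe-identity-pool, aws cognito-idp describe-user-pool and aws cognito-idp describe-user-pool-client, plus the policy document attached to the unauthenticated role. The field names it reads (AllowUnauthenticatedIdentities, AdminCreateUserConfig.AllowAdminCreateUserOnly, SchemaAttributes[].Mutable, UserAttributeUpdateSettings.AttributesRequireVerificationBeforeUpdate, which is the API name of the console setting quoted on slide 34, UsernameConfiguration.CaseSensitive and the app client's WriteAttributes) are those of the Cognito API; the sample documents are constructed and do not describe a real pool.

```python
"""Offline audit of Amazon Cognito settings against misconfigurations #1-#4
of this deck.  Inputs are the JSON documents returned by
    aws cognito-identity describe-identity-pool --identity-pool-id <id>
    aws cognito-idp describe-user-pool --user-pool-id <id>
    aws cognito-idp describe-user-pool-client --user-pool-id <id> --client-id <id>
plus the policy document of the unauthenticated role.  Added example, not the
speaker's tooling; the documents embedded below are constructed, not real pools."""
import json


def audit_identity_pool(doc: dict) -> list:
    findings = []
    if doc.get("AllowUnauthenticatedIdentities"):
        findings.append("#1 identity pool allows unauthenticated identities")
    return findings


def audit_role_policy(policy: dict, label: str) -> list:
    """Flag Allow statements that grant wildcard actions ("*" or "service:*")."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"#1 {label} role grants wildcard actions {wild}")
    return findings


def audit_user_pool(doc: dict) -> list:
    up = doc.get("UserPool", doc)  # accept the CLI wrapper or the inner object
    findings = []
    if not up.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False):
        findings.append("#2 self-service sign-up is enabled")
    for attr in up.get("SchemaAttributes", []):
        name = attr.get("Name", "")
        if name.startswith("custom:") and attr.get("Mutable", False):
            findings.append(f"#3 custom attribute {name} is mutable")
    verify_first = (up.get("UserAttributeUpdateSettings", {})
                      .get("AttributesRequireVerificationBeforeUpdate", []))
    if "email" not in verify_first:
        findings.append("#4 email attribute changes take effect before verification")
    # Treat a missing setting as case-sensitive (the legacy behaviour).
    if up.get("UsernameConfiguration", {}).get("CaseSensitive", True):
        findings.append("#4 usernames/aliases are case-sensitive")
    return findings


def audit_app_client(doc: dict) -> list:
    client = doc.get("UserPoolClient", doc)
    findings = []
    writable = [a for a in client.get("WriteAttributes", []) if a.startswith("custom:")]
    if writable:
        findings.append(f"#3 app client {client.get('ClientId')} may write {writable}")
    return findings


def audit_all(identity_pool, user_pool, app_client, unauth_policy) -> list:
    return (audit_identity_pool(identity_pool)
            + audit_role_policy(unauth_policy, "unauthenticated")
            + audit_user_pool(user_pool)
            + audit_app_client(app_client))


# --- constructed sample documents (not real pools) -------------------------
SAMPLE_IDENTITY_POOL = json.loads('''{"IdentityPoolId": "us-east-1:00000000-demo",
  "IdentityPoolName": "demo", "AllowUnauthenticatedIdentities": true}''')
SAMPLE_UNAUTH_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SAMPLE_USER_POOL = {"UserPool": {
    "Id": "us-east-1_DEMO",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "UsernameConfiguration": {"CaseSensitive": True},
    "SchemaAttributes": [
        {"Name": "email", "Mutable": True, "Required": True},
        {"Name": "custom:isAdmin", "AttributeDataType": "String", "Mutable": True}],
    "UserAttributeUpdateSettings": {"AttributesRequireVerificationBeforeUpdate": []}}}
SAMPLE_APP_CLIENT = {"UserPoolClient": {"ClientId": "demoappclientid",
    "WriteAttributes": ["email", "custom:isAdmin"]}}

if __name__ == "__main__":
    for line in audit_all(SAMPLE_IDENTITY_POOL, SAMPLE_USER_POOL,
                          SAMPLE_APP_CLIENT, SAMPLE_UNAUTH_POLICY):
        print("FINDING", line)
```

A custom attribute only becomes user-writable when it is mutable in the schema and listed in the app client's write attributes, so the audit reports both; a pool that passes with no findings has admin-only account creation, no unauthenticated identities, no wildcard actions on the unauthenticated role, read-only custom attributes, case-insensitive usernames and email verification required before an update takes effect.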