Soumettre la recherche
Mettre en ligne
[Poland] It's only about frontend
•
1 j'aime
•
522 vues
OWASP EEE
Suivre
It's only about frontend. Sergey Belov
Lire moins
Lire la suite
Internet
Signaler
Partager
Signaler
Partager
1 sur 56
Télécharger maintenant
Télécharger pour lire hors ligne
Recommandé
Google chrome presentation
Google chrome presentation
reza jalaluddin
XXE Exposed Webinar Slides: Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD) Full recording here: NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25 https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution. --- Andres Riancho Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications. His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires). Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
Presentation from Zero Nights 2017 - https://2017.zeronights.ru/report/tryuki-dlya-obhoda-csrf-zashhity/.
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
Above are my slides I used during a workshop I conducted at the Moroccan Cyber Security Camp back in May 2017.
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools. PowerPoint File: https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
Flash it baby!
Flash it baby!
Soroush Dalili
http://blog.7-a.org/2013/02/vsa-virtual-scripted-attacker-slides.html
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
Abraham Aranguren
Various techniques of TLS Redirection / Virtual Host Confusion attacks https://github.com/GrrrDog/TLS-Redirection
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
Recommandé
Google chrome presentation
Google chrome presentation
reza jalaluddin
XXE Exposed Webinar Slides: Brief coverage of SQLi and XSS against Web Services to then talk about XXE and XEE attacks and mitigation. Heavily inspired on the "Practical Web Defense" (PWD) style of pwnage + fixing (https://www.elearnsecurity.com/PWD) Full recording here: NOTE: (~20 minute) XXE + XEE Demo Recording starts at minute 25 https://www.elearnsecurity.com/collateral/webinar/xxe-exposed/
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
Abraham Aranguren
This talk will show esoteric web application vulnerabilities in detail, these vulnerabilities would be missed in a quick review by most security consultants, but could lead to remote code execution, authentication bypass and purchasing items in merchants using Paypal as their payment gateway without actually paying. SQL injections are dead, and I don’t care: let's explore the world of null, nil and NULL; noSQL injections; host header injections that lead to phone call audio interception; paypal’s double spent and Rails’ MessageVerifier remote code execution. --- Andres Riancho Andrés Riancho is an application security expert that currently leads the community driven, Open Source, w3af project and provides in-depth Web Application Penetration Testing services to companies around the world. In the research field, he discovered critical vulnerabilities in IPS appliances from 3com and ISS, contributed with SAP research performed at one of his former employers and reported vulnerabilities in hundreds of web applications. His main focus has always been the Web Application Security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants. Andrés has spoken and hold trainings at many security conferences around the globe, like BlackHat (USA and Europe), SEC-T (Sweden),DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland),CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada),PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires). Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated Web Application Vulnerability detection and exploitation.
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
[CB16] Esoteric Web Application Vulnerabilities by Andrés Riancho
CODE BLUE
Presentation from Zero Nights 2017 - https://2017.zeronights.ru/report/tryuki-dlya-obhoda-csrf-zashhity/.
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
Mikhail Egorov
Above are my slides I used during a workshop I conducted at the Moroccan Cyber Security Camp back in May 2017.
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools. PowerPoint File: https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
Flash it baby!
Flash it baby!
Soroush Dalili
http://blog.7-a.org/2013/02/vsa-virtual-scripted-attacker-slides.html
VSA: The Virtual Scripted Attacker, Brucon 2012
VSA: The Virtual Scripted Attacker, Brucon 2012
Abraham Aranguren
Various techniques of TLS Redirection / Virtual Host Confusion attacks https://github.com/GrrrDog/TLS-Redirection
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
GreenD0g
A case study of security features inside the popular python-based web framework, Django. Made by Mohammed ALDOUB (@Voulnet)
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
video demos: http://whitehatsec.com/home/assets/videos/Top10WebHacks_Webinar031711.zip Many notable and new Web hacking techniques were revealed in 2010. During this presentation, Jeremiah Grossman will describe the technical details of the top hacks from 2010, as well as some of the prevalent security issues emerging in 2011. Attendees will be treated to a step-by-step guided tour of the newest threats targeting today's corporate websites and enterprise users. The top attacks in 2010 include: • 'Padding Oracle' Crypto Attack • Evercookie • Hacking Auto-Complete • Attacking HTTPS with Cache Injection • Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution • Universal XSS in IE8 • HTTP POST DoS • JavaSnoop • CSS History Hack In Firefox Without JavaScript for Intranet Portscanning • Java Applet DNS Rebinding Mr. Grossman will then briefly identify real-world examples of each of these vulnerabilities in action, outlining how the issue occurs, and what preventative measures can be taken. With that knowledge, he will strategize what defensive solutions will have the most impact.
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
Jeremiah Grossman
Don't cross the streams.
HTML5 Web Messaging
HTML5 Web Messaging
Mike Taylor
Angular js security
Angular js security
Angular js security
Jose Manuel Ortega Candel
Over 70% of the security issues in Drupal sites are either XSS, CSRF, or SQL Injection. Let's talk about how sites get hacked and how you can write secure Drupal code and maintain security throughout your development process and live maintenance. About the Presenter: Ben Jeavons is a member of the Drupal Security team and co-author of the Drupal Security Report. As an engineer at Acquia he works on the Acquia Network including the security and performance analysis tool, Acquia Insight. Experience Level: Intermediate
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
nyccamp
OWASP Kraków, January 2014
WebView security on iOS (EN)
WebView security on iOS (EN)
lpilorz
OWASP - Open Web Applications Security Project to fundacja której celem jest eliminacja problemów bezpieczeństwa aplikacji. OWASP działa w duchu "open source" i dostarcza narzędzi, informacji i wiedzy pozwalających podnieść poziom bezpieczeństwa aplikacji. W trakcie wykładu przedstawię krótko OWASP Top 10 w wydaniu dla programistów, czyli "Top 10 Proactive Controls" a więc najważniejsze zalecenia pozwalające na uniknięcie kluczowych błędów bezpieczeństwa.
Ten Commandments of Secure Coding
Ten Commandments of Secure Coding
Mateusz Olejarka
* Django is a Web Application Framework, written in Python * Allows rapid, secure and agile web development. * Write better web applications in less time & effort.
Django (Web Applications that are Secure by Default )