Defending Your Frontend

•Télécharger en tant que PPTX, PDF•

0 j'aime•529 vues

Bishan Singh

Technologie Sports

http://www.flickr.com/photos/8164746@N05/2329405200/

http://www.flickr.com/photos/52137170@N00/56206868/

Web Defacement!

Step 1: Victim Clicks Attack Step 2: Victim sees a friendly error
Payload message

Web Defacement: Insert Exploit

Step 1: Attacker inserts Step 2: Wait for victim to visit this
exploit book

Web Defacement: Exploit Analysis

Step 1: Clear current page Step 2: Create a fake page

Stealing Session Cookies 

Step 2: Cookie is sent to
Attacker

Step 3: Attacker hijacks
Step 1: Victim Clicks Attack Victim’s session by adding
Payload stolen cookie to the browser

Steal Passwords 

Step 2: Victim is
forced to re-login

Step 1: Victim Clicks Attack
Payload Step 3: Malicious payload
sends username and
password to Attacker

Steal Passwords: Exploit Analysis

Step 1: Create fake login

Step 2: Publish fake login

DB Compromise :(

Step 2: Victim can’t
Step 1: Attacker shuts DB do anything on the
website. DB is down

What’s the biggest app security issue?

Cross Site Scripting?
SQL / Command Injection?
Malicious URL Redirection?
Malicious File Execution?

Answer: It is temporal.
And this approach, not appropriate

http://www.flickr.com/photos/34838158@N00/3370167184/

OK. Let’s try again.
A better approach.
What’s that single biggest solution?

http://www.flickr.com/photos/14318462@N00/66012169/

What’s that single biggest solution?

Context-sensitive Auto Sanitization
&
Defensive Coding

http://www.flickr.com/photos/55046645@N00/3933514241/

(includes validation and encoding) Sanitization

http://www.flickr.com/photos/37386206@N08/4056667699/

(Use Platforms with) Auto (Sanitization)

http://www.flickr.com/photos/73344134@N00/2366984016/

Context-Sensitive

Click. You can fire XSS with JS URI.. So use solution below

But Evolution Doesn’t stop
No prod auto Web 2.0
solution yet. DOM
Ajax/JSON/
Encode Manually XML
But that’s highly
error prone. Misuse cases

http://www.flickr.com/photos/88442983@N00/1541378785/

Defensive Coding
• Evolution Theory
• E.g. quality code/capability
– document.getElementById('
myAnchor').innerHTML=url;
– YUI().use('node', function
(Y) {
var node =
Y.one('#myanchor');
node.set('text',url);});
• But why do so
– Murphy’s Law
– Mr. Einstein said as well

http://www.flickr.com/photos/diavolo/5870934960/

Yes, takes 2 to tango..

http://www.flickr.com/photos/9737768@N04/3537843322/

Contenu connexe

Similaire à Defending Your Frontend

Web Security - Introduction v.1.3

Oles Seheda

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

JSFestUA

Professional Hacking in 2011

securityaegis

The moment we start creating a website, we’re setting ourselves up for failure later. Bad code creates middle of the night fire drills. Lack of thinking about accessibility gets our employer sued. Not thinking ahead on mobile generates rework. We accept this as the normal course of business – but is there any way we could prevent (or lower) this cost? Is there anything we can learn from the building codes that dictate how our built environment is constructed? We will talk about the lessons of building codes and what we can do today to build more robust web applications and sites, including: - The need for design patterns in websites - The need for patterns in user stories so that we build websites consistently - Baking accessibility into websites comes from putting accessibility into user stories - Planning a web application is different from planning a building, but it does share similar aspects of work - The better we can becoming at creating best practices (building codes) the better we will get at building sites, and the closer we will come to Berners-Lee’s “one web for all” dream Presented at MinneWebCon 2015.

Making the Web Fireproof: A Building Code for Websites

Dylan Wilbanks

AppSecCali - How Credential Stuffing is Evolving

Jarrod Overson

10+ Deploys Per Day: Dev and Ops Cooperation at Flickr

John Allspaw

Phishing with Super Bait Jeremiah Grossman, Founder and CTO, WhiteHat Security The use of phishing/cross-site scripting (XSS) hybrid attacks for financial gain is spreading. ItÕs imperative that security professionals familiarize themselves with these new threats to protect their websites and confidential corporate information. This isn't just another presentation about phishing scams or cross-site scripting. WeÕre all very familiar with each of those issues. Instead, weÕll discuss the potential impact when the two are combined to form new attack techniques. Phishers are beginning to exploit these techniques, creating new phishing attacks that are virtually impervious to conventional security measures. Secure sockets layer (SSL), blacklists, token-based authentication, browser same-origin policy, and monitoring / take-down services offer little protection. Even eyeballing the authenticity of a URL is unlikely to help. By leveraging cross-site scripting, the next level of phishing scams will be launched not from look-alike web pages, but instead from legitimate websites! This presentation will demonstrate how these types of attacks are being achieved. We'll also demonstrate the cutting edge exploits that can effectively turn your browser into spyware with several lines of JavaScript. And, we'll give you the steps you need to take to protect your websites from these attacks.

Phishing with Super Bait

Jeremiah Grossman

How to hide your browser 0-day @ Disobey

Zoltan Balazs

Web PenTest Sample Report

Octogence

Dom XSS: Encounters of the3rd kind

Bishan Singh

6 ways to hack your JavaScript application by Viktor Turskyi

OdessaJS Conf

Thinking Outside the Sand[box]

Juniper Networks

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

securityxploded

Cyphort Labs has discovered an extensive data theft campaign that we have named NightHunter. The campaign, active since 2009, is designed to steal login credentials of users. Targeted applications include Google, Yahoo, Facebook, Dropbox and Skype. Attackers have many options to leverage the credentials and the potential for analyzing and correlating the stolen data to mount highly targeted, damaging attacks.

Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...

Cyphort

Speakers: Matt Johansen, Johnathan Kuskos Language: English Every year the security community produces a stunning number of new Web hacking techniques. Now in its 9th year, the Top 10 Web Hacking Techniques list encourages information and knowledge sharing and recognizes researchers who contribute excellent work. In this talk, we will do a technical deep dive and take you through the Top 10 Web Hacks of 2014, as picked by an expert panel of judges. The full list is available here: https://blog.whitehatsec.com/top-10-web-hacking-techniques-of-2014/ CONFidence: http://confidence.org.pl/pl/

CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos

PROIDEA

Abstracting Features Into Custom Reverse Proxies (Or: Making Better Lemonade From Chaos) Life isn't always simple. We often have to deal with a mishmash of applications, languages, and servers. How can we begin to standardize functionality across this chaos? Custom reverse proxies to the rescue! Using Ruby and EventMachine, learn how you can abstract high-level features and functionality into fast reverse proxies that can improve scalability, save time, and make the world happy. - See how we've applied this across a diverse set of web service APIs to standardize the implementation of authentication, request throttling, analytics, and more. - See how this can save development time, eliminate code duplication, make your team happy, make the public happy, and make you a hero. - See how this can be applied to any TCP-based application for a wide-variety of use cases. - Still think your situation is complicated? Learn about the U.S. Government's plans to standardize API access across the entire federal government. With some reverse proxy magic, this isn't quite as difficult or as foolhardy as it may first sound. It also comes with some nice benefits for both the public audience and government developers.

RubyConf 2012: Custom Reverse Proxies

nickblah

iThome CyberSec2021 Container Security

Jie Liau

(130216) #fitalk potentially malicious ur ls

INSIGHT FORENSIC

This presentation is in English; the announcement (beneath) & talk were in Dutch (NL) OpenTechTalks | Ethisch hacken met Kali Overheden, bedrijven en particulieren worden steeds kwetsbaarder voor aanvallen van black hat hackers, criminelen die de lekken in computers uitbuiten voor geldgewin of louter om schade te veroorzaken. Daartegenover staan de white hat hackers: zij testen computersystemen op fouten en dichten de lekken voordat malafide hackers inbreken. Tijl Deneut (UGent/Howest) geeft een overzicht van welke vormen van cybercriminalteit er bestaan en hoe je je ertegen kunt wapenen. De focus ligt op Kali Linux, een besturingssysteem dat honderden beveiligings- en testprogramma's bundelt. Volgende vragen komen aan bod: hoe installeer je Kali Linux? Hoe kun je in een veilige omgeving testen? Is ethisch hacken eigenlijk wel legaal? Algemene IT-kennis is aangewezen. Achteraf drinken we een glas in het café van Vooruit.

OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)

Avansa Mid- en Zuidwest

Passwords are passé. WebAuthn is simpler, stronger and ready to go

Michael Furman

Similaire à Defending Your Frontend (20)

Web Security - Introduction v.1.3

JS Fest 2019. Виктор Турский. 6 способов взломать твое JavaScript приложение

Professional Hacking in 2011

Making the Web Fireproof: A Building Code for Websites

AppSecCali - How Credential Stuffing is Evolving

10+ Deploys Per Day: Dev and Ops Cooperation at Flickr

Phishing with Super Bait

How to hide your browser 0-day @ Disobey

Web PenTest Sample Report

Dom XSS: Encounters of the3rd kind

6 ways to hack your JavaScript application by Viktor Turskyi

Thinking Outside the Sand[box]

Reversing & Malware Analysis Training Part 9 - Advanced Malware Analysis

Malware’s Most Wanted: NightHunter. A Massive Campaign to Steal Credentials R...

CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos

RubyConf 2012: Custom Reverse Proxies

iThome CyberSec2021 Container Security

(130216) #fitalk potentially malicious ur ls

OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)

Passwords are passé. WebAuthn is simpler, stronger and ready to go

Dernier

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the deployment of external web forms using Jotform for Bonterra Impact Management. This solution can be customized to your organization’s needs and deployed to support the common use cases below: - Intake and consent - Assessments - Surveys - Applications - Program registration Interested in deploying web form automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

Jeffrey Haguewood

DBX First Quarter 2024 Investor Presentation

Dropbox

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

MadyBayot

Strategies for Landing an Oracle DBA Job as a Fresher

Remote DBA Services

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Modernizing Securities Finance: The cloud-native prime brokerage platform transforming capital markets. Madhu Subbu, Managing Director, Head of Securities Finance Engineering Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

apidays

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Corporate and higher education. Two industries that, in the past, have had a clear divide with very little crossover. The difference in goals, learning styles and objectives paved the way for differing learning technologies platforms to evolve. Now, those stark lines are blurring as both sides are discovering they have content that’s relevant to the other. Join Tammy Rutherford as she walks through the pros and cons of corporate and higher ed collaborating. And the challenges of these different technology platforms working together for a brighter future.

Corporate and higher education May webinar.pptx

Rustici Software

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Boost Fertility New Invention Ups Success Rates.pdf

sudhanshuwaghmare1

Scalable LLM APIs for AI and Generative AI Application Development Ettikan Karuppiah, Director/Technologist - NVIDIA Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

apidays

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Artificial Intelligence Chap.5 : Uncertainty

Khushali Kathiriya

MINDCTI Revenue Release Quarter One 2024

MIND CTI

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

A Beginners Guide to Building a RAG App Using Open Source Milvus

Zilliz

Manulife - Insurer Transformation Award 2024

The Digital Insurer

Dernier (20)

GenAI Risks & Security Meetup 01052024.pdf

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...

DBX First Quarter 2024 Investor Presentation

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER

Strategies for Landing an Oracle DBA Job as a Fresher

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Corporate and higher education May webinar.pptx

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Data Cloud, More than a CDP by Matt Robison

Boost Fertility New Invention Ups Success Rates.pdf

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Exploring the Future Potential of AI-Enabled Smartphone Processors

Artificial Intelligence Chap.5 : Uncertainty

MINDCTI Revenue Release Quarter One 2024

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

A Beginners Guide to Building a RAG App Using Open Source Milvus

Manulife - Insurer Transformation Award 2024

Defending Your Frontend

1. http://www.flickr.com/photos/8164746@N05/2329405200/

2. http://www.flickr.com/photos/52137170@N00/56206868/

3. Web Defacement! Step 1: Victim Clicks Attack Step 2: Victim sees a friendly error Payload message

4. Web Defacement: Insert Exploit Step 1: Attacker inserts Step 2: Wait for victim to visit this exploit book

5. Web Defacement: Exploit Analysis Step 1: Clear current page Step 2: Create a fake page

6. Stealing Session Cookies  Step 2: Cookie is sent to Attacker Step 3: Attacker hijacks Step 1: Victim Clicks Attack Victim’s session by adding Payload stolen cookie to the browser

7. Steal Passwords  Step 2: Victim is forced to re-login Step 1: Victim Clicks Attack Payload Step 3: Malicious payload sends username and password to Attacker

8. Steal Passwords: Exploit Analysis Step 1: Create fake login Step 2: Publish fake login

9. DB Compromise :( Step 2: Victim can’t Step 1: Attacker shuts DB do anything on the website. DB is down

10. What’s the biggest app security issue? Cross Site Scripting? SQL / Command Injection? Malicious URL Redirection? Malicious File Execution? Answer: It is temporal. And this approach, not appropriate http://www.flickr.com/photos/34838158@N00/3370167184/

11. OK. Let’s try again. A better approach. What’s that single biggest solution? http://www.flickr.com/photos/14318462@N00/66012169/

12. What’s that single biggest solution? Context-sensitive Auto Sanitization & Defensive Coding http://www.flickr.com/photos/55046645@N00/3933514241/

13. (includes validation and encoding) Sanitization http://www.flickr.com/photos/37386206@N08/4056667699/

14. (Use Platforms with) Auto (Sanitization) http://www.flickr.com/photos/73344134@N00/2366984016/

15. Context-Sensitive Click. You can fire XSS with JS URI.. So use solution below

16. But Evolution Doesn’t stop No prod auto Web 2.0 solution yet. DOM Ajax/JSON/ Encode Manually XML But that’s highly error prone. Misuse cases http://www.flickr.com/photos/88442983@N00/1541378785/

17. Defensive Coding • Evolution Theory • E.g. quality code/capability – document.getElementById(' myAnchor').innerHTML=url; – YUI().use('node', function (Y) { var node = Y.one('#myanchor'); node.set('text',url);}); • But why do so – Murphy’s Law – Mr. Einstein said as well http://www.flickr.com/photos/diavolo/5870934960/

18. Yes, takes 2 to tango.. http://www.flickr.com/photos/9737768@N04/3537843322/

19. Thanks Again….

Defending Your Frontend

Recommandé

Recommandé

Contenu connexe

Similaire à Defending Your Frontend

Similaire à Defending Your Frontend (20)

Dernier

Dernier (20)

Defending Your Frontend