SlideShare une entreprise Scribd logo

Breaking The Framework's Core #PHPKonf 2016

Mehmet Ince
Mehmet Ince

Web framework’leri yani web uygulama çatıları günümüz web teknolojisinin en önemli yapı taşlarından bir tanesidir. Yapısında bir çok farklı özelliği barındıran ve web uygulamalarının temeli olan framework'lerin güvenliği son derece önem teşkil eder. Drupal, WordPress, Symfony veya CodeIgniter gibi çok kullanılan açık kaynak sistemlerde tespit edilecek bir güvenlik açığı birbirinden bağımsız onlarca projeyi, kurumu ve sistemi etki alanı içine alır. Bu sunum içeriğinde popüler frameworklerde oluşan zafiyetlerin detaylı analizi ve en sık karşılaşılan yanlış kullanımlar uygulamalı örnekler ile anlatılacaktır.

Logiciels
1  sur  42
InvictusEurope © 2016 Breaking The Framework’s Core Mehmet INCE
WHO AM I Ince, Mehmet Dursun Senior Penetration Tester, Co-founder / Invictus Europe Ordinarily; ● Hack the app. ● Make it secure. ● Hack it again. ● Train the developers, help them to build secure apps. Blogger http://www.mehmetince.net @mdisec
Web Application Framework A web application framework (WAF) is a software framework that is designed to support the development of dynamic websites, web applications, web services and web resources.
InvictusEurope © 2016 Components ● ORM. ● MVC or MVT Architecture ● DRY => (Don't Repeat Yourself) ● Template engine. ● Out of the box customizable Admin Interface for CRUD operations. ● Built-in lightweight web server. ● URL design. ● Middleware. ● Authentication / Authorization schema by default. ● Internationalization. ● Fast development.
InvictusEurope © 2016
InvictusEurope © 2016 One ring to rule them all One ring to bring them all and in the darkness bind them.
InvictusEurope © 2016
InvictusEurope © 2016 Where should we look at ? Encryption, Utils, ORM, Template Engine, Auth Mechanism, ...
InvictusEurope © 2016 Example #1 - Drupal SQL Injection ORM
InvictusEurope © 2016 Example #1 - Drupal SQL Injection ORM User input is array E.g : ids[]=1&ids[]=2&ids[]=3
InvictusEurope © 2016 Example #1 - Drupal SQL Injection ORM User input is array E.g : ids[0); DROP TABLE foo; --]=1&ids[]=2
InvictusEurope © 2016 MySQL prepared statements are limited to a single stacked query. But ?!
InvictusEurope © 2016 Mitigation?
InvictusEurope © 2016 Fix
InvictusEurope © 2016 serialize() ? unserialize() ?
Object Serialization serialize() returns a string containing a byte-stream representation of any value that can be stored in PHP. Using serialize to save an object will save all variables in an object. The methods in an object will not be saved, only the name of the class.
Object Deserialization unserialize() can use this string to recreate the original variable values. If the variable being unserialized is an object, after successfully reconstructing the object PHP will automatically attempt to call the __wakeup() member function (if it exists).
InvictusEurope © 2016 Code Reuse / POP Attacks 1. Payload is not injected into the application. 2. Instead the application, code flow will be hijacked. 3. Pieces of already available code will be executed in an attacker defined order.
Proof of Concept First picture shows Object. php that contains all the classes. Second picture shows Index.php which is the beginning of our poc application.
PAYLOAD
InvictusEurope © 2016
InvictusEurope © 2016 Example #2 - vBulletin Remote Code Execution via PHP Object Injection vBulletin 5.1.x core/vb/api/hook.php Also above function is callable from unauthenticated user through; ajax/api/hook/decodeArguments?arguments=PAYLOAD
InvictusEurope © 2016 OKAY! We have an entry point. What we gonna do ? 1 - Identify start point. 2- Find desirable end point. 3 - Make it rain!
InvictusEurope © 2016 1 - Find __destruct functions. 2 - This one can cause DoS but still useless. (vB_vURL class located at core/vb/vurl.php) 3 - This one is interesting (vB_dB_Result class located at core/vb/db/result.php ) Now, we need to find a class that have free_result() as a function…!
InvictusEurope © 2016 Example #2 - Luck Luckly! one class has this function..! vB_Database class located at core/vb/database.php
PAYLOAD
InvictusEurope © 2016
Moar! Complicated Object chaining
InvictusEurope © 2016 preg_replace!
InvictusEurope © 2016 Find Desirable End point
InvictusEurope © 2016 Zend 1.9 POP Attack Diagram
InvictusEurope © 2016 Result - PHP Object Injection “usually” easy to detect, - Not easy to exploit. - Do NOT use serialize() / unserialize() with untrusted inputs. - Instead use json_encode and json_decode - Keep up to date! Your framework and components -
InvictusEurope © 2016 Abusing PHP Template Engines Twig, Smarty, ….
InvictusEurope © 2016 Twig
InvictusEurope © 2016 Input as a Template Code
InvictusEurope © 2016 Don’t be fool..! It’s not an XSS. Server-Side Template Injection seems like a XSS but it’s NOT. It’s more dangerous...
InvictusEurope © 2016 RTFM
Moar! RFTM We are able to access env class through self object on templates, so we can call functions of Twig_Environment class.
InvictusEurope © 2016 PoC
InvictusEurope © 2016 Security is a serious business.
InvictusEurope © 2016 Final Words - Before development, - Risk assessments. - Architecture security overview. - SDLC ..? - Development phase, - Every single data is under the hacker control. - Validate input as much as possible - Never ever forget to do “encoding” in templates. - - Deployment phase, - Secure deployment pipeline ..? - Maintenance, - UPDATE your servers, services, packages, everything you have. Just keep UPDATING. - 3rd parties bug tracker. - During your life, - RTFM
THANK YOU Ince, Mehmet Dursun Senior Penetration Tester, Co-founder / Invictus Europe @mdisec mehmet.ince@invictuseurope.com mehmet@mehmetince.net http://www.mehmetince.net

Recommandé

Wordpress security
Wordpress securityWordpress security
Wordpress securityMehmet Ince
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Criando aplicações RestFul com Zend Framework 2
Criando aplicações RestFul com Zend Framework 2Criando aplicações RestFul com Zend Framework 2
Criando aplicações RestFul com Zend Framework 2Elton Minetto
 
Intro to Angular.js & Zend2 for Front-End Web Applications
Intro to Angular.js & Zend2 for Front-End Web ApplicationsIntro to Angular.js & Zend2 for Front-End Web Applications
Intro to Angular.js & Zend2 for Front-End Web ApplicationsTECKpert, Hubdin
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guidesecurityxploded
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasuresn|u - The Open Security Community
 

Recommandé

Wordpress security
Wordpress securityWordpress security
Wordpress securityMehmet Ince
 
How to secure web applications
How to secure web applicationsHow to secure web applications
How to secure web applicationsMohammed A. Imran
 
Secure Programming In Php
Secure Programming In PhpSecure Programming In Php
Secure Programming In PhpAkash Mahajan
 
[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+Csrf[Php Camp]Owasp Php Top5+Csrf
[Php Camp]Owasp Php Top5+CsrfBipin Upadhyay
 
Criando aplicações RestFul com Zend Framework 2
Criando aplicações RestFul com Zend Framework 2Criando aplicações RestFul com Zend Framework 2
Criando aplicações RestFul com Zend Framework 2Elton Minetto
 
Intro to Angular.js & Zend2 for Front-End Web Applications
Intro to Angular.js & Zend2 for Front-End Web ApplicationsIntro to Angular.js & Zend2 for Front-End Web Applications
Intro to Angular.js & Zend2 for Front-End Web ApplicationsTECKpert, Hubdin
 
Reversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guideReversing & malware analysis training part 1 lab setup guide
Reversing & malware analysis training part 1 lab setup guidesecurityxploded
 
Anti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and CountermeasuresAnti-Virus Evasion Techniques and Countermeasures
Anti-Virus Evasion Techniques and Countermeasuresn|u - The Open Security Community
 
The state of JavaScript Linting - English version
The state of JavaScript Linting - English versionThe state of JavaScript Linting - English version
The state of JavaScript Linting - English versionMichael Kühnel
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...securityxploded
 
Dependency Injection and Autofac
Dependency Injection and AutofacDependency Injection and Autofac
Dependency Injection and Autofacmeghantaylor
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)securityxploded
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)Anatoliy Okhotnikov
 
PHPCS (PHP Code Sniffer)
PHPCS (PHP Code Sniffer)PHPCS (PHP Code Sniffer)
PHPCS (PHP Code Sniffer)Oleksii Prohonnyi
 
Common Sofftware Errors
Common Sofftware ErrorsCommon Sofftware Errors
Common Sofftware ErrorsRebecca Craine
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Enginesc0c0n - International Cyber Security and Policing Conference
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kitssecurityxploded
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroSteven Pignataro
 
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)Maarten Balliauw
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
20151117 es lint
20151117 es lint20151117 es lint
20151117 es lintNakajima Shigeru
 
Reverse Engineering Project
Reverse Engineering ProjectReverse Engineering Project
Reverse Engineering ProjectNicole Gaehle, MSIST
 
Introduction to Zend Framework
Introduction to Zend FrameworkIntroduction to Zend Framework
Introduction to Zend FrameworkMichelangelo van Dam
 
Flashack
FlashackFlashack
Flashackn|u - The Open Security Community
 
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Yosuke HASEGAWA
 
Spring boot competitive tests
Spring boot competitive testsSpring boot competitive tests
Spring boot competitive testsSkillPracticalEdTech
 
Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Sebastián Guerrero Selma
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 

Contenu connexe

Tendances

The state of JavaScript Linting - English version
The state of JavaScript Linting - English versionThe state of JavaScript Linting - English version
The state of JavaScript Linting - English versionMichael Kühnel
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...securityxploded
 
Dependency Injection and Autofac
Dependency Injection and AutofacDependency Injection and Autofac
Dependency Injection and Autofacmeghantaylor
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)securityxploded
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Barry Dorrans
 
Common Sofftware Errors
Common Sofftware ErrorsCommon Sofftware Errors
Common Sofftware ErrorsRebecca Craine
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionBart Leppens
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroSteven Pignataro
 
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)Maarten Balliauw
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Yosuke HASEGAWA
 

Tendances (20)

The state of JavaScript Linting - English version
The state of JavaScript Linting - English versionThe state of JavaScript Linting - English version
The state of JavaScript Linting - English version
 
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
Advanced Malware Analysis Training Session 11 - (Part 2) Dissecting the Heart...
 
Dependency Injection and Autofac
Dependency Injection and AutofacDependency Injection and Autofac
Dependency Injection and Autofac
 
Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)Defeating public exploit protections (EMET v5.2 and more)
Defeating public exploit protections (EMET v5.2 and more)
 
Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10Don't get stung - an introduction to the OWASP Top 10
Don't get stung - an introduction to the OWASP Top 10
 
Php web app security (eng)
Php web app security (eng)Php web app security (eng)
Php web app security (eng)
 
PHPCS (PHP Code Sniffer)
PHPCS (PHP Code Sniffer)PHPCS (PHP Code Sniffer)
PHPCS (PHP Code Sniffer)
 
Common Sofftware Errors
Common Sofftware ErrorsCommon Sofftware Errors
Common Sofftware Errors
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
Anatomy of Exploit Kits
Anatomy of Exploit KitsAnatomy of Exploit Kits
Anatomy of Exploit Kits
 
Owasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF SessionOwasp AppSecEU 2015 - BeEF Session
Owasp AppSecEU 2015 - BeEF Session
 
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven PignataroJoomla! Day Chicago 2011 Presentation - Steven Pignataro
Joomla! Day Chicago 2011 Presentation - Steven Pignataro
 
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
Fun with ASP.NET MVC 3, MEF and NuGet (#comdaybe)
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
20151117 es lint
20151117 es lint20151117 es lint
20151117 es lint
 
Reverse Engineering Project
Reverse Engineering ProjectReverse Engineering Project
Reverse Engineering Project
 
Introduction to Zend Framework
Introduction to Zend FrameworkIntroduction to Zend Framework
Introduction to Zend Framework
 
Flashack
FlashackFlashack
Flashack
 
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
Bypass SOP, Theft Your Data - XSS Allstars from Japan / OWASP AppSec APAC 2014
 
Spring boot competitive tests
Spring boot competitive testsSpring boot competitive tests
Spring boot competitive tests
 

Similaire à Breaking The Framework's Core #PHPKonf 2016

How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )Katy Slemon
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsMunir Njiru
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric WarfareWill Schroeder
 
WordCamp LA 2014- Writing Code that Scales
WordCamp LA 2014- Writing Code that ScalesWordCamp LA 2014- Writing Code that Scales
WordCamp LA 2014- Writing Code that ScalesSpectrOMTech.com
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Cysinfo Cyber Security Community
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
#nullblr bachav manual source code review
#nullblr bachav manual source code review#nullblr bachav manual source code review
#nullblr bachav manual source code reviewSantosh Gulivindala
 
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)CSCJournals
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays cMatthewTennant613
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays cAnastaciaShadelb
 
15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays cUMAR48665
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil FrameworkVeilFramework
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxSuman Astani
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdfMalware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdfAbhijit Mohanta
 

Similaire à Breaking The Framework's Core #PHPKonf 2016 (20)

Help Doctor, my application is an onion!
Help Doctor, my application is an onion!Help Doctor, my application is an onion!
Help Doctor, my application is an onion!
 
How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )How to Make Your NodeJS Application Secure (24 Best Security Tips )
How to Make Your NodeJS Application Secure (24 Best Security Tips )
 
Automation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploitsAutomation of web attacks from advisories to create real world exploits
Automation of web attacks from advisories to create real world exploits
 
Call ringout app
Call ringout appCall ringout app
Call ringout app
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
WordCamp LA 2014- Writing Code that Scales
WordCamp LA 2014- Writing Code that ScalesWordCamp LA 2014- Writing Code that Scales
WordCamp LA 2014- Writing Code that Scales
 
Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1Advanced malwareanalysis training session2 botnet analysis part1
Advanced malwareanalysis training session2 botnet analysis part1
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
#nullblr bachav manual source code review
#nullblr bachav manual source code review#nullblr bachav manual source code review
#nullblr bachav manual source code review
 
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
Dynamic Multi Levels Java Code Obfuscation Technique (DMLJCOT)
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c15.3 Student Guide Web Application Tool TimeOverviewTodays c
15.3 Student Guide Web Application Tool TimeOverviewTodays c
 
15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c15.3 student guide web application tool time overviewtodays c
15.3 student guide web application tool time overviewtodays c
 
The State of the Veil Framework
The State of the Veil FrameworkThe State of the Veil Framework
The State of the Veil Framework
 
The Veil-Framework
The Veil-FrameworkThe Veil-Framework
The Veil-Framework
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 
Vulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptxVulnerable_and_outdated_components_suman.pptx
Vulnerable_and_outdated_components_suman.pptx
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdfMalware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
Malware-Reverse-Engineering-BeginnerToAdvanced-By-Abhijit-Mohanta-1.pdf
 
Web backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detectionWeb backdoors attacks, evasion, detection
Web backdoors attacks, evasion, detection
 

Plus de Mehmet Ince

Drupal Coder Zafiyet Analizi & İstismar Kodu Geliştirimesi
Drupal Coder Zafiyet Analizi & İstismar Kodu GeliştirimesiDrupal Coder Zafiyet Analizi & İstismar Kodu Geliştirimesi
Drupal Coder Zafiyet Analizi & İstismar Kodu GeliştirimesiMehmet Ince
 
Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Devfest istanbul'14 - Web Application Attacks and Trusting FrameworksDevfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Devfest istanbul'14 - Web Application Attacks and Trusting FrameworksMehmet Ince
 
Devfest istanbul'14 web app security and framework
Devfest istanbul'14 web app security and framework Devfest istanbul'14 web app security and framework
Devfest istanbul'14 web app security and framework Mehmet Ince
 
Siber güvenlik konferansı' 14 client-side security & csp (1)
Siber güvenlik konferansı' 14 client-side security & csp (1)Siber güvenlik konferansı' 14 client-side security & csp (1)
Siber güvenlik konferansı' 14 client-side security & csp (1)Mehmet Ince
 
Web Uygulama Güvenliği 101
Web Uygulama Güvenliği 101Web Uygulama Güvenliği 101
Web Uygulama Güvenliği 101Mehmet Ince
 
Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Mehmet Ince
 
Web Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIWeb Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIMehmet Ince
 
Ozgur web teknolojileri'13
Ozgur web teknolojileri'13Ozgur web teknolojileri'13
Ozgur web teknolojileri'13Mehmet Ince
 
Kali ile Linux'e Giriş | IntelRAD
Kali ile Linux'e Giriş | IntelRADKali ile Linux'e Giriş | IntelRAD
Kali ile Linux'e Giriş | IntelRADMehmet Ince
 
Oylg2013 web uygulamalari sizmatesti
Oylg2013 web uygulamalari sizmatestiOylg2013 web uygulamalari sizmatesti
Oylg2013 web uygulamalari sizmatestiMehmet Ince
 

Plus de Mehmet Ince (10)

Drupal Coder Zafiyet Analizi & İstismar Kodu Geliştirimesi
Drupal Coder Zafiyet Analizi & İstismar Kodu GeliştirimesiDrupal Coder Zafiyet Analizi & İstismar Kodu Geliştirimesi
Drupal Coder Zafiyet Analizi & İstismar Kodu Geliştirimesi
 
Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Devfest istanbul'14 - Web Application Attacks and Trusting FrameworksDevfest istanbul'14 - Web Application Attacks and Trusting Frameworks
Devfest istanbul'14 - Web Application Attacks and Trusting Frameworks
 
Devfest istanbul'14 web app security and framework
Devfest istanbul'14 web app security and framework Devfest istanbul'14 web app security and framework
Devfest istanbul'14 web app security and framework
 
Siber güvenlik konferansı' 14 client-side security & csp (1)
Siber güvenlik konferansı' 14 client-side security & csp (1)Siber güvenlik konferansı' 14 client-side security & csp (1)
Siber güvenlik konferansı' 14 client-side security & csp (1)
 
Web Uygulama Güvenliği 101
Web Uygulama Güvenliği 101Web Uygulama Güvenliği 101
Web Uygulama Güvenliği 101
 
Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1Web Uygulamalarında Kaynak Kod Analizi - 1
Web Uygulamalarında Kaynak Kod Analizi - 1
 
Web Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – IIWeb Uygulamalarında Kayank Kod Analizi – II
Web Uygulamalarında Kayank Kod Analizi – II
 
Ozgur web teknolojileri'13
Ozgur web teknolojileri'13Ozgur web teknolojileri'13
Ozgur web teknolojileri'13
 
Kali ile Linux'e Giriş | IntelRAD
Kali ile Linux'e Giriş | IntelRADKali ile Linux'e Giriş | IntelRAD
Kali ile Linux'e Giriş | IntelRAD
 
Oylg2013 web uygulamalari sizmatesti
Oylg2013 web uygulamalari sizmatestiOylg2013 web uygulamalari sizmatesti
Oylg2013 web uygulamalari sizmatesti
 

Dernier

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...aditisharan08
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfkalichargn70th171
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Intelisync
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 

Dernier (20)

Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)Introduction to Decentralized Applications (dApps)
Introduction to Decentralized Applications (dApps)
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 

Breaking The Framework's Core #PHPKonf 2016