Ihor Bliumental - WebSockets

•

0 likes•347 views

OWASP Kyiv

WebSockets security analysis methods and techniques.

Technology

Ihor Bliumental
OWASP Kyiv Chapter Lead
ihor.bliumental@owasp.org
WebSocket security

Authorization
• An attacker can access the data/functions
without authorization
• An attacker can access the data/functions
which require higher level of authorization
• An attacker can access other same level user's
restricted data/functions

Traffic encryption
• All sensitive data should be transferred using
TLS (wss://)
• TLS should be implemented correctly (no weak
ciphers)

Resource Exhaustion
• Connection is being kept until client or server
close it
• An attacker can exhausts all available
connections
• Modern clients have limits (e.g. Chrome: 256
total WS connections, 30 per one host; Firefox:
200 total WS connections)

Improper input validation
• A1 - Injections (SQLi, Code injections, Template
injections, etc.)
• A4 - XXE
• A7 - XSS
• A8 - Insecure deserialisation

Simple WebSocket Client (FF/Chrome addon)

What's hot

Information Security Systems

Eyad Mhanna

020618 Why Do we Need HTTPS

Jackio Kwok

Stable proxies it's type and advantages

stableproxies

Introduction to stable proxies.

stableproxies

cryptography security

Web Proxy Server

Introduce warden

12 web security

SignalR

XML Key Management Protocol for Secure Web Service

Md. Hasan Basri (Angel)

Fundamental of Webserver Hacking, Web Applications and Database Attacks

UK Defence Cyber School

WT - Firewall & Proxy Server

vinay arora

Proxy Servers & Firewalls

Mehdi Poustchi Amin

Introduction to OAuth

Wei-Tsung Su

Http Proxy Server

Sourav Roy

Api sec demo_updated_v2

Aravindan A

y3dips hacking priv8 network

idsecconf

SQLViking is a post exploitation tool written in Python focused on leveraging unencrypted connections between database and web servers. It is comprised of two pieces: one passive and one active. The passive piece, dubbed Scout, sits on the wire and silently collects information passed between database servers and clients. The active piece, Pillage, leverages TCP injection to run arbitrary queries against a database without credentials or man in the middling. SQLViking was designed with extensibility in mind allowing the open source community to easily add support for new databases without needing to touch any of the actual logic of the tool itself via Python's abstract base classes. This talk will cover how the tool works from a functional perspective as well as existing and future features. It will also discuss the root issue which allows this tool to work and how to protect yourself against such an attack.

Sqlviking

Jonn Callahan

What's hot (18)

Information Security Systems

020618 Why Do we Need HTTPS

Stable proxies it's type and advantages

Introduction to stable proxies.

cryptography security

Web Proxy Server

Introduce warden

12 web security

SignalR

XML Key Management Protocol for Secure Web Service

Fundamental of Webserver Hacking, Web Applications and Database Attacks

WT - Firewall & Proxy Server

Proxy Servers & Firewalls

Introduction to OAuth

Http Proxy Server

Api sec demo_updated_v2

y3dips hacking priv8 network

Sqlviking

Similar to Ihor Bliumental - WebSockets

Vulnerabilities in modern web applications

Niyas Nazar

Computer Network Case Study - bajju.pptx

ShivamBajaj36

The path of secure software by Katy Anton

DevSecCon

HTML5 hacking

Blueinfy Solutions

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection

Anant Shrivastava

WebApps_Lecture_15.ppt

OmprakashVerma56

Protecting Web Services from DDOS Attack

Ponraj

Palestra ministrada no OWASP Floripa Day - Florianópolis - SC | A palestra tem como objetivo mostrar os conceitos e funcionamento de algumas funcionalidades que foram adicionadas ao HTML5, levando em consideração os aspectos de segurança do client-side. Para as funcionalidades destacadas, foram criados cenários de ataques visando ilustrar a obtenção de informações sensíves armazenadas no browser ou até mesmo usar o browser da vítima para lançar ataques contra outros sistemas. Através da exploração das funcionalidades existentes no HTML5, técnicas de exploração como XSS e CSRF, tornam-se mais poderosas e eficientes, sendo possível em alguns casos contornar algumas restrições do Same Origin Policiy (SOP).

Building Client-Side Attacks with HTML5 Features

Conviso Application Security

Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends. It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation. It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to . It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.

Spa Secure Coding Guide

Geoffrey Vandiest

Web Services Hacking and Security

Blueinfy Solutions

DEF CON 24 - workshop - Craig Young - brainwashing embedded systems

Felipe Prado

Sandeep Kumar

Html5 security

Krishna T

www.webre24h.com - Ajax security

webre24h

Information Security Engineering

Md. Hasan Basri (Angel)

Cross Site Scripting - Mozilla Security Learning Center

Michael Coates

艾鍗教你從實作中認識物聯網！ http://bit.ly/2jZRwt2 課程使用Raspberry Pi結合ARM mbed Cloud來實現一個物聯網解決方案。你會了解M2M(Machine-to-Machine)網路協定,包含CoAP、MQTT、LWM2M等協定，並藉由Raspberry Pi連接 Cloud。 Raspberry Pi的部份教你連接一些感測器，包含GPIO、數位界面I2C的溫溼度感測器、類比感測器如光感應器等，並將這些感測器成為定義為不同的Resource Path並註冊在mbed cloud中。本課程將採用Node.js撰寫WebAPP，使用HTTP/RESTful API存取Resource。在實作WebAPP中，除了後端Node.js，你也將會看到後端如何與前端瀏覽器之間要如何溝通的方式，如AJAX或WebSocket

Websocket

艾鍗科技

DDD Melbourne 2014 security in ASP.Net Web API 2

Pratik Khasnabis

Post XSS Exploitation : Advanced Attacks and Remedies

Adwiteeya Agrawal

Security Patterns with WSO2 ESB

WSO2

Similar to Ihor Bliumental - WebSockets (20)

Vulnerabilities in modern web applications

Computer Network Case Study - bajju.pptx

The path of secure software by Katy Anton

HTML5 hacking

Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection

WebApps_Lecture_15.ppt

Protecting Web Services from DDOS Attack

Building Client-Side Attacks with HTML5 Features

Spa Secure Coding Guide

Web Services Hacking and Security

DEF CON 24 - workshop - Craig Young - brainwashing embedded systems

Html5 security

www.webre24h.com - Ajax security

Information Security Engineering

Cross Site Scripting - Mozilla Security Learning Center

Websocket

DDD Melbourne 2014 security in ASP.Net Web API 2

Post XSS Exploitation : Advanced Attacks and Remedies

Security Patterns with WSO2 ESB

Recently uploaded

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Zilliz

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Following the popularity of “Cloud Revolution: Exploring the New Wave of Serverless Spatial Data,” we’re thrilled to announce this much-anticipated encore webinar. In this sequel, we’ll dive deeper into the Cloud-Native realm by uncovering practical applications and FME support for these new formats, including COGs, COPC, FlatGeoBuf, GeoParquet, STAC, and ZARR. Building on the foundation laid by industry leaders Michelle Roby of Radiant Earth and Chris Holmes of Planet in the first webinar, this second part offers an in-depth look at the real-world application and behind-the-scenes dynamics of these cutting-edge formats. We will spotlight specific use-cases and workflows, showcasing their efficiency and relevance in practical scenarios. Discover the vast possibilities each format holds, highlighted through detailed discussions and demonstrations. Our expert speakers will dissect the key aspects and provide critical takeaways for effective use, ensuring attendees leave with a thorough understanding of how to apply these formats in their own projects. Elevate your understanding of how FME supports these cutting-edge technologies, enhancing your ability to manage, share, and analyze spatial data. Whether you’re building on knowledge from our initial session or are new to the serverless spatial data landscape, this webinar is your gateway to mastering cloud-native formats in your workflows.

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Safe Software

In the thrilling conclusion to 2023, ransomware groups had a banner year, really outdoing themselves in the "make everyone's life miserable" department. LockBit 3.0 took gold in the hacking olympics, followed by the plucky upstarts Clop and ALPHV/BlackCat. Apparently, 48% of organizations were feeling left out and decided to get in on the cyber attack action. Business services won the "most likely to get digitally mugged" award, with education and retail nipping at their heels. Hackers expanded their repertoire beyond boring old encryption to the much more exciting world of extortion. The US, UK and Canada took top honors in the "countries most likely to pay up" category. Bitcoins were the currency of choice for discerning hackers, because who doesn't love untraceable money?

Ransomware_Q4_2023. The report. [EN].pdf

Overkill Security

[BuildWithAI] Introduction to Gemini.pdf

Sandro Moreira

Effective data discovery is crucial for maintaining compliance and mitigating risks in today's rapidly evolving privacy landscape. However, traditional manual approaches often struggle to keep pace with the growing volume and complexity of data. Join us for an insightful webinar where industry leaders from TrustArc and Privya will share their expertise on leveraging AI-powered solutions to revolutionize data discovery. You'll learn how to: - Effortlessly maintain a comprehensive, up-to-date data inventory - Harness code scanning insights to gain complete visibility into data flows leveraging the advantages of code scanning over DB scanning - Simplify compliance by leveraging Privya's integration with TrustArc - Implement proven strategies to mitigate third-party risks Our panel of experts will discuss real-world case studies and share practical strategies for overcoming common data discovery challenges. They'll also explore the latest trends and innovations in AI-driven data management, and how these technologies can help organizations stay ahead of the curve in an ever-changing privacy landscape.

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

TrustArc

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Zilliz

Keynote 2: APIs in 2030: The Risk of Technological Sleepwalk Paolo Malinverno, Growth Advisor - The Business of Technology Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

apidays

The microservices honeymoon is over. When starting a new project or revamping a legacy monolith, teams started looking for alternatives to microservices. The Modular Monolith, or 'Modulith', is an architecture that reaps the benefits of (vertical) functional decoupling without the high costs associated with separate deployments. This talk will delve into the advantages and challenges of this progressive architecture, beginning with exploring the concept of a 'module', its internal structure, public API, and inter-module communication patterns. Supported by spring-modulith, the talk provides practical guidance on addressing the main challenges of a Modultith Architecture: finding and guarding module boundaries, data decoupling, and integration module-testing. You should not miss this talk if you are a software architect or tech lead seeking practical, scalable solutions. About the author With two decades of experience, Victor is a Java Champion working as a trainer for top companies in Europe. Five thousands developers in 120 companies attended his workshops, so he gets to debate every week the challenges that various projects struggle with. In return, Victor summarizes key points from these workshops in conference talks and online meetups for the European Software Crafters, the world’s largest developer community around architecture, refactoring, and testing. Discover how Victor can help you on victorrentea.ro : company training catalog, consultancy and YouTube playlists.

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Victor Rentea

Scaling API-first – The story of a global engineering organization Ian Reasor, Senior Computer Scientist - Adobe Radu Cotescu, Senior Computer Scientist - Adobe Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

apidays

FWD Group - Insurer Innovation Award 2024

The Digital Insurer

The value of a flexible API Management solution for Open Banking Steve Melan, Manager for IT Innovation and Architecture - State's and Saving's Bank of Luxembourg Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - The value of a flexible API Management solution for O...

apidays

MS Copilot expands with MS Graph connectors

Nanddeep Nachan

ICT role in 21st century education and its challenges

rafiqahmad00786416

Architecting Cloud Native Applications

WSO2

When you’re building (micro)services, you have lots of framework options. Spring Boot is no doubt a popular choice. But there’s more! Take Quarkus, a framework that’s considered the rising star for Kubernetes-native Java. It always depends on what's best for your situation, but how to choose the best solution if you're comparing 2 frameworks? Both Spring Boot and Quarkus have their positives and negatives. Let us compare the two by live coding a couple of common use cases in Spring Boot and Quarkus. After this talk, you’ll be ready to get started with Quarkus yourself, and know when to select Quarkus or Spring Boot.

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Jago de Vreede

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Accelerating FinTech Innovation: Unleashing API Economy and GenAI Vasa Krishnan, Chief Technology Officer - FinResults Apidays New York 2024: The API Economy in the AI Era (April 30 & May 1, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

apidays

Dubai, known for its towering skyscrapers, luxurious lifestyle, and relentless pursuit of innovation, often finds itself in the global spotlight. However, amidst the glitz and glamour, the emirate faces its own set of challenges, including the occasional threat of flooding. In recent years, Dubai has experienced sporadic but significant floods, disrupting normalcy and posing unique challenges to its infrastructure. Among the critical nodes in this bustling metropolis is the Dubai International Airport, a vital hub connecting the world. This article delves into the intersection of Dubai flood events and the resilience demonstrated by the Dubai International Airport in the face of such challenges.

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf

Orbitshub

Recently uploaded (20)

Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME

Ransomware_Q4_2023. The report. [EN].pdf

[BuildWithAI] Introduction to Gemini.pdf

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe

FWD Group - Insurer Innovation Award 2024

Apidays New York 2024 - The value of a flexible API Management solution for O...

MS Copilot expands with MS Graph connectors

ICT role in 21st century education and its challenges

Architecting Cloud Native Applications

Spring Boot vs Quarkus the ultimate battle - DevoxxUK

Exploring the Future Potential of AI-Enabled Smartphone Processors

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf