Roman Rott – Ruby for Pentesters

Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety. The event is focused on introducing and teaching the 'Trust Rust can Entrust' on coding to Young developers and engineers who make the web better and more secure!, to train developers, students, mozillians and budding programmers on Rust. Never wrote a single line of code in Rust? Don’t worry, most of us are just starting off. The Rust programming language will be important to the future of the web, making it safe and great.

OWASP Kyiv 27-05-2017 chapter meeting talk. Video: https://www.youtube.com/watch?v=QtZy5wvAVAA

Software

RUBY FOR
PENTESTERS
PENTESTING
FOR RUBYISTS
VS

RUBY HAS ABILITIES AND TRICKS FOR DEALING WITH ALL STRINGS SCENARIOS
➤ Convert String/Binary to Hex;
➤ Convert Hex to String/Binary;
➤ Encode/Decode String;
➤ Regular Expressions;
➤ String extraction;
➤ Parsing HTML, XML, JSON, etc;
➤ Cryptography libs, MD5, SHA1,2
hash. Generating MySQL/
PostgreSQL, Windows Password
Hashes, etc

TOOLS
http://ronin-ruby.github.io/
Ronin
Ronin is a Ruby platform for
vulnerability research and
exploit development.
Ronin allows for the rapid
development and distribution
of code, Exploits, Payloads,
Scanners, etc, via Repositories.

TOOLS
https://wpscan.org/
WPScan
WordPress vulnerability
scanner.

TOOLS
https://www.morningstarsecurity.com/research/whatweb
WhatWeb
Recognizes web technologies
including CMS,
blogging platforms,
statistic/analytics packages,
JavaScript libraries,
web servers, etc

TOOLS
https://github.com/rubysec/bundler-audit
bundle-audit
Patch-level verification for
Bundler

TOOLS
https://github.com/presidentbeef/brakeman
brakeman
Static analysis tool which
checks Ruby on Rails
applications for security
vulnerabilities.

FRAMEWORKS
http://www.arachni-scanner.com/
Arachni
Ruby framework aimed towards helping
penetration testers and administrators
evaluate the security of modern
web applications.

FRAMEWORKS
BeEF
http://beefproject.com/
The Browser Exploitation
Framework.
It is a penetration testing tool
that focuses on the web browser.

HELPERS
https://github.com/iridakos/duckrails
DuckRails
Allows to quickly mock API endpoints,
Setting response headers,
Setting some advanced configuration (delays,
dynamic headers, content type & status), etc.

HELPERS
➤ Oga - XML/HTML parser - https://github.com/YorickPeterse/oga
➤ html-pipeline - GitHub HTML processing ﬁlters and utilities. This module includes a
small framework for deﬁning DOM based content ﬁlters and applying them to user
provided content. - https://github.com/jch/html-pipeline
➤ Happymapper allows you to parse XML data and convert it quickly and easily into
ruby data structures. - https://github.com/dam5s/happymapper
➤ nokogiri - is a Rubygem providing HTML, XML, SAX, and Reader parsers with
XPath and CSS selector support. - https://github.com/sparklemotion/nokogiri

BROWSER MANIPULATION
Selenium
Watir
webdrivers

AUTOMATIZATION
https://github.com/sophsec/ruby-nmap
ruby-nmap

AUTOMATIZATION
➤ net-ping gem
➤ ruby-nmap gem
➤ etc.

AUTOMATIZATION
Puppet
https://puppet.com/
Chef
Vagrant
https://www.chef.io/chef/
https://www.vagrantup.com/
Docker
https://www.docker.com/
+

COMMAND EXECUTION
➤ Kernel#` (back-ticks)
➤ Kernel#exec
➤ Kernel#system
➤ IO#popen
➤ Process#spawn
➤ %x"", %x[], %x{}, %x$’'$
➤ Rake#sh

PACKAGING
➤ One-Click Ruby
Application(OCRA) Builder
➤ Traveling-ruby
➤ RubyEncoder

EXTEND BURP SUITE USING JRUBY
Jruby
JRuby is a fully threaded
Java implementation of the Ruby

Mais conteúdo relacionado

Semelhante a Roman Rott – Ruby for Pentesters

Rust Hack

Viral Parmar

One RubyStack to Rule them All

elliando dias

How to distribute Ruby to the world

Hiroshi SHIBATA

During the past year IR teams and security researchers around the world witnessed a rise in the use of legitimate tools and common scripts in malware and APT attacks. This talk will explore the presenters’ research that focused on automating the analysis of PowerShell and Macro/VBA/VBS attacks by building a heuristic-based compiler engine that determines whether a script is malicious or not. (Source: RSA Conference USA 2017)

Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac

Priyanka Aash

[2011-17-C-4] Heroku & database.com

Mitch Okamoto

Given at black hat and DEF CON 2010 by Wayne Huang and team. https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang http://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Huang DRIVESPLOIT: CIRCUMVENTING BOTH AUTOMATED AND MANUAL DRIVE-BY-DOWNLOAD DETECTION This year saw the biggest news in Web security ever--Operation Aurora, which aimed at stealing source code and other intellectual properties and succeeded with more than 30 companies, including Google. Incidence response showed that the operation involved an IE 0-day drive-by-download, resulting in Google's compromise and leak of source code to jump points in Taiwan. The US Government is so concerned that they issued a demarche to the Chinese government. Using real, live examples, we will show how easy it is to exploit injection-based, XSS-based, and CSRF-based vulnerabilities in FaceBook, Google, Digg, LinkedIn, and other popular websites, and inject drive-by downloads. If drive-bys are so easy to inject into high-traffic websites, then the question becomes, how easy it is to make them undetectable by automated malware scanning services (such as Google's) and by human manual inspection? We will demonstrate how easy it is to defeat automated detection mechanisms and overview commonly used techniques. We will reveal for the first time, in this conference, some very advanced techniques that are almost impossible to overcome by automated analysis in the past, now, and in the future. We will release Drivesploit, a drive-by download exploit framework implemented on top of Metasploit. We will go into depth on two particular techniques supported by Drivesploit's a) javascript obfuscation based on behavior-based fingerprinting, and b) javascript timelock puzzles. We will have live demos to show how this technique easily defeats both automated AND manual detection. At the very beginning of our talk, we will be giving out a digg.com page, which we have infected with a drive-by download created with Drivesploit. Visiting this page with the right browser will trigger the exploit and download a malware that steals browser cookie files. The whole process will be undetectable by antivirus. The actual javascript drive-by code contains a secret phrase. We will give out an ipad to whomever from the audience that is able to correctly deobfuscate the javascript and give out the secret phrase. Finally, we will present case studies on systems and processes that the largest organizations have put in place in order to fight against Web-based malware. We will also present case studies of our incidence response efforts with organizations hit by Web malware injections such as Google's aurora incident. Based in Taiwan, Co-speaker Wayne has been personally involved in such incidence response efforts since the late 90's. All source codes related to POC exploits against FaceBook, Google, Digg, LinkedIn, etc, as well as source code of Drivesploit, will be released as open source at the conference. Attendees will gain the following: 1. Understanding of drive-by downloads and associated terminologies. 2. Information about various drive-by download infection vectors. 3. Appreciation of tools helpful for drive-by analysis, including Malzilla, spikermonkey, rhino, burp and wepawet 4. Realize why drive-by downloads are hard to analyze and detect. Why antivirus fail, why behavior-based approaches fail, and why even manual efforts are difficult 5. Learning the Drivesploit framework and how it can be used to develop poc drive-bys 6. Learning two new deadly techniques: behavior-based browser finterprinting and javascript timelock puzzles 7. Learning how to implement above two using Drivesploit to defeat both automated and manual drive-by analysis 8. Knowledge about the available countermeasures to this threat

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection

Wayne Huang

Analysis of web application worms and viruses

UltraUploader

Pentesting Using Burp Suite

jasonhaddix

Web technologies lesson 1

nhepner

Why Rust? - Matthias Endler - Codemotion Amsterdam 2016

Codemotion

Bug Bounty for - Beginners

Himanshu Kumar Das

RAILS OFFERINGS Custom application development. RoR Web-Product development. Rails CMS Development services QA/testing services and Auditing Porting and Migration MVP for start-up businesses Architecture Re-design and Improvement Solving scalability, usability and security Rails e-Commerce Application Development Rails Support and maintenance. Angular JS, Angular 2, Angular 4 ionic frameworks React JS, Node JS MEAN Stack developments Full Stack Developers Phoenix Framework RUBY ON RAILS EXPERTISE Rails – Version Rails 5.0, Rails 4.2, Rails 4.1, Rails 4.0, Rails 3.2, and Rails 2.3. Active Support Core Extensions Rails Internationalization API Action Mailer Basics Active Job Basics Testing Rails Applications Securing Rails Applications Debugging Rails Applications Configuring Rails Applications The Rails Command Line Asset Pipeline Working with JavaScript in Rails Auto loading and Reloading Constants Caching with Rails Using Rails for API-only Applications Action Cable Overview

Ruby on rails | iteron

Iteron Group

How to distribute Ruby to the world

Hiroshi SHIBATA

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner

Nishant Das Patnaik

Web Development Environments: Choose the best or go with the rest

george.james

This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world. Additional resources can be found in the blog below: https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers More security blogs by the authors can be found @ https://www.netspi.com/blog/

WTF is Penetration Testing v.2

Scott Sutherland

IronRuby for the Rubyist

Will Green

Analyzing malware and correlating huge databases of samples is a job for few. Big AV companies have their own systems for cataloging and analyzing malware and our goal is to bring that power to the masses through our OpenSource malware analysis pipeline system called Aleph <https: />. Aleph is not restricted to malware since it is artifact-oriented. It was built with no specific file-type in mind but with the possibility to work with any filetype and have plugins to extract information and correlate with other artifacts for further analysis. This makes aleph also very useful in forensics and other types of work. Aleph is a multi-compartmentalized framework. There are sample collectors that will fetch samples from local folders, RSS feeds and IMAP folders (for now). These samples are queued where the sample workers will grab them and apply specific filters depending on it's file type. Those plugins might enrich sample metadata, extract other artifacts and retrofeed into Aleph for further analysis making all the cross-reference chain in place. The plugins may also add some warning flags based on their findings to give the researcher a more digested info than interpreting all the data. All sample data is stored into a ElasticSearch database which makes easy to query and manage it's metadata fields without rebuilding tables and such. All time and date data is UTC and converted on the fly to user's Timezone. We have internationalization and localization fully implemented and Aleph is available currently in English, Brazilian Portuguese and Spanish

aleph - Malware analysis pipelining for the masses

Jan Seidl

Application Security for Rich Internet Applicationss (Jfokus 2012)

johnwilander

Rodando *qualquer coisa* na nuvem com OpenShift, o PaaS open source da Red Hat

Fabiano Franz

Semelhante a Roman Rott – Ruby for Pentesters (20)

Rust Hack

One RubyStack to Rule them All

How to distribute Ruby to the world

Isolating the Ghost in the Machine: Unveiling Post Exploitation Threatsrsac

[2011-17-C-4] Heroku & database.com

Drivesploit: Circumventing Both Automated AND Manual Drive-By-Download Detection

Analysis of web application worms and viruses

Pentesting Using Burp Suite

Web technologies lesson 1

Why Rust? - Matthias Endler - Codemotion Amsterdam 2016

Bug Bounty for - Beginners

Ruby on rails | iteron

How to distribute Ruby to the world

NullCon 2012 - Ra.2: blackbox DOM-based XSS scanner

Web Development Environments: Choose the best or go with the rest

WTF is Penetration Testing v.2

IronRuby for the Rubyist

aleph - Malware analysis pipelining for the masses

Application Security for Rich Internet Applicationss (Jfokus 2012)

Rodando *qualquer coisa* na nuvem com OpenShift, o PaaS open source da Red Hat

Mais de OWASP Kyiv

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...

Software Supply Chain Security та компоненти з відомими вразливостями

Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite

Threat Modeling with OWASP Threat Dragon

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

Vlad Styran - Cyber Security Economics 101

Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security

Ivan Vyshnevskyi - Not So Quiet Git Push

Dima Kovalenko - Modern SSL Pinning

Yevhen Teleshyk - OAuth Phishing

Vlada Kulish - Why So Serial?

Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans

Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience

Ihor Bliumental - WebSockets

Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

Viktor Zhora - Cyber and Geopolitics: Ukrainian factor

Andriy Shalaenko - GO security tips

Vlad Styran - "Hidden" Features of the Tools We All Love

Volodymyr Ilibman - Close Look at Nyetya Investigation

Ihor Bliumental - Collision CORS

+971565801893 Mtp-Kit (500MG) Prices » Dubai [(+971565801893**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Leen Whatsapp +971565801893 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971565801893''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971565801893' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Clinic in Abu Dhabi, United Arab Emirates.+971565801893

Mais de OWASP Kyiv (20)

Is there a penetration testing within PCI DSS certification? (Dmytro Diordiyc...

Software Supply Chain Security та компоненти з відомими вразливостями

Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite

Threat Modeling with OWASP Threat Dragon

Anastasia Vixentael - Don't Waste Time on Learning Cryptography: Better Use I...

Vlad Styran - Cyber Security Economics 101

Pavlo Radchuk - OWASP SAMM: Understanding Agile in Security

Ivan Vyshnevskyi - Not So Quiet Git Push

Dima Kovalenko - Modern SSL Pinning

Yevhen Teleshyk - OAuth Phishing

Vlada Kulish - Why So Serial?

Vlad Styran - OWASP Kyiv 2017 Report and 2018 Plans

Roman Borodin - ISC2 & ISACA Certification Programs First-hand Experience

Ihor Bliumental - WebSockets

Serhiy Korolenko - The Strength of Ukrainian Users’ P@ssw0rds2017

Viktor Zhora - Cyber and Geopolitics: Ukrainian factor

Andriy Shalaenko - GO security tips

Vlad Styran - "Hidden" Features of the Tools We All Love

Volodymyr Ilibman - Close Look at Nyetya Investigation

Ihor Bliumental - Collision CORS

Último

+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...

Health

WSO2CON 2024 - How to Run a Security Program

ADR, or Architecture Decision Record, is a valuable tool in software development for several reasons. It provides a centralized location for documenting and tracking architectural decisions, aiding both current and future team members. ADRs enhance communication among team members by documenting the rationale behind architectural decisions, especially beneficial during onboarding of new team members or when revisiting decisions. They serve as a knowledge base, enabling teams to learn from past decisions and refine their decision-making process. Additionally, ADRs contribute to transparency by helping stakeholders understand the reasons behind specific architectural choices. As with any other tool or process, introducing them into an organization can face several obstacles, and overcoming these challenges is crucial for successful implementation. In this talk I go through some common problems and our way of solving them.

Artyushina_Guest lecture_YorkU CS May 2024.pptx

AnnaArtyushina1

Architecture decision records - How not to get lost in the past

Papp Krisztián

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in kempton park+277-882-255-28 abortion pills for sale in kempton park

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

%in Soweto+277-882-255-28 abortion pills for sale in soweto

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic near me by a powerful astrologer and spell caster in Atlanta. Bring back your lover with Asaf's voodoo-love witchcraft. Psychic Reading | Astrologer | Spell Caster | Obsession Spells | Black Magic | Witchcraft | Protection spell | wiccan spells. Black magic expert and voodoo love spells that work overnight to retrieve that love | lost love spell caster with powerful love psychic reading. Best astrologer & psychic in Sandy Springs, GA to renew your relationship & make your relationship stronger. love spells to bring back the feelings of love for ex-lovers. Increase the intimacy, affection & love between you and your lover using voodoo relationship obsession spells in USA. Money spells, easy love spells with just words, think of me spell, powerful love spell, spells of love, spells that work, love potion to attract a man, easy love spells with just words, pink candle prayer, white magic spells, call me spell, manifestation spell, gay love spells, Commitment spells, business spells and, how to bring back lost love in a relationship, Witchcraft love spells that work immediately to increase love & intimacy in your relationship. Attraction love spells to attract someone, stop a divorce, prevent a breakup & get your ex back. When using love binding spells, there are several things you should know, particularly how to protect yourself from negative energies and how to use the powers of incantations for the good of all people involved. When the focus is love, the results are truly magical. It’s important to remember love is not manipulative, it is not forceful, and it does not bend another to its will. Love is free-flowing, accepting, kind, and generous. For your love spell to work as intended, you must have good intentions in your heart. Below, we share the top five love spells you can use today to shift the energies in your life and create a future filled with love and fulfilment. Obsession spells to Get Your Ex-Lover Back. All women want one thing the most in life to be love and love in return – not much to ask. A lady wants a good man who loves you unconditionally and loyally. You want a man who is honest, hardworking, and loyal – not a complainer or a weakling or a self-centred man. You are a strong, independent, sensual, caring, loving woman. And you don’t think it’s asking too much to want to be with a loving, intelligent man with a good sense of humour and daring, an upright and confident man – who knows who he is. No one wants a chauvinistic and macho man, but you do want someone who will be willing to protect and care for you. Who loves you for you and not some kind of imaginary. You have no doubt that when the right guy appears on your doorstep, you’ll never let him go. But sometimes a man doesn’t realize he has that good woman.

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

Love witchcraft +27768521739 Binding love spell in Sandy Springs, GA |psychic...

chiefasafspells

%in Benoni+277-882-255-28 abortion pills for sale in Benoni

WSO2CON2024 - It's time to go Platformless

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of Winnipeg back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal. Attraction Spells

%+27788225528 love spells in Huntington Beach Psychic Readings, Attraction sp...

WSO2CON 2024 - Navigating API Complexity: REST, GraphQL, gRPC, Websocket, Web...

tonesoftg

lanshi9

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview