Podcasts about cross site scripting xss

  • 23 podcasts
  • 26 episodes
  • 48m average duration
  • Infrequent episodes
  • Latest episode: Dec 19, 2023

Popularity (chart, 2017 to 2024)


Best podcasts about cross site scripting xss

Latest podcast episodes about cross site scripting xss

Application Security PodCast
Eitan Worcel -- Is AI a Security Champion?
Dec 19, 2023, 48:41 (transcript available)


Eitan Worcel joins the Application Security Podcast to talk automated code fixes and the role of artificial intelligence in application security. We start with a thought-provoking discussion about the consistency and reliability of AI-generated responses in fixing vulnerabilities like Cross-Site Scripting (XSS). The conversation highlights a future where AI on one side writes code while AI on the other side fixes it, raising questions about the outcomes of such a scenario.

The discussion shifts to the human role in using AI for automated code fixes. Human oversight is important in setting policies or rules to guide AI, as opposed to letting it run wild on the entire code base. This controlled approach, akin to a 'controlled burn,' aims at deploying AI in a way that's beneficial and manageable, without overwhelming developers with excessive changes or suggestions.

We also explore the efficiency gains expected from AI in automating tedious tasks like fixing code vulnerabilities. We compare this to the convenience of household robots like Roomba, imagining a future where AI takes care of repetitive tasks, enhancing developer productivity. However, we also address potential pitfalls, such as AI's tendency to 'hallucinate' or generate inaccurate solutions, underscoring the need for caution and proper validation of AI-generated fixes.

This episode offers a balanced perspective on the integration of AI in application security, highlighting both its promising potential and the challenges that need to be addressed. Join us as we unravel the complexities and future of AI in AppSec, understanding how it can revolutionize the field while remaining vigilant about its limitations.

Recommended Reading from Eitan: The Hard Thing About Hard Things by Ben Horowitz - https://www.harpercollins.com/products/the-hard-thing-about-hard-things-ben-horowitz?variant=32122118471714

FOLLOW OUR SOCIAL MEDIA:
➜ Twitter: @AppSecPodcast
➜ LinkedIn: The Application Security Podcast
➜ YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

InfosecTrain
What is Cross-Site Scripting (XSS)? | How does Cross-Site Scripting Work?
Oct 13, 2023, 11:20


Cross-Site Scripting (XSS) is a common web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by unsuspecting users. In this podcast, we delve into the fundamentals of XSS: understanding how it works, its potential impacts, and how to prevent it. #CrossSiteScripting #XSS #WebSecurity #WebAppVulnerabilities #SecurityMeasures #JavaScriptSecurity #WebDevelopment #XSSAttacks

InfosecTrain
Day - 5 : Introduction to Cross Site Scripting | XSS (Cross Site Scripting) Practical
Jun 30, 2023, 74:39


InfosecTrain hosts a free workshop, “20-Hrs FREE CYBERSECURITY ORIENTATION PROGRAM”, with certified expert ‘Abhishek'. Thank you for listening to this podcast. For more details or a free demo with our expert, write to us at sales@infosectrain.com

✅ Agenda covered
➡️ XSS (Cross Site Scripting) Practical

Engineering Kiosk
#41 SQL Injections - An Underestimated Risk
Oct 18, 2022, 68:37


SQL injections: one of the most widespread security vulnerabilities on the web, even in 2022

Most applications interact with a database in one way or another. That is why most developers will already have heard of the "SQL injection" vulnerability. For 24 years it has been one of the most widespread security vulnerabilities on the internet, and there is no end in sight. What exactly is an SQL injection, in detail? What different types are there? Why has this attack vector kept us busy for so long? Where does it come from and who discovered it? How can you protect yourself and test your application sufficiently? All that and much more in this episode.

Bonus: the contrast between Duisburg and Berlin, and how SQL injection was discovered as a by-product.

Feedback (voice messages welcome too)
Email: stehtisch@engineeringkiosk.dev
Twitter: https://twitter.com/EngKiosk
WhatsApp: +49 15678 136776
We are happy to cover your audio feedback in one of the next episodes as well; just send an audio file by email or a WhatsApp voice message to +49 15678 136776.

Links
Phrack Magazine Volume 8, Issue 54, Dec 25th, 1998, article 08 of 12: http://www.phrack.org/archives/issues/54/8.txt
OWASP Top Ten 2021: https://owasp.org/www-project-top-ten/
CVE Details - Security Vulnerabilities Published In 2022 (SQL Injection): https://www.cvedetails.com/vulnerability-list/year-2022/opsqli-1/sql-injection.html
Analyzing Prepared Statement Performance: https://orangematter.solarwinds.com/2014/11/19/analyzing-prepared-statement-performance/
SQL Injection Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
OWASP Top 10 (2021) - A03:2021 – Injection: https://owasp.org/Top10/A03_2021-Injection/
CVE Details - Heartbleed (CVE-2014-0160): https://www.cvedetails.com/cve/CVE-2014-0160/
CVE Details - Log4Shell (CVE-2021-44228): https://www.cvedetails.com/cve/CVE-2021-44228/
xkcd "Exploits of a Mom": https://xkcd.com/327/
trivago's HackerOne program: https://hackerone.com/trivago
Owncloud: https://owncloud.com/
TYPO3: https://typo3.org/
Wordpress: https://wordpress.com/de/
SQL-Proxy: https://github.com/sysown/proxysql
GitHub CodeQL: https://codeql.github.com/
sqlmap: https://sqlmap.org/
SQLi-Fuzzer: A SQL Injection Vulnerability Discovery Framework Based on Machine Learning: https://ieeexplore.ieee.org/document/9657925
OWASP Zed Attack Proxy (ZAP): https://www.zaproxy.org/
PlanetScale: https://planetscale.com/
Awesome static analysis: https://github.com/analysis-tools-dev/static-analysis

Chapters
(00:00:00) Intro
(00:00:42) SQL injections from the 90s and the diversity of Berlin
(00:02:49) Today's topic: web security, SQL injections in depth
(00:05:07) What are SQL injections?
(00:08:48) Are SQL injections still a problem in 2022?
(00:10:56) When was the first SQL injection? Where does this vulnerability originate?
(00:13:22) Why are SQL injections still such a big problem?
(00:19:37) Different types of SQL injection: output-based, error-based, blind SQL injection, time-based SQL injection, out-of-band SQL injection
(00:27:42) Bug bounty: a 2-channel SQL injection attack combined with cross-site scripting (XSS) at trivago
(00:29:42) Multi-stage attacks and exploiting several vulnerabilities in sequence
(00:33:16) Possible damage from an SQL injection: modifying data, executing commands on the server, reading and writing local files, executing SQL functions, denial of service (DoS)
(00:39:09) Countermeasures to prevent SQL injections: prepared statements, updating database components, limited privileges for database users, web application firewalls (WAF)
(00:56:42) Ways to test your application automatically: unit tests, static analysis, dynamic analysis with sqlmap, and fuzzing
(01:02:51) Measures taken by database-as-a-service providers to ensure security
(01:06:51) Outro

Hosts
Wolfgang Gassler (https://twitter.com/schafele)
Andy Grunwald (https://twitter.com/andygrunwald)

David Bombal
#374: Website Hacking Demos using Cross-Site Scripting (XSS) - it's just too easy!
May 2, 2022, 34:51


It's just too easy to attack websites using Cross Site Scripting (XSS). The XSS Rat demonstrates XSS attacks. XSS Rat explains and demos cross-site scripting (xss) attacks.

// MENU //
00:00 ▶️ We are taking over the world!
00:16 ▶️ Introducing // XSS Rat // Wesley
01:28 ▶️ What is XSS / Cross Site Scripting?
02:59 ▶️ Types of XSS
05:15 ▶️ Reflected XSS
06:22 ▶️ Example of data sanitization
07:35 ▶️ Circumventing filtering with the img tag
11:01 ▶️ Sending a Reflected XSS Attack to Someone
12:01 ▶️ Using HTML comments as an attack vector
13:49 ▶️ Using single quotes to break out of the input tag
15:14 ▶️ Don't use alert() to test for XSS
17:33 ▶️ What you can do with Reflected XSS
19:26 ▶️ Stored XSS
20:31 ▶️ Using comments for XSS
21:05 ▶️ Example #1 of Stored XSS on Twitter
21:42 ▶️ Example #2 of Stored XSS
22:12 ▶️ The answer to the ultimate question of life, the universe, and everything.
22:56 ▶️ Stored vs Reflected XSS
24:22 ▶️ AngularJS / Client Side Template Injection
25:06 ▶️ Don't use JavaScript?
26:09 ▶️ Where to learn more // XSS Survival Guide
27:04 ▶️ DOM Based XSS
29:36 ▶️ List of DOM sinks
30:12 ▶️ jQuery DOM sinks
32:15 ▶️ XSS Rat Live Training
33:00 ▶️ Support XSS Rat // Wesley
34:06 ▶️ Closing // Thanks, Wesley!

// Demo Sites //
XSS Labs: https://hackxpert.com/labs/RXSS/GET/
Labs site: https://hackxpert.com/labs
Rat Site: https://hackxpert.com/ratsite

// David's SOCIAL //
Discord: https://discord.com/invite/usKSyzb
Twitter: https://www.twitter.com/davidbombal
Instagram: https://www.instagram.com/davidbombal
LinkedIn: https://www.linkedin.com/in/davidbombal
Facebook: https://www.facebook.com/davidbombal.co
TikTok: http://tiktok.com/@davidbombal
YouTube: https://www.youtube.com/davidbombal

// XSS Rat SOCIAL //
Twitter: https://twitter.com/theXSSrat
YouTube: youtube.com/c/TheXSSrat
Website: https://thexssrat.podia.com/

// XSS Rat's Udemy course //
XSS Survival Guide: https://www.udemy.com/course/xss-surv...

// XSS Rat's courses and bootcamps //
https://thexssrat.podia.com/

// MY STUFF //
https://www.amazon.com/shop/davidbombal

// SPONSORS //
Interested in sponsoring my videos? Reach out to my team here: sponsors@davidbombal.com

Keywords: xss cross site scripting portswigger ajax jscript javascript xss attack xss video tutorial xss attack tutorial xss explained xss attack example xss bug bounty xss tutorial xss vulnerability xss vs csrf attack xss example xsser xsssa facebook xsssa kali linux penetration testing ethical hacking bug bounty cross site scripting cross-site scripting red teaming cyber security kali linux install kali linux 2022 ethical hacker course ethical hacker javascript ajax jquery node js node js hacking portswigger

Please note that links listed may be affiliate links and provide me with a small percentage/kickback should you use them to purchase any of the items listed or recommended. Thank you for supporting me and this channel! #xss #javascript #hacking

Modernize or Die ® Podcast - CFML News Edition
Modernize or Die® - CFML News for February 1st, 2021 - Episode 133
Feb 1, 2022, 58:29


2022-02-01 Weekly News - Episode 133
Watch the video version on YouTube at https://youtu.be/6tJ1eEzQ398

Hosts:
Eric Peterson - Senior Developer for Ortus Solutions
Brad Wood - Software Consultant for Ortus Solutions

Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways to say thanks back to Ortus Solutions:
- Like and subscribe to our videos on YouTube.
- Star and Fork our Repos
- Subscribe to our Podcast on your Podcast Apps and leave us a review
- Sign up for a free or paid account on CFCasts, which is releasing new content every week
- Buy Ortus's Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)

Patreon Support
We have 37 patreons providing 96% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.

News and Events

State of the CF Union 2022 Survey Released
Help us find out the state of the CF Union – what versions of CFML Engine do people use, what frameworks, tools etc.
https://teratech.com/state-of-the-cf-union-2022-survey

ICYMI - Ortus Webinar - cbwire + Alpine.js with Grant Copley
In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.
https://cfcasts.com/series/ortus-webinars-2022/videos/grant-copley-on-cbwire-+-alpine_js

Hawaii CFUG - Using CFCs in your ColdFusion Applications with John Barrett
Friday, February 25, 2022 - 5:00 PM CT - Central Time (US and Canada)
This will be a talk on using CFCs in your ColdFusion applications. Creating and developing applications using CFCs enables you to separate the code logic from the design and presentation. Utilizing CFCs and creating a clear structured format for your code will help reduce the complexity of logic within your pages and improve the application speed. Having a clearly structured, well-organized code base will make it easier to develop as an individual and share resources within a team. This is the instant benefit of CFC development.
https://www.meetup.com/hawaii-coldfusion-meetup-group/events/283506895/
https://cfhawaii.net/

CommandBox Workflow Magic (modules to speed up CF development), with Brad Wood
Brad Wood talks about “CommandBox Workflow magic (modules to speed up CF development)” in this episode of the CF Alive Podcast, with host Michaela Light.
https://teratech.com/podcast/commandbox-workflow-magic-modules-to-speed-up-cf-development-with-brad-wood/

Adobe Workshops
More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx. 2 dates announced:
February 2, 2022 - 9.00 AM - 4.30 PM CET (Central European Time) / 1.30 PM - 9.00 PM IST (Indian Standard Time)
March 09, 2022 - 9.00 AM - 4.30 PM CET (Central European Time) / 1.30 PM - 9.00 PM IST (Indian Standard Time)
Register online at https://cf-workshop.meetus.adobeevents.com/

CFCasts Content Updates
https://www.cfcasts.com
Just Released
Webinars 2022 - Grant Copley on cbwire + Alpine.js - https://cfcasts.com/series/ortus-webinars-2022/videos/grant-copley-on-cbwire-+-alpine_js
Coming soon
Into the Box LATAM

Conferences and Training

ICYMI - VueJS Nation Conference
Online Live Event
January 26th & 27th 2022
Register for Free and Watch the VODs
https://vuejsnation.com/

DevNexus 2022
April 12-14, 2022
Atlanta, GA
Brad & Luis will be speaking
Luis - Alpine.js: Declare and React with Simplicity
Brad - What's a Pull Request? (Contributing to Open Source)
https://devnexus.com/

Into The Box 2022
Tentative dates - September 27-30

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/

Blogs, Tweets, and Videos of the Week

Tweet - Brad Wood - X-Forwarded-For in CommandBox vNext
Fair warning -- for a more secure-by-default behavior, CommandBox vNext will no longer trust X-Forwarded-For HTTP headers unless you configure it to. This is to prevent IP-based access control being circumvented. https://ortussolutions.atlassian.net/browse/COMMANDBOX-1424 #CFML #ColdFusion #InfoSec #SecureByDefault
https://twitter.com/bdw429s/status/1486763129216409620
https://twitter.com/bdw429s

Tweet - Zac Spitzer - M1 support in Lucee 5.3.9.61-SNAPSHOT
Just merged in native M1 support for Macs in Lucee 5.3.9.61-SNAPSHOT. RC1 comes out next week; we've just been battling getting rid of the last vestiges of log4j1. Try it out via #Commandbox https://luceeserver.atlassian.net/browse/LDEV-3536 #lucee #cfml
https://twitter.com/zackster/status/1487109711451377666
https://twitter.com/zackster

Supplemental - Dan Abramov - npm audit: Broken by Design
Commentary about the auditing woes
https://overreacted.io/npm-audit-broken-by-design/

Blog - Ben Nadel - I Always Design The Database Schema First, Then The ColdFusion Code
Throughout my career, I've often heard that it is a best practice to design your "Domain Objects" and your "Business Logic" first and then, eventually, to design a database schema that allows your domain objects to be persisted. I've even seen many ORM (Object-Relational Mapping) systems that will happily churn-out database schemas based solely on your Objects (and their metadata). Personally, I've never done this. In fact, I find this approach to be antagonistic to how my brain operates. When I'm working on a ColdFusion application (or a feature therein), I always start with the database schema first and then layer the ColdFusion application upon it using an iterative, ground-up approach.
https://www.bennadel.com/blog/4191-i-always-design-the-database-schema-first-then-the-coldfusion-code.htm

Blog - Ben Nadel - Turning Off "InvalidTag" ScriptProtect Safely In ColdFusion 2021
The other day, I wrote an article about dynamically generating tags using Umbrella JS. Historically, writing about the tag has been somewhat challenging - from a technical standpoint - because the ColdFusion server goes out of its way to protect you from persisted Cross-Site Scripting (XSS) attacks. It does this by scanning input scopes (ex, url, form, cgi, cookie) and replacing suspicious tag names (ex, script, object, embed, applet, iframe) with the phrase "InvalidTag". I was able to turn this behavior off using the Application.cfc setting, this.scriptProtect="none". This feels like a scary step, however; so, I wanted to just think out loud about why this is safe to do in my particular context.
https://www.bennadel.com/blog/4194-turning-off-invalidtag-scriptprotect-safely-in-coldfusion-2021.htm

Blog - Ben Nadel - Ask Ben: Converting An XML Document Into A Nested ColdFusion Struct
It's been a long, long time since I've done an Ask Ben question; but, I recently received a question about XML document parsing in ColdFusion and I thought this would be a good opportunity to get back into the swing of things. In this post, I'm going to be using a recursive, depth-first traversal algorithm to iteratively create a nested structure based on an XML configuration document.
https://www.bennadel.com/blog/4193-ask-ben-converting-an-xml-document-into-a-nested-coldfusion-struct.htm

CFML Jobs
Several positions available on https://www.getcfmljobs.com/
Listing over 32 ColdFusion positions from 20 companies across 20 locations in 5 Countries
3 new jobs listed
Full-Time - Software Developer - ColdFusion at Overland Park, KS - United States - Jan 27
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Software-Developer-ColdFusion-at-Overland-Park-KS/11418
Full-Time - Software Developer - Database and ColdFusion Developer at Hobart TAS - Jan 27
https://www.getcfmljobs.com/jobs/index.cfm/australia/Database-and-ColdFusion-Developer-at-Hobart-TAS/11419
Full-Time - Software Developer - Coldfusion Developer at Halifax, ON - United States - Jan 27
https://www.getcfmljobs.com/jobs/index.cfm/canada/Coldfusion-Developer-at-Halifax-ON/11417
Other Job Links
https://www.venntro.com/careers

ForgeBox Module of the Week
totp
By Ortus Solutions
A CFML Implementation of Time-based One-time Passwords. Create secrets, authenticator urls, and QR codes for new TOTP tokens. Generate tokens and verify those tokens using the given secrets.
https://forgebox.io/view/totp

VS Code Hint Tips and Tricks of the Week
Hyper Key
This idea involves mapping Shift-Control-Option-Command to the caps lock key. Using the hyper key opens your keyboard up to a ton of new easily triggered shortcuts.
Mac: https://www.macsparky.com/blog/2021/2/hyper-key-via-bettertouchtool/
Windows: https://gist.github.com/mitcdh/33aaf96ce2636d0c9e8ed9473059fa93
Linux: https://askubuntu.com/questions/1133312/how-do-i-remap-caps-lock-to-hyper-key-in-ubuntu-18-04

Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure the great toolings like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and funds the cloud infrastructure that our community relies on, like ForgeBox for our Package Management with CommandBox. You can support us on Patreon here https://www.patreon.com/ortussolutions
Now offering Annual Memberships, pay for the year and save 10% - great for businesses. Bronze Packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription. All Patreon supporters have a Profile badge on the Community Website. All Patreon supporters have their own Private Forum access on the Community Website https://community.ortussolutions.com/

Patreons
John Wilson - Synaptrix, Eric Hoffman, Gary Knight, Mario Rodrigues, Giancarlo Gomez, David Belanger, Jonathan Perret, Jeffry McGee - Sunstar Media6, Dean Maunder, Joseph Lamoree, Don Bellamy, Jan Jannek, Laksma Tirtohadi, Carl Von Stetten, Dan Card, Jeremy Adams, Jordan Clark, Matthew Clemente, Daniel Garcia, Scott Steinbeck - Agri Tracking Systems, Ben Nadel, Mingo Hagen, Brett DeLine, Kai Koenig, Charlie Arehart, Jonas Eriksson, Jason Daiger, Jeff McClain, Shawn Oden, Matthew Darby, Ross Phillips, Edgardo Cabezas, Patrick Flynn, Stephany Monge, Kevin Wright, Steven Klotz
You can see an up to date list of all sponsors on Ortus Solutions' Website https://ortussolutions.com/about-us/sponsors

★ Support this podcast on Patreon ★

Day[0] - Zero Days for Day Zero
[bounty] Bad Code and Bad URLs
Jan 18, 2022, 36:49


Links and vulnerability summaries for this episode are available at: https://dayzerosec.com/podcast/bad-code-and-bad-urls.html

This week is a shorter episode looking at some bad code in mermaid.js and Moodle's Shibboleth plugin, and a bit of research regarding URL parsing issues.

[00:00:44] Orca Security Discovered Two AWS Vulnerabilities
[00:06:44] Cross-Site Scripting (XSS) in mermaid.js
[00:12:41] Pre-Auth RCE in Moodle Part II - Session Hijack in Moodle's Shibboleth
[00:20:24] Exploiting URL Parsing Confusion Vulnerabilities

The DAY[0] Podcast episodes are streamed live on Twitch (@dayzerosec) twice a week: Mondays at 3:00pm Eastern (Boston) we focus on web and more bug bounty style vulnerabilities; Tuesdays at 7:00pm Eastern (Boston) we focus on lower-level vulnerabilities and exploits. The video archive can be found on our YouTube channel: https://www.youtube.com/c/dayzerosec You can also join our discord: https://discord.gg/daTxTK9 Or follow us on Twitter (@dayzerosec) to know when new releases are coming.

Modernize or Die ® Podcast - CFML News Edition
Modernize or Die® - CFML News for January 11th, 2021 - Episode 130
Jan 11, 2022, 53:19


2022-01-11 Weekly News - Episode 130
Watch the video version on YouTube at https://youtu.be/BkIKAlDLFkQ

Hosts:
Gavin Pickin - Senior Software Developer for Ortus Solutions
Eric Peterson - Senior Software Developer for Ortus Solutions

Thanks to our Sponsor - Ortus Solutions
The makers of ColdBox, CommandBox, ForgeBox, TestBox and almost every other Box out there. A few ways to say thanks back to Ortus Solutions:
- Like and subscribe to our videos on YouTube.
- Subscribe to our Podcast on your Podcast Apps and leave us a review
- Sign up for a free or paid account on CFCasts, which is releasing new content every week
- Buy Ortus's Book - 102 ColdBox HMVC Quick Tips and Tricks on GumRoad (http://gum.co/coldbox-tips)

Patreon Support
We have 37 patreons providing 97% of the funding for our Modernize or Die Podcasts via our Patreon site: https://www.patreon.com/ortussolutions.

News and Events

Upcoming Ortus Webinar - cbwire + Alpine.js with Grant Copley
January 28, 2022 - 11:00 AM CT - Central Time (US and Canada)
In this webinar, Grant, lead developer for cbwire, will showcase how to build modern, reactive CFML apps easily using very little JavaScript.
Register today: https://www.ortussolutions.com/events/webinars

Log4j Updates
Log4j-2.17.1 patch released. CommandBox images updated with the latest log4j patched jars. Adobe has an updated technote: https://helpx.adobe.com/coldfusion/kb/log4j-2-17-0-vulnerability-coldfusion.html Other libraries like Spreadsheet-CFML have updated as well.
Note: Log4j2 support in Lucee 5.3 is coming along for 5.3.9

‘Elephant Beetle' Lurks for Months in Networks
The group blends into an environment before loading up trivial, thickly stacked, fraudulent financial transactions too tiny to be noticed but adding up to millions of dollars. This beetle adores Java. The group is “highly proficient” with Java-based attacks and often targets legacy Java apps running on Linux machines – primarily, the Java-based web servers WebSphere and WebLogic – as a means of initial entry to a target environment, the researchers explained. Beyond that, Elephant Beetle even deploys its own, complete Java web application to do the gang's bidding on compromised machines that are, meanwhile, chugging along, running legitimate apps.
https://threatpost.com/elephant-beetle-months-networks-financial/177393/?fbclid=IwAR0ytUYx0IOxiNXIUE1jHvqDV0ltP_hBf7XCdEyLEYHfSaKadwf01xPkHLI

Adobe Workshops
More Adobe #ColdFusion Workshops announced, led by Damien Bruyndonckx. 2 dates announced:
February 2, 2022 - 9.00 AM - 4.30 PM CET / 1.30 PM - 9.00 PM IST
March 09, 2022 - 9.00 AM - 4.30 PM CET / 1.30 PM - 9.00 PM IST
https://cf-workshop.meetus.adobeevents.com/

AngularJS EOL'ed 12/31/2021
As AngularJS is faced with an uncertain future, many teams are searching for answers to the current hot topic: if you are using AngularJS, do you continue to maintain your AngularJS applications or do you migrate your applications to another framework? This is not an easy (or cheap) question to answer. In this article, we'll go over some of the reasons why you should consider migrating your AngularJS applications, and some ideas on how to plan and budget for a successful migration.
https://www.thisdot.co/blog/why-you-should-consider-migrating-from-angularjs-to-vue

CFCasts Content Updates
https://www.cfcasts.com
Just Released
Into the Box 2021 sessions are now all FREE - https://cfcasts.com/series/into-the-box-2021
Coming soon
Into the Box LATAM
Send your suggestions at https://cfcasts.com/support

Conferences and Training

VueJS Nation Conference
Online Live Event
January 26th & 27th 2022
Register for Free
https://vuejsnation.com/

More conferences
Need more conferences? This site has a huge list of conferences for almost any language/community.
https://confs.tech/

Blogs, Tweets and Videos of the Week

Tweet - Adam Cameron - TIL something new about CFOUTPUT
I cannot go into details of why this is a good find, but I was unaware that one can pass an encoding algorithm name like `` (and a bunch of others) which will automatically escape the values in `#expression#`. Didn't know that.
https://cfdocs.org/cfoutput
https://twitter.com/adam_cameron/status/1480624980668915716
https://twitter.com/adam_cameron

Tweet - James Moberg - Microsoft taking log4j stuff seriously.
While performing some #coldfusion unit testing to identify #log4j exploit attempts (that my WAF may miss), I had to obfuscate the test strings or @msftsecurity would instantly quarantine & report the script. It's good to see that Microsoft is taking this seriously. #cfml
https://twitter.com/gamesover/status/1476347523245694984
https://twitter.com/gamesover

Blog - James Moberg - Log4j Exploit Pattern Detection Using ColdFusion/CFML
Here are my initial attempts at trying to detect Log4j exploit attempts that may make it past our WAF/service provider protections. While our WAF stopped requests from Trend Micro's Log4j Tester, obfuscated requests made it through. At time of testing, Azure wasn't blocking requests. I had to be a little careful with the script as Windows kept instantly quarantining the CFM files and prevented ColdFusion from executing the template.
2021-12-29: Updated rules based on Google Cloud article to additionally block rmi, ldaps & dns (in addition to stripping whitespace.)
https://dev.to/gamesover/log4j-exploit-pattern-detection-using-coldfusioncfml-4l17

Tweet - Zac Spitzer - Show some love for the VS Code CFML Extension
Awesome to see some activity on the vscode-cfml extension, a new minor release coming soon. If you use it, please show some love and star the repo https://github.com/KamasamaK/vscode-cfml #lucee #coldfusion #cfml
https://twitter.com/zackster/status/1476206001384828929
https://twitter.com/zackster

Blog - Ben Nadel - Building An API Client With The fetch() API In JavaScript
In my continued effort to modernize this blog, I'm thinking about trying to replace the jQuery library with more modern techniques. I don't personally have anything against jQuery; but, by replacing it, I'll have an opportunity to learn newer - and hawter - JavaScript APIs (at the expense of robust browser support). Case in point, I want to replace the jQuery.ajax() method with a fetch()-based API client. I've never used the fetch() method before; so, this will be an exciting exploration! When consuming an API, you should always create an API client…
https://www.bennadel.com/blog/4179-building-an-api-client-with-the-fetch-api-in-javascript.htm

Blog - Ben Nadel - Showing A Comment Preview As You Type On This Blog
Since comments, on this blog, are authored using Markdown (and ColdFusion), there is a delta between what you write in the intake form and what is eventually rendered in the HTML. Much of the time, this delta is expected; however, if you have small errors in your markdown syntax, you can end up with HTML that does not reflect what you had intended to publish. To help narrow the gap between input and output, I've added a comment preview functionality to this blog.
https://www.bennadel.com/blog/4178-showing-a-comment-preview-as-you-type-on-this-blog.htm

Blog - Ben Nadel - Mitigating Cross-Site Scripting (XSS) Attacks With A Strict Content Security Policy (CSP) In ColdFusion 2021
As I continue to evolve my blogging platform, bringing it into the modern ColdFusion era, I'm trying to catch up on best practices. Of course, I've always used SQL query parameterization to block SQL injection attacks. And, I use encodeForHtml() and encodeForHtmlAttribute() in as many places as is feasible. And when converting user-provided markdown into HTML, I use the OWASP Anti-Samy project to sanitize the HTML output. But, one thing I've never had is a Content Security Policy (CSP). A CSP is yet another line-of-defense in the war against Cross-Site Scripting (XSS) attacks.
CAUTION: I Am Not A Security Expert
https://www.bennadel.com/blog/4176-mitigating-cross-site-scripting-xss-attacks-with-a-strict-content-security-policy-csp-in-coldfusion-2021.htm

Blog - Ben Nadel - preserveCaseForStructKey Doesn't Work Inside Application.cfc In Adobe ColdFusion 2021
Over the New Year's holiday, I ran into a rather peculiar behavior regarding the preservation of key-casing and the serializeJson() function in Adobe ColdFusion 2021. It appears that the serialization setting for preserveCaseForStructKey doesn't apply to code that resides physically within the Application.cfc life-cycle event handlers. To demonstrate this, we can set up a simple demo in which we serialize data across the event handlers and then dump-out the response:
https://www.bennadel.com/blog/4175-preservecaseforstructkey-doesnt-work-inside-application-cfc-in-adobe-coldfusion-2021.htm

Blog - Ben Nadel - Posting Comments Using Reply Emails And Postmark's Inbound Streams In ColdFusion 2021
I've been a very happy Postmark customer for the last decade. Their SMTP and API services make sending and receiving emails absurdly simple. And, their Inbound webhooks allow you to treat Postmark as a reverse proxy that transforms inbound email delivery into API calls (webhooks) against your own servers. I've been wanting to use this feature on my blog forever; however, I was always afraid that it would lead to massive abuse. That said, in response to a recent spam attack, I was forced to add comment moderation. Which means, I can safely start playing with reply-based comment posting using Postmark's Inbound stream!
https://www.bennadel.com/blog/4174-posting-comments-using-reply-emails-and-postmarks-inbound-streams-in-coldfusion-2021.htm

Blog - Ben Nadel - Centralizing The Error Response Handling For My ColdFusion Blog
If you've noticed that my blog has been quite quiet over the last few weeks, it's because I've dedicated December to modernizing and upgrading my blogging infrastructure. The refactoring has been extensive, to say the least; and, on the list of things that I've wanted to do for a long time is centralizing my error response handling in my ColdFusion code. It took me several days to find, factor-out, and normalize my errors; but, I think I have it at a point that I can easily refine and evolve going forward.
https://www.bennadel.com/blog/4173-centralizing-the-error-response-handling-for-my-coldfusion-blog.htm

CFML Jobs
Several positions available on https://www.getcfmljobs.com/
Listing over 256 ColdFusion positions from 111 companies across 131 locations in 5 Countries.
7 new jobs listed
Contract - CFML Developer at Remote - United States - Jan 11
https://www.getcfmljobs.com/viewjob.cfm?jobid=11407
Full-Time - Software Developer - ColdFusion at Overland Park, KS - United States - Jan 11
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Software-Developer-ColdFusion-at-Overland-Park-KS/11406
Full-Time - IT Engineer Applications (Coldfusion developer/admin) : 19-0.. - United States - Jan 11
https://www.getcfmljobs.com/jobs/index.cfm/united-states/IT-Engineer-Applications-Coldfusion-developeradmin-1905340-at-Portland-OR/11405
Full-Time - Senior Coldfusion Developer |LATAM| at Colon, PA - United States - Jan 11
https://www.getcfmljobs.com/jobs/index.cfm/united-states/Senior-Coldfusion-Developer-LATAM-at-Colon-PA/11404
Full-Time - ColdFusion Developer at Virtual, US - United States - Jan 10
https://www.getcfmljobs.com/jobs/index.cfm/united-states/ColdFusionDev-US/11403
Full-Time - Remote Software Developer (Cold Fusion) at Mississauga, ON - Canada - Dec 31
https://www.getcfmljobs.com/jobs/index.cfm/canada/Remote-CFDev-at-ON-CA/11401
Full-Time - Fresh Software Engineer ( For ColdFusion Only) at Ahmedabad,.. - India - Dec 30
https://www.getcfmljobs.com/jobs/index.cfm/india/Fresh-Software-Engineer-For-ColdFusion-Only-at-Ahmedabad-Gujarat/11402

ForgeBox Module of the Week
JSON-Diff
By Scott Steinbeck
A ColdFusion utility for checking if 2 JSON objects have differences. Call JSONDiff.diff to get a detailed list of changes made between the JSON objects. Call JSONDiff.isSame to get a simple boolean true or false.
https://www.forgebox.io/view/jsondiff

VS Code Hint Tips and Tricks of the Week
Excel Viewer
If you're working with data, there's a high chance that you'll also encounter an excel spreadsheet in some form. Excel Viewer makes it easy to deal with excel data in your VS Code editor by formatting long and comma-separated strings into a tabled format. This can work wonders for your .csv, .tsv, and .tab extensions.
https://marketplace.visualstudio.com/items?itemName=GrapeCity.gc-excelviewer

Funny link: https://twitter.com/dawntraoz/status/1479490317766336518

Thank you to all of our Patreon Supporters
These individuals are personally supporting our open source initiatives to ensure the great toolings like CommandBox, ForgeBox, ColdBox, ContentBox, TestBox and all the other boxes keep getting the continuous development they need, and funds the cloud infrastructure that our community relies on, like ForgeBox for our Package Management with CommandBox. You can support us on Patreon here https://www.patreon.com/ortussolutions
Now offering Annual Memberships, pay for the year and save 10% - great for businesses. Bronze Packages and up now get ForgeBox Pro and CFCasts subscriptions as a perk for their Patreon Subscription. All Patreon supporters have a Profile badge on the Community Website. All Patreon supporters have their own Private Forum access on the Community Website https://community.ortussolutions.com/

Patreons
John Wilson - Synaptrix, Eric Hoffman, Gary Knight, Mario Rodrigues, Giancarlo Gomez, David Belanger, Jonathan Perret, Jeffry McGee - Sunstar Media6, Dean Maunder, Joseph Lamoree, Don Bellamy, Jan Jannek, Laksma Tirtohadi, Carl Von Stetten, Dan Card, Jeremy Adams, Jordan Clark, Matthew Clemente, Daniel Garcia, Scott Steinbeck - Agri Tracking Systems, Ben Nadel, Mingo Hagen, Brett DeLine, Kai Koenig, Charlie Arehart, Jonas Eriksson, Jason Daiger, Jeff McClain, Shawn Oden, Matthew Darby, Ross Phillips, Edgardo Cabezas, Patrick Flynn, Stephany Monge, Kevin Wright, Steven Klotz
You can see an up to date list of all sponsors on Ortus Solutions' Website https://ortussolutions.com/about-us/sponsors

★ Support this podcast on Patreon ★

Tech Writer koduje
#38 Tech Writer fights hackers, or how to take care of documentation security

Tech Writer koduje

Play Episode Listen Later Jan 10, 2022 46:12


The old saying "Dance like nobody's watching" unfortunately does not hold in the context of documentation. A Tech Writer should rather follow the rule "Encrypt everything as if the whole world wanted to read what you have to hide". With Mateusz Olejarka, a specialist in web application security, we talk about what we should pay attention to in the documentation process so that the documentation is secure. You will learn where potential threats lurk and how to deal with them. The sounds used in the show come from the "107 Free Retro Game Sounds" collection available at https://dominik-braun.net, made available under the Creative Commons license CC BY 4.0.
Additional information:
Amazon S3: https://aws.amazon.com/s3/
"README.md, czyli historia zbyt pomocnego pliku": http://techwriter.pl/readme-md-czyli-historia-zbyt-pomocnego-pliku/
SmartDeblur: http://smartdeblur.net/
Fake Name Generator: https://www.fakenamegenerator.com/
DumpsterDiver: https://github.com/securing/DumpsterDiver
MD5: https://pl.wikipedia.org/wiki/MD5
"Security agencies leak sensitive data by failing to sanitize PDF files": https://therecord.media/security-agencies-leak-sensitive-data-by-failing-to-sanitize-pdf-files/
FOCA (Fingerprinting Organizations with Collected Archives): https://github.com/ElevenPaths/FOCA
"FBI used Instagram, an Etsy review, and LinkedIn to identify a protestor accused of arson": https://www.theverge.com/2020/6/18/21295301/philadelphia-protester-arson-identified-social-media-etsy-instagram-linkedin
"What is typosquatting and how typosquatting attacks are responsible for malicious modules in npm": https://snyk.io/blog/typosquatting-attacks/
Cross Site Scripting (XSS): https://owasp.org/www-community/attacks/xss/
Wayback Machine: https://web.archive.org/
Okta: https://www.okta.com/
Single Page Application (SPA): https://pl.wikipedia.org/wiki/Single_Page_Application
JSON Web Token (JWT): https://jwt.io/
Non-disclosure agreement (NDA): https://en.wikipedia.org/wiki/Non-disclosure_agreement
Kevin Mitnick: https://en.wikipedia.org/wiki/Kevin_Mitnick
Mateusz Olejarka's LinkedIn profile: https://pl.linkedin.com/in/molejarka

Talking Drupal
Talking Drupal #326 - Session Recording - An Update

Talking Drupal

Play Episode Listen Later Dec 20, 2021 69:34


Today we are talking about The Session Recording Initiative with Kevin Thull. TalkingDrupal.com/326
Topics
John - Getting ready for xmas
Kevin - B Movie marathon Santa and the Ice Cream Bunny
Nic - New mic location
Beginning of Recording Initiative
Number of camps annually
The "Kit"
Effects of the Pandemic
Pipeline
Tips and tricks
Future of the initiative
Resources
Santa and the Ice Cream Bunny
Santa Claus Conquers the Martians
DRI on Open Collective
Github docs
Descript (transcript-based video editing)
Recording history Episode 146
Hosts
Nic Laflin - www.nLighteneddevelopment.com @nicxvan
John Picozzi - www.epam.com @johnpicozzi
Kevin Thull - @kevinjthull
MOTW
CSP
The Content-Security-Policy header allows your Drupal site to inform browsers of trusted sources for JavaScript, CSS, and other external resources. This adds a security layer to detect and mitigate the risk of Cross Site Scripting (XSS), data injection, and other vulnerabilities.

Absolute AppSec
Episode Ep. 141 - print(), Cross-Site Scripting (XSS), RiskIQ, Amass Demo

Absolute AppSec

Play Episode Listen Later Jul 13, 2021


Just two grumpy old men with some AppSec sprinkled in. Topics this week include new research from PortSwigger using print() to bypass new Chrome XSS iframe restrictions, how XSS is still the best (and worst) issue we deal with, and Microsoft's acquisition of RiskIQ.

Segfault.fm
0x14 Web-Security 101

Segfault.fm

Play Episode Listen Later Apr 16, 2021 145:21


Description: In this episode we talk about web security and explain the fundamental attacks, such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection, and the defenses against them. Enjoy listening!
Show notes:
RFC 2616 - Hypertext Transfer Protocol – HTTP/1.1
Segfault.fm Episode 0x0f TLS
Same-origin policy - Web security
Paper: How the Web Tangled Itself: Uncovering the History of Client-Side Web (In)Security
Segfault.fm Episode 0x05 Android Hardening
Segfault.fm Episode 0x11 Authentifizierung
Register: Google (finally) adds protection for common Web 2.0 attack CSRF
WordPress passwords, explained and cracked
draft-west-cookie-incrementalism-00 - Incrementally Better Cookies
OWASP Top Ten
X-XSS-Protection
X-Content-Type-Options
X-Frame-Options
Clickjacking - Wikipedia
sqlmap
xkcd: Exploits of a Mom
SQLite3 Injection Cheat Sheet
Content-Security-Policy Header ⟶ CSP Reference & Examples
CSP Is Dead, Long Live CSP! On the Insecurity of Whitelists and the Future of Content Security Policy
XSS Auditor - The Chromium Projects
WP: Jon Postel
WP: Robustness principle

Working Code
011: Listener Questions #1

Working Code

Play Episode Listen Later Feb 24, 2021 69:36


Cunningham's Law ( https://meta.wikimedia.org/wiki/Cunningham%27s_Law ) states:

> The best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer.

The crew recently experienced a bit of this law first hand in response to their episode on Testing ( https://workingcode.dev/episodes/009-testing/ ). Adam Cameron ( http://blog.adamcameron.me/ ) - friend of the show and long-time friend of the hosts - posted a scathing (but loving) rebuttal ( http://blog.adamcameron.me/2021/02/thoughts-on-working-code-podcasts.html ) of basically everything that Ben said in episode 009. This week, the crew meets to discuss Adam's post; and, to dig more deeply into how testing gets applied in real world scenarios. The crew also attempts to pick apart the relationship between DevOps and engineering - a question posed by @LD2 ( https://twitter.com/LD2/status/1357493535088332801 ). Just don't ask us (or anyone) to define what exactly DevOps is; ask 10 different people and you'll get 15 different answers.

Oh, and Adam totally built a website for the show ( https://workingcode.dev/ )! So, heck yeah! It's built on Eleventy ( https://www.11ty.dev/ ) and is generated based on Markdown files.

*Triumphs & Failures*
* Adam's Triumph / Failure - His application had a Cross-Site Scripting (XSS) vulnerability that was exploited. Which is definitely unfortunate. However, he was able to take a bad situation and turn it into an opportunity to practice transparency, clear communication, and a sense of urgency with his customers. In fact, in the end, he was commended by his customers for how well he handled the situation.
* Ben's Triumph - He attached some analytics to a user interface (UI) within his application and suddenly a part of the application which has historically been a blackbox was transformed into a rich, emotional experience in which he could "see" users actually consuming the tools that he built. This recent adoption of analytics (into his workflow) has forever changed the way that he will think about what is and is not an important part of the application that he's building. It's amazing how powerful "user empathy" can be to an engineer's motivation.
* Carol's Triumph - Her company is over-committed in terms of the work that they have on their schedule. But, instead of making the engineers freak-out over this planning problem, her managers are doing their job right and are protecting their reports from the organizational chaos. It's rare to see managers that understand how to manage both up and down within a company hierarchy! As Adam says in the episode, a good manager is worth their weight in gold.
* Tim's Triumph - His frustration over debugging an issue in Redis had grown to the point where he was walking around his house angry. But, instead of trying to "just muscle through it", he decided to step back, be kind to himself, and take a break.

> ASIDE: You won't know this from the current recording but this break gave him the opportunity to rethink the problem and ultimately come back and figure out what was going wrong. Such is the magic of mental rest and relaxation!

*Notes & Links*
* OWASP: XSS ( https://owasp.org/www-community/attacks/xss/ ) - consistently on the Top 10 vulnerabilities outlined by the Open Web Application Security Project (OWASP).
* Data Breach Response Plan - an organizational play that outlines how a company responds to data breaches, how quickly they have to notify users, and what immediate and longer-term steps they have to take to mitigate such breaches in the future.
* Shattered Glass ( https://www.imdb.com/title/tt0323944 ) - a movie in which Hank Azaria's character demonstrates excellent managerial skills.
* Segment ( https://segment.com/ ) - a popular data pipeline and aggregation platform.
* Amplitude ( https://amplitude.com/ ) - a popular analytics platform for digital teams.
* Eleventy ( https://www.11ty.dev/ ) - a simpler static site generator.
* Adam Cameron: Thoughts on Working Code podcast's Testing episode ( http://blog.adamcameron.me/2021/02/thoughts-on-working-code-podcasts.html ) - the rebuttal that we discuss on the show.
* Cunningham's Law ( https://meta.wikimedia.org/wiki/Cunningham%27s_Law ) - states, "the best way to get the right answer on the internet is not to ask a question; it's to post the wrong answer."
* Test-Driven Development ( https://en.wikipedia.org/wiki/Test-driven_development ) - a test-first methodology for software application development.
* Singleton Pattern ( https://en.wikipedia.org/wiki/Singleton_pattern ) - a software design pattern that restricts the instantiation of a class to one "single" instance.
* Corey Haines ( https://articles.coreyhaines.com/ ) - a well known programmer in the Ruby and testing worlds.
* Ben Nadel: Singleton vs. Single Instance And A Decade Of Unnecessary Guilt ( https://www.bennadel.com/blog/3380-singleton-vs-single-instance-and-a-decade-of-unnecessary-guilt.htm ) - the realization that everything he thought about the "Singleton Pattern" was wrong.
* DevOps - who the heck knows what it actually is - platform things mostly? Code++? A mindset? A job title?

Follow the show! Our website is workingcode.dev ( https://workingcode.dev/ ) and we're @WorkingCodePod on Twitter ( https://twitter.com/WorkingCodePod ) and Instagram ( https://www.instagram.com/workingcodepod/ ). New episodes weekly on Wednesday. And, if you're feeling the love, support us on Patreon ( https://www.patreon.com/workingcodepod ).

SPICYDOG's TechTalks
SPICYDOG's TechTalks EP 35 - Cross Site Scripting (XSS)

SPICYDOG's TechTalks

Play Episode Listen Later Dec 24, 2020 51:02


We talk about Cross Site Scripting (XSS), an attack on web applications carried out through the rendering of HTML and JavaScript. Let's look at how it works, how it is attacked, how to defend against it, and how you can make money from it!

Relating to DevSecOps
Episode #013: How a backend engineer looks at XSS

Relating to DevSecOps

Play Episode Listen Later Oct 3, 2020 49:11


Simon gives his perspective on Cross-Site Scripting (XSS) and we dig into some of the common protections. We also cover different views between front and back end development and where the responsibility lies for teams facing this issue. We start to unpack the importance of the product, context, and user experience as it pertains to browser attacks.

Day[0] - Zero Days for Day Zero
Relyze Decompiler, jQuery XSS, Sandbox Escaping and 0-Click Mail RCE

Day[0] - Zero Days for Day Zero

Play Episode Listen Later Apr 28, 2020 124:41


Since we forgot to cover it when it came out, we look at Relyze's new decompiler that is available in the free version. There is also some sandbox escaping, some crypto issues (AMD's SME/SEV) and even some IBM 0days.
[00:00:33] Relyze Decompiler
[00:22:06] Firefox's Bug Bounty in 2019 and into the Future
[00:30:29] Source code for both CS:GO and TF2 Leaked
[00:38:58] Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS
[00:44:34] MSI TrueColor Unquoted Service Path Vulnerability
[00:48:43] 1-click RCE on Keybase
[00:55:56] jQuery < 3.5 Cross-Site Scripting (XSS) in html() https://xss.pwnfunction.com/challenges/ww3/
[01:01:37] Multiple 0 day vulnerabilities in IBM Data Risk Manager
[01:17:24] You Won't Believe what this One Line Change Did to the Chrome Sandbox https://docs.microsoft.com/en-us/archive/blogs/david_leblanc/practical-windows-sandboxing-part-1
[01:23:58] You've Got (0-click) Mail!
[01:31:29] Sharing a Logon Session a Little Too Much
[01:37:00] SEVurity: No Security Without Integrity - Breaking Integrity-Free Memory Encryption with Minimal Assumptions https://0x0539.net/play/fangorn/crypto_cookie
[01:47:10] MarkUs: Drop-in Use-After-Free Prevention for Low-Level Languages
[01:54:37] Android 8.0-9.0 Bluetooth Zero-Click RCE [CVE-2020-0022]
[01:57:26] Patchguard: Detection of Hypervisor Based Introspection https://revers.engineering/patchguard-detection-of-hypervisor-based-instrospection-p2/
[01:59:37] HITB Lockdown Livestream Day 1
Watch the DAY[0] podcast live on Twitch (@dayzerosec) every Monday afternoon at 12:00pm PST (3:00pm EST) or the video archive on YouTube (@DAY[0])

Programando Podcast
Back End: OWASP Top 10 Vulnerabilidades Parte 2

Programando Podcast

Play Episode Listen Later Apr 7, 2020 26:28


We continue with the bottom 5 of this OWASP Top 10 Vulnerabilities, where we talk about vulnerabilities that are more oriented towards DevOps, related to security configuration and application monitoring. We also talk about one of the most important vulnerabilities, Cross Site Scripting (XSS), and give recommendations of applications for preventing these vulnerabilities and other things to investigate.

IT-säkerhetspodden
#47 - Hacking a browser

IT-säkerhetspodden

Play Episode Listen Later Oct 12, 2019 26:56


This time Mattias and Erik are alone in the studio and a new type of attack is on the episode's agenda: Cross Site Scripting (XSS). Perhaps not as common as SQLi, but still worth a deep dive. The episode covers the different types - Persistent and Reflected - as well as a list of measures that stop an attack which, in fact, is aimed primarily at the end user and their browser rather than at the system, but which must be solved on the server. As usual the duo strays from the topic, so sea captains on Tinder and stage fright are also covered in the episode.

The Tech Blog Writer Podcast
680: Magecart Malware - Is It Time to Question the Effectiveness of PCI DSS?

The Tech Blog Writer Podcast

Play Episode Listen Later Oct 29, 2018 33:31


A quick look at the recent news headlines reveals that the payments industry has been under attack. When I delved deeper into this story, I found a recent survey that also revealed that a vast majority (84%) of payments industry professionals believe payments fraud is going to get worse – and soon. Smaller companies that process online payments are enlisting the help of payment processors - like Stripe, Square, or PayPal - to help them meet stringent compliance standards like PCI DSS. But are they opening themselves up to a security risk? "The fact that the malware targets sites using a variety of payment gateway providers calls into question the effectiveness of PCI DSS security standards for online businesses, in particular, the absence of a requirement for businesses to know and manage all third-party code present on their sites and apps," wrote Michael Bittner, digital security and operations manager at The Media Trust. tCell researchers discovered that hackers can use Cross Site Scripting (XSS) to steal payment information. Any web application component (like a chat window) can become a possible attack vector, but very few non-payment-related components will have recognized the need to implement a PCI-style deep security program. This is no longer just a theoretical attack -- recently this approach was used on Magento e-commerce customers. And the British Airways hack used this same approach as well. I invited Matthew Gast from tCell onto my daily tech podcast to find out more about what companies can do to protect customers visiting their website or application from Cross Site Scripting (XSS).

Tradecraft Security Weekly (Audio)
HTML5 Storage Exfil via XSS - Tradecraft Security Weekly #23

Tradecraft Security Weekly (Audio)

Play Episode Listen Later Jan 12, 2018 14:31


It is fairly common for pentesters to discover Cross-Site Scripting (XSS) vulnerabilities on web application assessments. Exploiting these issues potentially allows access to a user's session tokens, enabling attackers to navigate a site as the victim in the context of the web application. In this episode the hosts Beau Bullock (@dafthack) & Mike Felch (@ustayready) demonstrate how to exploit an XSS vulnerability to access HTML5 local storage to steal a cookie. (Sorry, the camera video feed froze at 9 minutes.)

Tradecraft Security Weekly (Video)
HTML5 Storage Exfil via XSS - Tradecraft Security Weekly #23

Tradecraft Security Weekly (Video)

Play Episode Listen Later Jan 8, 2018 14:31


It is fairly common for pentesters to discover Cross-Site Scripting (XSS) vulnerabilities on web application assessments. Exploiting these issues potentially allows access to a user's session tokens, enabling attackers to navigate a site as the victim in the context of the web application. In this episode the hosts Beau Bullock (@dafthack) & Mike Felch (@ustayready) demonstrate how to exploit an XSS vulnerability to access HTML5 local storage to steal a cookie. (Sorry, the camera video feed froze at 9 minutes.)

Security In Five Podcast
Episode 102 - OWASP Top 10 - A3 - Cross Site Scripting

Security In Five Podcast

Play Episode Listen Later Nov 1, 2017 5:42


Next in the OWASP Top 10 series is number 3, Cross Site Scripting (XSS). This vulnerability is the most common of the Top 10. It can open your application to everything from user impersonation and session stealing to data dumps. This episode goes over what XSS is and some of the steps and resources you can use to help prevent it.
OWASP XSS Page
OWASP XSS Cheat Sheet
Types of XSS
Be aware, be safe.
------------------------------------
Website - https://www.binaryblogger.com
Podcast RSS - http://securityinfive.libsyn.com/rss
Twitter @binaryblogger - https://www.twitter.com/binaryblogger
iTunes - https://itunes.apple.com/us/podcast/security-in-five-podcast/id1247135894?mt=2
YouTube - https://www.youtube.com/binaryblogger
TuneIn Radio - 

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference
Arian J. Evans and Daniel Thompson: Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions

Black Hat Briefings, Las Vegas 2005 [Video] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 21:51


Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot. There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handling and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods. This ignorance is dangerous; the landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use. Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community.
This presentation will:
* Summarize and categorize what State, Session, and Authorization attacks are.
* Provide you with a simple, effective Taxonomy for understanding the threats.
* Provide you with an entirely new understanding of Cross-Site Scripting (XSS).
* Disclose new Session and Authorization attacks released in recent months.
* Show you how to attack your intranet from the Internet using Your browser without You knowing.
* Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks.
* Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts.
* Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable.
The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free.
Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security. He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response. Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again.
Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targets .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game. Dan became interested in information security when Arian Evans started reading his email.

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference
Arian J. Evans and Daniel Thompson: Building Self-Defending Web Applications: Secrets of Session Hacking and Protecting Software Sessions

Black Hat Briefings, Las Vegas 2005 [Audio] Presentations from the security conference

Play Episode Listen Later Jun 4, 2006 21:51


Web applications are constantly under attack, and must defend themselves. Sadly, today, most cannot. There are several key elements to building self-defending software but only a few are focused on today, including input validation, output encoding, and error handling. Strong Session Handling and effective Authorization mechanisms are almost completely ignored in web application software development. Many of the threats are well known, but the techniques for building applications that can defend themselves against the known threat landscape are still ignored due to lack of documentation, lack of sample code, and lack of awareness of the threats and attack methods. This ignorance is dangerous; the landscape has changed. In April 2005 alone, zero-day scripted session attacks were discovered in the wild for eBay and other high-profile web applications that you use. Session and Authorization attacks are real, mature, and increasing in frequency of use in the wild. They are also misunderstood or ignored by most of the development and web application security community.
This presentation will:
* Summarize and categorize what State, Session, and Authorization attacks are.
* Provide you with a simple, effective Taxonomy for understanding the threats.
* Provide you with an entirely new understanding of Cross-Site Scripting (XSS).
* Disclose new Session and Authorization attacks released in recent months.
* Show you how to attack your intranet from the Internet using Your browser without You knowing.
* Unveil the Paraegis Project which will provide free web app security code for .NET, J2EE, and Flash frameworks.
* Paraegis will include functional code elements for DAT generation and stopping automated scanners/scripts.
* Paraegis will show you how to reduce the attack surface of XSS from "all people all the time" to "one person one time" resulting in XSS vulnerabilities being virtually unexploitable.
The techniques presented are simple, innovative, realistically usable, and predominantly missing in today's webapp designs. The Paraegis Project will release code that will not only demonstrate this, but that you will be able to use in your applications for free.
Arian Evans has spent the last seven years pondering information security and disliking long bios. His focus has been on intrusion detection and application security. He currently works for FishNet Security researching and developing new methodologies for evaluating the security posture of applications and databases, in addition to helping FishNet clients design, deploy, and defend their applications. Arian works with clients worldwide for FishNet Security, and has worked with the Center for Internet Security, FBI, and various client organizations on web application-related hacking incident response. Arian contributes to the information security community in the form of vulnerability research and advisories, writing courseware and teaching classes on how to build secure web applications, and questioning everything. He frequently breaks things, and sometimes figures out how to put them back together again.
Daniel Thompson is the lead interface developer for Secure Passage, a software company specializing in network device change management. His interest in computer graphics and visual design started over fifteen years ago while searching for an efficient way to create fake documents. Currently Daniel works with Java, C# and ActionScript to create secure, dependable, distributed applications. He targets .JSP, ASP.NET and the Macromedia Flash Player for delivery to the browser and Eclipse SWT and Microsoft WindowsForms for delivery to the desktop. In his spare time he works on data visualization and generative graphics, as well as the occasional game. Dan became interested in information security when Arian Evans started reading his email.

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.
Jeremiah Grossman & Robert Hansen: Hacking Intranet Websites from the Outside (Take 2) - "Fun with and without JavaScript malware"

Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 54:40


Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack. One quote from a member of the community summed it up this way: "The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the "I'll just browse without JavaScript" mantra. Could you really call that browsing anyway?" -Kryan
That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network. This year's new and lesser-known attack techniques - Anti-DNS Pinning, Bypassing Mozilla Port Blocking / Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms - are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.
You'll see:
- Web Browser Intranet Hacking / Port Scanning - (with and without JavaScript)
- Web Browser History Stealing / Login Detection - (with and without JavaScript)
- Bypassing Mozilla Port Blocking / Vertical Port Scanning
- The risks involved when websites include third-party Web pages widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
- Fundamentals of DNS Pinning and Anti-DNS Pinning
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.
Jeremiah Grossman & Robert Hansen: Hacking Intranet Websites from the Outside (Take 2) - "Fun with and without JavaScript malware"

Black Hat Briefings, USA 2007 [Audio] Presentations from the security conference.

Play Episode Listen Later Jan 9, 2006 54:40


Attacks always get better, never worse. The malicious capabilities of Cross-Site Scripting (XSS) and Cross-Site Request Forgeries (CSRF), coupled with JavaScript malware payloads, exploded in 2006. Intranet Hacking from the Outside, Browser Port Scanning, Browser History Stealing, Blind Web Server Fingerprinting, and dozens of other bleeding-edge attack techniques blew away our assumptions that perimeter firewalls, encryption, A/V, and multi-factor authentication can protect websites from attack. One quote from a member of the community summed it up this way:

"The last quarter of this year (2006), RSnake and Jeremiah pretty much destroyed any security we thought we had left - including the 'I'll just browse without JavaScript' mantra. Could you really call that browsing anyway?" -Kryan

That's right. New research is revealing that even if JavaScript has been disabled or restricted, some of the now popular attack techniques - such as Browser Intranet Hacking, Port Scanning, and History Stealing - can still be perpetrated. From an enterprise security perspective, when users are visiting "normal" public websites (including web mail, blogs, social networks, message boards, news, etc.), there is a growing probability that their browser might be silently hijacked by a hacker and exploited to target the resources of the internal corporate network. This year's new and lesser-known attack techniques, such as Anti-DNS Pinning, Bypassing Mozilla Port Blocking / Vertical Port Scanning, sophisticated filter evasion, Backdooring Media Files, Exponential XSS, and Web Worms, are also finding their way into the attackers' arsenals. The ultimate goal of this presentation is to describe and demonstrate many of the latest Web application security attack techniques and to highlight best practices for complete website vulnerability management to protect enterprises from attacks.

You'll see:
- Web Browser Intranet Hacking / Port Scanning (with and without JavaScript)
- Web Browser History Stealing / Login Detection (with and without JavaScript)
- Bypassing Mozilla Port Blocking / Vertical Port Scanning
- The risks involved when websites include third-party Web page widgets/gadgets (RSS Feeds, Counters, Banners, JSON, etc.)
- Fundamentals of DNS Pinning and Anti-DNS Pinning
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)