Restful Web Services Cookbook
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
A Novel Approach of MIME Sniffing Using
ISSN: 2277-3754 ISO 9001:2008 Certified International Journal of Engineering and Innovative Technology (IJEIT) Volume 4, Issue 11, May 2015 A Novel Approach of MIME Sniffing using AES Ankita Singh, Amit Saxena, Dr.Manish Manoria TRUBA Institute of Engineering and Information Technology (TIEIT), Bhopal (M.P) We discuss some web application attacks which can be Abstract— In today’s scenario communication is rely on possible over browser also discuss security concern can be web, users can access these information from web with the use applied in future for security on web application of browsers, as the usage of web increases the security of data is required. If browser renders malicious html contents or environment. JavaScript code block, the content sniffing attack may occur. The contents are divided in different sections. In section In this paper we provide a framework with AES algorithm to 2 we mention different types of attacks. Related work is secure the content sniffing for the web browsers with text, discussed in section 3. Proposed work is discussed in image and PDF files. In this work the data files having section 4. Result analysis in section 5. Conclusion and encryption then partition in multiple parts for reducing the future direction in Section 6, and then references are duration of file transmission and transferring with parity bit checking to identify the attack. mention. II. ATTACKS Index Terms— Cross-Site Scripting, Web Application We discuss about some attacks, associated with this Security, Content Sniffing, MIME, AES. work. ClickJacking[11] - The purpose of this attack is to open I. -
Hands-On Laboratory on Web Content Injection Attacks
TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Science TUT Centre for Digital Forensics and Cyber Security Hands-on laboratory on web content injection attacks Master’s thesis ITC70LT Anti Räis 121973IVCMM Supervisors Elar Lang, MSc Rain Ottis, PhD Tallinn 2015 Declaration I declare that this thesis is the result of my own research except as cited in the refer- ences. The thesis has not been accepted for any degree and is not concurrently submitted in candidature of any other degree. Anti Räis May 22, 2015 ........................ (Signature) Abstract This thesis focuses on explaining web application injection attacks in a practical hands-on laboratory. It is an improvement on Lang’s [1] master’s thesis about web appli- cation security. One of the main contributions of this thesis is gathering and structuring information about Cross Site Scripting (XSS) attacks and defenses and then presenting them in a practical learning environment. This is done to better explain the nuances and details that are involved in attacks against web applications. A thorough and clear under- standing of how these attacks work is the foundation for defense. The thesis is in English and contains 95 pages of text, 6 chapters, 4 figures, 27 tables. Annotatsioon Magistritöö eesmärk on selgitada kuidas töötavad erinevad kaitsemeetmed veebi- rakenduste rünnete vastu. Töö täiendab osaliselt Langi [1] magistritööd veebirakenduse rünnete kohta. Põhiline panus antud töös on koguda, täiendada ja struktureerida teavet XSS rünnete kohta ning luua õppelabor, kus on võimalik antud teadmisi praktikas rak- endada. See aitab kinnistada ja paremini mõista teemat. Selge ning täpne arusaamine, kuidas ründed toimuvad, on korrektse kaitse aluseks. -
Der Security-Leitfaden Für Webentwickler
Tangled Web - Der Security-Leitfaden für Webentwickler Deutsche Ausgabe – Aktualisiert und erweitert von Mario Heiderich von Michal Zalewski, Mario Heiderich 1. Auflage Tangled Web - Der Security-Leitfaden für Webentwickler – Zalewski / Heiderich schnell und portofrei erhältlich bei beck-shop.de DIE FACHBUCHHANDLUNG Thematische Gliederung: Netzwerksicherheit – Netzwerksicherheit dpunkt.verlag 2012 Verlag C.H. Beck im Internet: www.beck.de ISBN 978 3 86490 002 0 Inhaltsverzeichnis: Tangled Web - Der Security-Leitfaden für Webentwickler – Zalewski / Heiderich 245 13 Mechanismen zur Inhaltserkennung Bis jetzt haben wir einige gutgemeinte Browsermerkmale betrachtet, die sich im Laufe der Entwicklung der Technologie als kurzsichtig und geradezu gefährlich erwiesen haben. In der Geschichte des Web hat sich jedoch nichts als so fehlgelei- tet herausgestellt wie das sogenannte Content-Sniffing. Ursprünglich lag dem Content-Sniffing folgende simple Annahme zugrunde: Browseranbieter gingen davon aus, dass es in manchen Fällen angemessen – und sogar wünschenswert – sei, die normalerweise vom Server stammenden verbind- lichen Metadaten eines geladenen Dokuments zu ignorieren, so etwa den Header Content-Type. Anstatt die erklärte Absicht des Entwicklers zu akzeptieren, versu- chen viele existierende Browser stattdessen den Inhaltstyp zu erraten, indem sie proprietäre Heuristiken auf die vom Server zurückgegebenen Daten anwenden. Das Ziel dieses Vorgehens ist es, eventuelle Unstimmigkeiten zwischen Typ und Inhalt zu »korrigieren«. (Erinnern Sie sich -
OBIX Version 1.1 Committee Specification 01 14 September 2015
OBIX Version 1.1 Committee Specification 01 14 September 2015 Specification URIs This version: http://docs.oasis-open.org/obix/obix/v1.1/cs01/obix-v1.1-cs01.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/cs01/obix-v1.1-cs01.html http://docs.oasis-open.org/obix/obix/v1.1/cs01/obix-v1.1-cs01.doc Previous version: http://docs.oasis-open.org/obix/obix/v1.1/csprd03/obix-v1.1-csprd03.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/csprd03/obix-v1.1-csprd03.html http://docs.oasis-open.org/obix/obix/v1.1/csprd03/obix-v1.1-csprd03.doc Latest version: http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.html http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.doc Technical Committee: OASIS Open Building Information Exchange (oBIX) TC Chair: Toby Considine ([email protected]), University of North Carolina at Chapel Hill Editor: Craig Gemmill ([email protected]), Tridium Additional artifacts: This prose specification is one component of a Work Product that also includes: XML schema: http://docs.oasis-open.org/obix/obix/v1.1/cs01/schemas/obix-v1.1.xsd Core contract library: http://docs.oasis-open.org/obix/obix/v1.1/cs01/schemas/stdlib.obix Related work: This specification replaces or supersedes: oBIX 1.0. Edited by Brian Frank. 05 December 2006. Committee Specification 01. https://www.oasis-open.org/committees/download.php/21812/obix-1.0-cs-01.pdf. -
Compendium 2 A4 Printing Advice
Compendium 2 A4 printing advice Print page 1-444 with Page setup = 96%, Acrobat = Not Shrink to fit Print pages 444-end with Page setup = 100%, Acrobat = Shrink to fit *:96 Internet application layer protocols and standards Compendium 2: Allowed during the exam Last revision: 1 Apr 2003 FTP RFC 959: File Transfer Protocol (FTP) .................................................................................. 253-287 Cookies RFC 2109: HTTP State Management Mechanism .............................................................. 288-298 Usenet News Message Format RFC 1036: Standard for Interchange of USENET Messages............................................ 299-308 HTTP RFC 2068: Hypertext Transfer Protocol HTTP 1.1 ............................................................ 309-389 NNTP RFC 977: Network News Transfer Protocol (NNTP).......................................................... 390-403 URL RFC 2396: Uniform Resource Identifiers (URI): Generic Syntax................................... 425-444 Port Numbers IANA Register of Port Numbers............................................................................................... 445-460 Media Types IANA Register of Media Types................................................................................................. 461-468 The documents are not ordered in a suitable order for reading them, see compendium 0 page14-17 RFC 959 October 1985 File Transfer Protocol Network Working Group J. Postel Request for Comments: 959 J. Reynolds ISI 2.1. HISTORY Obsoletes RFC: 765 (IEN 149) October 1985 FTP has had a long evolution over the years. Appendix III is a FILE TRANSFER PROTOCOL (FTP) chronological compilation of Request for Comments documents relating to FTP. These include the first proposed file transfer mechanisms in 1971 that were developed for implementation on hosts Status of this Memo at M.I.T. (RFC 114), plus comments and discussion in RFC 141. This memo is the official specification of the File Transfer RFC 172 provided a user-level oriented protocol for file transfer Protocol (FTP). -
The Scent of a Newsgroup: Providing Personalized Access to Usenet Sites Through Web Mining?
The Scent of a Newsgroup: Providing Personalized Access to Usenet Sites through Web Mining? Giuseppe Manco1, Riccardo Ortale2, and Andrea Tagarelli2 1 ICAR-CNR – Institute of Italian National Research Council Via Bucci 41c, 87036 Rende (CS), Italy e-mail: [email protected] 2 DEIS, University of Calabria Via Bucci 41c, 87036 Rende (CS), Italy e-mail: {ortale, tagarelli}@si.deis.unical.it Abstract. We investigate Web mining techniques focusing on a specific application scenario: the pro- blem of providing personalized access to Usenet sites accessible through a Web server. We analyze the data available from a Web-based Usenet server, and describe how traditional techniques for pattern discovery on the Web can be adapted to solve the problem of restructuring the access to news articles. In our framework, a personalized access tailored to the needs of each single user, can be devised according to both the content and the structure of the available data, and the past usage experience over such data. 1 Introduction The wide exploitation of new techniques and systems for generating and storing data has made available a huge amount of information, which can be profitably used in the decision processes. Such volumes of data highlight the need for analysis methodologies and tools. The term “Knowledge Discovery in Databases” is usually devoted to the (iterative and interactive) process of extracting valuable patterns from the data by exploiting Data Mining algorithms. In general, data mining algorithms find hidden structures, tendencies, associations and correlations among data, and mark significant information. An example of data mining application involving huge volumes of data is the detection of behavioral models on the Web. -
OBIX Version 1.1 Committee Specification Draft 02 / Public Review Draft 02 19 December 2013
OBIX Version 1.1 Committee Specification Draft 02 / Public Review Draft 02 19 December 2013 Specification URIs This version: http://docs.oasis-open.org/obix/obix/v1.1/csprd02/obix-v1.1-csprd02.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/csprd02/obix-v1.1-csprd02.html http://docs.oasis-open.org/obix/obix/v1.1/csprd02/obix-v1.1-csprd02.doc Previous version: http://docs.oasis-open.org/obix/obix/v1.1/csprd01/obix-v1.1-csprd01.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/csprd01/obix-v1.1-csprd01.html http://docs.oasis-open.org/obix/obix/v1.1/csprd01/obix-v1.1-csprd01.doc Latest version: http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.pdf (Authoritative) http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.html http://docs.oasis-open.org/obix/obix/v1.1/obix-v1.1.doc Technical Committee: OASIS Open Building Information Exchange (oBIX) TC Chair: Toby Considine ([email protected]), University of North Carolina at Chapel Hill Editor: Craig Gemmill ([email protected]), Tridium, Inc. Additional artifacts: This prose specification is one component of a Work Product that also includes: XML schemas: http://docs.oasis-open.org/obix/obix/v1.1/csprd02/schemas/ Related work: This specification replaces or supersedes: oBIX 1.0. 5 December 2006. OASIS Committee Specification 01. https://www.oasis- open.org/committees/download.php/21812/obix-1.0-cs-01.pdf. This specification is related to: Bindings for OBIX: REST Bindings Version 1.0. -
Mitigation of Web-Based Program Security Vulnerability Exploitations
MITIGATION OF WEB-BASED PROGRAM SECURITY VULNERABILITY EXPLOITATIONS by Hossain Shahriar A thesis submitted to the School of Computing in conformity with the requirements for the degree of Doctor of Philosophy Queen’s University Kingston, Ontario, Canada November 2011 Copyright ©Hossain Shahriar, 2011 Abstract Over the last few years, web-based attacks have caused significant harm to users. Many of these attacks occur through the exploitations of common security vulnerabilities in web-based programs. Given that, mitigation of these attacks is extremely crucial to reduce some of the harmful consequences. Web-based applications contain vulnerabilities that can be exploited by attackers at a client-side (browser) without the victim’s (browser user’s) knowledge. This thesis is intended to mitigate some exploitations due to the presence of security vulnerabilities in web applications while performing seemingly benign functionalities at the client-side. For example, visiting a webpage might result in JavaScript code execution (cross-site scripting), downloading a file might lead to the execution of JavaScript code (content sniffing), clicking on a hyperlink might result in sending unwanted legitimate requests to a trusted website (cross-site request forgery), and filling out a seemingly legitimate form may eventually lead to stealing of credential information (phishing). Existing web-based attack detection approaches suffer from several limitations such as (i) modification of both server and client-side environments, (ii) exchange of sensitive information between the server and client, and (iii) lack of detection of some attack types. This thesis addresses these limitations by mitigating four security vulnerabilities in web applications: cross-site scripting, content sniffing, cross- site request forgery, and phishing. -
Filter Failure: One-Pass Delete Filter Failure: UTF-7
Outline Cross-site scripting, cont’d CSci 5271 More cross-site risks Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Stephen McCamant Even more web risks University of Minnesota, Computer Science & Engineering More crypto protocols More causes of crypto failure Filter failure: one-pass delete Filter failure: UTF-7 You may have heard of UTF-8 Encode Unicode as 8-bit bytes Simple idea: remove all occurrences of <script> UTF-7 is similar but uses only ASCII Encoding can be specified in a <meta> What happens to <scr<script>ipt>? tag, or some browsers will guess +ADw-script+AD4- Filter failure: event handlers Use good libraries <IMG onmouseover="alert('xss')"> Coding your own defenses will never work Put this on something the user will be Take advantage of known good tempted to click on implementations There are more than 100 handlers like Best case: already built into your this recognized by various browsers framework Disappointingly rare Content Security Policy Outline Cross-site scripting, cont’d New HTTP header, W3C candidate recommendation More cross-site risks Lets site opt-in to stricter treatment of Announcements intermission embedded content, such as: Confidentiality and privacy No inline JS, only loaded from separate URLs Even more web risks Disable JS eval et al. More crypto protocols Has an interesting violation-reporting mode More causes of crypto failure HTTP header injection Content sniffing Browsers determine file type from headers, extension, -
Cure53 Browser Security White Paper
Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] Cure53 Browser Security White Paper Dr.-Ing. Mario Heiderich Alex Inführ, MSc. Fabian Fäßler, BSc. Nikolai Krein, MSc. Masato Kinugawa Tsang-Chi "Filedescriptor" Hong, BSc. Dario Weißer, BSc. Dr. Paula Pustułka Cure53, Berlin · 29.11.17 1/330 Dr.-Ing. Mario Heiderich, Cure53 Bielefelder Str. 14 D 10709 Berlin cure53.de · [email protected] List of Tables .............................................................................................................................. 3 List of Figures ............................................................................................................................ 5 Chapter 1. Introducing Cure53 BS White Paper ......................................................................... 7 Browser Security Landscape: An Overview ............................................................................ 9 The Authors .......................................................................................................................13 The Sponsor ......................................................................................................................15 Earlier Projects & Related Work .........................................................................................15 Research Scope ................................................................................................................16 Version Details ...................................................................................................................19 -
Survey and Analysis of Client Side Detection of Content Sniffing Attack
ISSN (Print) : 2319-5940 ISSN (Online) : 2278-1021 International Journal of Advanced Research in Computer and Communication Engineering Vol. 2, Issue 3, March 2013 Survey and Analysis of Client Side Detection of Content Sniffing Attack Animesh Dubey1, Ravindra Gupta2, Gajendra Singh3 M.Tech Scholar, CSE, SSSIST, Sehore, Bhopal, India1 Assistant Professor (CSE/IT), SSSIST, Sehore, Bhopal, India 2 HOD (CSE/IT), SSSIST, Sehore, Bhopal, India 3 Abstract: From the last few years, the attacks based on web portals have caused significant harm to users. Many of these attacks occur through the exploitations of common security vulnerabilities in web-based programs. Given that, mitigation of these attacks is extremely crucial to reduce some of the harmful consequences. Web-based applications contain vulnerabilities that can be exploited by attackers at client-side (browser) without the victim‟s (browser user‟s) knowledge. Our work is intended to some exploitation due to the presence of security vulnerabilities in web applications while performing seemingly benign functionalities at the client-side. In this paper we survey the aspects of content sniffing attack mainly on client side and analyses how the control should be monitor from the server side after attack. Keywords: Content sniffing, Security Measures, Web Based Attack, HTML Rendering 1. INTRODUCTION If we analyze our daily routine, then we surprise to observe the number of web-based attacks has increased in recent that we are relying on Internet. It is our need. For example years [7][8], existing research has addressed a subset of email, e-shopping, trading, game etc. In the meantime we security vulnerabilities in web applications for example SQL share our crucial and confidential data by HTML browser. -
WAF Virtual Patching Challenge
Reflected File Download a New Web Attack Vector Oren Hafif Security Researcher Trustwave’s SpiderLabs Twitter: @orenhafif [email protected] [email protected] Revision 1 (October 27, 2014) Abstract Attackers would LOVE having the ability to upload executable files to domains like Google.com and Bing.com. How cool would it be for them if their files are downloaded without ever being uploaded! Yes, download without upload! RFD is a new web based attack that extends reflected attacks beyond the context of the web browser. Attackers can build malicious URLs which once accessed, download files, and store them with any desired extension, giving a new malicious meaning to reflected input, even if it is properly escaped. Moreover, this attack allows running shell commands on the victim's computer. How bad is it? By using this attack on Google.com, Bing.com and others, I created the first cross-social-network worm that is downloadable from trusted sites like Google.com, completely disables same-origin-policy, steals all browser cookies, and spreads itself throughout all social networks such as Facebook, Twitter, Google+, and LinkedIn. - 1 - Table of Content 1. Introduction ......................................................................................................... - 3 - 1.1. RFD Attack Flow ............................................................................................ - 3 - 1.2. Implications ................................................................................................... - 3 - 1.3. RFD Requirements