Web sockets - Pentesting
1 like2,630 views
This document discusses WebSockets, including what they are, why they are needed, how they can be used, vulnerabilities, and limitations. WebSockets provide bi-directional communication over a single TCP connection and reduce latency compared to HTTP polling. They enable real-time applications and are supported by modern browsers through the HTML5 WebSocket API. Tools like Burp and ZAP can intercept and analyze WebSocket traffic. Vulnerabilities in WebSocket implementations have included denial of service, remote code execution, and bypassing of security restrictions. Limitations include lack of support in all browsers and need for client libraries to handle network issues.
1 of 20
Ad
Recommended
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana This document discusses common web application vulnerabilities and their root causes. It provides an overview of the OWASP Top 10 list of vulnerabilities, describing each vulnerability type, how attackers exploit them, examples of insecure code that enables the vulnerabilities, and recommendations for secure coding practices to prevent the vulnerabilities. Specific vulnerabilities covered include cross-site scripting, SQL injection, malicious file execution, insecure direct object references, cross-site request forgery, and information leakage from error handling. The document emphasizes the importance of following secure coding standards and input validation to prevent vulnerabilities.
OAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc. The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing
the third-party application to obtain access on its own behalf.
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi Cross Site Scripting (XSS) is a vulnerability that allows malicious users to insert client-side code into web pages that is then executed by a user's browser. This code can steal cookies, access private information, perform actions on the user's behalf, and redirect them to malicious websites. XSS works by having the server display input containing malicious JavaScript from a request. There are different types of XSS attacks, including non-persistent, persistent, and DOM-based attacks. Prevention methods include validating, sanitizing, and escaping all user input on the server-side and client-side. Web vulnerability scanners like Burp Suite can help test for XSS and other vulnerabilities.
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari What is SQL Injection? Why does this problem exist? How it can be exploited? How to secure your app against this vulnerability?
Intro to WebSockets
Intro to WebSocketsGaurav Oberoi WebSockets allow for bidirectional communication between a client and server over a single TCP connection. They provide lower latency and overhead than traditional HTTP requests which require a new connection for each request. The talk demonstrated how to use WebSockets with JavaScript on the client and event-driven servers like Node.js on the server. While browser support is still limited and the specification is in flux, WebSockets offer a way to build real-time applications without hacks like long-polling that HTTP requires.
Pentesting Using Burp Suite
Pentesting Using Burp Suitejasonhaddix This document provides an outline for a presentation on pentesting web applications with Burp Suite. It discusses using Burp Suite to scope a target, map content through spidering and directory bruteforcing, replace automated scanning with manual fuzzing using attack paylists, and test authentication through bruteforcing logins. Specific techniques covered include using the Burp spider, intruder, and engagement tools to discover content and hidden directories, importing wordlists to bruteforce hidden paths, and configuring intruder payloads and grep rules to analyze results from fuzzing and authentication testing.
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.
Sql injection attack
Sql injection attackRajKumar Rampelli SQL is a language used to access and manipulate databases. It allows users to execute queries, retrieve, insert, update and delete data from databases. SQL injection occurs when malicious code is injected into an SQL query, which can compromise the security of a database. To prevent SQL injection, developers should validate all user input, escape special characters, limit database permissions, and configure databases to not display error information to users.
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun Challenge Web Application Today!!!
Promote CSSLP Certification.
Introduce OWASP 2010 Top 10 Risks?
Practice with Web Goat?
For Education only.
Web api
Web apiSudhakar Sharma This document provides an overview of ASP.NET Web API, a framework for building RESTful web services. It discusses key REST concepts like URIs, HTTP verbs, and HATEOAS. It also compares Web API to other technologies like WCF and SOAP, noting advantages of REST such as simpler CRUD operations and standardized development methodology. The document recommends resources like a book on building REST services from start to finish with ASP.NET MVC 4 and Web API.
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
Web security
Web securitySubhash Basistha The presentation discussed web security issues including client-side, server-side, and data transmission risks and proposed SSL as a solution to encrypt data exchange between clients and servers, providing authentication, integrity, and confidentiality of data. It described the SSL architecture and protocols for encrypting records, negotiating keys during handshake, and alerting of errors. The presentation also covered the SET protocol for secure online payment transactions.
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.
Sql injection
Sql injectionNuruzzaman Milon This document discusses SQL injection attacks and how to prevent them. It describes different types of SQL injection like blind SQL injection and union-based injection. It provides examples of vulnerable code and how attackers can exploit it. Finally, it recommends best practices for prevention, including using parameterized queries, stored procedures, input validation, and secure configuration.
SQL INJECTION
SQL INJECTIONAnoop T SQL injection is a code injection technique, used to attack data-driven applications,
in which malicious SQL statements are inserted into an entry field for execution.
This is a method to attack web applications that have a data repository.The
attacker would send a specially crafted SQL statement that is designed to cause
some malicious action.SQL injection is an attack technique that exploits a security
vulnerability occurring in the database layer of an application and a service. This
is most often found within web pages with dynamic content.
Application Security
Application Securityflorinc The document summarizes application security best practices. It discusses who is responsible for application security and design considerations like authentication, authorization, privacy and data integrity. It then covers security principles like designing for security by default and in deployment. Top application vulnerabilities like SQL injection, cross-site scripting and access control issues are explained along with remedies. Finally, it provides checklists for designers, developers and testers to follow for application security.
OpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov OpenID Connect is a simple identity/SSO protocol based on OAuth 2.0. This presentation explains its intent and core business features in 15 slides.
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw
Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365.
In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.
Botnets In Cyber Security
Botnets In Cyber Securitysumit saurav Botnets are networks of compromised computers called zombies or bots that are controlled remotely by an attacker known as a bot herder. Originally bots were useful tools but now are used for malicious purposes. A botnet has four main components: the bot herder who installs bot software on vulnerable systems, the bots or zombies, an IRC server for communication, and a command and control server to issue instructions. The bot herder builds their botnet army by infecting home and small business computers. Once installed, bots communicate secretly with the C&C server to receive tasks like DDoS attacks, spamming, phishing and stealing information.
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxManahari Darshika Pemarathna Broken authentication and authorization can occur when authentication and authorization functions are not implemented correctly, allowing attackers to compromise credentials and exploit flaws. This can lead to valuable business information being leaked, customer dissatisfaction, and financial losses. Issues can be addressed through measures like strong password policies, access control, validating users, and server-side validation. Known security incidents provide examples like personal information of millions being leaked through an API or robberies occurring due to unauthorized access to cash transit details.
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection.
Networking and penetration testing
Networking and penetration testingMohit Belwal This document discusses network security and penetration testing. It provides an overview of creating a networking lab and the tools used, including Cisco Packet Tracer, Backtrack, Metasploit, and Wireshark. The document then covers network security topics like common network threats, router security, switch security, and port security. It defines penetration testing and explains its goals of finding vulnerabilities and recommending improvements. The phases of penetration testing are outlined as profiling, enumeration, vulnerability analysis, exploitation, and reporting. Different styles of penetration testing like blue team and red team are also summarized.
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta Cross-site scripting (XSS) allows malicious code to be injected into web applications, potentially enabling attacks like cookie theft, account hijacking, and phishing. There are three main types of XSS attacks: reflected, stored, and DOM-based. Reflected XSS tricks the user into clicking a malicious link, while stored XSS embeds malicious code directly into the website. DOM-based XSS targets vulnerabilities in client-side scripts. XSS remains a significant threat and proper input validation and output encoding are needed to help prevent attacks.
CSRF Basics
CSRF Basicsn|u - The Open Security Community Csrf / Xsrf Basics defines CSRF as a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users. CSRF tricks the victim into loading a page that contains a malicious request, which inherits the victim's identity and privileges to perform an undesired function like changing passwords. CSRF attacks target functions that cause state changes on the server but can also access sensitive data. The synchronizer token pattern is a server-side prevention technique that establishes a token on the server to validate submissions through a corresponding token in a hidden form field, marking tokens as invalid after single use.
Intro to Web Application Security
Intro to Web Application SecurityRob Ragan Introduction to Web Application Security presented at for the Penn State Information Assurance Club (Fall 2007)
Restful web services ppt
Restful web services pptOECLIB Odisha Electronics Control Library The document provides an overview of a seminar on RESTful web services. It discusses what REST is, its characteristics and principles, and compares RESTful architectures to SOAP. Key points covered include how REST focuses on a system's resources and how they are addressed and transferred over HTTP, the client-server interaction style of REST, and advantages of REST like scalability and loose coupling between components.
WebSockets wiith Scala and Play! Framework
WebSockets wiith Scala and Play! FrameworkFabio Tiriticco A WebSockets HOW-TO using Scala and Play!Framework. Links to example repositories and other resources. Created for the AmsterdamScala meetup.
Real time web apps
Real time web appsSepehr Rasouli This document discusses real-time web applications and technologies. It defines real-time apps as allowing bi-directional communication between clients and servers so that users receive information as soon as it is published. Examples include chat, social media, gaming and notifications. Key implementation methods discussed are HTTP polling, streaming and WebSockets. The document also surveys popular real-time libraries for publish/subscribe, data syncing and hybrid approaches.
Ad
More Related Content
What's hot (20)
Sql injection attack
Sql injection attackRajKumar Rampelli SQL is a language used to access and manipulate databases. It allows users to execute queries, retrieve, insert, update and delete data from databases. SQL injection occurs when malicious code is injected into an SQL query, which can compromise the security of a database. To prevent SQL injection, developers should validate all user input, escape special characters, limit database permissions, and configure databases to not display error information to users.
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun Challenge Web Application Today!!!
Promote CSSLP Certification.
Introduce OWASP 2010 Top 10 Risks?
Practice with Web Goat?
For Education only.
Web api
Web apiSudhakar Sharma This document provides an overview of ASP.NET Web API, a framework for building RESTful web services. It discusses key REST concepts like URIs, HTTP verbs, and HATEOAS. It also compares Web API to other technologies like WCF and SOAP, noting advantages of REST such as simpler CRUD operations and standardized development methodology. The document recommends resources like a book on building REST services from start to finish with ASP.NET MVC 4 and Web API.
Introduction to Cross Site Scripting ( XSS )
Introduction to Cross Site Scripting ( XSS )Irfad Imtiaz Contents :
- Introduction
- Description as A Widely Used Hacking Technique
- How it is used in Hacking
- What can be done with XSS
#XSS, #Hacking, #Security, #CookieStealing, #InternetBug, #HTMLInjection
Sincerely,
Irfad Imtiaz
Web security
Web securitySubhash Basistha The presentation discussed web security issues including client-side, server-side, and data transmission risks and proposed SSL as a solution to encrypt data exchange between clients and servers, providing authentication, integrity, and confidentiality of data. It described the SSL architecture and protocols for encrypting records, negotiating keys during handshake, and alerting of errors. The presentation also covered the SET protocol for secure online payment transactions.
Rest API Security - A quick understanding of Rest API Security
Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin This document discusses REST API security methods. It provides an overview of authentication and authorization and describes common security methods like cookie-based authentication, token-based authentication, OAuth, OpenID, and SAML. It then compares OAuth2, OpenID, and SAML and discusses best practices for securing REST APIs like protecting HTTP methods, validating URLs, using security headers, and encoding JSON input.
Sql injection
Sql injectionNuruzzaman Milon This document discusses SQL injection attacks and how to prevent them. It describes different types of SQL injection like blind SQL injection and union-based injection. It provides examples of vulnerable code and how attackers can exploit it. Finally, it recommends best practices for prevention, including using parameterized queries, stored procedures, input validation, and secure configuration.
SQL INJECTION
SQL INJECTIONAnoop T SQL injection is a code injection technique, used to attack data-driven applications,
in which malicious SQL statements are inserted into an entry field for execution.
This is a method to attack web applications that have a data repository.The
attacker would send a specially crafted SQL statement that is designed to cause
some malicious action.SQL injection is an attack technique that exploits a security
vulnerability occurring in the database layer of an application and a service. This
is most often found within web pages with dynamic content.
Application Security
Application Securityflorinc The document summarizes application security best practices. It discusses who is responsible for application security and design considerations like authentication, authorization, privacy and data integrity. It then covers security principles like designing for security by default and in deployment. Top application vulnerabilities like SQL injection, cross-site scripting and access control issues are explained along with remedies. Finally, it provides checklists for designers, developers and testers to follow for application security.
OpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov OpenID Connect is a simple identity/SSO protocol based on OAuth 2.0. This presentation explains its intent and core business features in 15 slides.
Getting Started in Pentesting the Cloud: Azure
Getting Started in Pentesting the Cloud: AzureBeau Bullock Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw
Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365.
In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.
Botnets In Cyber Security
Botnets In Cyber Securitysumit saurav Botnets are networks of compromised computers called zombies or bots that are controlled remotely by an attacker known as a bot herder. Originally bots were useful tools but now are used for malicious purposes. A botnet has four main components: the bot herder who installs bot software on vulnerable systems, the bots or zombies, an IRC server for communication, and a command and control server to issue instructions. The bot herder builds their botnet army by infecting home and small business computers. Once installed, bots communicate secretly with the C&C server to receive tasks like DDoS attacks, spamming, phishing and stealing information.
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
Broken Authentication and Authorization(1).pptx
Broken Authentication and Authorization(1).pptxManahari Darshika Pemarathna Broken authentication and authorization can occur when authentication and authorization functions are not implemented correctly, allowing attackers to compromise credentials and exploit flaws. This can lead to valuable business information being leaked, customer dissatisfaction, and financial losses. Issues can be addressed through measures like strong password policies, access control, validating users, and server-side validation. Known security incidents provide examples like personal information of millions being leaked through an API or robberies occurring due to unauthorized access to cash transit details.
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria I'm take picture from here and there by goggling not mentioning all source please let me know if anyone has any objection.
Networking and penetration testing
Networking and penetration testingMohit Belwal This document discusses network security and penetration testing. It provides an overview of creating a networking lab and the tools used, including Cisco Packet Tracer, Backtrack, Metasploit, and Wireshark. The document then covers network security topics like common network threats, router security, switch security, and port security. It defines penetration testing and explains its goals of finding vulnerabilities and recommending improvements. The phases of penetration testing are outlined as profiling, enumeration, vulnerability analysis, exploitation, and reporting. Different styles of penetration testing like blue team and red team are also summarized.
Cross Site Scripting(XSS)
Cross Site Scripting(XSS)Nabin Dutta Cross-site scripting (XSS) allows malicious code to be injected into web applications, potentially enabling attacks like cookie theft, account hijacking, and phishing. There are three main types of XSS attacks: reflected, stored, and DOM-based. Reflected XSS tricks the user into clicking a malicious link, while stored XSS embeds malicious code directly into the website. DOM-based XSS targets vulnerabilities in client-side scripts. XSS remains a significant threat and proper input validation and output encoding are needed to help prevent attacks.
CSRF Basics
CSRF Basicsn|u - The Open Security Community Csrf / Xsrf Basics defines CSRF as a type of web application vulnerability that allows a malicious website to send unauthorized requests to a vulnerable website using active sessions of its authorized users. CSRF tricks the victim into loading a page that contains a malicious request, which inherits the victim's identity and privileges to perform an undesired function like changing passwords. CSRF attacks target functions that cause state changes on the server but can also access sensitive data. The synchronizer token pattern is a server-side prevention technique that establishes a token on the server to validate submissions through a corresponding token in a hidden form field, marking tokens as invalid after single use.
Intro to Web Application Security
Intro to Web Application SecurityRob Ragan Introduction to Web Application Security presented at for the Penn State Information Assurance Club (Fall 2007)
Restful web services ppt
Restful web services pptOECLIB Odisha Electronics Control Library The document provides an overview of a seminar on RESTful web services. It discusses what REST is, its characteristics and principles, and compares RESTful architectures to SOAP. Key points covered include how REST focuses on a system's resources and how they are addressed and transferred over HTTP, the client-server interaction style of REST, and advantages of REST like scalability and loose coupling between components.
Similar to Web sockets - Pentesting (20)
WebSockets wiith Scala and Play! Framework
WebSockets wiith Scala and Play! FrameworkFabio Tiriticco A WebSockets HOW-TO using Scala and Play!Framework. Links to example repositories and other resources. Created for the AmsterdamScala meetup.
Real time web apps
Real time web appsSepehr Rasouli This document discusses real-time web applications and technologies. It defines real-time apps as allowing bi-directional communication between clients and servers so that users receive information as soon as it is published. Examples include chat, social media, gaming and notifications. Key implementation methods discussed are HTTP polling, streaming and WebSockets. The document also surveys popular real-time libraries for publish/subscribe, data syncing and hybrid approaches.
HTML5 WebSocket: The New Network Stack for the Web
HTML5 WebSocket: The New Network Stack for the WebPeter Lubbers Presentation given on Feb. 11, 2011 at the New York HTML5 User Group by Peter Lubbers and Frank Greco
WebSockets: The Current State of the Most Valuable HTML5 API for Java Developers
WebSockets: The Current State of the Most Valuable HTML5 API for Java DevelopersViktor Gamov WebSockets provide a standardized way for web browsers and servers to establish two-way communications channels over a single TCP connection. They allow for more efficient real-time messaging compared to older techniques like polling and long-polling. The WebSocket API defines client-side and server-side interfaces that allow for full-duplex communications that some popular Java application servers and web servers support natively. Common use cases that benefit from WebSockets include chat applications, online games, and real-time updating of social streams.
Html5 web sockets - Brad Drysdale - London Web 2011-10-20
Html5 web sockets - Brad Drysdale - London Web 2011-10-20Nathan O'Hanlon The document discusses how WebSockets provide a full-duplex communication channel over a single TCP connection. This allows for real-time data transmission with much lower overhead compared to traditional HTTP polling techniques. WebSockets reduce bandwidth usage and latency, making them suitable for building interactive applications with low-latency requirements like gaming, financial trading, and real-time messaging. The speaker provides examples of how WebSockets can be used and are supported in major browsers and servers.
D1-3-Signaling
D1-3-SignalingOleg Levy - Signaling protocols like SIP and XMPP allow WebRTC applications to establish real-time media sessions by providing a way for clients to communicate session details.
- Scaling signaling to support millions of users is challenging due to the need to maintain many open connections. Distributed architectures are required.
- Security objectives for WebRTC include confidentiality, integrity, and authenticity of media streams, but authenticating user identities in signaling is also important.
- Mobility poses issues for signaling as users' IP addresses may change when hopping networks, disrupting existing connections.
ITCamp 2011 - Florin Cardasim - Duplex Communications with WCF and Azure
ITCamp 2011 - Florin Cardasim - Duplex Communications with WCF and AzureFlorin Cardasim This document summarizes an IT camp presentation on duplex communication with WCF and Azure. The presentation covered enterprise duplex communication using WCF bindings and a router service, as well as web duplex communication for browser clients using polling, comet/long polling, and WebSockets. It provided demos of connecting enterprises using NetTcpBinding, WsDualHttpBinding, a router service, and Azure Service Bus. It also demonstrated WebSockets communication and discussed server implementations in various languages.
Web-Socket
Web-SocketPankaj Kumar Sharma WebSocket is a protocol that provides full-duplex communication channels over a single TCP connection. It was standardized in 2011 and allows for real-time data exchange between a client and server. The document discusses how WebSocket works, compares it to previous techniques like polling which had limitations, and outlines how to implement WebSocket in Java using JSR 356 and in Spring using the WebSocket API and STOMP protocol.
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...
HTTP/2 Comes to Java: Servlet 4.0 and what it means for the Java/Jakarta EE e...Edward Burns Servlet is very easily the most important standard in server-side Java. The much awaited HTTP/2 standard is now complete, was fifteen years in the making and promises to radically speed up the entire web through a series of fundamental protocol optimizations.
In this session we will take a detailed look at the changes in HTTP/2 and discuss how it may change the Java ecosystem including the foundational Servlet 4 specification included in Java/Jakarta EE 8.
Programming WebSockets - OSCON 2010
Programming WebSockets - OSCON 2010sullis Sean Sullivan presented on WebSockets at OSCON in July 2010. WebSockets enable bidirectional communication between web browsers and servers through a standardized API and protocol. This allows for real-time applications like multiplayer games. Sullivan demonstrated how to use the JavaScript WebSocket API to open a connection and send/receive messages. He noted that browser support was growing but the protocol was still evolving. WebSockets provide an improvement over previous techniques like AJAX polling and Comet for real-time web applications.
DevCon5 (July 2014) - Intro to WebRTC
DevCon5 (July 2014) - Intro to WebRTCCrocodile WebRTC SDK and Cloud Signalling Network WebRTC provides a standardized profile for real-time communication that enables interoperability between browsers without plugins. It defines client-side APIs for audio and video calling as well as other real-time communication capabilities. The WebRTC architecture includes the API, codecs, transport mechanisms like STUN and TURN, and network I/O that allow real-time apps to run directly in browsers. Signaling is required to establish connections between users, and the standardization of WebRTC aims to improve interoperability compared to proprietary solutions. However, interoperability is not always in the best interests of businesses. Ultimately, the API is more important than the underlying protocols it uses.
Ws
WsSunghan Kim This document discusses the purpose, background, and implementation status of web sockets. It describes how web sockets enable bidirectional communication between web applications and servers through a single TCP connection. This overcomes limitations of traditional HTTP where communication was typically one-way from server to client using polling. The document outlines the web socket protocol specification process involving the W3C and IETF and lists some potential application areas.
The State of WebRTC
The State of WebRTCRobin Hawkes WebRTC brings peer-to-peer networking to the browser, and it's here to stay. So what is WebRTC? How does it work? How do you use it? And what are others doing with it? In this talk, Rob covers the current state of WebRTC, outlines how to use it, and shows off some of the amazing things that it can do beyond video chat.
WHIP and Janus @ IIT-RTC 2021
WHIP and Janus @ IIT-RTC 2021Lorenzo Miniero This document discusses WebRTC ingestion for broadcasting (WHIP), a new protocol being standardized by the IETF. It provides an overview of WHIP, including how it can be implemented using existing WebRTC servers like Janus. The presenter describes creating a simple WHIP server and client as proof-of-concept implementations. Interoperability between different WHIP server and client implementations is also discussed.
Kamailio World 2017: Getting Real with WebRTC
Kamailio World 2017: Getting Real with WebRTCChad Hart My talk at Kamailio World in Berlin this year about WebRTC's adoption status, key considerations, and what's next for the technology. Special consideration given to the open source telephony community.
Torino js
Torino jsMatteo Avalle WebRTC and the Web Audio API allow real-time communication and audio/video processing capabilities directly in the browser. WebRTC provides APIs for capturing media streams from devices and establishing peer-to-peer connections, while dealing with challenges like firewalls and NAT using ICE, STUN and TURN. The Web Audio API enables efficient audio stream manipulation through a processing block model. While building full-featured video chat applications with WebRTC alone can be difficult, these capabilities open opportunities for applications involving real-time media and audio processing directly in the browser.
Developing Revolutionary Web Applications using Comet and Ajax Push
Developing Revolutionary Web Applications using Comet and Ajax PushDoris Chen Join the asynchronous web revolution! Because Ajax-based applications are almost becoming the de facto technology for designing web-based applications, it is more and more important that such applications react on the fly, or in real time, to both client and server events. AJAX can be used to allow the browser to request information from the web server, but does not allow a server to push updates to a browser. Comet solves this problem. Comet is a technology that enables web clients and web servers to communicate asynchronously, allowing real-time operations and functions previously unheard of with traditional web applications to approach the capabilities of desktop applications. This session will start to provide an brief introduction to the asynchronous web, AJAX polling, long polling, and Streaming, explaining the Bayeux protocol, Cometd, Grizzly Comet implementation on GlassFish. Different approaches and best practices to develop comet application will also be discussed. You will learn how to develop the chat application, how to implement distance learning slideshow application, how to manage a chat application from the server and how to develop a two-player distributed game application. Attendees will take away the tactics they need in order to add multiuser collaboration, notification and other Comet features to their application, whether they develop with Dojo, jQuery, jMaki, or Prototype and whether they deploy on Jetty, Tomcat, or the GlassFish Application Server.
Introduction to WebSockets
Introduction to WebSocketsGunnar Hillert WebSocket is a protocol that provides bidirectional communication over a single TCP connection. It uses an HTTP handshake to establish a connection and then transmits messages as frames that can contain text or binary data. The frames include a header with metadata like opcode and payload length. WebSocket aims to provide a standard for browser-based applications that require real-time data updates from a server.
HTML5 Real Time and WebSocket Code Lab (SFHTML5, GTUGSF)
HTML5 Real Time and WebSocket Code Lab (SFHTML5, GTUGSF)Peter Lubbers Presentation by Peter Lubbers and Frank Salim presented at the San Francisco HTML5 User Group/GTUGSF Code Lab.
Websocket
Websocket艾鍗科技 艾鍗教你從實作中認識物聯網!
http://bit.ly/2jZRwt2
課程使用Raspberry Pi結合ARM mbed Cloud來實現一個物聯網解決方案。你會了解M2M(Machine-to-Machine)網路協定,包含CoAP、MQTT、LWM2M等協定,並藉由Raspberry Pi連接 Cloud。 Raspberry Pi的部份教你連接一些感測器,包含GPIO、數位界面I2C的溫溼度感測器、類比感測器如光感應器等,並將這些感測器成為定義為不同的Resource Path並註冊在mbed cloud中。
本課程將採用Node.js撰寫WebAPP,使用HTTP/RESTful API存取Resource。在實作WebAPP中,除了後端Node.js,你也將會看到後端如何與前端瀏覽器之間要如何溝通的方式,如AJAX或WebSocket
Ad
More from Vandana Verma (18)
Building security into the pipelines
Building security into the pipelinesVandana Verma Vandana Verma is a cybersecurity expert who specializes in DevSecOps. She serves on the OWASP Global Board of Directors as Vice-Chair and is a member of several security review boards. Her work focuses on diversity initiatives in information security. She advocates for integrating security practices throughout the entire software development lifecycle from coding to deployment. This includes having developers take ownership of security and empowering them with tools and processes to build more secure applications within their existing workflows.
Applying OWASP web security testing guide (OWSTG)
Applying OWASP web security testing guide (OWSTG)Vandana Verma This document provides an overview of the OWASP Web Security Testing Guide. It categorizes testing as either passive or active, and outlines 11 sections covering different types of security testing for web applications. Each section includes a summary, testing methodology, available tools, and references. Testing areas covered include information gathering, configuration management, identity and authentication, authorization, session management, input validation, error handling, cryptography, business logic, and client-side issues. The goal of the guide is to provide a standard methodology for performing security tests on web applications.
Running an app sec program with OWASP projects_ Defcon AppSec Village
Running an app sec program with OWASP projects_ Defcon AppSec VillageVandana Verma This document outlines how to run an application security (AppSec) program using various open source tools from the Open Web Application Security Project (OWASP). It discusses tools for requirements gathering, threat modeling, source code review, vulnerability testing, defect tracking, defensive controls, training and awareness, and knowledge management. Many of the tools are linked, including the OWASP Security Knowledge Framework, Dependency Check, ModSecurity Core Rule Set, Juice Shop, DevSlop, the OWASP Top 10, and the OWASP Testing guides. The document provides an open source framework for implementing an AppSec program.
SARCON Talk - Vandana Verma Sehgal
SARCON Talk - Vandana Verma SehgalVandana Verma The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies related to web application security. It has over 93 active projects led by volunteer community members. Some of the major OWASP projects include the OWASP Top Ten project, the Application Security Verification Standard, the Web Security Testing Guide, and security tools like ZAP, Dependency Check, and DefectDojo.
Sacon 2020 living in the world of zero trust v1.0
Sacon 2020 living in the world of zero trust v1.0Vandana Verma Vandana Verma Sehgal gave a presentation on Zero Trust security models at SACON International 2020 in Bangalore, India. She began by introducing herself and her background in information security. She then discussed the limitations of conventional security models that rely on network perimeter defenses and trusting internal systems and users. She outlined the Zero Trust model which is based on the principles of never trusting any user, device, or network and requiring strict identity verification for all access. Some key aspects of Zero Trust architectures discussed included identity-based access controls, application-level access instead of network access, isolating network infrastructure, advanced threat protection, and treating identity as the new security perimeter.
Addo 2019 vandana_dev_secops_culturalchange
Addo 2019 vandana_dev_secops_culturalchangeVandana Verma Vandana Verma Sehgal discusses building a DevSecOps culture. She outlines both top-down and bottom-up approaches to shifting culture, emphasizing collaboration between teams. Key aspects include establishing training programs, building security champions, embracing automation, and empowering developers to deliver securely. Case studies from ABN Amro and Fannie Mae demonstrate successful DevSecOps journeys. The end goal is for security to be integrated into the development process from the beginning through a shared responsibility model.
App Sec village DevSecOps as a culture
App Sec village DevSecOps as a cultureVandana Verma The document discusses shifting organizational culture to DevSecOps. It outlines challenges in integrating security practices into DevOps processes and culture shifts like encouraging a security mindset across teams through collaboration, education and common goals. The security team role evolves to creating security champions in each team. Case studies from ABN Amro and Fannie Mae demonstrate successful DevSecOps journeys. Resources are provided for establishing a DevSecOps culture.
Oscp - Journey
Oscp - JourneyVandana Verma The document provides an overview of how to get started with the OSCP (Offensive Security Certified Professional) certification. It outlines the required skills like basic Linux usage and programming knowledge. It recommends starting with Hack The Box to practice skills like port scanning and web application testing. The journey involves lab machines to exploit systematically through enumeration, exploitation, and privilege escalation. The exam involves cracking 5 out of 10 machines within 23 hours 45 minutes to pass. Regular breaks, thorough enumeration, and immediately submitting flags are tips for the exam. Overall it recommends perseverance and practicing systematically on similar machines.
Story of http headers
Story of http headersVandana Verma The document discusses the importance of HTTP security headers as the first layer of defense for web applications. It describes several important headers like HSTS, CSP, and features like XSS protection. It outlines how headers help secure the client-side DOM from attacks and help prevent vulnerabilities. The document also discusses HTTP requests/responses, JavaScript vulnerabilities, and tools for analyzing security headers.
Security audits & compliance
Security audits & complianceVandana Verma The document provides an overview of security audits and compliance based on the ISO 27001:2013 standard. It defines key terms, describes the three pillars of information security and types of audits. It introduces ISO 27001, outlines the framework's 13 control domains and objectives. The document explains how to conduct a security audit from initiation to follow up and closure of nonconformities. It stresses that audits are about improvement, not fault finding, and ensuring unbiased reviews.
Basics of Server Side Template Injection
Basics of Server Side Template InjectionVandana Verma The document discusses server-side template injection, where malicious code can be injected through templates used to generate web pages or emails. Templates are widely used by web applications to dynamically generate data. The first step in detecting a server-side template injection is noticing unusual behavior, errors, or mathematical expressions being executed on the server. Ways to detect injections include inserting mathematical expressions into templates. Mitigations include executing users' code in sandboxed environments like Docker containers and validating user input.
SIEM Vendor Neutrality
SIEM Vendor NeutralityVandana Verma SIEM (Security Information and Event Management) is software that combines SIM (Security Information Management) and SEM (Security Event Manager) to provide real-time monitoring, event correlation, notifications, and reporting of log data. The three main purposes of SIEM are compliance, security, and operations. SIEM products collect logs, monitor user activity, correlate events in real-time, retain logs, generate compliance reports, monitor file integrity, perform log forensics, and provide dashboards. Popular open source SIEMs include Elastic Stack and MozDef, while licensed SIEMs include IBM QRadar, HP ArcSight, and Splunk. Vendor-neutral SIEM certifications like CompTIA Security+ are
Getting started with android
Getting started with androidVandana Verma Minali Arora is a cyber security professional with 6 years of experience in application and network pentesting, bash scripting, and red teaming. She also works as a part-time bug bounty hunter and blogger. The document discusses Android security architecture, which uses UID separation and sandboxing to isolate apps from each other. It describes tools used for static and dynamic Android application testing such as apktool, dex2jar, and Drozer. Common vulnerabilities found include OTP bypass, authentication bypass, and privilege escalation. The document provides tips for developers to store data safely, enforce secure communication, and implement least privilege permissions.
Importance of Penetration Testing
Importance of Penetration TestingVandana Verma This document discusses the importance of penetration testing education and provides information about cost-effective training options. It introduces the author, Jasmine Jackson, who has several security certifications and works as a penetration tester. Her blog, PassionForPentesting, was created in 2012 to showcase her skills and teach beginners about information security. The document then lists several free or low-cost training resources for penetration testing, including PentesterLab, OverTheWire, HackTheBox, Vulnerable By Design, PicoCTF, and OWASP projects. These resources provide vulnerable machines, wargames, capture the flag challenges, and other hands-on learning opportunities to help people learn penetration testing skills.
Identity & access management
Identity & access managementVandana Verma This document provides an overview of identity and access management (IAM) concepts. IAM involves managing digital identities and the access provided through them. Key components include establishing unique identities, authorizing access to entitlements through roles, approving access requests, reviewing access through certifications, and provisioning/deprovisioning access. The document also describes how an IAM framework works, including how identities request access, roles and rules are managed, access is aggregated and provisioned to target systems, and certifications are performed to review access. It provides SailPoint as an example of a leading IAM tool.
Chariot generic presentation owaspwia_Infosecgirls
Chariot generic presentation owaspwia_InfosecgirlsVandana Verma The CHARIOT project aims to develop a secure and safe cognitive IoT architecture and platform for industrial applications. The project will specify a methodological framework for designing secure IoT applications that address system safety. It will also develop an open cognitive IoT architecture called the CHARIOT Platform that exhibits intelligent safety behavior. Additionally, the project will create a runtime privacy, security and safety supervision engine to monitor IoT systems. The new architecture and tools will be tested and validated in three living labs focused on different industrial sectors.
OWASP - Dependency Check
OWASP - Dependency CheckVandana Verma The document discusses the open source vulnerability scanner Dependency Check. It provides an overview of Dependency Check's history and importance, how it works by checking dependencies against the National Vulnerability Database, and how to use Dependency Check to generate reports on vulnerabilities. The document also covers best practices for enterprise deployments of Dependency Check and common use cases.
Incident response in Cloud
Incident response in CloudVandana Verma This document discusses incident response in the cloud. It begins with an introduction to cloud basics like service and deployment models. It then contrasts traditional incident response with cloud incident response due to the dynamic nature of cloud environments. It stresses the importance of preparation, including establishing response plans with cloud providers and evaluating security controls. Specific areas of focus for preparation are also outlined, like identity management, monitoring, and backups. The document then provides best practices for containment, investigation, and recovery of cloud incidents. It concludes with recommendations on logging, automation, and resources for further information.
Ad
Recently uploaded (20)
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsInData Labs At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including:
-Artificial Intelligence Market Overview
-Strategies for AI Adoption in 2025
-Anticipated drivers of AI adoption and transformative technologies
-Benefits of AI and Big data for your business
-Tips on how to prepare your business for innovation
-AI and data privacy: Strategies for securing data privacy in AI models, etc.
Download your free copy nowand implement the key findings to improve your business.
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In Francechb3 The latest updates on Manifest's pre-seed stage progress.
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessDr. Tathagat Varma My talk for the Indian School of Business (ISB) Emerging Leaders Program Cohort 9. In this talk, I discussed key issues around adoption of GenAI in business - benefits, opportunities and limitations. I also discussed how my research on Theory of Cognitive Chasms helps address some of these issues
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...
TrustArc Webinar: Consumer Expectations vs Corporate Realities on Data Broker...TrustArc Most consumers believe they’re making informed decisions about their personal data—adjusting privacy settings, blocking trackers, and opting out where they can. However, our new research reveals that while awareness is high, taking meaningful action is still lacking. On the corporate side, many organizations report strong policies for managing third-party data and consumer consent yet fall short when it comes to consistency, accountability and transparency.
This session will explore the research findings from TrustArc’s Privacy Pulse Survey, examining consumer attitudes toward personal data collection and practical suggestions for corporate practices around purchasing third-party data.
Attendees will learn:
- Consumer awareness around data brokers and what consumers are doing to limit data collection
- How businesses assess third-party vendors and their consent management operations
- Where business preparedness needs improvement
- What these trends mean for the future of privacy governance and public trust
This discussion is essential for privacy, risk, and compliance professionals who want to ground their strategies in current data and prepare for what’s next in the privacy landscape.
How analogue intelligence complements AI
How analogue intelligence complements AIPaul Rowe
Artificial Intelligence is providing benefits in many areas of work within the heritage sector, from image analysis, to ideas generation, and new research tools. However, it is more critical than ever for people, with analogue intelligence, to ensure the integrity and ethical use of AI. Including real people can improve the use of AI by identifying potential biases, cross-checking results, refining workflows, and providing contextual relevance to AI-driven results.
News about the impact of AI often paints a rosy picture. In practice, there are many potential pitfalls. This presentation discusses these issues and looks at the role of analogue intelligence and analogue interfaces in providing the best results to our audiences. How do we deal with factually incorrect results? How do we get content generated that better reflects the diversity of our communities? What roles are there for physical, in-person experiences in the digital world?
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Aqusag Technologies In late April 2025, a significant portion of Europe, particularly Spain, Portugal, and parts of southern France, experienced widespread, rolling power outages that continue to affect millions of residents, businesses, and infrastructure systems.
How Can I use the AI Hype in my Business Context?
How Can I use the AI Hype in my Business Context?Daniel Lehner 𝙄𝙨 𝘼𝙄 𝙟𝙪𝙨𝙩 𝙝𝙮𝙥𝙚? 𝙊𝙧 𝙞𝙨 𝙞𝙩 𝙩𝙝𝙚 𝙜𝙖𝙢𝙚 𝙘𝙝𝙖𝙣𝙜𝙚𝙧 𝙮𝙤𝙪𝙧 𝙗𝙪𝙨𝙞𝙣𝙚𝙨𝙨 𝙣𝙚𝙚𝙙𝙨?
Everyone’s talking about AI but is anyone really using it to create real value?
Most companies want to leverage AI. Few know 𝗵𝗼𝘄.
✅ What exactly should you ask to find real AI opportunities?
✅ Which AI techniques actually fit your business?
✅ Is your data even ready for AI?
If you’re not sure, you’re not alone. This is a condensed version of the slides I presented at a Linkedin webinar for Tecnovy on 28.04.2025.
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroUiPathCommunity This session is designed to equip developers with the skills needed to build mission-critical, end-to-end processes that seamlessly orchestrate agents, people, and robots.
📕 Here's what you can expect:
- Modeling: Build end-to-end processes using BPMN.
- Implementing: Integrate agentic tasks, RPA, APIs, and advanced decisioning into processes.
- Operating: Control process instances with rewind, replay, pause, and stop functions.
- Monitoring: Use dashboards and embedded analytics for real-time insights into process instances.
This webinar is a must-attend for developers looking to enhance their agentic automation skills and orchestrate robust, mission-critical processes.
👨🏫 Speaker:
Andrei Vintila, Principal Product Manager @UiPath
This session streamed live on April 29, 2025, 16:00 CET.
Check out all our upcoming Dev Dives sessions at https://community.uipath.com/dev-dives-automation-developer-2025/.
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AIartmondano By 2026, AI agents will consume 10x more enterprise data than humans, but with none of the contextual understanding that prevents catastrophic misinterpretations.
Cyber Awareness overview for 2025 month of security
Cyber Awareness overview for 2025 month of securityriccardosl1 Cyber awareness training educates employees on risk associated with internet and malicious emails
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...
AI EngineHost Review: Revolutionary USA Datacenter-Based Hosting with NVIDIA ...SOFTTECHHUB I started my online journey with several hosting services before stumbling upon Ai EngineHost. At first, the idea of paying one fee and getting lifetime access seemed too good to pass up. The platform is built on reliable US-based servers, ensuring your projects run at high speeds and remain safe. Let me take you step by step through its benefits and features as I explain why this hosting solution is a perfect fit for digital entrepreneurs.
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environmentspanagenda Webinar Recording: https://www.panagenda.com/webinars/hcl-nomad-web-best-practices-and-managing-multiuser-environments/
HCL Nomad Web is heralded as the next generation of the HCL Notes client, offering numerous advantages such as eliminating the need for packaging, distribution, and installation. Nomad Web client upgrades will be installed “automatically” in the background. This significantly reduces the administrative footprint compared to traditional HCL Notes clients. However, troubleshooting issues in Nomad Web present unique challenges compared to the Notes client.
Join Christoph and Marc as they demonstrate how to simplify the troubleshooting process in HCL Nomad Web, ensuring a smoother and more efficient user experience.
In this webinar, we will explore effective strategies for diagnosing and resolving common problems in HCL Nomad Web, including
- Accessing the console
- Locating and interpreting log files
- Accessing the data folder within the browser’s cache (using OPFS)
- Understand the difference between single- and multi-user scenarios
- Utilizing Client Clocking
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptx
DevOpsDays Atlanta 2025 - Building 10x Development Organizations.pptxJustin Reock Building 10x Organizations with Modern Productivity Metrics
10x developers may be a myth, but 10x organizations are very real, as proven by the influential study performed in the 1980s, ‘The Coding War Games.’
Right now, here in early 2025, we seem to be experiencing YAPP (Yet Another Productivity Philosophy), and that philosophy is converging on developer experience. It seems that with every new method we invent for the delivery of products, whether physical or virtual, we reinvent productivity philosophies to go alongside them.
But which of these approaches actually work? DORA? SPACE? DevEx? What should we invest in and create urgency behind today, so that we don’t find ourselves having the same discussion again in a decade?
Role of Data Annotation Services in AI-Powered Manufacturing
Role of Data Annotation Services in AI-Powered ManufacturingAndrew Leo From predictive maintenance to robotic automation, AI is driving the future of manufacturing. But without high-quality annotated data, even the smartest models fall short.
Discover how data annotation services are powering accuracy, safety, and efficiency in AI-driven manufacturing systems.
Precision in data labeling = Precision on the production floor.
Procurement Insights Cost To Value Guide.pptx
Procurement Insights Cost To Value Guide.pptxJon Hansen Procurement Insights integrated Historic Procurement Industry Archives, serves as a powerful complement — not a competitor — to other procurement industry firms. It fills critical gaps in depth, agility, and contextual insight that most traditional analyst and association models overlook.
Learn more about this value- driven proprietary service offering here.
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025
https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/
Is AI just another technology, or does it fundamentally change the way we live and think?
Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater.
At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts.
At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp This is the keynote of the Into the Box conference, highlighting the release of the BoxLang JVM language, its key enhancements, and its vision for the future.
Web sockets - Pentesting
- 2. ABOUT ME NEHA BAHETY PENETRATION TESTER & ETHICAL HACKER
- 3. WHAT IS THIS TALK ABOUT? What are WebSockets? Why do we need them? How do we use them? Tools used for WebSocket Pentesting. List of Vulnerabilities What limitations do they have
- 4. WHAT ARE WEBSOCKETS? WEBSOCKET IS A TECHNOLOGY FOR PROVIDING BI-DIRECTIONAL FULL DUPLEX COMMUNICATION CHANNELS OVER A SINGLE TCP SOCKET.
- 5. SIMPLE DEFINITION. IT’S A NEW FEATURE IN HTML5 THAT LET YOU STREAM DATA TO AND FROM WEB BROWSERS.
- 9. WHY DO WE NEED WEBSOCKETS?? • 1-WebSocket is a naturally full-duplex, bidirectional, single-socket connection. With WebSocket, your HTTP request becomes a single request to open a WebSocket connection and reuses the same connection from the client to the server, and the server to the client. • 2-WebSocket reduces latency. For example, unlike polling, WebSocket makes a single request. The server does not need to wait for a request from the client. Similarly, the client can send messages to the server at any time. This single request greatly reduces latency over polling, which sends a request at intervals, regardless of whether messages are available. • 3-WebSocket makes real-time communication much more efficient. You can always use polling (and sometimes even streaming) over HTTP to receive notifications over HTTP. However, WebSocket saves bandwidth, CPU power, and latency. WebSocket is an innovation in performance
- 11. SOME MORE USAGE : • WebSocket is an underlying network protocol that enables you to build other standard protocols on top of it. • WebSocket is part of an effort to provide advanced capabilities to HTML5 applications in order to compete with other platforms. • WebSocket is about Simplicity
- 12. HOW DO WE USE THEM??? • What all things required: Webkit: Chrome, Safari(Work on ios) Client Javascript API Server-Side API
- 15. TOOLS USED • Burp can proxy WebSocket Traffic • OWASP ZAP can Proxy and fuzz WebSocket Traffic • Chrome offers a Web Socket client and developer tools(F12) **During Mapping phase look for ws:// or wss:// ** Both Ruby and python support websocket client and servers.
- 16. LIST OF VULNERABILITIES WebSockets have been a source of interesting vulnerabilities Apache, Wireshark, Chrome, OpenStack, MessageSight, Firefox, Drupal, Ansible Tower, and others Denial of service, remote code execution, sandbox bypass, and authorization bypass • CVE-2014-0193, CVE-2014-0921, CVE-2014-0922, CVE-2014-1703, CVE-2014- 3165, CVE-2014-3429, CVE-2015-0176, CVE-2015-0228, CVE-2015-0259, CVE- 2015-1244, CVE-2015-1482, CVE-2015-3810, CVE-2015-7197, and CVE-2015-8601
- 18. BIG ONE’S • Not all Browsers support them: Firefox 4, IE9,Opera • WebSockets need maintenance and care: Re-open connif network timeout Back off if server is down Keep Alive if your connection times out Buffer and resends the message in above cases • Many libraries – including the most popular Ruby one
- 19. ATTACKER’S VIEW OF WEBSOCKET • This is a relatively new area of security research New technologies create challenges for defenders • Protocol use might not be properly monitored • Defenders might not even know it is there! Attackers can leverage WebSockets to • attack server side • attack client side • attack parsers • bypass filtering
- 20. REFERENCES • https://tools.ietf.org/html/rfc6455 • https://blog.sessionstack.com/how-javascript-works-deep-dive-into-websockets- and-http-2-with-sse-how-to-pick-the-right-path-584e6b8e3bf7 • https://media.blackhat.com/bh-us- 12/Briefings/Shekyan/BH_US_12_Shekyan_Toukharian_Hacking_Websocket_Slides. pdf • https://github.com/interference-security/DVWS • https://github.com/tssoffsec/docker-dvwsocket