From 2dda894e449cacf699b8e6a2eda98b309e880f0d Mon Sep 17 00:00:00 2001
From: Vincent Mazenod <vmazenod@gmail.com>
Date: Fri, 14 Apr 2023 08:28:21 +0200
Subject: [PATCH] update websec

---
 content/slides/1337/http.html | 4 +-
 content/slides/1337/md/http.md | 11 +++-
 content/slides/1337/md/js.md | 13 +++++-
 content/slides/privacy/md/sovereignty.md | 38 ++++++++---------
 content/slides/privacy/md/tls.md | 54 +++++++-----------------
 content/slides/privacy/md/tracking.md | 5 +--
 notes.md | 7 +++
 7 files changed, 61 insertions(+), 71 deletions(-)
 create mode 100644 notes.md

diff --git a/content/slides/1337/http.html b/content/slides/1337/http.html
index 115764b..bd43a69 100644
--- a/content/slides/1337/http.html
+++ b/content/slides/1337/http.html
@@ -68,14 +68,14 @@
 </script>
 <script>
 document.addEventListener('DOMContentLoaded', function () {
- q = "ok boomer"; // search query
+ q = "w00t"; // search query
 request = new XMLHttpRequest;
 request.open('GET', 'https://api.giphy.com/v1/gifs/random?api_key=GmPNFEPI5osSNgLf9IcWoq00anejpuQY&tag='+q, true);
 request.onload = function() {
 if (request.status >= 200 && request.status < 400){
- data = JSON.parse(request.responseText).data.image_url;
+ data = JSON.parse(request.responseText).data.images.original.url;
 document.getElementById("giphyjson").innerHTML = JSON.stringify(JSON.parse(request.responseText), null, 2);
 document.getElementById("giphyme").innerHTML = '<center><img src = "'+data+'" title="GIF via Giphy"></center>';
 } else {
diff --git a/content/slides/1337/md/http.md b/content/slides/1337/md/http.md
index ae3d284..52f607b 100644
--- a/content/slides/1337/md/http.md
+++ b/content/slides/1337/md/http.md
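Review bot: The new `data = JSON.parse(request.responseText).data.images.original.url;` walks into the third-party response with no guard, so a body whose `data` has no `images.original` throws a TypeError inside `onload` and the slide silently shows nothing; `data`, `q` and `request` are also implicit globals. On the unchanged `giphyme` line that URL is then concatenated into `innerHTML`, and `q` goes into the query string unencoded on the `request.open` line — a value supplied by a remote API belongs in a DOM property (`img.src`), the search term should pass through `encodeURIComponent`, and the JSON dump is safer as `textContent`. The `api_key` hard-coded on that same line is necessarily public in client-side HTML, so it should be treated as such (a rate-limited key, rotated if abused). The `DOMContentLoaded` handler continues past the end of the hunk.
```javascript
// … unchanged: request.open(...) — pass encodeURIComponent(q) in the tag parameter …
request.onload = function() {
  if (request.status >= 200 && request.status < 400) {
    var payload = JSON.parse(request.responseText);
    var original = payload.data && payload.data.images && payload.data.images.original;
    document.getElementById("giphyjson").textContent = JSON.stringify(payload, null, 2);
    if (!original || !original.url) { return; } // nothing usable in the response
    var img = document.createElement("img");
    img.src = original.url; // remote-supplied URL: set as a property, not via innerHTML
    img.title = "GIF via Giphy";
    img.alt = "GIF Giphy pour le tag " + q;
    var holder = document.getElementById("giphyme");
    holder.innerHTML = "";
    holder.appendChild(img);
  } else {
```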
@@ -234,7 +234,7 @@ deux types
 ## REpresentational State Transfer
 Must read:
-* [Haters gonna HATEOAS](http://timelessrepo.com/haters-gonna-hateoas).
+* [HATEOAS](https://fr.wikipedia.org/wiki/HATEOAS).
 * [L’architecture REST expliquée en 5 règles](https://blog.nicolashachet.com/niveaux/confirme/larchitecture-rest-expliquee-en-5-regles/)
 * [Architectural Styles and the Design of Network-based Software Architectures](https://www.ics.uci.edu/%7Efielding/pubs/dissertation/top.htm) by Roy Thomas Fielding 2000
@@ -257,7 +257,7 @@ Note:
 ```js
 document.addEventListener('DOMContentLoaded', function () {
 q = "finger guns";
- api_key = "ok boomer";
+ api_key = "w00t";
 api_url = "https://api.giphy.com/v1/gifs/random";
 request = new XMLHttpRequest;
 request.open('GET', api_url + '?api_key=' + api_key + '&tag='+q, true);
@@ -275,14 +275,14 @@ document.addEventListener('DOMContentLoaded', function () {
 <div id="giphyme"></div>
+
+[https://developers.giphy.com/docs/](https://developers.giphy.com/docs/)
+
 <pre> <div id="giphyjson"> </code> </pre>
-* [https://developers.giphy.com/docs/](https://developers.giphy.com/docs/)
-
-
 ## HTTP est "__stateless__"
@@ -346,7 +346,6 @@ Cookie: PHPSESSID=hr0ms75gs6f7vlph0hhct2bjj3
 * 5MB / domaine contre 4096bytes pour le cookie
 * supprimable uniquement via js
-
 ## header, cookie, body, query string, script ...
 <!-- .element: width="35%" -->
diff --git a/content/slides/1337/md/js.md b/content/slides/1337/md/js.md
index 77070a6..4549196 100644
--- a/content/slides/1337/md/js.md
+++ b/content/slides/1337/md/js.md
@@ -148,4 +148,15 @@ directement dans les événements associés à un élément du DOM
 [<i class="fa fa-github"></i> un gist exemple](https://gist.github.com/nealrs/28dbfe2c74dfdde26a30)
-[<i class="fa fa-book"></i> pour le reste tout est accessible à partir d'ici](http://edu.muetton.me/)
+<i class="fa fa-book"></i> Apprendre JS
+
+* https://developer.mozilla.org/fr/docs/Web/JavaScript
+ * https://www.youtube.com/watch?v=jnbiNr9b_lk
+* https://devdocs.io/javascript/
+
+<i class="fa fa-book"></i> Faire du JS en 2023
+
+* https://www.typescriptlang.org/
+* https://nodejs.org/
+* https://fr.reactjs.org/
+* https://vuejs.org/
\ No newline at end of file
diff --git a/content/slides/privacy/md/sovereignty.md b/content/slides/privacy/md/sovereignty.md
index e727a66..8595228 100644
--- a/content/slides/privacy/md/sovereignty.md
+++ b/content/slides/privacy/md/sovereignty.md
@@ -7,12 +7,12 @@ Il est contrôlé par ses outils
 ## Hacking
-<!-- .element width="20%"-->
-<!-- .element width="37%" -->
+[<!-- .element width="20%"-->](https://fr.wikipedia.org/wiki/Richard_Stallman)
+[<!-- .element width="37%" -->](https://fr.wikipedia.org/wiki/Eric_Raymond)
 * Black Hat, white Hat, Grey Hat
 * Ethical
- * [une brève histoire des hackers](http://www.linux-france.org/article/these/hackers_history/fr-a_brief_history_of_hackerdom_monoblock.html)
+ * [une brève histoire des hackers](https://usbeketrica.com/fr/article/une-breve-histoire-des-hackers)
 * [code is law](http://framablog.org/2010/05/22/code-is-law-lessig/)
@@ -36,32 +36,21 @@ Il est contrôlé par ses outils
 * Même Microsoft s'ouvre
 * ["An Open Letter to Hobbyists" Bill Gates, 1976](https://fr.wikipedia.org/wiki/An_Open_Letter_to_Hobbyists)
 * ["Linux is a cancer" Steve Ballmer, 2001](http://www.theregister.co.uk/2001/06/02/ballmer_linux_is_a_cancer/)
- * [Windows bientôt en Open Source](http://www.lemondeinformatique.fr/actualites/lire-windows-bientot-en-open-source-60767.html)
- * [Foire aux questions sur l'open source et l'intéropérabilité](http://www.microsoft.com/france/openness/ressources/faq.aspx)
+ * [github](https://github.com), [type script](https://www.typescriptlang.org/), [vscode](https://code.visualstudio.com/), [et autres ...](https://opensource.microsoft.com/projects/)
 ## Logiciel privateur
+[](https://fr.wikipedia.org/wiki/Logiciel_propri%C3%A9taire)
-## logicels libres & opensources
-
-* OS: [Ubuntu](https://ubuntu-fr.org/)
-* logiciels: [framasoft](https://framasoft.org/), [alternativeto](https://alternativeto.net/)
+## logicels libres & opensources
-* Android: [F-DROID](https://f-droid.org/fr/), [<i class="fa fa-reddit" aria-hidden="true"></i> best android ROM for privacy](https://www.reddit.com/r/privacy/comments/6d3a33/best_android_rom_for_privacy/)
+* OS: [Certains linux sont libres](https://www.gnu.org/distros/free-distros.fr.html), mais [pas ubuntu](https://www.developpez.com/actu/332740/Richard-Stallman-s-exprime-sur-l-etat-du-mouvement-du-logiciel-libre-et-declare-que-les-Macintosh-continuent-d-etre-des-prisons-pour-les-utilisateurs/)
+* logiciels: [framasoft](https://framasoft.org/), [alternativeto](https://alternativeto.net/), [liste des logiciels libres](https://fr.wikipedia.org/wiki/Liste_de_logiciels_libres) (tiens il y a ubuntu?)
-## logicels libres & opensources
-
-* [Framastart](https://framastart.org/)
-* [Framalibre](https://framasoft.org/rubrique2.html)
-* [Framakey](https://framakey.org/Main/Index)
- * [LiberKey](https://www.liberkey.com/fr.html)
-* [Framapack](https://framapack.org/)
-* [AlternativeTo](http://alternativeto.net/)
-* [Github](https://github.com/)
- * <strike>https://sourceforge.net/</strike>
+* Android: [LineageOS](https://lineageos.org/), [F-DROID](https://f-droid.org/fr/), [<i class="fa fa-reddit" aria-hidden="true"></i> best android ROM for privacy](https://www.reddit.com/r/privacy/comments/6d3a33/best_android_rom_for_privacy/)
 ## Services
@@ -72,7 +61,10 @@ Il est contrôlé par ses outils
 * sur des machines accessibles physiquement si possible
 * enjeux des connexions personnelles
 * Utiliser des services décentralisés
+* Déjouer le [capitalisme de surveillance](https://www.zulma.fr/livre/lage-du-capitalisme-de-surveillance/)
+
+## Services
 * [OwnCloud](https://owncloud.org/) > [framadrive](https://framadrive.org/) ou [service-public.fr](https://www.service-public.fr/assistance-et-contact/aide/compte#Comment%20stocker%20vos%20documents%20) > [Google Drive](https://drive.google.com) / [Dropbox](https://www.dropbox.com) / [One Drive](https://onedrive.live.com)
 * [OwnCloud](https://owncloud.org/) > [framagenda](https://framagenda.org) > [Google calendar](https://calendar.google.com)
@@ -80,6 +72,12 @@ Il est contrôlé par ses outils
 * [Postfix](http://www.postfix.org/) > [Proton mail](https://protonmail.com/) > [GMail](https://mail.google.com/)
 * [Qwant](https://www.qwant.com/) > [DuckDuckGo](https://duckduckgo.com/) > [Google](https://www.google.fr)
 * g!
+
+<div style="text-align: center">
+ <a href="https://www.chatons.org">
+ <img src="https://www.chatons.org/sites/default/files/uploads/logo_chatons.png" style="width: 200px"/>
+ </a>
+</div>
 ## Auto-hébergement
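Review bot: The `<img>` added in the chatons block has no `alt`, ends with a self-closing `/>` that HTML ignores, and hot-links the logo from chatons.org, so every viewer of this privacy deck makes a request to a third-party host just to render the slide. Suggest `<img src="[local copy of logo_chatons.png]" alt="Logo du collectif CHATONS" width="200">` served from the deck's own assets, with the centering moved from `style="text-align: center"` to a class. The `## Auto-hébergement` slide that closes the hunk is unchanged.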
diff --git a/content/slides/privacy/md/tls.md b/content/slides/privacy/md/tls.md
index 1f0905b..dd53a5c 100644
--- a/content/slides/privacy/md/tls.md
+++ b/content/slides/privacy/md/tls.md
@@ -636,28 +636,18 @@ Note:
 * [Certificate authorities issue SSL certificates to fraudsters](http://news.netcraft.com/archives/2015/10/12/certificate-authorities-issue-hundreds-of-deceptive-ssl-certificates-to-fraudsters.html)
-## <i class="fa fa-gears"></i> Tests serveurs
+## <i class="fa fa-gears"></i> Tester
-* Tester un certificat SSL
- * [SSL Decoder](https://ssldecoder.org/)
- * [Certificate Expiry Monitor](https://certificatemonitor.org/)
-* Tester une configuration SSL
+* Tester un certificat SSL/TLS
+ * [SSL Certificate Decoder](https://www.sslchecker.com/certdecoder)
+* Tester un serveur SSL/TLS
 * [Qualys](https://www.ssllabs.com/ssltest/)
- * [Comodo ssl analyzer](https://sslanalyzer.comodoca.com/)
- * [OpenSSL Decoder](https://raymii.org/s/software/OpenSSL_Decoder.html)
- * [Strong SSL Security On nginx](https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html)
+ * [testssl.sh](https://github.com/drwetter/testssl.sh)
 * ```shell
 $ nmap -p 443 --script=ssl-enum-ciphers heart.bleed
 ```
-
-
-## <i class="fa fa-gears"></i> Tests navigateurs
-
-* [SSL Cipher Suite Details of Your Browser](https://cc.dcsec.uni-hannover.de/)
-* [How's my SSL?](https://www.howsmyssl.com/)
-* [<i class="fa fa-firefox"></i> Toggle Cipher Suites](https://addons.mozilla.org/fr/firefox/addon/toggle-cipher-suites/)
- * [<i class="fa fa-github"></i> Toggle Cipher Suites](https://github.com/dillbyrne/toggle-cipher-suites/releases)
-* [<i class="fa fa-github"></i> Calomel SSL validator](https://addons.mozilla.org/fr/firefox/addon/calomel-ssl-validation/)
+* Tester un navigateur
+ * [How's my SSL?](https://www.howsmyssl.com/)
 Note:
 - aspect arbitraire de la notation notamment qualys
@@ -669,35 +659,21 @@ Note:
 * un service sans **s** est un problème
 * pas ftp, mais sftp ou ftps
- * pas rsync, mais rsync over sssh
+ * pas rsync, mais rsync over ssh
 * pas imap, pop3 et smtp, mais imaps, pop3s et smtps
-* Seules les implémentations conformes à TLSv1 et supérieures doivent être employées
+* Seules les implémentations conformes à TLSv2 et supérieures doivent être employées
 * Les cyphersuites offrant la PFS doivent être favorisées
 * [Anssi - SSL/TLS: état des lieux et recommandations](https://www.ssi.gouv.fr/uploads/2012/06/ssl_tls_etat_des_lieux_et_recommandations.pdf)
-## <i class="fa fa-medkit"></i> Se protéger / Apache
-
-* [Chiffrement fort SSL/TLS : Mode d'emploi](https://httpd.apache.org/docs/2.4/fr/ssl/ssl_howto.html)
-* [Hardening Your Web Server’s SSL Ciphers](https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/)
-* [ssllabs.com's own Apache SSL Config Directives](https://community.qualys.com/thread/9652)
-* [Apache web server SSL best practices](https://wiki.fysik.dtu.dk/it/SSL_best_practices)
-
-
-## <i class="fa fa-medkit"></i> Se protéger / Nginx
-
-* [HTTPS on Nginx: From Zero to A+ (Part 1)](https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-1/)
-* [HTTPS on Nginx: From Zero to A+ (Part 2)](https://juliansimioni.com/blog/https-on-nginx-from-zero-to-a-plus-part-2-configuration-ciphersuites-and-performance/)
-
-
-#### <i class="fa fa-medkit"></i> Se protéger / tout serveur
-
-* [https://syslink.pl/cipherlist/](https://syslink.pl/cipherlist/) pour une conf sécurisée
- * [<i class="fa fa-warning"></i> Modifier tous les vhosts pour nginx!!](http://serverfault.com/questions/641150/nginx-cant-disable-sslv3)
+## <i class="fa fa-medkit"></i> Se protéger
-* fixer le [weak Diffie-Hellman (aka logjam Attack](https://weakdh.org/))
+* Apache
+ * [Chiffrement fort SSL/TLS : Mode d'emploi](https://httpd.apache.org/docs/current/ssl/ssl_howto.html)
+différents services
+* 
[https://syslink.pl/cipherlist/](https://syslink.pl/cipherlist/)
+* fixer le [weak Diffie-Hellman (aka logjam Attack)](https://weakdh.org/))
 <pre><code class="hljs bash" style="font-size: 28px"> openssl dhparam -out dhparams.pem 2048 </code></pre>
- * suivre les [<i class="fa fa-book"></i> recommandations de l'ANSSI](https://www.ssi.gouv.fr/agence/publication/ssltls-3-ans-plus-tard/)
diff --git a/content/slides/privacy/md/tracking.md b/content/slides/privacy/md/tracking.md
index 093fb1a..681ffc9 100644
--- a/content/slides/privacy/md/tracking.md
+++ b/content/slides/privacy/md/tracking.md
@@ -3,16 +3,15 @@
 # <i class="fa fa-user-secret" aria-hidden="true"></i>
-## [panopticlick](https://panopticlick.eff.org/)
+## [Cover Your Tracks](https://coveryourtracks.eff.org/)
 ### Is your browser safe against tracking?
 [Electronic Frontier Foundation](https://www.eff.org/about)'s project
-
 ## Fingerprint
-<!-- .element style="width: 80%" -->
+[<!-- .element style="width: 80%" -->](https://coveryourtracks.eff.org/)
 ## Cookies
diff --git a/notes.md b/notes.md
new file mode 100644
index 0000000..09fbf59
--- /dev/null
+++ b/notes.md
@@ -0,0 +1,7 @@
+sudo vi /etc/sudoers -> %sudo ALL=(ALL:ALL) ALL -> %sudo ALL=(ALL) NOPASSWD:ALL
+sudo vi /etc/default/keyboard -> replace "us" by "fr"
+default language in kali : https://www.youtube.com/watch?v=zCzxXc2SJ6Y
+firefox / burp suite / kali / https://www.youtube.com/watch?v=Uzy28osev5g
+simple api project / https://developer.okta.com/blog/2019/03/08/simple-rest-api-php
+
+https://github.com/onhexgroup/Vulnerable-WordPress
\ No newline at end of file
-- 
GitLab
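Review bot: The changed line `+* Seules les implémentations conformes à TLSv2 et supérieures doivent être employées` names a version that does not exist — TLS versions are 1.0, 1.1, 1.2 and 1.3, and the usual baseline is TLS 1.2 with TLS 1.3 preferred — so it should read `TLS 1.2 et supérieures`. The hunk keeps the 2012 ANSSI état-des-lieux PDF while dropping the later follow-up link; ANSSI has since published updated TLS recommendations, so a current reference (URL to be verified) would serve readers better. The new `+différents services` and `+* ` lines under `* Apache` read like an unfinished list item whose text continues on the next line of the patch. The list this hunk edits starts before the hunk.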
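Review bot: The first line of the new notes.md records replacing `%sudo ALL=(ALL:ALL) ALL` with `%sudo ALL=(ALL) NOPASSWD:ALL`, which removes the password check for every member of the sudo group: any code that runs as such a user (a malicious package, a compromised browser session) then reaches root with no further prompt. If this is for a disposable lab VM, say so in the note; otherwise keep the default and scope `NOPASSWD` to one user or to the specific commands needed. In either case edit the file with `sudo visudo` rather than `sudo vi /etc/sudoers`, since visudo checks the syntax before saving and a malformed sudoers can lock you out of privilege escalation entirely.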