Archives for Security - Page 2
Does your app need a certificate server?
Typically, no! There are some use cases where it may be justified: VPN Authentication Use Case. A certificate can also be the second factor for VPN access. In…
Blocking traffic from overseas countries
Blocking other countries' IP addresses to prevent hacking attacks from overseas has a few downsides: a) You will block a lot of legitimate traffic - Armed forces overseas, IPs that…
Browser plugins and security
The Problem – Plugins are far behind browsers. Browsers nowadays will automatically update themselves (with security updates) by default. Plugins are far behind browsers when it comes to security updates…
Types of Security Scans
Port scanner (Nmap)
Network vulnerability scanner (Nessus, SAINT, OpenVAS)
Web application security scanner (Nikto, w3af)
Database security scanner
Host-based vulnerability scanner (Lynis)
HTTPS and authentication-based sites are not necessarily secure
Simple HTTPS does little to protect your website. All it does is protect against MITM (Man in the Middle) attacks. Even an authentication-based website is not necessarily secure - each…
Certificates Demystified – root versus self signed, private versus public key
I struggled a lot with understanding the nuances of security certificates – self-signed versus root certs, public keys versus private keys versus Certificate Authorities (CAs)… This post will attempt to clarify…
Random hostnames seen in Fiddler–when using Chrome
If you use Google Chrome (and who doesn’t), then you might see requests such as those below when you start up your browser. Randomized hostnames – so obviously, you start…
Sanitizing image and pdf files prior to upload
Does your site allow file uploads of any sort? PDFs? JPEGs? Anything whatsoever? All these file formats are notorious for allowing malware to piggyback on them (a technique known…
Web Shells
A web shell is a piece of code that essentially takes over your web; by providing a simple web-executable file (aspx file, php file…) that contains code to…
Web application intrusion testing
What is Black Box Scanning? Black-box web application scanning, if we abstract from the details, is a simple process: identify all links, forms, and query string parameters; send specially crafted strings…