138 matches found
What is DevOps❓ Definition, Advantages, Practices
Introduction Inhabitants of the product world realize that new trendy expressions apparently show up out of the blue, and similarly as abruptly multiply news stories, water cooler chitchat and merchant FAQ areas. In the event that you’ve heard the term DevOps being thrown around, you may believe...
A8: Insecure Deserialization ❗️ — Top 10 OWASP 2017
A8: Insecure Deserialization ❗️ — Top 10 OWASP 2017 Introduction Insecure serialization has historically been seen as a super hard to grasp vulnerability, almost like a black box but while it does contain it’s challenges, so does every other issue type on the OWASP top 10. serialization is a...
Skype for business is also vulnerable to the autodiscovery issue
An issue in WPAD proxy automatic configuration was first discovered by Maxim Andreev back in 2015 at the MailRu group security meet-up and then was presented by Maxim Goncharov at BlackHat US 2016 slides. This year Ilya Nesterov and Maxim Goncharov presented a continuation of this research and...
Security testing guide for JSON / REST APIs #1/3
Fuzzing is everything ; It’s the most useful and resultative hacking technique for sure. At the same time, fuzzing is not just random hitting applications or binaries with some random bytes. It’s more about ideas, a deep understanding of data formats and application flows, technology stacks, and ...
What is RCE (Remote code execution) attack ❓ Prevention methods
What is Remote Code Execution? Remote Code Execution or execution, also known as Arbitrary Code Execution, is a concept that describes a form of cyberattack in which the attacker can solely command the operation of another person’s computing device or computer. RCE takes place when malicious...
Lack of Resources Rate Limiting☝️ — What you need to know
Lack of Resources Rate Limiting☝️ — What you need to know Introduction API4:Lack of Resources Rate Limiting What is Lack of Resources and Rate Limiting? Whenever an API is served a request it will have to respond, to generate this response the API requires resources CPU, RAM, network and at times...
Phishing Attack Prevention — How to Spot, What Should Do❓ | Wallarm
Phishing Attack Prevention — How to Spot, What Should Do❓ No business, small or large, is impervious to phishing attacks. In fact, some of the largest-scale attacks have been on renowned multi-million dollar corporations. Fortunately, there is a light at the end of the tunnel. It is possible to...
What is OpenAPI ❓ Concept, Examples and Advantages
What is OpenAPI? If there is anything that is growing anything like leaps and bounds then it’s API development and awareness towards API’s security. Whether it’s web API or mobile API, growth is significant in each domain. While we discuss API development, OpenAPI deserves a mention for sure. Thi...
API security — Wiki: What is ❓ Why ❓ For PenTest & Best Practice
API security — Wiki: What is ❓ Why ❓ For PenTest & Best Practice What does api mean? For beginners, API refers to the Application Programming Interface designed for effortless communication between two different applications. This is why it’s often referred to as the middle person for the...
A5: Broken Access Control ❗️ — Top 10 OWASP 2017
A5: Broken Access Control ❗️ — Top 10 OWASP 2017 Introduction A5:Broken Access Control What is access control Access control as the name implies is there to grant or restrict rights to certain users on the application. If the access control is implemented the right way a regular user should not be...
A1:Injection — Top 10 OWASP 2017
A1:Injection — Top 10 OWASP 2017 💉 Introduction Injection is an issue that arises quite often and in several forms, things like SQL databases for example might contain issues such as SQL injection and the same might go for things like LDAP, XML, OS commands,… . In other words, there is a range of...
API8: Injection☝️ — What you need to know
API8: Injection☝️ — What you need to know Introduction API8:2019 Injection What is Injection? API’s with the following properties are open to injection flaws: When we don’t sanitize the input from the front-end we are opening ourselves to a world of problems, this would allow the user to input...
Broken User Authentication☝️ — What you need to know
Broken User Authentication☝️ — What you need to know Introduction API2:Broken User Authentication What is Broken User Authentication? Broken User Authentication can manifest in several issues. Whenever we come across an API endpoint that handles authentication we need to be extra careful since...
Clarification Of Terms MTU and MSS❗️
Discover What MTU and MSS are We now live in an advanced age where a ton of data is shared over short and significant distances by sharing over a dependable connection. The web has become an extremely helpful association network that upholds various frameworks, yet various boundaries engaged with...
What Is a Honeypot❓ Definition, Types and More
A honeypot is a computer system made to appear like a potential target of a cyber-attack. It may be used to track or redirect hacks away from a legitimate target. It could like wise be utilized to comprehend the strategies that cybercriminals employ. Honeypots have been around for quite awhile, y...
Bypassing NGFW/WAFs using data format obfuscations
A lot of network security solutions today supports a lot data format inside HTTP and other protocols. The main question here is understanding, based on traffic analysis, which data formats such as JSON/Base64/XML/etc should be applied to which field. This is an analytically unsolvable problem...
A7: Cross-Site Scripting (XSS) — Top 10 OWASP 2017
A7: Cross-Site Scripting XSS 💻 — Top 10 OWASP 2017 Introduction XSS is one of my favourite vulnerability types because of the depth and complexity. It all seems so super simple but when you really get down to the core of XSS there is a world of wonder to explore. Besides the different types of XS...
Credential Stuffing Attack: ❗️ Definition and Protection
Introducing A new SecureAuth study discovered that 53% of shoppers reuse similar secret phrase for various accounts. When login credentials are presented to programmers, even once, they can be utilized to get to a large number of records, regardless of whether it is an email account, medical...
A3: Sensitive Data Exposure ❗️ — Top 10 OWASP 2017
A3: Sensitive Data Exposure ❗️ — Top 10 OWASP 2017 Introduction I feel like a lot of mystery surrounds this issue from the top 10 OWASP vulnerabilities. A lot of people seem to wonder which data is sensitive when exposed. Some people seem to think every single API key disclosed in a JS file is a...
What are Booters, Stressers and DDoSers❓
What are booter administrations? Booters, frequently known as booter administrations are mainstream DDoS Distributed-Denial-of-Service that are offered by brilliant hoodlums to assault and cut down sites and secure organizations. To lay it out plainly, booters are alluded to as ill-conceived...
A9: Using Components with Known Vulnerabilities ❗️ — Top 10 OWASP 2017
A9: Using Components with Known Vulnerabilities ❗️ — Top 10 OWASP 2017 Introduction A9: Using Components with Known Vulnerabilities What are Components With Known Vulnerabilities? Top 10 OWASP describes the term components as a very broad term. It can either be a full piece of software that our...
What is DNS Hijacking❓ Basic methods of protection
DNS hijacking is a common cyberattack technique known as domain name server reconfiguration. The attacker’s goal is to redirect the user to a bogus website created by them. Domain Name Server Hijacking. Also referred to as DNS redirection, the process is utilized by hackers to alter the resolutio...
Thanks for sharing!
Thanks for sharing! I also wrote about \u encoding several times https://lab.wallarm.com/what-stealthy-attacks-are-hiding-in-api-data%E2%80%8A-%E2%80%8Aand-why-do-most-waf-miss-them-c9f59e865d74/ That’s why we implemented parsers in Wallarm...
BGP Routing Explained. How Border Gateway Protocol Works❓
What is BGP? BGP, fully known as Border Gateway Protocol is the postal help of the Internet. At the point when somebody drops a letter into a post box, the postal help measures that piece of mail and picks a quick, effective course to convey that letter to its beneficiary. Additionally, when...
What is minification and why is it needed❓ The Advantages Of Minification
This concept might look simple to understand but it requires deep-understanding for one to interact with the concept properly and know what it entails and what it doesn’t. A bunch of developers use minification in website development, in order to have fast and active web. Minification can be...
What you didn’t know about OWASP Top-10 2017? Part 2/3
In my previous post I covered first 3 of the OWASP Top-10 2017 risks. Today I’d like to continue this and explain the next 3 risks: A4. XML External Entities XXE A5. Broken Access Control A6. Security Misconfiguration Let’s begin then! A4. XXE. This is my favorite one. I made some money because o...
Server side template injection — SSTI vulnerability ⚠️
Server side template injection — SSTI vulnerability ⚠️ Introduction There is hardly any software development or other linked elements that haven’t fallen into the trap of cyber vulnerabilities. Templates, used for HTML code management on the server-side, are amongst them. The attack targeting the...
What is JSON-RPC ❓ Definition, Work, Comparison
Just like everything else, the world of API protocols is evolving. Typical SOAP and REST APIs have many companies like GraphQL, gRPC, and Thrift. JSON-RPC is also on the list. Created to develop feature-rich and quick websites, it is developers’ best buddy. Let us see what it is and how it benefi...
Common Vulnerabilities and Exposures Explained
What is a Vulnerability? A weakness can be characterized as a shortcoming that can be misused by a digital assailant to get through your security and gain unauthorized admittance to classified documents. Defects will ensure that aggressors run programs, acquire section admittance to your document...
Differences SOAP vs REST: Comparison of protocols and their security
SOAP and REST are two of the most used terms in the API development sector. If you don’t have thorough knowledge of the two, you may wonder: Why should a developer choose and ditch others? Can these two be used at a time? …and so on. Well, it’s a lot of information and is covered bit by bit in th...
What you didn’t know about OWASP Top-10 2017? Part 1/3
I hope everybody have already read the latest OWASP Top-10 list . Let me share some useful insights about it. First of all, OWASP Top-10 is NOT a vulnerability classification system. Rather it is a list of the most critical security risks for web application. What’s the difference? For example, t...
A2: Broken Authentication ❗️ — Top 10 OWASP 2017
A2: Broken Authentication ❗️ — Top 10 OWASP 2017 Introduction When issues arise within the authentication of a program, there are most likely a wide range of dire implications. An example we can discuss is when there is a weak password policy which allows for easily guessable or brute forceable...
Top 3 Tech Challenges RASP/(ng)WAF Vendors Are Faced With
Here I’d like to share my experience and pain in building L7 data protection solutions which are frequently called WAF/ngWAFs or RASPs. I started to build it back in 2009 from a simple detection logic based on self-adopted heuristics for a CTF competition and then build an entire company on machi...
What is threat modeling ❓ Definition, Methods, Example
Threat modeling is a method for upgrading the security of an application, system, or business process by distinguishing objections and weaknesses, just as carrying out countermeasures to stay away from or alleviate the impacts of structure dangers. Threat modeling supports recognizing the securit...
Explanation of the zero-day attack
What is a zero-day vulnerability? A zero-day weakness is an obscure security weakness or programming blemish that a danger entertainer can focus with noxious code. The expression “Zero-Day” is utilized in light of the fact that the product merchant was uninformed of their product weakness, and...
Excessive Data Exposure☝️ — What you need to know
Excessive Data Exposure☝️ — What you need to know Introduction API3:Excessive Data Exposure What is Excessive Data Exposure? An API is only supposed to return the required data to the front-end clients but sometimes teams will make a mistake or take the easy route and implement APIs that return al...
How Tesla and HyperLoop accelerations help people with rocket flights
We don’t need that crazy acceleration for Tesla cars and Hyperloop for daily life in a few words. It’s a lot of fun, for sure, and some marketing feature that puts electric cars in supercars bucket. At the same time, that crazy acceleration train people to take overloads. In my personal experienc...
Meaning of WAF. What does stand for ❓
The most wearisome and fundamental trouble in app-development is to ensure its high security. The enhanced security practices an application adopts, the better is its performance. While we consider application’s safety, WAF Web Application Firewall deserves a mention. A profoundly acclaimed...
What is the Reverse Proxy❓ Reverse vs. Forward Proxy
Reverse proxies help in shielding web workers from assaults while further developing execution and dependability. Continue reading to learn more about data about forward and invert proxies. What is a proxy server? Forward proxies are commonly known as proxies, web proxies, or internet servers, are...
Layer 7 DDoS Attacks: ❗️ Methods and Ways of Mitigation
The web has been the greatest type of development in the 21st century. It has uncovered the whole world to more current prospects and more effective methods of living. Today, we have various sites, online stores, online papers, etc. Essentially everything is online nowadays. Be that as it may, th...
What you didn’t know about OWASP Top-10 2017? Part 3/3
This is the last part of my trilogy about OWASP Top-10 2017 risks. Two previous parts one and two described A1-A6 risks and this time I’d like to not just explain A7-A10 risks but also draw an intersection or overlap venn diagram of them. I hope this diagram would clarify why the questions about...
What Is CI/CD❓ Concept, How Does It Work
What is CI/CD? The CI/CD idea is a well-known one that has step by step become quite possibly the main methods utilized by DevOps groups to make regular and dependable changes to the code. Continuous Integration CI and Continuous Delivery CD are terms that are utilized to address a lifestyle,...
What is SAML authentication ❓ How does it work ❓
Enterprises using various business apps have a tough time maintaining data’s secrecy and access grants as per user roles throughout the infrastructure landscape. SAML Security Assertion Markup Language shows up as a great aid at this front. Let’s see what is it, how it works, what are its...
CoAP Protocol: Definition, Architecture
Professionals involved in IoT network designing or development must have come across CoAP. A dedicatedly set standard by IETF, it works the best when it comes to constrained IoT-enabled solutions. To make you understand CoAP Constrained Application Protocol better, we have prepared this post,...
What is a White Hat Hacker❓ | Ethical Hackers
Introduction White Hat programmers or hackers are individuals that do security assessments as a component of a business course of action. Albeit this idea is helpful in many cases, it has no legitimate or moral ramifications. When differentiated to the meaning of Black Hat, this nonappearance...
What is AMQP Protocol ❓ All you need to know
The cost-free and fast operations of the open-source tool have made them a preferred choice over their closed-source peers. Without putting any hard and fast restrictions on the users, open-source applications have become a norm these days. AMQP Standard is a commonly used messaging protocol used...
What is MQTT ❓ All you need to know.
Introduction Regardless of the application type, seamless information exchange between two points is a pivotal operational step. IoT or Internet of Things application development is on the rise and is not free from this crucial requirement. That’s where Message Queue Telemetry Protocol comes into...
What is a Purple Team ❓
Many individuals know about red groups ‒ moral programmers who test the security protections of an association by dispatching assaults in a controlled climate. Red groups are gone against by blue groups, who are entrusted with assessing an association’s security availability, forestalling red gro...
What is Eavesdropping Attack❓ Definition, Types and Prevention
Eavesdropping can be defined as the demonstration of quietly catching a discussion among arbitrary outsiders; albeit discourteous, what mischief might it actually do? All things considered, very little in case somebody is simply honestly paying attention to a discussion that intrigues them...
Improper Assets Management☝️ — What you need to know
Improper Assets Management☝️ — What you need to know Introduction API9:2019 Improper Assets Management What is Improper Assets Management? We should always wonder for every API if all the current endpoint should even be available and if we maybe can’t do with only allowing the API to communicate...