Topics relating to application security and attacks against software.

Wiki: 97 articles, 12 books.

When writing forms for your ASP.Net MVC websites, the common approach to ensuring that only real people use the site is to simply add an Html.AntiForgeryToken() to your form’s view mark-up and controller and be on your way.

Lessons from NYC's improperly anonymized taxi logs

A well-designed application has to have a good balance of various components: aesthetics, usability, security, and so on. Most web apps have measures employed to protect sensitive data, and a majority of those measures are related to information submission and account credentials. That said, this is one area where security and design decisions can easily clash with each other.

This tutorial highlights one promising new defense that can significantly reduce the risk and impact of XSS attacks in modern browsers: Content Security Policy (CSP).

With the web slowly maturing as a platform the demand for cryptography in the browser has risen, especially in a post-Snowden era. Many of us have heard about the upcoming Web Cryptography API but at the time of writing there seem to be no good introductions available. We will take a look at the proposed W3C spec and its current state of implementation.

Every system and thus also every database is always vulnerable. Most databases, however, do offer a significant amount of features to implement a security layer – and MongoDB is no different from any other DBMS here. So, how could this massive security hole happen?

Although the security of all websites is important, the security of an eCommerce website is particularly important because these sites keep records of users’ data and order-related financial information. Any attempt to hack such data can cause a huge loss to your store.

Mark McDonnell shares his research on what the security basics of the web mean. He explains PGP, SSL, SSH, certificates, and the general purpose of public and private key methods.

The recent Ashley Madison hack has shown how to make your originally safe password hashing useless. Many passwords have already been decrypted that way, and it again turns out that most passwords are super simple and predictable. It shows that even if the passwords hadn’t been cracked, hackers could still run word-lists against the hashes and get access to the accounts easily. Always choose strong passwords and use each one only once.

The next time you’re thinking of throwing away a used boarding pass with a barcode on it, consider tossing the boarding pass into a document shredder instead. Two-dimensional barcodes and QR codes can hold a great deal of information, and the codes printed on airline boarding passes may allow someone to discover more about you, your future travel plans, and your frequent flyer account.

In case you need an OpenSSL anecdote to scare your co-workers with...

Web authentication systems have evolved over the past ten years to counter a growing variety of threats. This post will present a fictional arms race between a web application developer and an attacker, showing how different threats can be countered with the latest security technologies.

Most of these items are general and apply to all languages and frameworks, not just Node.js; however, some of the tools presented are Node.js specific.

99.99% of the Redis use cases are inside a sandboxed environment. Security is complex. Adding security features adds complexity. Complexity for 0.01% of use cases is not great, but it is a matter of design philosophy, so you may disagree of course.

Passwords are crap. Nobody picks good ones, when they do they re-use them across sites, and if you use even a trustworthy password manager, they’ll get hacked too. But you know what’s worse than a password? A fingerprint.

This guide provides practical advice to help engineers build up infrastructure following security best practices so that they can confidently deploy their services to the public Internet and lower their chances of being compromised.

In light of increasing threats over the past decade coupled with heightened concern for individual privacy, industries and governments around the world have embarked on a series of initiatives designed to increase security, reduce fraud and protect personally identifiable information.

Ebay thought they were secure, you see. They thought they'd done everything right. Sure, their regex only matched alphanumeric characters inside script tags, but really, who writes javascript without using letters or numbers? How much harm could possibly be done?

If you think you’re clever enough to securely encrypt only part of your web application, you’re almost certainly wrong.

You think PBKDF2 is pretty secure and takes long to brute-force? Well, it’s not the case when you replace the cryptographic keys with precomputed values.

The page we’re linking to gains partial access to the source page via the window.opener object.

Unless you’ve been living under a rock for the past few months you have probably heard about the dump from the 2012 LinkedIn hack being released.

Did you know links sent privately through messenger can be read by anyone? Moreover, Facebook knows about this and has no plans to fix the issue.

As much as we like to keep pushing the needle further around the "strong security dial" with things like security headers, strong HTTPS implementations and robust hashing algorithms, every now and then we need to take a moment to remember just how low the bar still remains and that frequently, we can't even get the basics right.

123456, password, rootkit, 111111, 12345678, qwerty, 123456789, 123123, qwertyui, letmein, 12345, 1234, abc123, dvcfghyt, 0, r00tk1t, ìîñêâà, 1234567, 1234567890, 123, fuckyou, 11111111, master, aaaaaa, 1qaz2wsx

If you ever lose your iPhone, iPad or iPod, be extra alert for upcoming identity theft attempts.

Dropbox had been hacked. Not just a little bit hacked and not in that "someone has cobbled together a list of credentials that work on Dropbox" hacked either, but proper hacked to the tune of 68 million records.

How to safely generate random numbers in C/C++ Java, .NET, Node.js, PHP, Python, Ruby

Most systems administrators use the industry-standard Secure Shell (SSH) for accessing systems, and yet many of its special features are not widely leveraged. At Facebook, we take advantage of those features to use SSH in a way that is reliable, secure, and manageable. SSH, more specifically OpenSSH, has a great way to provide both the security and reliability we require: signed certificates with principals.

In ASP.NET 4.5 the encryption of ViewState received a significant rewrite that addressed this issue and effectively makes ViewState very secure.

Without your consent most major web platforms leak whether you are logged in. This allows any website to detect on which platforms you're signed up. Since there are lots of platforms with specific demographics an attacker could reason about your personality, too.

DNS isn’t a sexy topic. Unless you’re a network or infrastructure engineer, you probably think as little as possible about it — until something goes wrong. If you run a site and haven’t thought much about DNS, now’s a good time to take steps that can keep your site/services up when your peers go down.

All passwords should be hashed before entering a database because you have to consider the scenario where some malicious user attempts to gain entry into your data. Passwords are sensitive pieces of information that you don't want people to see.

Post Snowden, and particularly after the result of the last election in the US, it's clear that everything on the web should be encrypted by default.

The value your site has to attackers is not just the data, it's the reputation. It doesn't even need to be a good reputation in terms of it being a well-established site with lots of inbound links, it simply needs to be a site that doesn't have a bad one.

This is a simple demonstration of form fields that are hidden from the user but are still filled in when the browser's form autofill feature is used, which poses a security risk for users who are unaware that they are giving their information to the website.

Clickjacking, XSS and CSRF are exploits that have been around for 15+ years now and still form the basis for many vulnerabilities on the web today. If you spend any time around bug bounty programs you will notice similar patterns with these exploits, and that many could have been prevented with just a few HTTP headers in place.

This post gathers what you need to know, and what you need to do, if you use CloudFlare, or if you personally used a website using CloudFlare.

Don't look now, but online scammers are already hard at work taking advantage of newly signed legislation that allows Internet Service Providers to sell your online privacy, including your web browser history, to the highest bidder without your consent.

After more than a year of research and development, Netflix recently upgraded their infrastructure to provide HTTPS encryption of video streams in order to protect the privacy of their viewers. Despite this upgrade, we demonstrate that it is possible to accurately identify Netflix videos from passive traffic capture in real-time with very limited hardware requirements. Specifically, we developed a system that can report the Netflix video being delivered by a TCP connection using only the information provided by TCP/IP headers.

2FA is an additional layer of security to protect user accounts from attackers who have already compromised your password. When you log in to a service using your username and password, you will get an additional challenge before access is granted. Usually it is a 6-digit temporary code that changes every 30 seconds. Google Authenticator, Authy and Toopher are just a few of the 2FA solutions Lastpass supports that are based on RFC6238 and RFC4226. There are other types of 2FA, but these are the most common.

Bad crypto is everywhere, unfortunately. I find crypto done correctly far less often than I find it done incorrectly. Many of the problems are due to complex crypto APIs that are insecure by default and have poor documentation.

This write-up will not examine any new vulnerability. Rather, it explores a common methodology used in trivially hacking iOS apps, in which you perform a man-in-the-middle (MitM) attack on yourself.

If you have ever hosted a website or even administrated a server you'll be very well aware of bad people trying bad things with your stuff.

Let that sink in for a moment: A huge collection of botted accounts — the vast majority of which should be easily detectable as such — may be able to abuse Twitter’s anti-abuse tools to temporarily shutter the accounts of real people suspected of being bots!

Most so-called "DNS attacks" are not DNS attacks at all, meaning they don't exploit a weakness in the DNS protocol. Most of the time, they are attacks against the provisioning infrastructure, the set of actors and servers that domain name holders (such as WikiLeaks) use to provision the data.

When properly configured, the protections between a user and a CloudFlare-secured site can be an effective way of shielding the true IP addresses of an organization’s internet-facing assets and therefore protect them with CloudFlare’s filtering capabilities.

Security researchers in China have invented a clever way of activating voice recognition systems without speaking a word. By using high frequencies inaudible to humans but which register on electronic microphones, they were able to issue commands to every major “intelligent assistant” that were silent to every listener but the target device.

There are a few resources that teach how to secure an ASP.NET Core web application. For web APIs using ASP.NET Core, it’s a little bit harder to find information.

Azure Blob storage is a great method to cost effectively store data, from key/value pairs to individual binary files, and Microsoft provides several mechanisms to ensure that you can properly secure your data. In this post, we'll take a look at methods you can use to secure data that is stored as blobs in Azure Storage Accounts.

There’s a potential security exploit that ASP.NET MVC leaves you open to. However, in Peter’s opinion, all the proposed solutions miss the point.

It seems that there is no limit to human ingenuity when it comes to working around limitations within one's environment.

From minimizing pointer use to strong type checking at compile time, Swift is a great language for secure development. But that means it's tempting to forget about security altogether. There are still vulnerabilities, and Swift is also enticing to new developers who haven't yet learned about security.

There are some recurring ideas that, due to their massive potential impact, are important to know (and tell your friends) about.

Security breaches are very common. To make matters worse, when it comes to users’ passwords it is frequent that no reasonable precautions were taken to ensure that they can’t be easily extracted from the breached data.

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Checklist of the most important security countermeasures when designing, testing, and releasing your API.

When offering an online service there are two risks to user accounts: Firstly, the service itself can be compromised by an attacker. Secondly, a user’s password could be obtained by an attacker and then be used to target our platform by injecting malicious content or abusing the account.

There is a widespread misconception that having a CAPTCHA in place protects against CSRF. In most cases, this is incorrect at best and dangerous at worst. CAPTCHA does not prevent CSRF – here’s why.

Uber maintains GPS coordinate tracking data for tens of millions of people in the U.S. and abroad, so the security of their information assets is almost a matter of public interest.

So far, we thought we were protected by CPU mechanisms: when you try to load kernel (sensitive) data, the CPU triggers an exception, which in turn is propagated by the kernel to the application as SIGSEGV, leading to application termination.

Credit card fraud is not new to the Magento eCommerce platform. There are two methods used by attackers to siphon credit cards away from eCommerce stores. The first is through the use of JavaScript, which takes place client-side: malicious JavaScript hosted on the web page causes the customer’s machine to silently send a crafted request to a server under the hacker's control. The other method commonly used by attackers, as described in the Sucuri blog, is modification of the app/code/core/Mage/Payment/Model/Method/Cc.php file. This method requires shell access to the server and indicates a serious compromise.

It’s been a frantic week of security scares — it seems like every day there’s a new vulnerability. So, it is with a heavy heart that I’ve decided to come clean and tell you all how I’ve been stealing usernames, passwords and credit card numbers from your sites for the past few years.

The story of the Internet and its Things may seem as star-crossed a tale as any, but it does not need to be hopeless. Although security researchers Dennis Giese and Daniel Wegemer eventually managed to hack into the Xiaomi Mi Robot vacuum cleaner, their research shows that the device is much more secure than most other smart things are.

On the heels of news about concerns regarding the use of certain fitness technologies that could reveal confidential military troop and base locations, comes an entirely different spectrum of issues to consider before allowing for public or partner consumption of your APIs.

I wrote a post recently describing how I distributed malicious code that gathers credit card numbers and passwords from thousands of sites in a way that’s quite difficult to detect. In this follow-up post I’d like to put down the megaphone and put forward some practical advice.

Secure applications are essential to the life and longevity of any organization creating or releasing software, and security starts from the foundation: the code. How can developers create secure code? By deeply understanding what secure code is, what it looks like, and how to write and test it.

Europe’s imminent privacy overhaul means that we all have to become more diligent about what data we collect, how we collect it, and what we do with it. In our turbulent times, these privacy obligations are about ethics as well as law.

This is not a “passwords are dead pls don’t use” article, but an attempt at convincing you to consider alternatives to password authentication. It also includes a primer on the different passwordless authentication techniques you might want to use.

If you work in Application Security you’ve probably already heard about OWASP and the OWASP Top 10, which lists the Top 10 most critical vulnerabilities in web applications. Its latest version was released in 2017 after some changes and reviews from the community. But when it comes to teaching the developers about the basic principles on how to write secure code, there is another OWASP project that is the best option: the OWASP Top 10 Proactive Controls.

For development teams, process can often be antithetical to speed. Ease of deployment and security tend to have an inverse relationship, with some resentment for the security team occasionally mixed in.

Yet another type of surreptitious data collection by third-party scripts: the exfiltration of personal identifiers from websites through “login with Facebook” and other such social login APIs.

The Web Authentication API gives Web applications user-agent-mediated access to authenticators – which are often hardware tokens accessed over USB/BLE/NFC or modules built directly into the platform – for the purposes of generating and challenging application-scoped (eTLD+k) public-key credentials.

How to open a Tapplock over BLE in under two seconds.

Since the recent NPM, RubyGems, and Gentoo incidents, I’ve become increasingly interested, and concerned, with the potential for package managers to be used in supply chain attacks to distribute malicious software. Specifically with how the maintainers and infrastructure of these projects can be targeted as an attack vector.

It has been known for a while that WPA-2 (802.11i) has some fundamental security problems, and these have led to the creation of WPA-3. A core problem is around the 4-way handshake.

Credential compromise is an important concern for anyone operating in the cloud. The problem becomes more obvious over time, as organizations continue to adopt cloud resources as part of their infrastructure without maintaining an accompanying capability to observe and react to these compromises.

Managed Service Identity makes it a lot simpler and more secure to access other Azure resources from your Web Applications deployed to App Service.

Many healthcare organizations are starting to adopt artificial intelligence (AI) systems to gain deeper insight into operations, patient care, diagnostic imaging, cost savings and so on. However, it can sometimes be daunting to even know where to get started. Many times, you need a clear lighted path to start your journey and embrace AI and machine learning (ML) capabilities rapidly.

It could be possible for any website to access this data. This vulnerability is called JSON hijacking, and it allows websites to extract the JSON data from those APIs.

Because user data was not adequately secured, Knuddels was fined five digits. The responsible data protection officer still has praise for the chat platform.

This post discusses web security issues that I come across – so far thankfully mostly by reading about them. It is a work in progress which I’ll keep updating. The post title includes “advanced” because the topics discussed here involve clever, non-trivial hacks, are novel at the time of their publication and often combine features with non-obvious consequences.

I hope that this post is useful to a variety of security people: not just engineers, but also UX designers and researchers, project/product/program managers, people and business managers, and operations. In any case, all paths to success require the help of all those kinds of people. This post is even more of a link-fest than usual; I hope that’s useful.

The security of your application should be treated just like your code, in that you should actually test it.

Storage encryption protects your data if your phone falls into someone else's hands. Adiantum is an innovation in cryptography designed to make storage encryption more efficient for devices without cryptographic acceleration, to ensure that all devices can be encrypted.

In 2017 and 2018, Naiakshina et al. studied in a lab setting whether computer science students need to be told to write code that stores passwords securely. The authors’ results showed that, without explicit prompting, none of the students implemented secure password storage.

Throughout the last year, security analysts all over the world discovered a number of new botnets which not only drive traffic to the target application server to consume bandwidth, but also automatically send the most expensive possible requests to the application itself, so as to consume the maximum server resources with the minimum number of terminals. The aim of such intelligent botnets is to have their DDoS traffic identified as real users, so that the DDoS protection engine cannot distinguish between genuine and malicious traffic.

Hundreds of millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees — in some cases going back to 2012. Facebook says an ongoing investigation has so far found no indication that employees have abused access to this data.

Authentication itself is a fairly simple process. Don’t build that; go and use a built-in solution. Authentication is complex, but the good side of it is that there is rarely any business-specific logic around it. You need to authenticate a user, and that is one of those things that is generally such a common concern that you can take an off-the-shelf solution and go with that. Authorization is a lot more interesting.

The importance of the HIPAA risk analysis can’t be overstated. The Office for Civil Rights (OCR) announced that 2018 was an all-time record year for HIPAA enforcement, and an incomplete risk analysis or inadequate follow-up on findings was cited in three of the major breaches.