Collaborate Disseminate
Some websites make it easy to enrol multiple TOTP apps at the same time but make it difficult to disable these apps. For instance, the user would have to completely reset the MFA settings instead of just disabling one TOTP app, or the user… Continue reading Why make it difficult to disable MFA tokens?
Using Nginx, I hope to restrict the permissible hosts for cookies. My initial intention was to employ a Content Security Policy for this purpose, but I don’t see an obvious way to do this via a CSP. Ideally I’d find something like
Restric… Continue reading Is there a way to limit cookies to certain hosts in HTTP?
I would like to block the execution of any instance of CSS’s url() function in CSS provided by my server. One promising method would be a CSP, but I’m not sure if this is possible using a CSP. Is it? And if not, what is the best way to acc… Continue reading Is there any way for a Content-Security-Policy to block a CSS function, (specifically the url() function)?
I’m building an IoT project using AWS. All works as intended, however I’ve done some wireshark analysis of a message being published to the cloud: The TCP handshake is as expected, and all the elements of the TLS handshake are as expected…. Continue reading TCP communication in between the TLS1.2 client and server hello? [closed]
I found a vulnerability in a paid Smartphone app. It is supposed to contain a lot of private details.
There is a logging option for support that you can switch off and on, to extract the part that causes you problems. The app’s support ca… Continue reading Reporting poor privacy practices in a mobile app [closed]
I have recently launched a new django based api, and quite quickly, I started to receive INVALID_HOST_HEADER SOME RANDOM URL errors. My understanding is that this is caused by somebody manually changing the HOST header, or proxying my API … Continue reading Why do Invalid Host header errors exist, what are attackers trying to achieve?
Question:
How can an AWS IAM policy be devised to differentiate between a console (web) and access key (API) access?
Use Case:
Say, I want to allow the a certain group of users full IAM privileges via console(web), and read only IAM via a… Continue reading AWS IAM policies that differentiate between console & access key access
In order to allow clients to verify responses originating from our server, we are generating an HMAC signature of the body and a timestamp, and attaching it as a header. The timestamp is also attached as a header. Clients will concatenate … Continue reading Does transmitting short, predictable plaintext along with the HMAC signature of that text present a security risk
So I was thinking, if people get access somehow to your list of hashes, it’s easy for them to figure out what alghoritm you used if they have 32, 40, 60 characters etc
But what if you slice those strings a bit, like you use SHA-1 which is… Continue reading Improving security by altering size of hash strings [duplicate]
To allow api users to verify the authenticity of outgoing webhooks, I am using a similar model to slack:
Concatenate timestamp and body, HMAC with pre-shared key, add timestamp and HMAC digest to headers.
Recipient does the same, and com… Continue reading I am signing (HMAC) outgoing webhooks to allow users to verify their source, should I also sign outgoing responses?