Collaborate Disseminate
I am doing a security audit on a command line tool. The tool is java based and it runs on the server side, it collects some info and generate a report at the end of the run.
This tool can run nevertheless of which user has run this, so any… Continue reading how to apply authentication/authorization on CLI tools
I am trying to understand how refresh tokens and access tokens works, and I ready several threads and documentations. It seems that I am not the only one confused around this topic.
Based on this thread: How does a refresh token help?, wha… Continue reading Security doubts around the refresh token and how it works
I want to run an automated REST API pentest, and I want to integrate my test into CI/CD pipeline. Note: I have the openapi specification of the APIs that I want to test.
My automated test will be divided into 2 parts:
Anti-regression test… Continue reading Which tool to use to automate REST API pentest
I am pentesting a java thick client application, and the communication between client and server is RMI over TLS.
On a certain button, there is an action triggered from the client to the server. In this action, the method triggered sends s… Continue reading how to alter a value in RMI TLS communication
My ISP is able to contact someone I just connected with on Telegram. I don’t know how. I have started using VPN, but even without VPN is that even possible or is there any other method that the ISP is using? Can the ISP contact him with j… Continue reading Can ISP contact someone I connected with on Telegram? [closed]
I am looking for a good certification in security, but there are a lot of certificates.
The security vendors I’ve seen so far are OffSec, GIAC/SANS, ISC2, Comptia, and EC-Council. Each vendor has a variety of certifications.
I want the ce… Continue reading What are the best professional certificates for a software security [closed]
I have a java deserialization vulnerability, with a poc. The poc exploits using the groovy library, and the groovy version is 2.4.19.
When searching online for a CVE related to this gadget I couldn’t find.
Is it that groovy does not agree … Continue reading Which groovy is safe from gadget chains?
What types of certificates are there?
I was checking online and I found several different types, some at the level of the format of the certificate (x509, PEM, DER), and one at the application level (TLS/SSL, SSH, PGP).
Can someone please … Continue reading Types of certificate? [duplicate]
I have a reported finding saying that hostname verification is disabled.
This can be deduced from this line of code:
final HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
httpClientBuilder.setSSLContext(sslContext).se… Continue reading How to verify hostname of certificate? and Is it mandatory if client knows the certificate?
I have this line of code in a client server project:
sslContext.init(null, new TrustManager[]{new TrustAnyManager()}, null);
A security guy pointed out that this is skipping the validation of the certificate, but I don’t understand the se… Continue reading What is the security impact of disabling certificate check [duplicate]