J. Doe – WindowsTechs.com

How does mime-sniffing enable a drive by download attack?

Posted on August 11, 2023 by J. Doe

A frequent recommendation for hardening Web App response headers is "X-Content-Type-Options: nosniff" with the reasoning that preventing mime-sniffing reduces exposure to drive-by download attacks.
Can anyone explain the reasonin… Continue reading How does mime-sniffing enable a drive by download attack?→

PDF locked for editing [migrated]

Posted on February 16, 2023 by J. Doe

Imagine a PDF file with some text. I want to hide it using Adobe Acrobat following a naive approach.

I place over this text a black rectangle.
I save this PDF with the option "not allow to change".

What routines does PDF format… Continue reading PDF locked for editing [migrated]→

PDF locked for editing [migrated]

Posted on February 16, 2023 by J. Doe

Imagine a PDF file with some text. I want to hide it using Adobe Acrobat following a naive approach.

I place over this text a black rectangle.
I save this PDF with the option "not allow to change".

What routines does PDF format… Continue reading PDF locked for editing [migrated]→

Post-EOL security patches for PHP7

Posted on February 3, 2023 by J. Doe

Imagine the following situation: you have a third party software which still uses PHP7 despite of the EOL.
The risk there will be further post-EOL vulnerabilities is as I estimated considerably higher that zero.
If it’s not possible to mig… Continue reading Post-EOL security patches for PHP7→

How to check if a Firefox add-on is malicious?

Posted on December 11, 2022 by J. Doe

How to check if a Firefox add-on is malicious ?
I’m interested about this one currently : https://addons.mozilla.org/en-US/firefox/addon/istilldontcareaboutcookies/
It got a Github repo

Continue reading How to check if a Firefox add-on is malicious?→

Using John the Ripper for Blockchain.info second password

Posted on May 23, 2021 by J. Doe

Is there a way to use JtR for Blockchain.info’s (v2) secondary password?
I already tried the blockchain2john.py file, and it does not ask for primary password (which I know already) so it is going to look for the one I know, instead of sec… Continue reading Using John the Ripper for Blockchain.info second password→

Is SECCURE (still) safe enough for public backups

Posted on October 10, 2020 by J. Doe

I recently came across the SECCURE tools for simple encryption of data, but I’m uncertain about how up-to-date their security is. On the page, the author points out that the tools have been audited by Ulf Harnhammar and Brian M. Carlson of… Continue reading Is SECCURE (still) safe enough for public backups→

Why doesn’t the PIN become part of the encryption key in bitlocker with TPM?

Posted on June 2, 2020 by J. Doe

I have read here that if you choose TPM + PIN protection the PIN does not become part of the key, it is simply used by the TPM as an additional security measure. It doesn’t make sense to me, it would have been much safer and much easier to… Continue reading Why doesn’t the PIN become part of the encryption key in bitlocker with TPM?→

SQL vulnerable if input type = email check is enabled

Posted on April 16, 2020 by J. Doe

<input type=”email”
class=”form-control”
name=”email address”
id=”signinEmail”
placeholder=”Email address”
aria-label=”Email address”
value=”INPUT”
required=””
data-msg=”Please enter a valid email address.”
data-error-class=”u-has-error… Continue reading SQL vulnerable if input type = email check is enabled→

How can StrongSwan server for IP Sec VPN automatically advertise routes?

Posted on March 2, 2020 by J. Doe

From our team’s experience so far, we have found out that if you want to connect to an IP Sec VPN it does not automatically advertise the route to the clien and it has to be done manually in the client.

Is this bug, missing configuration … Continue reading How can StrongSwan server for IP Sec VPN automatically advertise routes?→