Collaborate Disseminate
I asked a question on what I need to do to make my application secure, when somebody told me:
That depends on your threat model.
What is a threat model? How do I make a threat model for my application?
Continue reading What is a threat model, and how do I make one?
The Chrome WebRequests API mentions that specific request headers are not available to the onBeforeSendHeaders event, meaning that extensions cannot read and/or modify these headers. Here is an excerpt from the documentation:
The followin… Continue reading Why does Chrome not allow the modification of these headers by extensions?
I have a website in which I include several CSS stylesheets from my own server and one stylesheet from a remote server.
I wanted to write my Content Security Policy in a way to permit all local stylesheets, and only this one… Continue reading Why does Chrome claim that this stylesheet violates the Content Security Policy?
sudo is sometimes used to give untrusted or “semi-trusted” users the ability to perform certain tasks as root, while not giving them unlimited root access. This is usually done via an entry into /etc/sudoers, specifying which… Continue reading How can one tell if a binary is safe to give sudo permissions for to an untrusted user?
In Linux, every process holds its own file descriptor table, which keeps references to all opened files and file-like devices. This table is managed by the kernel.
Is it possible that a non-privileged user modifies a file de… Continue reading Can a non-privileged user modify the file descriptor table of an elevated process?
I’ve always firmly held the belief that obfuscation is essentially useless. Obfuscated code is not impossible to read, only harder to read. I had the belief that a sufficiently skilled attacker would be able to bring the obfu… Continue reading Does code obfuscation give any measurable security benefit?
Between version 4.4 and 9, Android supported Full-Disk Encryption (FDE). On Android 7, a new system called File-Based Encryption (FBE) was introduced, and was subsequently made mandatory on Android 10.
The primary upside cit… Continue reading Does File-Based Encryption offer comparable security to Full-Disk Encryption on Android?
Consider a scenario where my ISP attempts to use a Man-in-the-Middle attack against me to read and possibly modify my Internet traffic.
What can I do to access the Internet and still ensure the integrity and confidentiality… Continue reading How can I protect the confidentiality, integrity and authenticity of my communication if I am victim of a Man-in-the-Middle attack?
Basic Assumptions
Let us assume I work for a company, which aims to authenticate users using traditional usernames and passwords. The company currently uses a slow key-derivation function to hash passwords, such as Argon2, s… Continue reading Does the use of a Hardware Security Module improve the security of a password storage?
Imagine the following code:
ATTACKERDATA=”$(cat attackerControlledFile.txt)”
echo “${ATTACKERDATA}”
An attacker can, through whatever arbitrary process, modify the contents of attackerControlledFile.txt to anything they de… Continue reading Is using ‘echo’ to display attacker-controlled data on the terminal dangerous?