Collaborate Disseminate
I was trying this, on a website where I was allowed to carry out testing by the site administrator. On failing to use two different headers (Site is beyond AWS and I am getting a 400), I tried the old way of using 2 different Content-Leng… Continue reading Content-Length based DoS
As a security engineer, I wonder about the common approach for web app 3rd party JS dependency vulnerability management. We have a lot of apps depend on Jquery etc. In a regular vulnerability scan, old versions of JS libraries (which alot … Continue reading web app 3rd party JS dependency vulnerability management
I am testing this application which sends JWT and CSRF token in cookies, I created a PoC file to test for CSRF, but only CSRF token is being sent in the PoC request and not JWT.
I was under the impression that cookies are always sent in al… Continue reading JWT is being sent in cookies, but when I try for CSRF they are not sent
I have had recently gone through the horror of transferring WhatsApp conversations when changing phones (android for iPhone). Actually, the thing that it is close to impossible for everyday folk is a good thing for its security reputation … Continue reading End-2-end encryption with WhatsApp [duplicate]
We are working on a use case which can originate from POS device. In some scenarios, the POS device can ask the user for a PIN(debit pin). There can be offline PIN validation and online PIN validation. In online PIN validation scenarios, w… Continue reading Online Debit PIN validation at POS device
By now, everyone has heard about the malicious December 2020 attack on SolarWinds’ Orion software platform, which affected…
The post It’s Time to Understand Risk in The Software Supply Chain appeared first on ZeroNorth.
The post It’s Time to Understand… Continue reading It’s Time to Understand Risk in The Software Supply Chain
I’m writing a sci-fi story that includes a malicious app that spreads globally. The developer publishes an app without knowing it’s infected, and it spreads because it forces phones to download it. Are there any mechanisms that might make … Continue reading Could a virus force a phone to download an app and spread it?
While going through the app analysis i found that when i use logcat it shows me encrypted data ..now the app is obfuscated … When i use burp suite with my android emulator it was making a POST request to a method of an api in form of JSO… Continue reading Android app leaking data [migrated]
I noticed that certain software does not provide hash anymore nowadays.
E.g.
Zoom
https://zoom.us/download
wolf@linux:~$ ls -lh zoom_amd64.deb
-rw-rw-r– 1 wolf wolf 44M Jan 1 00:00 zoom_amd64.deb
wolf@linux:~$
I’ve googled both md5… Continue reading How to verify integrity of software when the download provider doesn’t publish hashes?
If you’re looking for more information on the latest update to the NIST (National Institute of Standards and Technologies) Security and Privacy Framework outlined in SP800-53, there’s a new article just published in the Cutter Business Technology Journ… Continue reading Details on the New NIST Requirement for RASP and IAST