appsec – Page 8 – WindowsTechs.com

Would a hostname from an HTTPS iframe leak if loaded after a successful connection with another HTTPS hostname which displayed the iframe

Posted on November 7, 2021 by Danny Palma

If your internet traffic had an eavesdropper and you access a website using HTTPS from my understanding they would know the domain name (hostname) that you visit (as well as some other things), but if after logging into that first site (wh… Continue reading Would a hostname from an HTTPS iframe leak if loaded after a successful connection with another HTTPS hostname which displayed the iframe→

How to decode ysoserial .net payload

Posted on October 14, 2021 by K P

Is there any way to decode ysoserial .net payload?
For instance
I’m creating payload with:
ysoserial.exe -f BinaryFormatter -o base64 -c "ping test.com" -g WindowsIdentity

Is there any convenient way to reverse the payload to un… Continue reading How to decode ysoserial .net payload→

The Power of Developer-First Security

Posted on October 11, 2021 by Bill Brenner

Developers want to write good code. Secure code. Tools that optimize developer workflows for handling security issues can take a large burden off security practitioners and make triaging, understanding, prioritizing, and resolving vulnerabilities much… Continue reading The Power of Developer-First Security→

Security issues of exposing CRUD operations through a single API endpoint?

Posted on October 11, 2021 by discordia28

Imagine an API where all CRUD operations are done through the same POST HTTP Request but with different "action" values from request body.
{
"action":"[create|read|update|delete]",
"user":"4&quo… Continue reading Security issues of exposing CRUD operations through a single API endpoint?→

Can android apps be developed to allow users select what Fingerprint out of the multiple stored on the phone to use for authentication? [migrated]

Posted on October 8, 2021 by Bobola

A client recently added fingerprint authentication as an alternative form of signing in to their application which stores sensitive data.
Of course, the username and password are verified before allowing fingerprint authentication.
But thi… Continue reading Can android apps be developed to allow users select what Fingerprint out of the multiple stored on the phone to use for authentication? [migrated]→

I need to secure my access to SQL Server for application accounts, but no one can know the application passwords. How?

Posted on September 22, 2021 by SpaceCowboy74

Here’s our scenario. I have a NodeJS server running that connects to a Microsoft SQL Server using an application account (SQL Basic Auth). The Username and Password were stored in the configuration files when the app was created.
We now … Continue reading I need to secure my access to SQL Server for application accounts, but no one can know the application passwords. How?→

Web App and API Security Needs to Be Modernized: Here’s How

Posted on August 31, 2021 by Bill Brenner

Applications are critical for doing business. They are also the weakest links in many an organization’s security chain. Many APIs continue to expose the personally identifiable information of customers, employees and contractors. As OWASP (Open Web Ap… Continue reading Web App and API Security Needs to Be Modernized: Here’s How→

IAST, IaC, Secrets: A Guide to App Sec Tools

Posted on August 11, 2021 by Katie Horne

Image by S. Hermann & F. Richter from Pixabay
We covered several acronyms common in application security in a previous post: SAST, DAST, and SCA. We’ll continue our discussion on AppSec concepts today by focusing on IAST, IaC, and secrets.
Interact… Continue reading IAST, IaC, Secrets: A Guide to App Sec Tools→

FlyTrap Android Trojan Snares Victims

Posted on August 11, 2021 by Teri Robinson

Logging in to the right domain doesn’t always guarantee security, something users don’t always seem to realize, according to researchers at Zimperium zLabs. Over the last six months, the researchers detailed multiple instances of a new Android Trojan,… Continue reading FlyTrap Android Trojan Snares Victims→

Four best-practices for introducing new application security standards to secure APIs

Posted on August 10, 2021 by Omer Primor

This article is the second in a three part series focused on application security in the API-first era. The articles summarize a 3-part executive series in which leading global security and technology executives discussed how their organizations … Continue reading Four best-practices for introducing new application security standards to secure APIs→