Black Hat USA 2022 video walkthrough

In this Help Net Security video, we take you inside Black Hat USA 2022 at the Mandalay Bay Convention Center in Las Vegas. The video features the following vendors: Abnormal Security, Adaptive Shield, Airgap, Akamai, Anomali, Arctic Wolf Networks, Aris…

API security warrants its own specific solution

Application programming interfaces (APIs) enable developers to quickly and easily roll out services, but they’re also equally attractive to attackers. This is because they can provide ready access to back-end systems and sensitive data sets. What makes …

Normative reference for a web application disclosing existing values of integration secrets to users

In a web-based SaaS product, one of the configuration pages allows users to set credentials for system-wide integrations with other products. These include usernames, passwords, and API secrets.
The sensitive fields are set as type="p…

Are there any defined approaches to identify security requirements of a system? [closed]

Are there any defined approaches that help you identify security requirements given that you have a specific description of a system design? After a little research, I found OWASP Application Security Verification Standard. I am sure that t…

GoTestWAF: Open-source project for evaluating web application security solutions

GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC, etc. It was designed to evaluate web application security solutions, such as API security proxi…

API attacks are both underdetected and underreported

Akamai released research into the evolving threat landscape for application programming interfaces (APIs), which, according to Gartner, will be the most frequent online attack vector by 2022. APIs are inherently designed to be fast and easy pipelines b…