Collaborate Disseminate
A web application firewall (WAF) is most often used by organizations for external security controls to detect and block individual attack attempts against target web application assets.
The post Stopping Active Attacks with Penalty Box appeared first o… Continue reading Stopping Active Attacks with Penalty Box
A web application firewall (WAF) is most often used by organizations for external security controls to detect and block individual attack attempts against target web application assets. Continue reading Stopping Active Attacks with Penalty Box
We are reviewing OWASP guidelines for our legacy SAAS – specifically Online Guessing Attacks.
The algorithm describes an "untrusted source" as someone with no device cookie, an invalid device cookie, or a valid device cookie that… Continue reading What is a device cookie? (with regards to online guessing attacks)
I was reading the OWASP Cheat Sheet Series, specifically their cheat sheet for REST Security and one of the points they had under the section for API Keys was:
Do not rely exclusively on API keys to protect sensitive, critical or high-val… Continue reading What else can be used instead of an API Key to protect resources in a REST API as is implied by OWASP?
I’m testing burp against a vulnerable application as part of work for my client. There was one successful xss payload related to DNS lookup which worked on form data at point of file-upload. Here is the part of payload
javascript:/*</sc… Continue reading Decoding burp XSS DNS resolution payload
The OWASP Top 10 Web Application Security Risks has become synonymous with web application security. Learn who OWASP is and where the top 10 list began and the other resources OWASP has to offer.
The post Understanding the OWASP Top 10 Web Application… Continue reading Understanding the OWASP Top 10 Web Application Risks
We’ve recently had a penetration test for one of our applications.
The Penetration Testing company identified that our application lacks protections against brute-force attacks on the login page.
Ref: https://owasp.org/www-community/contro… Continue reading Is using PBKDF2 good protection against brute-force attacks on web application login pages?
Websites that persist any user-specific state (either a login capability or, say, a basket & checkout purchasing system) tend to have a deliberately expiring session that lasts a few minutes or half an hour or so. I know these sessions… Continue reading What’s the latest thinking on website session expiry time?
APICheck is an HTTP API DevSecOps toolset, it integrates existing HTTP APIs tools, creates execution chains easily and is designed for integration with third-party tools in mind.
APICheck is comprised of a set of tools that can be connected to each ot… Continue reading OWASP APICheck – HTTP API DevSecOps Toolset
From what I understood and read, the typical scenario is the following:
ATK visits a login page which sets a session ID (realistically a cookie). The attacker already tested that after the login in to the web application this SID remains … Continue reading Is this the only form of session fixation?