North Korean IT workers set their sights on European organizations

North Korean IT workers are expanding their efforts beyond the US and are seeking to fraudulently gain employment with organizations around the world, particularly in Europe. According to Google’s threat researchers, they are also increas…

Using browser extension to allow webapp to extract user cookies for third party website [closed]

I have written an app that uses a bespoke browser extension to extract my cookies for a third-party website, so that the cookies can then be passed to selenium running on a server, which allows selenium to automate processes on the website b…

Web application contains a link to a non-existing domain, is this a vulnerability?

I got a Dynamic Application Security Testing (DAST) scan that reports an issue on a web application.
It says "The web application contains a link to a non-existing domain" and it’s marked with severity high. The domain is fonts.g…
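One way to triage a finding like this, added here as an example (it is not code from the question or from the scanner): classify how the page uses the unresolvable host before accepting the scanner's severity. A host the page loads script or styles from, or submits forms to, is a takeover concern if the name is registrable, because whoever registers it serves content into the page; a host that only appears in a hyperlink is a broken link. The HTML, the hostnames and the fake resolver below are constructed so the script runs offline (the real domain in the question is truncated above and is not used); swap in `resolves_via_dns` for a live check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import socket

# Tag/attribute pairs through which the page loads, runs or submits to a third
# party. If such a host is unregistered, whoever registers it can serve script
# or styles into the page, or receive form submissions. A plain <a href> only
# sends the user somewhere, a much weaker position for an attacker.
ACTIVE_REFS = {
    ("script", "src"), ("link", "href"), ("iframe", "src"), ("img", "src"),
    ("object", "data"), ("embed", "src"), ("form", "action"),
}
PASSIVE_REFS = {("a", "href"), ("area", "href")}


class RefCollector(HTMLParser):
    """Collect (tag, attr, url) for every interesting reference in the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and ((tag, name) in ACTIVE_REFS or (tag, name) in PASSIVE_REFS):
                self.refs.append((tag, name, value))


def external_hosts(html: str, own_host: str) -> dict:
    """Map each third-party hostname to the list of (tag, attr) that reference it."""
    collector = RefCollector()
    collector.feed(html)
    hosts: dict = {}
    for tag, attr, url in collector.refs:
        host = urlparse(url).hostname  # also handles protocol-relative //host/path
        if host and host != own_host:
            hosts.setdefault(host, []).append((tag, attr))
    return hosts


def resolves_via_dns(host: str) -> bool:
    """Live check; not used by the offline sample below."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def triage(html: str, own_host: str, resolves=resolves_via_dns) -> list:
    """Rate each unresolvable external host. A DNS failure is only the prompt:
    what decides exploitability is whether the name is registrable (check the
    registry, e.g. via RDAP) and how the page uses it."""
    findings = []
    for host, refs in external_hosts(html, own_host).items():
        if resolves(host):
            continue
        active = any(ref in ACTIVE_REFS for ref in refs)
        findings.append({
            "host": host,
            "severity": "high" if active else "low",
            "refs": sorted(f"{tag}[{attr}]" for tag, attr in set(refs)),
            "note": ("page loads or submits content from this host; confirm "
                     "registrability, then remove or pin the reference")
                    if active else "hyperlink only; fix as a broken link",
        })
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["host"]))


# Constructed sample page and fake resolver so the example runs offline.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example-gone.test/css?family=Roboto">
<script src="https://cdn.example-gone.test/app.js"></script>
<script src="/static/local.js"></script>
</head><body>
<a href="https://partner.example-stale.test/docs">Docs</a>
<img src="//images.example.test/logo.png">
<form action="https://www.example.test/login"></form>
</body></html>
"""
FAKE_DNS = {"images.example.test", "www.example.test"}


def fake_resolver(host: str) -> bool:
    return host in FAKE_DNS


if __name__ == "__main__":
    for f in triage(SAMPLE_HTML, "www.example.test", resolves=fake_resolver):
        print(f["severity"], f["host"], ",".join(f["refs"]), "-", f["note"])
```

On the constructed page the two active references (the stylesheet and the script hosts) come out as high and the dead hyperlink as low. Note the caveat built into `triage`: a name that fails to resolve may still be registered, in which case nobody else can claim it and the finding is a broken reference rather than a vulnerability.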

What’s the deal with CISA adding CVE-2024-49035 (Microsoft Partner Center vulnerability) to its catalog of exploited vulnerabilities?

Two weeks ago (Feb 25, 2025), CISA added CVE-2024-49035 to its catalog of actively exploited vulnerabilities.
Now, the thing is: CVE-2024-49035 is not a "classic" vulnerability in a software product where admins need to take acti…

How to protect web app against login CSRF while also allowing mobile app/curl to access REST API?

I am using Django REST framework.
I want a single API for all of my clients (web, mobile, curl).
I understand that I need to include a CSRF token in requests originating from the web client, to protect against CSRF. However, this is not ne…
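As an added example (not code from the question and not Django REST framework's own code), here is a pure-Python model of the rule DRF applies, written without Django so it runs stand-alone. The rule: CSRF protection is only needed for a credential the browser attaches automatically, i.e. the session cookie; a request authenticated by an `Authorization: Token …` header cannot be forged cross-site because an attacker's page cannot set that header. DRF's `SessionAuthentication` enforces CSRF for that reason and `TokenAuthentication` does not. The catch for login CSRF is that `SessionAuthentication` only enforces CSRF once a request is already authenticated, so the browser login endpoint has to check the token itself, while a token-issuing login for curl and mobile does not need it because it sets no cookie. The `Request`/`Response` classes, the in-memory stores, the route names and the simplified double-submit check (csrftoken cookie must equal the `X-CSRFToken` header) are all assumptions made for the example.

```python
from dataclasses import dataclass, field
import hmac
import secrets

# Django's CSRF middleware only checks "unsafe" methods.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)
    set_cookies: dict = field(default_factory=dict)


# Constructed in-memory stores standing in for Django's user, session and
# token tables. Plaintext passwords only to keep the sample short.
USERS = {"alice": "correct-horse-battery"}
SESSIONS: dict = {}  # sessionid cookie value -> username
TOKENS: dict = {}    # API token -> username


def verify_password(username, password) -> bool:
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


def csrf_ok(req: Request) -> bool:
    """Simplified double-submit check: the csrftoken cookie must equal the
    X-CSRFToken header. Django additionally masks the token and checks the
    Origin/Referer headers; the constant-time comparison is the same idea."""
    cookie = req.cookies.get("csrftoken", "")
    header = req.headers.get("X-CSRFToken", "")
    return bool(cookie) and hmac.compare_digest(cookie, header)


def authenticate(req: Request):
    """Stand-in for DRF's authentication classes, tried in order:
    TokenAuthentication (Authorization: Token ...) then SessionAuthentication
    (sessionid cookie). Returns (username, kind) or (None, None)."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Token "):
        user = TOKENS.get(auth[len("Token "):])
        return (user, "token") if user else (None, None)
    user = SESSIONS.get(req.cookies.get("sessionid", ""))
    return (user, "session") if user else (None, None)


def handle(req: Request) -> Response:
    username = req.body.get("username")
    password = req.body.get("password", "")

    if req.path == "/api/login/" and req.method == "POST":
        # Browser login. Success sets a session cookie, so a forged cross-site
        # POST would log the victim's browser into the attacker's account
        # (login CSRF). The request is unauthenticated, so SessionAuthentication's
        # enforce_csrf never runs here: the login view must check CSRF itself
        # (Django's LoginView does, via csrf_protect).
        if not csrf_ok(req):
            return Response(403, {"detail": "CSRF Failed"})
        if not verify_password(username, password):
            return Response(401, {"detail": "bad credentials"})
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = username
        return Response(200, {"user": username}, set_cookies={"sessionid": sid})

    if req.path == "/api/token/" and req.method == "POST":
        # Login for curl/mobile. No cookie is set and the token only travels in
        # the response body, so a forged cross-site POST cannot bind the victim's
        # browser to any account. No CSRF token needed.
        if not verify_password(username, password):
            return Response(401, {"detail": "bad credentials"})
        token = secrets.token_hex(20)
        TOKENS[token] = username
        return Response(200, {"token": token})

    user, kind = authenticate(req)
    if user is None:
        return Response(401, {"detail": "not authenticated"})
    # CSRF only matters for a credential the browser attaches on its own. The
    # session cookie is one; an Authorization header set by app code is not,
    # because an attacker's page cannot add that header to a cross-site request.
    if kind == "session" and req.method not in SAFE_METHODS and not csrf_ok(req):
        return Response(403, {"detail": "CSRF Failed"})
    return Response(200, {"user": user, "auth": kind})
```

The web client fetches the CSRF cookie, logs in through `/api/login/` with the token in the `X-CSRFToken` header, and keeps sending that header on unsafe requests; curl and the mobile app obtain a token from `/api/token/` and send only `Authorization: Token …`, which needs no CSRF handling at all. In DRF this is the effect of listing both `TokenAuthentication` and `SessionAuthentication` in `DEFAULT_AUTHENTICATION_CLASSES` and keeping the browser login view CSRF-protected.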

What Is the Best Validation Logic for an Internal API Gateway in Trading Systems?

Context:
To briefly describe our system, we are preparing a cryptocurrency exchange platform similar to Binance or Bybit. All requests are handled through APIs. We have an External API Gateway that receives and routes client requests as th…