How to Capture Mobile API Requests in Burp when Server-side Pinning is Implemented

I recently encountered a scenario where the mobile application generates a CSR, calls a POST API request and, in response, asks the server for a certificate. The server responds with a temporary certificate and the mobile application uses t…

What are possible security considerations of using ULID for unique identifiers?

ULID is a specification for unique identifiers which is intended as an alternative to traditional UUID. Some of the major differences are:

The creation date of the identifier is encoded into part of the identifier.
Because of the above, t…
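The first difference listed above is the one with a direct security consequence: anyone who sees a ULID can read the millisecond at which the record was created, and the gap between two ULIDs tells them how far apart the records were created. The following Python is an added example, not code from the question or from any ULID library; it implements the public layout from the ULID specification (26 Crockford base32 characters, the first 10 holding a 48-bit millisecond Unix timestamp, the remaining 16 holding 80 random bits) so the leak can be demonstrated offline. The sample timestamps and the fixed "random" tails are constructed for this example.

```python
import datetime as dt

# Crockford base32 alphabet used by ULID (I, L, O and U are excluded).
CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
_DECODE = {c: i for i, c in enumerate(CROCKFORD)}
# Crockford decoding is lenient about look-alike characters on input.
_DECODE.update({"O": 0, "I": 1, "L": 1})

TIMESTAMP_CHARS = 10   # 50 bits of base32, of which only 48 may be used
RANDOM_CHARS = 16      # 80 bits
RANDOM_BYTES = 10
_EPOCH = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc)


def _b32_encode(value: int, length: int) -> str:
    """Big-endian Crockford base32, zero-padded to `length` characters."""
    out = []
    for _ in range(length):
        out.append(CROCKFORD[value & 31])
        value >>= 5
    if value:
        raise ValueError("value does not fit in %d base32 characters" % length)
    return "".join(reversed(out))


def _b32_decode(text: str) -> int:
    value = 0
    for ch in text.upper():
        if ch not in _DECODE:
            raise ValueError("invalid Crockford base32 character %r" % ch)
        value = (value << 5) | _DECODE[ch]
    return value


def ulid_encode(timestamp_ms: int, randomness: bytes) -> str:
    """Build a ULID from a millisecond Unix timestamp and 10 random bytes."""
    if not 0 <= timestamp_ms < (1 << 48):
        raise ValueError("timestamp must fit in 48 bits")
    if len(randomness) != RANDOM_BYTES:
        raise ValueError("randomness must be exactly 10 bytes")
    return (_b32_encode(timestamp_ms, TIMESTAMP_CHARS)
            + _b32_encode(int.from_bytes(randomness, "big"), RANDOM_CHARS))


def ulid_decode(ulid: str) -> dict:
    """Split a ULID into the creation time it leaks and its random tail."""
    if len(ulid) != TIMESTAMP_CHARS + RANDOM_CHARS:
        raise ValueError("ULID must be 26 characters")
    timestamp_ms = _b32_decode(ulid[:TIMESTAMP_CHARS])
    # Ten base32 characters carry 50 bits but the spec allows only 48, so the
    # first character must be '0'..'7'; anything higher is an overflow.
    if timestamp_ms >= (1 << 48):
        raise ValueError("timestamp overflow: first character must be 0-7")
    randomness = _b32_decode(ulid[TIMESTAMP_CHARS:]).to_bytes(RANDOM_BYTES, "big")
    created_at = _EPOCH + dt.timedelta(milliseconds=timestamp_ms)
    return {"timestamp_ms": timestamp_ms,
            "created_at": created_at,
            "randomness": randomness}


def creation_gap_ms(ulid_a: str, ulid_b: str) -> int:
    """How far apart two records were created, learned from the IDs alone."""
    return abs(ulid_decode(ulid_a)["timestamp_ms"]
               - ulid_decode(ulid_b)["timestamp_ms"])


# Constructed sample input (not real identifiers): two IDs minted 45 seconds
# apart, with fixed tails in place of random bytes so the output is
# deterministic. A real generator must use os.urandom() for the tail.
SAMPLE_TS_MS = 1700000000123          # 2023-11-14T22:13:20.123Z
SAMPLE_A = ulid_encode(SAMPLE_TS_MS, bytes(range(10)))
SAMPLE_B = ulid_encode(SAMPLE_TS_MS + 45_000, bytes(range(10, 20)))

if __name__ == "__main__":
    for u in (SAMPLE_A, SAMPLE_B):
        print(u, "created", ulid_decode(u)["created_at"].isoformat())
    print("gap between the two records:", creation_gap_ms(SAMPLE_A, SAMPLE_B), "ms")
```

Two practical checks follow from the decoder. First, because the timestamp occupies the leading characters, ULIDs sort by creation time, which is convenient for databases but means an attacker who can enumerate IDs also learns the creation rate of your records. Second, only the 80-bit tail resists guessing, and only if it comes from a cryptographic source; a ULID is a stable, sortable identifier, not a bearer secret, so it should never be used as a password-reset token or session identifier in place of a dedicated random token.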

Any "smart" way to disable telemetry of a web application at the OS/hardware level? Any specific guide/tool recommendation if we use Linux and an LNMP environment?

Let’s say we know for a fact that a PHP web application has baked-in telemetry to collect data. Without scanning through the codebase, is there any quick hack or tool with which we can force the telemetry to become useless, given that we have full access to the har…

How can session persistence of a web application account lead to re-infection of the browser and OS [closed]

I recently read a blog post that mentioned there is a way to hijack a user’s account by stealing their session cookies, and then persisting the logged-in state by extending the expiration of the cookie indefinitely. This would also mean …