Collaborate Disseminate
I’m playing with ModSecurity and need help. I’m trying to add a condition in the conf file where if there is specific header in the request then the SecRuleEngine should be On else it should be DetectionOnly. I tried the below condition in… Continue reading ModSecurity Condition Based Block Mode?
I am currently developing a web application where I need to ensure that retrieved data (stored in database) have been generated by one or multiple (in the case of clustered applications) application. The idea would be to store a hash of th… Continue reading Authenticate web application generated data
I’m currently testing the search feature on a website, and I’ve encountered an interesting behavior. The site displays the search query in the page itself, even if it’s an XSS payload (although it doesn’t trigger any XSS). Here are the det… Continue reading Understanding Search Behavior on a Website [URL Encoding and Query Handling] [closed]
I am currently trying to build an authentication flow where the front end lives on one domain, say X.com and the backend lives on Y.com. I have implemented a refresh/access token system where when a user logs in with username and password … Continue reading Where to store Refresh Token in custom Authentication
Chinese state-sponsored cyber group APT40 is amazingly fast at adapting public proof-of-concept (PoC) exploits for vulnerabilities in widely used software, an advisory released by intelligence and cybersecurity agencies from eight countries warns. The … Continue reading Chinese APT40 group swifly leverages public PoC exploits
I’m writing system which is SPA+BFF+Backend. The BFF is a confidential client. Is responsibe for Authentication and stores AccessToken in Redis. To the browser only goes generated ID of the token in the encrypted cookie. We do not have ext… Continue reading Is refresh token in SPA+BFF (confidential client) necessary?
I have noticed a weird transaction to my credit card, which I canceled/chargebacked and since I have a little bit of security knowledge, I guessed that maybe the credit card information got leaked.
So I searched for my credit card number o… Continue reading Possible credit card leaking through e-commerce on a search engine [closed]
We wrote a e-commerce system where we were asked to generate orders based on a format provided to us
The format was extremely simple which was today’s date with total number of orders in the database + 1.
The e-commerce was sent into testi… Continue reading Should order numbers be guessable?
The InfoSec team of the client I work with has mandated that any customer-facing application’s backend should not directly access the database for that application. They require we create another internal API that is not public and call th… Continue reading Is creating an internal API within a VPN a recommended practice for securing database access for customer-facing applications?
Could you please suggest if I need to do anything else to ensure that my server is secure against the most common attacks? Currently it seems fine to me, but I would highly appreciate if someone with penetration testing / hacking experienc… Continue reading Do I need to implement additional security measures for my self-hosted container web app?