Collaborate Disseminate
Assuming a team maintaining multiple simple cloud web apps with associated secret key stores.
The control plane for the app needs to access secrets, and we don’t want to expose the secret store on the internet, thus we put both resources i… Continue reading Preserving network segmentation for cloud web app in a user friendly way
Attackers can send requests with data that the server does not expect in order to try to get responses that reveal secret data. One common example is when the server experiences an exception. A poorly configured server might include a deta… Continue reading Benefits of random responses to exceptions over generic error responses
I am creating a web application for individual accounts. The email address is also used as the user name. 2FA is setup for the user to optionally use. I’ve been trying to wrap my head around preparing for account recovery in these couple o… Continue reading Account recovery protocol when email is breached, or inaccessible?
If I’d have a basic Laravel back-end application I’d configure my load balancing using Nginx. I would have one server with the sole purpose of load balancing. The other servers would contain my Laravel-code and the configuration for SSL et… Continue reading Does load balancing pose extra security risks?
i’m doing a research & working around Math.random() like a month ago.
Math.random() uses XORSHIFT128+, so, if we can get the state of the PRNG, it’ll be easy to predict future outputs.
It is public knowledge that Math.random() isn’t a … Continue reading Predicting V8’s Math.random() truncated outputs
I’m not sure if securly classroom works by connecting the device to the teachers device or something, or does it work by using the school’s internet?
I recently encountered a scenario where Mobile Application is generating CSR request, call a POST API request and in response, Ask Server for certificate. Server will respond with the temporary certificate and Mobile Application will use t… Continue reading How to Capture Mobile API Requests in burp when Server side pinning is implemented
I am building a pure client-side app.
My users have a .kdbx vault stored in localStorage, and they can open it with a password.
In order to add a biometric\quick open feature into the app I thought about creating a Webauthn entry and stori… Continue reading storing user hashed password into webauthn id
ULID is a specification for unique identifiers which is intended as an alternative to traditional UUID. Some of the major differences are:
The creation date of the identifier is encoded into part of the identifier.
Because of the above, t… Continue reading What are possible security considerations of using ULID for unique identifiers?
Let’s say we know as a fact that a php web application baked in telemetry to collection data. Without scanning through the codebase, any quick hack tool that we can force the telemetry become useless given that we have full access the har… Continue reading Any "smart" way to disable telemetry of a web application on OS/hardware level? Any specific guide/tool recommend if we use linux and lnmp env