Application Security, Technology

What Lies Ahead of Web Attacks in 2017?

Being in the middle of the second quarter of 2017, we can already find a number of reports regarding web attacks, also known as cyber-attacks or cyber threats. Due to a constant rate of increase of reports regarding web attacks, it is essential for people all over the world to be aware of the imminent attacks or threats. From the loss of...

by Naman Goel
Tag: Grails Security
10-May-2017

Application Security, Product Engineering

XSS (Cross Site Scripting) Blog Series I Blog 1: Overview, Vulnerabilities and Types of Attacks

Have you witnessed a scenario where a trusted site gets injected with a malicious script attack? Well, people commonly refer to this as a 'Cross Site Scripting' attack. The XSS scripts injected into a site can leak out sensitive data and information including cookies, session tokens, and auth tokens. The vulnerability of the XSS attack is...

by Arushi Shukla
Tag: Grails Security
22-Mar-2017

AWS, DevOps

Jenkins Google Authentication

In Jenkins, user authentication is not enabled by default, but we can establish the user authentication from the Global Security section. We have to create users for team members and it maintains all users in its own database. But we can also configure Jenkins with Google OAuth. So, if you are leveraging Google services and already have...

by Rajdeep Singh
Tag: Grails Security
26-Aug-2016

Application Security, AWS

The A to Z of Public Cloud Security Tools

You may wonder why an arrangement of servers, constructed of hard metal, which tend to run hot and weigh thousands of pounds, be called a “cloud”? This can be propped up only by an engineering diagram, in which data travels by an undefined pathway from beginning to end. So, the cloud refers to the randomized packet transfer protocol...

by Ranvijay Jamwal
Tag: Grails Security
10-Jun-2016

Application Security, Technology

Android 6.0 (Marshmallow): What’s new in Security

Android has been the most used mobile operating system till date. With the huge base of end-users, Android has been guilty of hosting numerous security related bugs in the past. With the latest version of Android 6.0 namely Marshmallow being released, I expected to see a few changes in the security model. Change in the permissions...

by Ankit Giri
Tag: Grails Security
26-Nov-2015

Application Security

Experience at X0RC0NF, 2015 – A security conference

Being a technology focused company, TO THE NEW has always made its presence felt in major conferences around the world. This time, it was X0RC0NF in Cochin, India. I was invited to present my talk there and attend the conference as a speaker. The topic of my talk was "Anatomizing online payment systems: hack to shop", majorly focusing on...

by Abhinav Mishra
Tag: Grails Security
19-Oct-2015

AWS, DevOps

Unifying control of multiple AWS accounts by using AWS STS

Recently, we came across a scenario where we needed to create AMIs of multiple production servers running in four different AWS accounts. One solution was to create an automation script to be run on an AWS EC2 instance running in each AWS account which would create AMI of all production servers running in each account. This would have...

by Navjot Singh
Tag: Grails Security
09-Oct-2015

Application Security

An essence of Application Security in Healthcare Sector

Hackers and cyber criminals identify healthcare organizations as a source of assets, similar in a way that a bank has monetary assets. In case you have any doubt about the previous statement, I would like to reassure you that healthcare information has a monetary value and worth. And yes, it is at risk. What is wrong with the Healthcare...

by Ankit Giri
Tag: Grails Security
06-Oct-2015

Application Security

Abusing Password reset functionality to steal user data (Part–2)

In continuation to my last blog about possible attacks on a password reset functionality, this part of the same series will look into below two implementations:
• Email sent with a temporary password or current password
• Secret questions asked and then given the option to reset the password
I will mention possible issues which...

by Abhinav Mishra
Tag: Grails Security
29-Sep-2015

Application Security, Technology

OpenSSL Vulnerability (CVE-2015-1793) and Remediation

A high-severity vulnerability was announced by OpenSSL. This vulnerability is marked as CVE-2015-1793. Common Vulnerabilities and Exposures is a system that provides a reference-method for publicly known security vulnerabilities and exposures. This blog explains OpenSSL Vulnerability (CVE-2015-1793) and Remediation. OpenSSL Team released...

by Ankit Giri
Tag: Grails Security
27-Jul-2015

AWS, DevOps

Jenkins – Implementing Project-based Matrix Authorization Strategy

In one of my recent projects, while working on Jenkins, I was required to create and implement a Project-based Matrix Authorization Strategy. Installation of Jenkins is a simple task, but it took me a while to implement this strategy and later I found it quite easy enough and thought of writing a blog. Project-based Matrix...

by Navjot Singh
Tag: Grails Security
09-Jun-2015

Application Security, Grails

Spring Security & Grails: Cross domain authentication from HTTP to HTTPS

We were trying to implement SSL-based login and registration (i.e. HTTPS) in an e-commerce web application which was otherwise using the non-secure protocol (i.e. HTTP) for the entire website. Instead of moving the entire web application to SSL, which would have increased response times, we thought it would be best if only the...

by Roni C Thomas
Tag: Grails Security
01-Oct-2013