Ankit Giri

A complete tech enthusiast, who likes to learn new technologies. With his expertise in Application Security, Ankit works as Associate Security Consultant for TO THE NEW. A speaker, presenter, and a blogger, Ankit has a diverse background in writing informational blogs while working at TO THE NEW. He is a nature lover, photography enthusiast and avid follower of governance. Being in application security domain, Ankit also takes an interest in RTI activism and carry it as a skill with RTI certifications.

Application Security, DevOps

Preventing cryptographic protocols from “DROWN attack”

DROWN is an abbreviation for Decrypting RSA with Obsolete and Weakened encryption and is seems to be applicable on servers using SSLV2. Just like Heartbleed, it may impact more than 11 million websites using OpenSSL.This blog explains Preventing cryptographic protocols from "DROWN attack". What this vulnerability can do? DROWN...

07-Mar-2016

Application Security, Technology

Understanding the CSRF(Cross-site request forgery) Vulnerability

The basic principle of CSRF vulnerability Whenever we are accessing an application, the browser is sending a request to the server and the server responds to the request by sending some data to the browser called response. This two-way communication continues as we continue using the application. When we login to the application, the...

23-Jan-2016

Application Security, Technology

Experience at SANS Delhi Community Night, 2016

TO THE NEW has been organizing conferences and actively participating in various conferences as well. I was invited to attend a presentation at SANS Community Night in Delhi, India on 14th Jan 2016. The topic of the talk was “DIY vulnerability discovery with DLL Side Loading“, and it's use as stealthy persistence technique for malware...

15-Jan-2016

Application Security, Technology

How I discovered RCE through a Misconfigured plugin

We have seen a lot of applications where some sub-domains or sub-directories are publicly exposed (intently or by mistake). So, with experience from our past pentests we have made a habit of testing  for vulnerable or accessible sub-domains. During one of such testing, I was manually testing the URLs of different sub-domains of the...

13-Jan-2016

Application Security, Technology

Malicious exploitation of Unauthenticated Request submissions

During a recent penetration test on one of our client's application, we came across a case of malicious file propagation through the application server. The attack does not require an authenticated session. The vulnerable section is accessible by unauthenticated users. The attack involves an attacker submitting a malicious request (a...

13-Jan-2016

Application Security, AWS

Why compromised Jenkins can lead to a disaster?

I was recently searching for something on Google and came across this instance of what might be a logical vulnerability prevailing across multiple web applications. I was searching for publicly accessible Jenkins console through Google Dorking. My search query listed some of the websites that had Jenkins as a part of their domain...

04-Dec-2015

Application Security, Technology

Android 6.0(Marshmallow) : What’s new in Security

Android has been the most used mobile operating system till date. With the huge base of end-users, Android has been guilty of hosting numerous security related bugs in the past. With the latest version of Android 6.0 namely Marshmallow being released, I expected to see a few changes in the security model. Change in the permissions...

26-Nov-2015

Application Security, Technology

An essence of Application Security in E-commerce

Hackers and cyber criminals identify E-commerce sites as a source of information, such as credit cards and other PII (Personally identifiable information). To protect customers, it's necessary to know how to protect the application and the sensitive customer data it has. All this involves user's trust and assurance on the brand and...

19-Oct-2015

Application Security, Technology

Exploring iThemes Security Plugin to Secure WordPress websites – 2

In my previous blog on Ithemes Security, we went through Dashboard, Configuration and Global Settings. In this second part of the blog series,  A detailed understanding of sections 404 Detection, Away Mode, Banned Users will be covered. 404 Detection Hackers are always looking for vulnerabilities that can be exploited. Some...

16-Oct-2015

Application Security

An essence of Application Security in Healthcare Sector

Hackers and cyber criminals identify healthcare organizations as a source of assets, similar in a way that a bank has monetary assets. In case you have any doubt about the previous statement, I would like to reassure you that healthcare information has a monetary value and worth. And yes, it is at risk. What is wrong with the Healthcare...

06-Oct-2015

Application Security

Exploring iThemes Security Plugin to Secure WordPress websites

WordPress websites are mostly an easy target for attacks due to improper file permissions and vulnerable plugins being installed. Different factors that lead to attack on WordPress sites are :- Weak Passwords Vulnerable Plugins Obsolete version of WordPress being used Possible Solution Securing WordPress is a process and it...

23-Sep-2015

Application Security

Sleepy Puppy Tutorial : An XSS Payload Management Framework

Sleepy Puppy is a payload management framework for Cross Site Scripting that enables security engineers to simplify the process of capturing, managing, and tracking XSS propagations. Delayed XSS (a variant of stored XSS) Delayed XSS testing is testing that can be used to extend the scope of attack beyond the immediate effect of...

07-Sep-2015