Application Security, Technology
This blog discusses the utility and benefits of using a Host-based Intrusion Detection System (HIDS) tool, OSSEC, in your environment. A host-based intrusion detection system provides real-time visibility into the activities taking place on your servers, which adds a further layer of security. There are various tools available in the market for this purpose: IBM […]
Security Best Practices
More and more organizations today realize how important it is to manage the security of their websites and applications, whether in the cloud or in on-premise datacenters. Organizations are rapidly adopting hybrid cloud models, in which managing security is of paramount importance. In order to cater to rapidly changing business realities, organizations are constantly evaluating methods […]
You may wonder why an arrangement of servers, built of hard metal, that tend to run hot and weigh thousands of pounds should be called a “cloud”. The name can be justified only by the engineering diagram, in which data travels along an undefined path from one end to the other. So, the cloud refers to the randomized […]
Application Security, DevOps, Technology
DROWN is an abbreviation for Decrypting RSA with Obsolete and Weakened eNcryption, and it applies to servers that still support SSLv2. Just like Heartbleed, it may impact more than 11 million websites using OpenSSL. This blog explains how to protect your cryptographic protocols from the “DROWN attack”. What can this vulnerability do? The DROWN vulnerability enables attackers to break the encryption mechanism […]
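As an added example (not code from the original post), here is the weak setting beside the corrected one for a server that configures TLS through Python's standard ssl module, plus a small audit function; the function names are this example's own. One caveat the DROWN attack itself carries: it needs an SSLv2-capable endpoint that uses the same RSA key as the target, so fixing the HTTPS listener alone is not enough; every service that shares the certificate (mail servers are the usual culprits) must have SSLv2 disabled, and a key that was exposed should be replaced. Modern OpenSSL and Python cannot speak SSLv2 at all, so the runnable part of the check covers the remaining legacy versions a context may still allow.

```python
import ssl

# Legacy protocol versions that a DROWN-era hardening pass should rule out.
# SSLv2 itself cannot be named here: modern OpenSSL and Python dropped it
# entirely, so this check covers the legacy versions a context may still allow.
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def legacy_versions_not_excluded(ctx):
    """Return the legacy versions that this context does not itself forbid.

    A context whose floor is MINIMUM_SUPPORTED defers to the OpenSSL build and
    its openssl.cnf, which an audit should flag rather than assume to be safe.
    """
    return [v for v in LEGACY_VERSIONS if ctx.minimum_version <= v]


def permissive_server_context():
    """The weak setting: TLS 1.0 explicitly re-enabled "for old clients", as
    many deployments did. Returns None if this OpenSSL build refuses to go
    that low, which is itself the answer an auditor wants."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        return None
    return ctx


def hardened_server_context():
    """The corrected setting: TLS 1.2 as the floor, set explicitly so it does
    not depend on the library's defaults or the host's OpenSSL configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_server_context()),
                      ("hardened", hardened_server_context())):
        if ctx is None:
            print(name, "rejected by this OpenSSL build")
        else:
            print(name, [v.name for v in legacy_versions_not_excluded(ctx)])
```

The same idea applies to any TLS terminator (nginx, Apache, HAProxy, a mail daemon): set the minimum protocol version explicitly in its configuration rather than relying on whatever the linked OpenSSL happens to default to, and audit every listener that uses the key, not just port 443.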
Application Security, Technology
To make authenticated REST API calls from applications, developers use several authentication schemes. Some use the HTTP Basic Authentication scheme, and others, as per their needs (or wants), use custom authentication schemes. Now, it’s good to experiment, but not at the cost of security. In this blog, we will look into the common […]
Application Security, Technology
The basic principle of CSRF vulnerability
Whenever we access an application, the browser sends a request to the server, and the server answers by sending some data, called the response, back to the browser. This two-way communication continues for as long as we use the application. When we log in to the application, the login […]
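The point that makes this request/response loop exploitable is that the browser attaches the session cookie to every request aimed at the site, whoever created the request. As an added example (not code from the original post), the following Python models that behaviour: a transfer handler that trusts the cookie alone, the same handler with a synchronizer-token check, and the two kinds of request each one sees. The session store, request shape and function names are this example's own assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": token}.
# A real application would keep this in its session backend.
SESSIONS = {}


def login(user):
    """Log a user in: mint a session id (sent to the browser as a cookie) and a
    per-session CSRF token that the server embeds in its own forms."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def _session_for(request):
    return SESSIONS.get(request["cookies"].get("session"))


def transfer_vulnerable(request):
    """Trusts the session cookie alone. The browser attaches that cookie to
    every request aimed at this site, including one an attacker's page
    triggers, so the handler cannot tell the two apart."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    form = request["form"]
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


def transfer_hardened(request):
    """Synchronizer-token check: the request must carry the token issued to
    this session. An attacker's page cannot read it (same-origin policy), so
    a forged request fails even though the cookie is present."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    submitted = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    form = request["form"]
    return 200, f"{session['user']} sent {form['amount']} to {form['to']}"


def forged_request(cookie_jar):
    """What arrives when the victim visits an attacker page with an
    auto-submitting form: the attacker chose the fields, the browser added
    the victim's cookies."""
    return {"cookies": dict(cookie_jar), "form": {"to": "attacker", "amount": "1000"}}


def legitimate_request(cookie_jar, csrf_token):
    """Submission of the site's own form, which carried the token as a hidden field."""
    return {"cookies": dict(cookie_jar),
            "form": {"to": "alice", "amount": "10", "csrf_token": csrf_token}}


def demo():
    """Status codes for: vulnerable handler on a forged request, hardened
    handler on the same forged request, hardened handler on a real one."""
    sid = login("bob")
    cookie_jar = {"session": sid}   # constructed: what the browser stores after login
    token = SESSIONS[sid]["csrf"]   # the site's own page embeds this in its form
    return (
        transfer_vulnerable(forged_request(cookie_jar))[0],
        transfer_hardened(forged_request(cookie_jar))[0],
        transfer_hardened(legitimate_request(cookie_jar, token))[0],
    )


if __name__ == "__main__":
    print(demo())  # (200, 403, 200)
```

In a real application use the framework's built-in CSRF protection rather than hand-rolling the token check, and mark the session cookie SameSite so the browser itself stops sending it on cross-site POSTs as a second layer.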
Application Security, Technology
TO THE NEW has been organizing conferences and actively participating in various conferences as well. I was invited to attend a presentation at SANS Community Night in Delhi, India, on 14 January 2016. The topic of the talk was “DIY vulnerability discovery with DLL Side Loading”, and its use as a stealthy persistence technique for malware […]
Application Security, Technology
We have seen a lot of applications where some sub-domains or sub-directories are publicly exposed (intentionally or by mistake). So, with experience from our past pentests, we have made a habit of testing for vulnerable or accessible sub-domains. During one such test, I was manually testing the URLs of different sub-domains of the application, and […]
Application Security, Technology
During a recent penetration test on one of our client’s applications, we came across a case of malicious file propagation through the application server. The attack does not require an authenticated session: the vulnerable section is accessible to unauthenticated users. The attack involves an attacker submitting a malicious request (a malicious file is uploaded by […]