Recently, cyber attacks have been on a rise, and it appears that every other day due to these attacks, businesses are being held to pay ransom to protect themselves or go out of business. There are businesses who have shut shop and then there are businesses which have paid ransom to secure themselves, however that doesn’t guarantee...
Some applications require to store and show last login of the user which is quite common. With this feature a user can verify the last login date and time upon successful login. I would like to explain this through a use case - One of the administrative application on Grails required to hold last login date and time of the user, so...
Application Security, Technology
This blog discusses the utility and benefits of using a Host-based Intrusion Detection System (HIDS) tool: OSSEC in your environment. A host-based intrusion detection system provides real-time visibility into what activities are taking place on the servers, which adds to the additional security. There are various tools available in...
One security challenge we face these days is how to prevent our web servers from DDOS attacks. This blog illustrates how we can automatically block unwanted traffic based on request rate by using AWS WAF and Lambda. This setup automatically detects traffic based on request rate, and then updates AWS WAF configurations to block...
Application Security, Technology
We have seen a lot of applications where some sub-domains or sub-directories are publicly exposed (intently or by mistake). So, with experience from our past pentests we have made a habit of testing for vulnerable or accessible sub-domains. During one of such testing, I was manually testing the URLs of different sub-domains of the...
Introduction to Web Application Security Several times in a year does your personal or work computer ask you to update its security features despite the worldwide spending on information security standing around $80 billion in 2015. World Wide Web has become a vulnerable place, the more it saw a lot of sophistications and developments...
The more the e-commerce sector has flourished with the advent of technology in the recent years, the more it has become susceptible to attacks. Smart hackers deploy a number of crafty techniques to steal data including customer credit card information, phone numbers etc. These information can be sold in the black market that will earn...
Application Security, Technology
Many applications provide an option to download some data as a CSV file. More often than not, this downloaded data is user controlled data. For instance, take the scenario where an administrator can export the data of all the users as a CSV file. The fields in the file include the details filled by the users. So technically, the...
I was recently searching for something on Google and came across this instance of what might be a logical vulnerability prevailing across multiple web applications. I was searching for publicly accessible Jenkins console through Google Dorking. My search query listed some of the websites that had Jenkins as a part of their domain...
Application Security, Technology
We saw different implementations of a password reset functionality to ensure application security along with their best practices in the first and the second blogs of the series. In this final blog of the series, we will discuss the concept of Multi-Factor Authentication (One Time Passwords i.e. OTP) for the implementation of a reset...
Application Security, Technology
Digital innovation has been evolving and growing in the financial space with time. It is no secret that the financial companies today see digital presence as a key component to their company's success. Customers can now manage their finances from anywhere and at anytime using these digital offerings. But, this raises a serious issue. With...
Application Security, Technology
Hackers and cyber criminals identify E-commerce sites as a source of information, such as credit cards and other PII (Personally identifiable information). To protect customers, it's necessary to know how to protect the application and the sensitive customer data it has. All this involves user's trust and assurance on the brand and...