Channel: Palisade Magazine : Application Security Intelligence
Browsing all 15 articles


Virtualization – the promised land?

Someone somewhere is still getting compromised after investing a lot in security. Now there’s something called ‘virtualization’ which seems to be some kind of a promised land – a ‘solution’ to all...


Common mistakes in two-tier applications

In previous articles, we have talked about some of the attack techniques and defenses that are possible with two-tier applications. An important thing to note in two-tier applications is that a...


Quiz: Safe Authentication Controls

Which of the following is/are required as safe authentication controls on a login page? Enable SSL; define acceptable inputs; use the salted hash technique; disable password save and AutoComplete/fill-in; all of...


URL Redirection Flaw

Harry gets an email from his bank stating that he has received some promotion offers so he should click on the link below to avail those offers. Harry ensures that the site is authentic by checking the...


Mobile Banking - Threats and Mitigation

In my previous article, I had explained the two common mobile banking architectures and exchange of information using one of the architectures. In this article, I’ll be explaining the threats observed...


CSRF - The hidden menace

Cross Site Request Forgery (also known as XSRF, CSRF, Sea Surf, Session Riding, and Cross Site Reference Forgery) is an attack that tricks the victim into taking some action on the vulnerable...


Quiz: Cross Site Printing

What is Cross Site Printing? A typo for Cross Site Scripting; a new printing technology from Microsoft; a new attack that prints to your internal printers when you visit a website; none of these.


Defend against Reverse Engineering

Software reverse engineering is the technique of getting the original source code from the binary. Competitors might use reverse engineering to figure out how you implemented that cool feature....


The Payment Application Data Security Standard (PA DSS)

PA DSS fills a gap in the better-known PCI DSS standard. Today, we’ll discuss this lesser-known standard. Remember that the biggies of the credit card industry put their heads together and came up...


Cache Control Directives Demystified

Many years ago, HTTP 1.1 introduced specialized Cache Control directives to control the behavior of browser caches and proxy caches. These were a refinement over the HTTP 1.0 headers that programmers...


Quiz: Proposal to amend Same Origin Policy

The browser’s same origin policy prevents scripts loaded from one domain from accessing resources on another domain. However, this policy imposes several limitations on Web 2.0 apps and restricts interactivity...


Database Links Security

Database links (DBLinks in Oracle) are a technique for one database to connect to a remote database and execute queries. The originating database uses an account in the remote destination database to...


Defeating Encryption in Some Thick Clients

While testing thick client applications we sometimes encounter the client encrypting pieces of the request. At such times, many of our variable manipulation attacks are foiled. To overcome this...


SAP Baseline Security Audit

An SAP Baseline Security Audit tells enterprises how their SAP security posture stacks up against industry best practices. The Baseline Security Audit is the first step in a comprehensive security audit...


Quiz: Specifying life time for a webpage

We have often come across the message “Webpage has expired” when attempting to access a recently accessed page. This message comes as a result of the web server specifying an expiration time for the...
