Event Viewer – Filtering user events for forensics and audits
Let’s say you are tracking down some user, or trying to find the users that logged in to a shared Windows workstation within a given time window. Sounds downright easy with Event Viewer, right? Create a...
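As an added example (not code from the original post), here is the filtering this post is about, done outside the GUI so it can be repeated across exported logs: a Python script that parses event records in the XML layout Event Viewer shows under Details > XML, picks out successful logons (event 4624) of one account inside a time window, lists every human account seen on the box in that window, and emits the equivalent query for the Filter Current Log > XML tab. It also shows the usual trap: the account is in EventData/TargetUserName, and the System/Security element of a Security-auditing event carries no user SID (the User column shows N/A), so the GUI's plain User filter finds nothing. The host name, account names, addresses and timestamps are constructed sample data, not a real export.

```python
"""Filter Windows Security-log logon events by account and time window.

Added example, not code from the original post. Records are parsed from the
XML layout Event Viewer shows under Details > XML (the same text that
Get-WinEvent's ToXml() returns). Every record below is constructed sample
data: the host, accounts, addresses and timestamps are made up.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Namespace used by every Windows event record.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types documented for event 4624 (the subset that matters on a workstation).
LOGON_TYPES = {2: "Interactive", 3: "Network", 7: "Unlock", 10: "RemoteInteractive"}


def _event(event_id, when, user, domain, logon_type, ip):
    """Build one constructed <Event> record in Event Viewer's XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Channel>Security</Channel>
    <Computer>WS01.corp.example</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="TargetDomainName">{domain}</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{ip}</Data>
  </EventData>
</Event>"""


# Constructed sample log: one shared workstation over a morning.
SAMPLE_EVENTS = [
    _event(4624, "2015-03-02T08:02:11.000Z", "alice", "CORP", 2, "-"),
    _event(4624, "2015-03-02T08:05:40.000Z", "WS01$", "CORP", 3, "10.0.0.5"),
    _event(4625, "2015-03-02T09:14:02.000Z", "bob", "CORP", 2, "-"),
    _event(4624, "2015-03-02T09:14:30.000Z", "bob", "CORP", 2, "-"),
    _event(4624, "2015-03-02T11:47:09.000Z", "alice", "CORP", 10, "10.0.0.23"),
    _event(4634, "2015-03-02T12:00:00.000Z", "alice", "CORP", 10, "-"),
]
WINDOW_START = datetime(2015, 3, 2, 8, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2015, 3, 2, 12, 0, tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one event record into a dict of the fields an audit needs."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {
        "event_id": int(root.findtext("e:System/e:EventID", namespaces=NS)),
        "time": datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc),
        "user": data.get("TargetUserName") or "",
        "domain": data.get("TargetDomainName"),
        "logon_type": int(data.get("LogonType") or 0),
        "ip": data.get("IpAddress"),
    }


def logons_for(user, start=WINDOW_START, end=WINDOW_END, events=SAMPLE_EVENTS,
               event_ids=(4624,), skip_machine_accounts=True):
    """Logon events of `user` with start <= time < end, oldest first.

    Matches on EventData/TargetUserName: the System/Security element of a
    Security-auditing event has no user SID, so Event Viewer's User column
    (and its plain User filter) never identifies the account that logged on.
    """
    hits = []
    for rec in map(parse_event, events):
        if rec["event_id"] not in event_ids:
            continue
        if skip_machine_accounts and rec["user"].endswith("$"):
            continue
        if rec["user"].lower() != user.lower():
            continue
        if start <= rec["time"] < end:
            hits.append(rec)
    return sorted(hits, key=lambda r: r["time"])


def users_seen(start=WINDOW_START, end=WINDOW_END, events=SAMPLE_EVENTS):
    """Distinct non-machine accounts with a successful logon in the window."""
    return sorted({r["user"] for r in map(parse_event, events)
                   if r["event_id"] == 4624 and not r["user"].endswith("$")
                   and start <= r["time"] < end})


def event_viewer_xml_filter(user, event_ids=(4624,)):
    """Equivalent query for Filter Current Log > XML > Edit query manually."""
    ids = " or ".join(f"EventID={i}" for i in event_ids)
    return ('<QueryList><Query Id="0" Path="Security"><Select Path="Security">'
            f"*[System[({ids})]] and *[EventData[Data[@Name='TargetUserName']='{user}']]"
            "</Select></Query></QueryList>")


if __name__ == "__main__":
    for r in logons_for("alice"):
        print(r["time"].isoformat(), r["domain"], r["user"],
              LOGON_TYPES.get(r["logon_type"], r["logon_type"]), r["ip"])
    print("accounts seen:", ", ".join(users_seen()))
    print(event_viewer_xml_filter("alice"))
```

The query string from `event_viewer_xml_filter` is the same XML that `Get-WinEvent -FilterXml` accepts, so one filter serves both the Event Viewer GUI and a PowerShell script. Machine accounts (names ending in `$`) are skipped by default because a shared workstation's own network logons otherwise drown out the people you are looking for; pass `skip_machine_accounts=False` when they are the subject.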
Devouring Security: OWASP ZAP – Successfully Ajax Spidering a website with...
OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management) 0. Make sure you are proxying via ZAP (I love FoxyProxy) 1. Identify the session cookie 1.1...
Devouring Security: Insufficient Data Validation Risk – Cross Site Scripting...
Devouring Security – Insufficient data validation risks: Cross Site Scripting, from gmaran23. Agenda: · Risk, Stories & the news · XSS Anatomy ·...
If it’s EASY, it’s not WORTH it – SECURITY is NOT Easy!
The complexity of security is often underestimated. While we, as software professionals, understand how common vulnerabilities can be prevented, putting those practices into place is often easier said...
10 Signs you are doing your Clean Desk Policy wrong
What is a Clean Desk Policy? By definition, a clean desk policy specifies how employees should leave their working space when they aren’t there. Sensitive information must be protected at all times...
Disabling Anonymous Authentication in IIS
Anonymous authentication gives users access to the public areas of your Web or FTP site without prompting them for a user name or password. By default, IIS 7 uses Anonymous authentication. You must...
How to get the Clean Desk Policy working
In my previous post I spoke about what NOT to do if you want to avoid Clean Desk Policy violations. In this post I shall give you a solution to the problem and tips on setting up the Clean Desk Policy...
How to remove unnecessary HTTP Response Headers in IIS 7
If you are building and deploying public-facing web applications, security has to be one of your key considerations. Whenever a browser makes an HTTP request to a web server, it sends along several HTTP...
Plug-n-Hack and OWASP ZAP: manually changed proxy settings after initial pnh...
Plug-n-Hack proposes new standards for integrating security tools with browsers, enabling communication between them. OWASP ZAP has built-in support for Plug-n-Hack (pnh), which allows...
OWASP ZAP: Workaround – HTML Report from API / daemon mode
OK, maybe the title is a bit misleading. The post below shows a few workarounds you can use to generate (or mimic) an HTML report when running OWASP ZAP automated in a headless...
Leveraging Open Source for Continuous Application Security at Agile...
This post is an abstract of my submission to nullcon 2015. With more and more web applications enabling us to converse, communicate, conspire, collaborate, contribute, capture, compute, credit,...
Let your IIS worker process crash with StackOverflowException
There was a Login page, that did some sort of authorization check beyond authenticating the user, and displayed an Access Denied page for those who weren’t lucky enough. This was all done by the...
Devouring Security: Sslstrip and arpspoofing for credential harvesting
You may think you are connecting to a website over SSL, but did you forget to check for https in the address bar? http://www.thoughtcrime.org/software/sslstrip/ Victim - Windows 7 –...
Devouring Security: Sqlmap for login protected sites and JSON data
sqlmap http://sqlmap.org/ How do I test a login-protected website with sqlmap? Use the --cookie parameter, or capture the request and pass it on with the -r parameter, or use...
Secure your application from Cross-Site Request Forgery (CSRF)
The intention of this post is to show how to dynamically append the anti-forgery token to all POST requests in your application without explicitly adding it to every form. The implementation will be focused...