I noticed a suspicious behavior in the weekly email from my coffee shop’s subscription; it was offering to let me edit my preferences directly through a dedicated link. I was able to bypass the cookie and authentication token (no tricks) and reach an account details panel for changing the password, account email, etc. Essentially the shop was exposed to severe authentication and authorization issues, leading to IDOR of PII (exposure of private identifiable information). On top of that, neither CORS nor CSRF mitigations were in place, allowing me to create a malicious link leading to a one-click account takeover.
After hunting for security bugs I’ve realized the clients I’m working with are not familiar enough (or at all) with basic “hacking” techniques. API keys, passwords, SSH encrypted keys, and certificates are all great mechanisms of protection, as long as they are kept secret. Once they’re out in the wild, it doesn’t matter how complex the password is or what hashing algorithm was used to protect it elsewhere. In this post, I’m going to share concepts, methods, and tools used by researchers both for finding secrets and exploiting them. I’ll also list mitigation action items that are simple to implement.
Originally published at https://omerxx.com/csrf-attacks
“CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a little help of social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing.”
TL;DR: CSRF is as easy to attack as it is easy to protect against! There’s no reason any web-facing application should not implement the relevant protection. Lots of well-known frameworks have it built in as a feature or an opt-in…
Originally published at https://omerxx.com/sql-injection-intro
SQL Injection (SQLi) accounted for more than 72% of all attacks when looking at all verticals during (2018–2019) period.
- State of the internet 2019, Akamai
The quote above says it all. If there’s one attack vector to get familiar with as a web developer, it’s injection, and this one in particular. On the OWASP Top 10 list, injections are ranked first, with SQL injection starring high. The infamous SQLi is very common, easy to automate and can cause a lot of irreparable damage.
This post is a personal attempt at getting to the bottom of…
Using Vim is by far the most productivity-enhancing, enjoyable and rewarding tool you’ll ever adopt. This post was an idea I had for a long time; there are literally endless pieces of information about Vim out there, and every time I started writing I thought I was just adding to the chaos. I feel it became too important to ignore, too much of a productivity change, and probably the best tool I have ever decided to take up learning, and so I’m sharing my process. This is an opinionated post about how I think anyone should start. …
China’s tech market is one of the leading ones in the world in terms of size and value. Its cloud adoption, however, is far slower than in the West, making it the most significant unfulfilled potential among cloud computing markets in the world. This continuously narrowing gap produces countless opportunities which western tech companies seek. They are being slowed down by only two significant factors: a general disbelief among Chinese tech leaders in public clouds, and a significant operational challenge in dealing with China’s firewall, which we’ll discuss in this post.
According to a recent McKinsey report:
“public-usage rates could rise more than…
ELK (Elasticsearch, Logstash, and Kibana) is more or less the consensus when it comes to log aggregation and visualization. As open source software, it’s happily adopted by a wide range of companies around the world. Many competitors have even built solutions on top of Elastic.co’s product, like Coralogix, Logz.io, Loggly and also AWS itself with its ES service; all are offered as paid SaaS.
There’s also a fully open source distro managed by Apache powered by community contributions.
However, when implemented locally, using the open source product, companies tend to create their pipelines between their applications and Elasticsearch. These…
I use VIM.
These lines are written in VIM, and so is every single line of code I write.
Git has become an integrated tool of almost everyone in tech and merge-conflicts are often a part of work.
Conflicts generally arise when two people have changed the same lines in a file…
In these cases, Git cannot automatically determine what is correct.
Conflicts only affect the developer conducting the merge; the rest of the team is unaware of the conflict.
Git will mark the file as being conflicted and halt the merging process. …
After completing a 4-month period on a client’s project that included a complete migration from “raw” K8S YAML files to Helm Charts, I figured I needed to put the things I’ve learned in writing, for others to read and for me to learn better.
You can install dependencies and proprietary software on your K8S cluster with a simple:
helm install stable/mysql
There are hundreds of available installations like this one, but you can also do that with your own products/services!
Regulations, compliance, security, long-term contracts, and even politics are common answers to “Why are you not deployed on a public cloud?”
But the most common answer I keep hearing is “It’s just too expensive”.
Is that so?
The words below are written with AWS terminology for convenience but are very much relevant to any public cloud provider.
“On-prem” resources — the term usually refers to the physical machines hosted in a non-public-cloud environment, in companies’ storage floors, basements or in a remote server farm that’s usually leased for long periods bound by unbreakable contracts. These machines, which require physical…