Salt Labs | Oh-Auth - Abusing OAuth to take over millions of accounts
It’s extremely important to make sure your OAuth implementation is secure. The fix is just one line of code away. We sincerely hope the information shared in our blog post series will help prevent major online breaches and help web service owners better protect their customers and users.
Content Security Policy, Your Future Best Friend — Smashing Magazine
The benefits of using a “content security policy” are many. In this article, Nicolas Hoffmann will introduce you to this technology, and he’ll explain why awareness is the most important advantage of CSP for website maintainers.
How To Secure Your Web App With HTTP Headers — Smashing Magazine
Web applications, be they thin websites or thick single-page apps, are notorious targets for cyber-attacks. In 2016, approximately 40% of data breaches originated from attacks on web apps — the leading attack pattern. Indeed, these days, understanding cyber-security is not a luxury but rather **a necessity for web developers**, especially for developers who build consumer-facing applications.
HTTP response headers can be leveraged to tighten up the security of web apps, typically just by adding a few lines of code. In this article, we’ll show how web developers can use HTTP headers to build secure apps. While the code examples are for Node.js, setting HTTP response headers is supported across all major server-side-rendering platforms and is typically simple to set up.
Adversaries can steal credentials, cookies and other private data from browsers using various techniques. We cover how you can simulate Credential Stealing From Browser s and detect it with your security tools. Sigma Rules Inside.
50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures
Nautilus researchers evaluated the disclosure process of open-source projects and found flaws that allowed harvesting the vulnerabilities before patched
How the Wikimedia Foundation Balances Security and Open Information in Web Development - OpenJS Foundation
Background The Wikimedia Foundation is the non-profit that hosts Wikipedia and other free knowledge and open data projects. These projects are made possible by a global community who, together with...
The UK Online Safety Bill Becomes Law, What Does It Mean?
We’ve previously reported from the UK about the Online Safety Bill, a piece of internet safety legislation that contains several concerning provisions relating to online privacy and encryptio…
crowdsecurity/crowdsec: CrowdSec - the open-source and participative IPS able to analyze visitor behavior & provide an adapted response to all kinds of attacks. It also leverages the crowd power to generate a global CTI database to protect the user network.
A deep dive into Deno and its comparison with Node.js
Explore Deno and Node.js differences. Learn about Deno's enhanced module system, stable APIs, and security. Discover its use cases and drawbacks in the tech world.
Cyberattacks Are Inevitable. Is Your Company Prepared?
Preparing for the unexpected is much easier said than done. In the case of cyberattacks, many companies have vulnerabilities in their defenses and reactions they haven’t prepared for that hackers will test. Many organizations can benefit from instituting fire drills and tabletop exercises, which test a company’s response plan at every level. These exercises will almost certainly reveal gaps in security, response plans, and employees’ familiarity with their own roles. While investing in external facilitators for these exercises will often allow for a more rigorous test separate from internal dynamics, there is guidance for organizations who wish to execute internal exercises to better prepare for a cyberattack.
In this post, I am going to show the readers how I was able to abuse Akamai so I could abuse F5 to steal internal data including authorization and session tokens from their customers.