
About the Author:

Dawid Czagan is Head of Security Consulting at Future Processing, where he leads a team of security engineers (FP Security Consulting). He is also Security Researcher at InfoSec Institute. Contact: dawid[at]czagan[dot]com

Cookies with HttpOnly Flag: Problem in Some Browsers

1. Introduction

When a cookie has the HttpOnly flag set, JavaScript cannot read it, even when an XSS vulnerability is being exploited. This is the reason the HttpOnly flag was introduced. As […]


Securing Cookies with HttpOnly and secure Flags

1. Introduction

Securing cookies is an important subject. Think about an authentication cookie: when an attacker is able to steal it, he can impersonate the user. This article describes […]


The Importance of Session Regeneration

1. Introduction

Users of web applications are recognized by their session IDs, which is why session management is such an important subject. Session management flaws are related to weaknesses in […]


Session Randomness Analysis with Burp Suite Sequencer

1. Introduction

Users of web applications are identified by session IDs. An attacker can impersonate users when the generated session IDs are predictable. This article introduces Burp Suite Sequencer and shows […]


From CSRF to Unauthorized Remote Admin Access

1. Introduction

The intention of this article is to show how dangerous a cross-site request forgery (CSRF) vulnerability can be. It will be presented for the D-Link DIR-600 router (Hardware […]


Non-repudiation and digital signature

1. Introduction

Non-repudiation is a much desired property in the digital world. This article describes that property and shows how it can be achieved by using digital signatures.

2. Defining the […]


Attacking LAN hosts with ARP spoofing

1. Introduction

This article introduces the OSI model of internet communication and describes ARP spoofing, which is used to attack hosts in a Local Area Network (LAN). Passive and active sniffing […]


Fuzzing for SQL injection with Burp Suite Intruder

1. Introduction

This article introduces Burp Suite Intruder and shows how it can be used for SQL injection fuzzing.

2. Burp Suite Intruder

It is a part of Burp Suite, which is […]


Quantitative Risk Analysis

1. Introduction

The goal of risk management is to deliver optimal security at a reasonable cost. This article introduces quantitative risk analysis. It also describes cost/benefit analysis, risk handling, […]


Understanding Session Fixation

1. Introduction

A session ID is used to identify the user of a web application. It can be sent with the GET method. An attacker can send a link to the […]
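The session fixation teaser above and the session regeneration teaser earlier on this page describe the two halves of one problem. As an added example (not code from either article), the following Python plays the attack out against a small in-memory session store: the attacker obtains a valid pre-login session ID, hands it to the victim in a link whose query string carries the ID (the application accepts session IDs sent with GET), and then checks whether his ID has become an authenticated session. The store and the URL are constructed for the example; with regeneration at login the attacker's ID is invalidated and the attack fails.

```python
"""Session fixation and its fix, session ID regeneration at login.
Added example, not code from the original articles; the URL and the
in-memory session store are constructed for illustration."""
import secrets
from urllib.parse import parse_qs, urlparse


class SessionStore:
    """Minimal server-side session store keyed by session ID."""

    def __init__(self):
        self._sessions = {}

    def new_session(self) -> str:
        """Issue a fresh, unpredictable, unauthenticated session ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def login(self, sid: str, user: str, regenerate: bool) -> str:
        """Authenticate the session identified by `sid` and return the ID the
        client should use from now on.

        regenerate=False keeps the pre-login ID (vulnerable to fixation).
        regenerate=True issues a new ID and invalidates the old one."""
        if sid not in self._sessions:
            raise KeyError("unknown session ID")
        if not regenerate:
            self._sessions[sid]["user"] = user
            return sid
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": user}
        del self._sessions[sid]  # the ID the attacker knows is now worthless
        return new_sid


def fixation_attack(regenerate: bool) -> bool:
    """Play out the attack; return True if the attacker ends up holding a
    session authenticated as the victim."""
    store = SessionStore()
    # 1. The attacker obtains a valid (unauthenticated) session ID from the server.
    attacker_sid = store.new_session()
    # 2. The attacker sends the victim a link carrying that ID in the query
    #    string, since the application accepts session IDs sent with GET.
    #    Constructed URL for the example.
    link = f"https://bank.example/login?sid={attacker_sid}"
    # 3. The victim follows the link and logs in with the attacker-chosen ID.
    victim_sid = parse_qs(urlparse(link).query)["sid"][0]
    store.login(victim_sid, "victim", regenerate)
    # 4. The attacker presents the ID he already knows.
    session = store.get(attacker_sid)
    return session is not None and session["user"] == "victim"


if __name__ == "__main__":
    print("without regeneration, attacker hijacks victim:", fixation_attack(False))
    print("with regeneration, attacker hijacks victim:   ", fixation_attack(True))
```

The fix is independent of how unpredictable the IDs are: the attacker never guesses anything here, he simply reuses an ID the server issued to him. Regenerating the ID at every privilege change (login, and ideally role elevation) is what closes the hole.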


Symmetric and Asymmetric Encryption

1. Introduction

This article explains how symmetric and asymmetric encryption work. It also describes how to build a secure mail system using these two types of encryption.

2. Symmetric Encryption

Let’s assume […]


CSRF Proof of Concept with OWASP ZAP

1. Introduction

This article introduces CSRF (cross-site request forgery) vulnerability and demonstrates how to prepare a CSRF proof of concept with OWASP ZAP.

2. Cross-site request forgery

The vulnerability allows an […]


Online Dictionary Attack with Hydra

1. Introduction

When an attacker wants to learn the credentials for an online system, he can use a brute-force or a dictionary attack. This article introduces these two types of attack […]


Using Hashes in Computer Security

1. Introduction

Hashes are often used in computer security. This article presents how data integrity, authenticated data integrity and non-repudiation can be achieved using hashes. Finally, it shows how to […]


One-time passwords with token

1. Introduction

One-time passwords are used to achieve higher security than traditional static passwords. They’re often generated by tokens. This article presents how tokens (synchronous and asynchronous) can be used […]


Common Vulnerability Scoring System

1. Introduction

This article presents an open framework for scoring IT vulnerabilities, the Common Vulnerability Scoring System (CVSS) Version 2.0. It introduces the metric groups and describes the base metrics, the vector and the scoring. […]


Crypto building blocks

1. Introduction

This article will explain how crypto building blocks can be used to achieve confidentiality, integrity, authentication and non-repudiation. It introduces symmetric and asymmetric ciphers, hashes, digital signatures and […]


Stack analysis with GDB

1. Introduction

This article describes the stack and uses GDB to analyze its memory. Understanding this subject is a prerequisite for low-level security work.

Environment: x86, Linux, GCC, GDB.

2. Registers

The […]


Hacking Static Passwords

1. Introduction

The static password is the most popular authentication method, and also the least secure one. This article describes how static passwords can be attacked and protected. It also […]


Hacking E-banking

1. Introduction

E-banking is an interesting target for attackers. The easiest way of stealing money in e-banking is to attack its weakest point: the client.

This article describes, in brief, […]