Quantitative risk analysis [updated 2021]
Utilizing a quantitative risk analysis is an integral part of security and ensuring a positive cost and benefit.
Dawid Czagan
Dawid Czagan (@dawidczagan) has found security vulnerabilities in Google, Yahoo, Mozilla, Microsoft, Twitter, BlackBerry and other companies. Due to the severity of many bugs, he received numerous awards for his findings.
Dawid is founder and CEO at Silesia Security Lab, which delivers specialized security auditing services with a results-driven approach. He also works as Security Architect at Future Processing.
Dawid shares his bug hunting experience in his workshop entitled “Hacking web applications – case studies of award-winning bugs in Google, Yahoo, Mozilla and more”. To find out about the latest in Dawid’s work, you are invited to visit his blog (https://silesiasecuritylab.com/blog) and follow him on Twitter (@dawidczagan).
Securing cookies with httponly and secure flags [updated 2020]
Securing cookies is an important subject. Think about an authentication cookie. When the attacker is able to grab this cookie, he can impersonate the user....
Non-repudiation and digital signature [updated 2018]
The digital certificate is a critical component of a public key infrastructure. It is an electronic document that associates the individual identity of a...
Tunneling, Crypto and VPNs
1. Introduction
The idea of Virtual Private Network (VPN) is to simulate a private network over a public network. A VPN tunnel can be used to securely connect...
Bypassing Packet Filters with IP Fragmentation Overlapping
1. Introduction
The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one piece....
HTTPS and mixed content vulnerability
HTTPS is used to make communication between the server and the browser secure. However, a problem occurs when an HTTPS page loads HTTP content: this is called...
Cookies with Secure Flag: Undesired Behavior in Modern Browsers
Introduction
When a cookie has secure flag set, it will only be sent over secure HTTPS, which is HTTP over SSL/TLS. This way, the authentication cookie will...
Effective Risk Reduction
1. Introduction
Risk reduction is often associated with prevention only. Effective security, however, also needs detection and response. Those three (prevention,...
Qualitative risk analysis with the DREAD model
This article introduces two types of risk analysis (quantitative, qualitative) and presents how to perform qualitative risk analysis with the DREAD model. Finally,...
Cookies with HttpOnly Flag: Problem in Some Browsers
1. Introduction
When a cookie has HttpOnly flag set, then JavaScript cannot read it in case of XSS exploitation. This is actually the reason why HttpOnly flag...