Tumgik
#appsec
love-is-normal · 3 months
Text
rock around the security flaw
youtube
dual life - rock and security flaws
0 notes
jpmellojr · 6 months
Text
Don't let CVEs distract you: Shift your AppSec team's focus to malware
Rather than wasting cycles on non-exploitable or remediated security holes, teams should focus on exploitability, and look for compromises including malware and tampering. Here's why. https://jpmellojr.blogspot.com/2023/11/dont-let-cves-distract-you-shift-your.html
0 notes
otaviogilbert · 7 months
Text
How to use OWASP Security Knowledge Framework | CyberSecurityTV
youtube
Learn how to harness the power of the OWASP Security Knowledge Framework with expert guidance on CyberSecurityTV! 🔒 Dive into the world of application security and sharpen your defenses. Get ready to level up your cybersecurity game with this must-watch video!
0 notes
varamacreations · 8 months
Text
youtube
How To Generate Secure PGP Keys | CyberSecurityTV
🌟 In the previous episodes we learned about encryption and decryption. Today, I will show you a couple of methods to generate PGP keys, and we will also see some of the attributes that we need to configure in order to generate a secure key. Once you have the keys, we will also see how to use them to securely exchange information.
0 notes
naybnet-tech-blog · 9 months
Text
Application Security: CSRF
Cross-Site Request Forgery allows an attacker to capture or modify information from an app you are logged in to by exploiting your authentication cookies: the browser attaches the session cookie to any request aimed at the app, whoever triggered that request.
First thing to know: use HTTP methods carefully. GET should be a safe method with no side effects. Otherwise, simply opening an email or loading a page can trigger the exploit of an app vulnerability, because a GET request is issued by any image tag or link the attacker controls.
PortSwigger has a nice set of labs to understand CSRF vulnerabilities: https://portswigger.net/web-security/csrf
Use of CSRF protections in web frameworks
Nuxt
Based on express-csurf. I am not certain of potential vulnerabilities. The token is set in a header and the secret used to validate the token in a cookie.
Django
0 notes
sanjaycr · 1 year
Text
youtube
Content Security Policy provides defense in depth against XSS and other injection vulnerabilities. Let's look through the Facebook CSP policy for evaluation. This tool is a very easy way to review and evaluate CSP.
0 notes
orbitbrain · 2 years
Text
AppSec Startup ArmorCode Raises $14 Million
By Ionut Arghire on November 16, 2022. Application security startup ArmorCode today announced that it has raised $14 million in Series A funding, bringing the total raised by the company to $25 million. The new investment round was led by Ballistic Ventures, with participation from Sierra Ventures, Cervin Ventures, and…
0 notes
security-stream · 2 years
Text
A few things to check when looking at a web application
From: https://twitter.com/rhynorater/status/1585640808568348674
How is CSRF protection implemented? Does the application use only the application/json content-type? Can you convert {"name":"Justin"} to name=Justin and change the content-type? Is the CSRF token tied to the account? The session? Are there any "unauthed" CSRF tokens?
Can you switch POST -> GET? If not, what are you getting? If 405, then it is parsing the route, but GET is disallowed at this endpoint. Try other endpoints.
Is caching implemented? If so, is it tied to certain paths such as /assets? Can you path traverse - /assets/..;/test - does that cache? Can you find a place where an HTML content-type will be cached? Try the %3f.css or %23.css trick to see if you can trick the caching mechanism.
Sometimes it's as simple as adding ?.png at the end of a URL. In such cases it is often very possible to get web cache deception.
How is information passed between various parts of the system (different domains, etc)? Does the system pass codes via query parameters? URL Fragments? PostMessage? Are there any pages where the X-frame-options header is mysteriously missing?
Cross-domain interactions are almost always sketchy. Look deep into how each piece of these systems is implemented and try to wiggle your way in-between the pieces.
How do all the pieces of authentication work? Is the application using cookies? Auth tokens in the headers? Both? Where do these values appear? I often use the Burp Plugin RequestMinimizer to help identify which pieces of the request are actually essential.
Are there any half-authenticated states? 2-FA not verified states? States before your email/phone is verified? Is authentication ever based solely off of text (such as an email in a JWT token vs an ID)? If so, are there Unicode normalization attacks here?
Is there any documentation for this application? I have legit never regretted reading the documentation for an application. I ALWAYS get something valuable out of it. It takes at MAX 1 hour (most of the time) and you walk away with a much better understanding of the app.
So much of web application hacking is about finding funky states you can get the application into. Reading the documentation will help you understand which parts of the application you (and thus other hackers) have not seen yet, and how to get to them. Priceless.
0 notes
davidbombal · 2 years
Video
youtube
Free AppSec courses!
Hacking apps is just too easy. Learn how to protect them for free 😀
YouTube video: https://youtu.be/nyhytT2tRN0
0 notes
jpmellojr · 6 months
Text
Zero trust and threat modeling: Is it time for AppSec to get on board?
Zero trust can benefit threat modeling, so why not extend it to your AppSec? Understand the key benefits and challenges. https://jpmellojr.blogspot.com/2023/11/zero-trust-and-threat-modeling-is-it.html
0 notes
namisite · 2 years
Photo
Security as a Service - NAMISITE
Security as a Service is a multi-faceted business model that provides subscribers with cyber-security services designed to protect subscriber information systems, data, and reputation.
NAMISITE, P-202, Plumeria Garden Estate, Sector-Omicron 3, Gautam Budh Nagar, Greater Noida, Uttar Pradesh, India – 201310 Email Id: [email protected] Phone No :- India-+91-926-797-1645 USA- +1(201)-282-1003 Visit: - https://www.namisite.com/
0 notes
ericvanderburg · 5 months
Text
Top 2024 AppSec predictions
http://securitytc.com/T152qj
2 notes · View notes