HTTP Response Splitting

1. EXERCISE BACKGROUND

The vulnerable application pane loads the online shopping application LotsOfGoods.me. It aggregates data from multiple off-line shops and presents it on a single platform. To offer each customer a personalized offer from the shops located near them, LotsOfGoods.me prompts its users to specify their location. Alice is a legitimate user of this application. She wants to find a place nearby where she can buy a new laptop. She specifies the city where she rents her apartment…

HTTP Headers that are misused for security purposes

There are headers (like Referer and Host) that developers tend to use in the security mechanisms they build, but this is considered bad practice: the data passed in those headers is derived from user input and therefore should not be trusted. Also, there are headers that are not security headers by definition (like the Content-Type and X-Content-Type-Options headers), but which nevertheless play an important role in application security. You should NEVER use the following headers in implementations of security mechanisms: Host…

HTTP COOKIES

An HTTP cookie is a small piece of data that a server sends to a client. The server sends the cookie using the Set-Cookie header in the response. It looks like this:

Set-Cookie: trackingCookie=user1357272

The user agent saves the cookie from the response and sends it back in the Cookie request header like this:

Cookie: trackingCookie=user1357272

Cookies are used for the following purposes:

1. Session management

HTTP is a stateless protocol, meaning that two requests cannot be correlated to the same source or to each other even if…

HTTP Security Headers

There are a number of HTTP response headers that you should use to increase the security of your web application. They are referred to as HTTP security headers. Once implemented, HTTP security headers keep modern browsers from running into easily preventable vulnerabilities. They also provide an additional layer of security by helping to mitigate security vulnerabilities and prevent attacks (such as XSS, clickjacking, information leakage, etc.). But it is important to mention that HTTP security headers are not intended to replace…

Deployment Pipelines

Deployment pipelines (or Continuous Delivery pipelines) are the cornerstone of Continuous Delivery, as they automate all the stages (build, test, release, etc.) of your software delivery process. There are numerous benefits to using Continuous Deployment pipelines. An automated pipeline allows all stakeholders to monitor progress, eliminates the overhead of manual work, provides quick feedback and, more importantly, builds confidence in code quality.

Continuous Delivery Pipeline (CDP)

The deployment pipeline run starts with a developer committing source…

Continuous Integration, Continuous Delivery, Continuous Deployment (CI/CD)

Continuous Integration

Continuous Integration is an agile engineering practice originating from the Extreme Programming methodology. It primarily focuses on an automated build and test for every change committed to the version control system by developers. According to Martin Fowler, “Continuous Integration (CI) is a software development practice where members of a team integrate their work frequently; usually each person integrates at least daily – leading to multiple integrations per day. Each integration is verified by an automated build (including test)…

Tagging Azure Resources

Tag Limits

Not all resource types support tags, which means that you will not be able to apply tags to everything in Azure. A resource or resource group is limited to 15 tags. Each resource can have different tags. Tag names cannot exceed 512 characters; for storage accounts, tag names are limited to 128 characters. Tag values cannot exceed 256 characters. VMs cannot exceed 2048 characters for all tag names and values combined. Tags are not inherited by child resources…

Decode Windows Autounattend.xml password using PowerShell

Recently I needed to recover a password that I had forgotten from the Windows unattended installer file Autounattend.xml. The password is stored in this file as a Base64-encoded value, which can be easily decoded with the following lines of PowerShell:

# The stored value is Base64 over the UTF-16LE bytes of the password,
# which is why [System.Text.Encoding]::Unicode is used rather than ASCII/UTF8.
$EncodedText = "UABhAHMAcwB3AG8AcgBkAA=="
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
$DecodedText

To encode using PowerShell, apply the same steps in reverse (UTF-16LE bytes, then Base64):

$DecodedText = "Password"
$EncodedText = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($DecodedText))
$EncodedText

Securing Azure Storage Account

In this post, we will look into the possible options for securing an Azure storage account. I will describe security along the following two security controls:

Network-level security
Access security (storage account access keys and Shared Access Signatures)

Encryption

Azure Storage automatically encrypts your data with 256-bit AES encryption. Data in Azure Storage is encrypted and decrypted transparently. Azure Storage encryption is enabled for all new and existing storage accounts and cannot be disabled. All Azure Storage account tiers and deployment models…
