• 2021-03-12
  • 6 minutes

Attacks with Zip Files and Mitigations

Once again, I bring a topic that I don’t see getting enough attention, and a lot of times this ends up being a big security issue in the targeted systems… Attacks with zip files, two different and interesting attacks. ZipSlip Zip Slip is a vulnerability discovered by Snyk and it’s a really simple concept. […]
  • 2021-03-06
  • 9 minutes

Are your mobile banking apps secure?

These past few days I’ve been doing some security checks in my mobile banking apps as I basically never did it since opening the accounts a lot of years ago. I was quite surprised with the difference of security among my bank applications, and it even motivated me to close one of the accounts. In […]
  • 2021-01-10
  • 7 minutes

The Log Forging Vulnerability And How To Fix It

The Log Forging vulnerability, also known as Log Manipulation, is a really low-ranked vulnerability that in a lot of cases is too far-fetched to be reliably exploited, but in others can be quite easy and cause real damage. In this post we’ll understand what log forging is and see many different conditions that can […]
  • 2020-11-01
  • 3 minutes

Screen Caching

Screen Caching is another of those vulnerabilities nobody is paying attention to, and this one is quite important. As an example, even most bank applications are usually ‘vulnerable’ to this issue (most of mine are). And this is a reality even for those focusing on security, like web based only banks. So what is screen […]
  • 2020-08-15
  • 6 minutes

How to use Facebook for Open Redirect attacks

Some days ago I found an Open Redirect in the Facebook website, which I promptly reported to their Bug Bounty Program. There were a lot of warnings that Open Redirects are usually false positives, but this one looked legit to me. Facebook disregarded the report, saying that it wasn’t exploitable as there are protections in place against […]
  • 2020-07-23
  • 6 minutes

Understanding CORS and SOP bypass techniques

CORS, which stands for Cross-Origin Resource Sharing, is a system designed to help ‘bypass’ some of the restrictions introduced by Same Origin Policy (SOP prevents JavaScript code from interacting with resources from other origins). Basically CORS lets us define a set of ‘rules’ to specify which resources can access responses from our server. By default no […]