- May 29, 2022
- 5 minutes
Path Traversal & LFI can be worst than you think
LFI and Path traversal are not a new thing, but what most people don’t understand is the full impact of the vulnerability.
In this post I’ll cover different attack scenarios when exploiting a LFI vulnerability, like enumerating process, dumping environment variables, and on more extreme …
- Feb 19, 2022
- 10 minutes
Securing Github Actions
Github actions are a thing more and more common nowadays, and I have to admit, I love them. But the security of Github Actions are usually ignored. In this post I’ll go through some of common flows and issues, and see some preventions
Terminology First its important to understand the …
- Nov 11, 2021
- 5 minutes
We are making authentication systems wrong
For a long time I’ve been struggling with the way authentication systems work, as they don’t protect your password as they should. If you search for login best practices, like in OWASP, they’ll tell you things like hashing the password with a strong algorithm, use salt and pepper, …
- Jun 13, 2021
- 6 minutes
What is and how to prevent Mass Assignment Vulnerabilities
First time I heard about mass assignment vulnerabilities was a long time ago, when I started learning Ruby & Rails. In fact I learnt a lot, security related back then, as Rails is a quite complex and secure framework, and to properly work with it you should understand the underlying mechanisms. …
- Mar 12, 2021
- 6 minutes
Attacks with Zip Files and Mitigations
Once again, I bring a topic that I don’t see getting enough attention , and a lot of times this ends up being a big security issue in the targeted systems… Attacks with zip files, two different and interesting attacks.
ZipSlip Zip Slip is a vulnerability discovered by Snyk and its a …
My Projects
