• 2021-11-11
  • 5 minutes

We are making authentication systems wrong

For a long time I’ve been struggling with the way authentication systems work, as they don’t protect your password as they should. If you search for login best practices, like in OWASP, they’ll tell you things like hashing the password with a strong algorithm, use salt and pepper, limit attempts, and the most important, use […]
Continue Reading
  • 2021-06-13
  • 5 minutes

What is and how to prevent Mass Assignment Vulnerabilities

First time I heard about mass assignment vulnerabilities was a long time ago, when I started learning Ruby & Rails. In fact I learnt a lot, security related back then, as Rails is a quite complex and secure framework, and to properly work with it you should understand the underlying mechanisms. At that time Rails […]
Continue Reading
  • 2021-03-12
  • 6 minutes

Attacks with Zip Files and Mitigations

Once again, I bring a topic that I don’t see getting enough attention , and a lot of times this ends up being a big security issue in the targeted systems… Attacks with zip files, two different and interesting attacks. ZipSlip Zip Slip is a vulnerability discovered by Snyk and its a really simple concept. […]
Continue Reading
  • 2021-03-06
  • 9 minutes

Are your mobile banking apps secure?

These past few days I’ve been doing some security checks in my mobile banking apps as I basically never did it since opening the accounts a lot of years ago. I was quite surprised with the difference of security among my bank applications, and it even motivated me to close one of the accounts. In […]
Continue Reading
  • 2021-01-10
  • 7 minutes

The Log Forging Vulnerability And How To Fix It

The Log Forging vulnerability, also known as Log Manipulation is a really low ranked vulnerability that in a lot of cases its to farfetched to be reliably exploited, but on others can be quite easy and cause real damage. In this post we’ll understand what is log forging and see many different conditions that can […]
Continue Reading
  • 2020-11-01
  • 3 minutes

Screen Caching

Screen Caching is another of those vulnerabilities nobody is paying attention to, and this one is quite important. As an example, even most bank applications are usually ‘vulnerable’ to this issue (most of mine are). And this is a reality even for those focusing on security, like web based only banks. So what is screen […]
Continue Reading