luisfontes19
  • May 29, 2022
  • 5 minutes

Path Traversal & LFI can be worse than you think

LFI and Path Traversal are not a new thing, but what most people don’t understand is the full impact of the vulnerability. In this post I’ll cover different attack scenarios when exploiting an LFI vulnerability, like enumerating processes, dumping environment variables, and in more extreme …
luisfontes19
  • Feb 19, 2022
  • 10 minutes

Securing Github Actions

Github Actions are becoming more and more common nowadays, and I have to admit, I love them. But the security of Github Actions is usually ignored. In this post I’ll go through some common flows and issues, and look at some preventions. Terminology: First, it’s important to understand the …
luisfontes19
  • Nov 11, 2021
  • 5 minutes

We are making authentication systems wrong

For a long time I’ve been struggling with the way authentication systems work, as they don’t protect your password as they should. If you search for login best practices, like in OWASP, they’ll tell you things like hashing the password with a strong algorithm, using salt and pepper, …
luisfontes19
  • Jun 13, 2021
  • 6 minutes

What is and how to prevent Mass Assignment Vulnerabilities

The first time I heard about mass assignment vulnerabilities was a long time ago, when I started learning Ruby & Rails. In fact I learnt a lot about security back then, as Rails is quite a complex and secure framework, and to work with it properly you should understand the underlying mechanisms. …
luisfontes19
  • Mar 12, 2021
  • 6 minutes

Attacks with Zip Files and Mitigations

Once again, I bring up a topic that I don’t see getting enough attention, and a lot of times this ends up being a big security issue in the targeted systems… Attacks with zip files: two different and interesting attacks. ZipSlip: Zip Slip is a vulnerability discovered by Snyk and it’s a …