• 2021-06-13
  • 5 minutes

What is and how to prevent Mass Assignment Vulnerabilities

The first time I heard about mass assignment vulnerabilities was a long time ago, when I started learning Ruby & Rails. In fact I learnt a lot, security-related, back then, as Rails is a quite complex and secure framework, and to work with it properly you should understand the underlying mechanisms. At that time Rails […]
Continue Reading
  • 2021-03-12
  • 6 minutes

Attacks with Zip Files and Mitigations

Once again, I bring a topic that I don’t see getting enough attention, and a lot of times this ends up being a big security issue in the targeted systems… Attacks with zip files: two different and interesting attacks. ZipSlip. Zip Slip is a vulnerability discovered by Snyk and it’s a really simple concept. […]
Continue Reading
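The Zip Slip idea the excerpt above refers to is a member name like `../../evil.txt` that a careless extractor joins onto its destination directory and so writes outside it. The following is an added example, not code from the original post: it builds a constructed two-member archive in memory, extracts it once with the vulnerable join-and-write pattern and once with a path check, and reports which member escaped and which was rejected. All names (`build_sample_archive`, `is_within`, `safe_extract`, the member names) are this example's own.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample: a benign member and a Zip Slip member whose name climbs
# out of the extraction directory. In practice the archive would be an
# attacker-supplied upload, plugin, backup, etc.
BENIGN_NAME = "docs/readme.txt"
MALICIOUS_NAME = "../../evil.txt"


def build_sample_archive() -> bytes:
    """Return an in-memory zip containing both members (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(BENIGN_NAME, "harmless content\n")
        zf.writestr(MALICIOUS_NAME, "written outside the extraction dir\n")
    return buf.getvalue()


def is_within(dest: str, member_name: str) -> bool:
    """True if member_name, resolved against dest, cannot leave dest.

    realpath() collapses '..' segments and follows symlinks. An absolute
    member name makes os.path.join() discard dest entirely; the commonpath
    comparison catches that case as well.
    """
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def naive_extract(data: bytes, dest: str) -> list:
    """Vulnerable pattern: the member name is joined onto dest as-is."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = os.path.join(dest, info.filename)  # no validation at all
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(path))
    return written


def safe_extract(data: bytes, dest: str) -> tuple:
    """Hardened extractor: every member is checked before anything is written.

    Returns (written_paths, rejected_member_names).
    """
    written, rejected = [], []
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not is_within(dest_real, info.filename):
                rejected.append(info.filename)
                continue
            if info.is_dir():
                continue
            path = os.path.join(dest_real, info.filename)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(zf.read(info))
            written.append(path)
    return written, rejected


def demo() -> dict:
    """Extract the sample archive both ways inside a throwaway directory.

    The destinations sit two levels below the temp root so the '../../'
    escape still lands inside the temp directory and gets cleaned up.
    """
    data = build_sample_archive()
    with tempfile.TemporaryDirectory() as root:
        naive_dest = os.path.join(root, "a", "b", "naive")
        safe_dest = os.path.join(root, "a", "b", "safe")
        os.makedirs(naive_dest)
        os.makedirs(safe_dest)

        naive_files = naive_extract(data, naive_dest)
        naive_real = os.path.realpath(naive_dest)
        escaped = [p for p in naive_files
                   if os.path.commonpath([naive_real, p]) != naive_real]

        safe_files, rejected = safe_extract(data, safe_dest)
        return {
            "naive_escaped": len(escaped),
            "safe_written": len(safe_files),
            "safe_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

Note that Python's own `ZipFile.extractall()` already strips `..` components, so the vulnerable pattern here is the hand-rolled open-and-write loop that many upload handlers use. The check covers relative traversal and absolute names; symlink members (and, for tar, hard links) need their own handling, which this example does not attempt.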
  • 2021-03-06
  • 9 minutes

Are your mobile banking apps secure?

These past few days I’ve been doing some security checks on my mobile banking apps, as I basically never did it since opening the accounts a lot of years ago. I was quite surprised by the difference in security among my bank applications, and it even motivated me to close one of the accounts. In […]
Continue Reading
  • 2021-01-10
  • 7 minutes

The Log Forging Vulnerability And How To Fix It

The Log Forging vulnerability, also known as Log Manipulation, is a really low-ranked vulnerability that in a lot of cases is too far-fetched to be reliably exploited, but in others can be quite easy to exploit and cause real damage. In this post we’ll understand what log forging is and see many different conditions that can […]
Continue Reading
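The core of log forging is an untrusted value that carries a line break, so that one user-controlled field becomes a second, fake log entry. The block below is an added example, not code from the original post: it shows a constructed attacker username that forges an `INFO login succeeded` entry when interpolated raw, a `sanitize()` helper that escapes the characters which terminate or fake a line, and a minimal line-oriented parser standing in for whatever viewer or SIEM reads the file. Function names, the log format and the attacker string are all this example's assumptions.

```python
import re

# Characters that can end or fake a log line: ASCII controls (CR, LF, ESC and
# friends), DEL, the C1 control block, and the Unicode line/paragraph
# separators that str.splitlines() and many viewers treat as line breaks.
_FORGING_CHARS = re.compile(r"[\x00-\x1f\x7f-\x9f\u2028\u2029]")

_NAMED = {"\n": "\\n", "\r": "\\r", "\t": "\\t"}


def _escape(ch: str) -> str:
    """Readable, unambiguous escape for a single control character."""
    if ch in _NAMED:
        return _NAMED[ch]
    code = ord(ch)
    return "\\x%02x" % code if code < 0x100 else "\\u%04x" % code


def sanitize(value: str) -> str:
    """Escape every line-breaking or control character in an untrusted value.

    The original bytes stay visible to an analyst (and greppable), but the
    value can no longer start a new entry or smuggle terminal escapes.
    """
    return _FORGING_CHARS.sub(lambda m: _escape(m.group(0)), value)


def naive_entry(username: str) -> str:
    """Vulnerable: interpolates the raw username into the log line."""
    return f"WARN login failed for user={username}"


def safe_entry(username: str) -> str:
    """Hardened: the same line with the untrusted field sanitized."""
    return f"WARN login failed for user={sanitize(username)}"


def parse_log(text: str) -> list:
    """Stand-in for a log viewer or SIEM parser: one 'LEVEL message' per line."""
    entries = []
    for line in text.splitlines():
        level, _, message = line.partition(" ")
        entries.append((level, message))
    return entries


# Constructed attacker input: a newline followed by a plausible success entry.
ATTACKER_USERNAME = "bob\nINFO login succeeded for user=admin"


if __name__ == "__main__":
    print("forged :", parse_log(naive_entry(ATTACKER_USERNAME)))
    print("clean  :", parse_log(safe_entry(ATTACKER_USERNAME)))
```

Escaping at the point where the value enters the log line is the fix; the parser is only there to show that a downstream consumer really does see two entries in the naive case and one in the sanitized one. Structured (JSON) logging gets the same effect for free as long as the serializer is the only thing that writes lines.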
  • 2020-11-01
  • 3 minutes

Screen Caching

Screen Caching is another of those vulnerabilities nobody is paying attention to, and this one is quite important. As an example, even most bank applications are usually ‘vulnerable’ to this issue (most of mine are). And this is a reality even for those focusing on security, like web-based-only banks. So what is screen […]
Continue Reading
  • 2020-08-15
  • 6 minutes

How to use Facebook for Open Redirect attacks

Some days ago I found an Open Redirect on the Facebook website, which I promptly reported to their Bug Bounty Program. There were a lot of warnings that Open Redirects are usually false positives, but this one looked legit to me. Facebook disregarded the report, saying that it wasn’t exploitable as there are protections in place against […]
Continue Reading