  • 2020-07-23
  • 6 minutes

Understanding CORS and SOP bypass techniques

CORS, which stands for Cross-Origin Resource Sharing, is a mechanism designed to help ‘bypass’ some of the restrictions introduced by the Same-Origin Policy (SOP prevents JavaScript code from interacting with resources from other origins). Basically, CORS lets us define a set of ‘rules’ specifying which origins may read responses from our server. By default no […]
  • 2020-03-27
  • 9 minutes

Security of the NPM Packages

JavaScript (and TypeScript) is now one of the most used languages in new projects. It has great performance, and Promises improved it even more. With it came tons of new tools and projects like Node and NPM. But not all is good: the security of NPM packages is a worrying problem. […]
  • 4 minutes

Auth Token in LocalStorage

Getting right to the point: storing a token in LocalStorage is insecure. It’s getting more and more common to use token-based authentication, especially on Single Page Applications (SPA) that need to communicate with an API. That is a good thing, and I really like the idea of JWT tokens. Why localStorage is bad: well, when […]
  • 2020-01-18
  • 8 minutes

Breaking C# SecureString

As discussed previously in the Heap Inspection post, keeping passwords and other sensitive data in memory may be insecure, as they can be inspected or dumped. Although it is almost impossible to completely mitigate heap inspection, there are several techniques to reduce the time frame sensitive data stays in memory, lowering the risk of exposure. Let’s […]
  • 2019-10-30
  • 6 minutes

Secure Password Hashing

Password Hashing 101: MD5 and SHA1, which are quite common, are already considered unsafe. So if you are using them, replace them with a secure algorithm. Even for checksums they should not be considered secure. Check the references for more info. Now that we have put that aside, let’s start from the basics. User passwords should always be stored […]
  • 2019-07-19
  • 6 minutes

Hardcoded Passwords

Hardcoded passwords… This is a quite common problem, and most of the projects that I get my hands on have a hardcoded password somewhere. But what’s the problem with having, for example, the database password in the code? Well, actually, a lot! Let’s start with the most straightforward scenario. Hardcoded passwords (and when […]