Security Testing

Showing posts with label CSRF Token. Show all posts
Showing posts with label CSRF Token. Show all posts

Wednesday, September 19, 2018

Ovely permissive CORS

Origin header is sent by the browser in a CORS request and indicates that origin request. It may be spoofed outside the browser, so need to check that application-level protocols for protect sensitive data.
Access-Control-Allow-Origin is a response header used by a server to indicate which domains are allowed to read the response.
Insecure configurations as for example using '*' wildcard as value of the Access-Control-Allow-Origin header means all domains are allowed. Other insecure example is when the server returns back the Origin header without any additional checks, what can lead to access of sensitive data. This configuration is very insecure, and is not acceptable, except in case of a public API that is intended to be accessible by everyone.

add_header Access-Control-Allow-Origin $cors_header;
add_header Access-Control-Allow-Credentials true;
Posted by at No comments:
Labels: , , , , , , , ,

Thursday, September 6, 2018

Security terms Salt, Nonce, Rainbow


Salt
A new salt (form of encryption) is randomly generated for each password. Setting a salt and a password are concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) is stored with the salt in a database.
Nonce
Nonce is an arbitrary number used only once in a cryptographic communication. It is a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
Rainbow
A rainbow table is a precomputed table. This table use for reversing cryptographic hash function, usually for cracking password hashes. Tables using for recover a plaintext password up to a certain length consisting of a limited set of characters. It take less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash.
Posted by at No comments:
Labels: , , , , , , , , , , ,

Thursday, July 5, 2018

CSRF(Cross Site Request Forgery)



Defense CSRF(Cross site request forgery)
1.       Check standard header to verify the request is the same origin

a.       The origin request is coming from (Source origin)
b.      The origin request is going to (target origin)

2.       Check CSRF token
d           Validate the cookie token and form token


Configure the webSEAL to validate the referrer header incoming HTTP request
Posted by at No comments:
Labels: , , ,
Subscribe to: Posts (Atom)