Tag Archives: Application Security

Javascript Security Vulnerabilities Examples (DarwinBox)

In this post, you will learn quick tips on security vulnerabilities related to Javascript based on analysis of how Javascript assets are managed in DarwinBox, and how to fix those security vulnerabilities. Security Vulnerabilities found with Javascript Assets While assessing the Javascript assets of DarwinBox, the following was found: Coding: Javascript code could be easily read and understood. There is a need to minimize and uglify the code. Method naming: The name of methods leak the implementation details and the underlying technology used. This could be used by hackers for planning attacks. For example, the method such as “doElasticSearch”. This represents that ElasticSearch is used for the search. File naming: The name of files represented …

Continue reading

Posted in Application Security, Javascript, Web. Tagged with , .

Security Lessons from OnePlus Hacking & Credit Card being Stolen

Oneplus Store Checkout Page

OnePlus Store Website recently got discovered to be hacked as a result of which credit card details of more than 40,000 customers have been stolen. In this post, you will learn about somee of the following: How the attack might have happened on/from OnePlus Checkout page? Who could be the hackers? How to prevent such attacks? Malicious Code Injection may have resulted into Hack Hacker might have hacked into the OnePlus website and injected malicious Javascript code in one of their javascript files which get loaded as a result of loading of checkout page. The following represent the screenshot of checkout page which is loaded from Onestore website. Look at …

Continue reading

Posted in Application Security, Javascript, Web. Tagged with .

Angular – Top 10 Security Best Practices vis-a-vis Security Risks

angular security best practices

Are you concerned about security vulnerabilities in your angular app? Have you been wondering whether one or more of your angular apps are at security risks? Your worries regarding potential security bugs in your angular apps are well justified given security threats to web apps in general. This article would help you learn some of the top security best practices for your Angular apps. Some of these best practices may as well be applied for earlier versions of AngularJS. We shall be referring the security best practices in relation to some of the OWASP Top 10 Security Vulnerabilities. Some of the recommendations include out-of-box support from Angular Http utility such as DomSanitizer and HttpClient which is part of Angular 2, Angular 4 and Angular 5. Quick Recall …

Continue reading

Posted in AngularJS, Application Security, UI, Web. Tagged with , , , .

OWASP 2017 Top 10 Web App Security Vulnerabilities

OWASP Top 10 2017 Security Vulnerabilities

The following is a list of web application security vulnerabilities which made into the list of OWASP 2017 top 10 security vulnerabilities. Injection: Injection attack can lead to commands such as SQL, NoSQL, OS, LDAP executed by the related command interpretor resulting into execution of unintended commands thereby modifying the datasets or providing unauthorized access to the data. Broken authentication: Broken authentication attacks can lead to compromising passwords, keys or session tokens etc. Sensitive data exposure: Sensitive data exposure vulnerability would allow attackers to get an access to sensitive data such as identity related data (email address, mobile numbers), credit card related details etc. These data can be obtained from …

Continue reading

Posted in Application Security. Tagged with .

Application Security – Use NPM Request Package for APIs Access

This blog represents code sample and related details that can be used to hack into the system through unprotected APIs. The security vulnerability such as following can be exploited using the code sample given later in this article. Note that the security vulnerabilities mentioned below forms part of OWASP 2017 Top 10 security vulnerabilities. Insufficient attack protection Sensitive data exposure Unprotected APIs The code below has made use of NPM request package to send the request to the API hosted ast Paytm Catalog Site. The API below displays electronics items listed on PayTMMall.com. Put the code shown above in a file, say, test.js and execute the file using command such as …

Continue reading

Posted in Application Security, Javascript. Tagged with , , .

Dummies Notes – How SAML-based SSO Authentication Works?

This article represents dummies notes on how could one go for SSO implementation using SAML. Please feel free to comment/suggest if I missed to mention one or more important points. Also, sorry for the typos. Following are the key points described later in this article: What is SAML? How does SSO authentication happen using SAML? What are Key Components of SSO Design, in general?   What is SAML? For those of you unaware of what is SAML, here is the definition from WIKIPedia page on SAML: Security Assertion Markup Language (SAML, pronounced sam-el[1]) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between …

Continue reading

Posted in Application Security, Software Engg. Tagged with .

Authentication using One Time Password (OTP) technique – Part 1

This gallery contains 3 photos.

Why two factor authentication? With the increase in password theft, phishing attacks and other hacking techniques, the conventional text based user name and password based authentication seem to be insufficient because of the rapid rise of network level threats. The traditional way of just memorizing the password to validate one’s identity is not enough and web sites and applications are now expecting one to possess email Id or a smartphone to communicate with another short-lived randomized password, One Time Password (OTP), as one more factor to the authentication. Here we will discuss the approach to generate the OTP and use it for the two factor authentication technique. In the next …

Continue reading

More Galleries | 4 Comments

Tips for Setting up Application Security Education/Training Plan

The article represents one of the education model that could be used to regularly educate your IT organization/team about latest security updates, attack patterns, mitigation techniques, security-related libraries and infrastructure, best practices and guidelines, etc . Now that application security is becoming an important aspect to take care, while laying out plan for application design and development, it becomes much more important to put a plan in place for educating application developers & testers. The primary objective is to create a security-aware development team (organization at large). Following is one of the model that could be used to achieve the above said objective: Security Awareness Training: Security awareness training to all …

Continue reading

Posted in Application Security, Software Engg. Tagged with .

Samsung Fingerprint Scanning API & Mobile Wallet Security?

This article explores the recently released Samsung fingerprint scanning API also termed as “Pass API” in light of security for mobile wallets. Pass API is released as part of the Samsung Mobile SDK 1.5 beta1 during the launch of Samsung Galaxy S5 mobile phone. One of the key feature of Samsung galaxy S5 is fingerprint reader. The application could use fingerprint reader to scan user fingerprints and verify against the users’ stored fingerprints on the device. This article presents an overview on the PASS API and, then, talks about how it could be used for mobile wallets’ security. What is Pass API? As mentioned on Samsung Developers Page for Pass API, …

Continue reading

Posted in API Development, Application Security. Tagged with , .

Top 4 Security Books Developers Would Want to Keep Handy

security books

Off-late I have been doing an extensive research on application security to to come up with application security guidelines (minimum & most important ones) which could prove very handy and at the same time, very useful for different class of IT professionals including developers, and architects. This is where I have come across some of the following books which has helped me to fulfill my objectives. In one of my later blogs, I shall also list down those basic minimum knowledge that is needed by developers to write secure code. In the meantime, allow me to list down top 4 application security books that, I believe, every developer would want …

Continue reading

Posted in Application Security. Tagged with , .

Top 5 Bad Application Security Practices

bad security practices

We all come across good security practices and make ourselves familiar with them to develop secured code. However, it may also be good idea at times to know about some of the bad security practices such that we, for sure, try and avoid them. [adsenseyu2]   Following are top 5 bad practices you may want to know about: Do NOT interact with un-trusted programs: Make sure that the external programs that your program is invoking for reasons such as data or functionality, must have got reviewed and tested for security compliance. One of the common entry points into secured applications are these unsecured applications and hackers just love them. Hackers, …

Continue reading

Posted in Application Security, Code Review. Tagged with , .

Developer Analysis of Hacker’s Attack on Target Stores – Page 1

target attacked

This is a series of articles to represent developer’s point of view and learning from recent TARGET retail store security attack due to which various reports say that around 40 million customer credit and debit cards data must have got compromised. This hackers’ attck is currently talk of the town and is under analysis of various different security agencies including US secret service. In this article, we shall look at various different possibilities/attack vectors/security vulnerabilities that could have led to third attack. One of the many possibilities could have been installation of malware at the POS system where customers use to swipe their card for the purchases that they make. This could have …

Continue reading

Posted in Application Security. Tagged with , .

Top 7 Secured Practices for Securing Your Partner APIs

security threat partner API

If you are planning to publish partner APIs for exposing your business services or data to your partners and customers, you may want to consider following top 7 secured best practices to ensure application level security: [adsenseyu2] Access-token based Authentication: Have your partners’ applications authenticate itself (and its users) using access-tokens rather than actual passwords. This is because access-tokens may be easily time-boxed and can be enforced to be renewed at the regular time-intervals. And the theft of access token can not really compromise the actual users’ password with the parent application. In this relation, you may consider using OAuth based authentication technique. In addition to usage of access-token for …

Continue reading

Posted in API Development, Application Security. Tagged with , .

Tips for Gathering Security Requirements of your Web Application Project

web security

Gathering security requirements in relation with a project, sprint (if agile) is key to deliver secured applications. This is because security requirements would lead to appropriate design in relation with security. Following are key topics to consider for gathering security requirements: Authentication & password management: This is mostly a one-time activity and done as the start of the project and not in every sprint. One may want to ask questions such as following in relation with authentication and password management: Password policies: This is important to ask to avoid dictionary attack in relation with user credentials. Password hashing: This is important to make sure password is encrypted with appropriate encryption …

Continue reading

Posted in Application Security, Software Engg. Tagged with .

Top 7 Security Attack Questions While Analyzing Every Requirement

security attacks

Following are top 5 security attack related questions that you could ask while analyzing the each requirement in hand, the answers to which could help you put better design in relation with security: Security threats analysis related with data entering into/coming out of the system: How could an attacker inject SQL commands? (OWASP SQL Injection). Solution: Use parameterized SQL queries rather than building SQL statements dynamically using string concatenation How could an attacker perform a cross-site scripting attack? (OWASP Cross-Site Scripting – XSS). Solution: Use OWASP ESAPI to sanitize user input against scripts such as Javascript that could lead to XSS attacks.  This is more about doing input data validation as soon as …

Continue reading

Posted in Application Security. Tagged with , .

Tips for Designing Security for Your Public APIs

securing an api

[adsenseyu2] Before we look into tips & techniques to design security for your Public APIs, lets understand what do we mean by Public APIs? Public APIs are APIs that are published to the world including developers, or partners’ developers to create their custom application by making use of APIs. These APIs can be used by another program, mobile apps or web applications (Web UI), desktop client etc. Following are some tips/techniques for designing security for your Public APIs: IP Address Restrictions: To be able to control access to APIs based on IP address from which request arrived, the IP address restrictions policy should be imposed. This is very handy when …

Continue reading

Posted in API Development, Application Security. Tagged with , .