This article was originally published by Kacper Duda Often, very often it happens that we have at home items from THE PRUSSIAN or older, which do not have an emblem, a grille or other smaller or larger elements that spoil the overall first impression. By combining general indimeration with this… Continue reading →
TL;DR – date of birth or social security number is not a good idea to secure access to data. Puzzle – what's the difference between the two pictures below? But let's start from the beginning. Unfortunately, as is often the case in the IT world, convenience does not go hand… Continue reading →
JWT tokens have recently become a very popular authentication method in web applications. While this is one of the safest ways to protect resources, and there are no alternatives on the market – keep in mind that every rose has spikes and there are many potential risks lurking here too…. Continue reading →
I was recently invited to a 180-degree channel to talk about what I do professionally and the security of our digital lives. Below is a video/podcast resulting from this rather unusual meeting in the recording bus. If you would like to know how to make life difficult for hackers and… Continue reading →
When you run a penetration test of a web page that generates dynamic content using templates with user-provided values, you may encounter server-side template injection vulnerability. Manual identification of the template engine you are dealing with and subsequent exploitation can be easily automated using the Tplmap tool. Tplmap is able… Continue reading →
Come on burp suite tool has a built-in session mechanism, more and more often I meet situations where i just can not cope with keeping it active. This is most often caused by one of the following factors: Dynamic CSRF tokens hidden in different places of the request; JavaScript-based applications… Continue reading →
CSP (Content Security Policy) is a security mechanism implemented in all modern popular web browsers. Its main purpose is to protect against frontend attacks – especially against XSS vulnerabilities. Some common mistakes made in the development of CSP policies make it possible to circumvent it. To make sure we haven't… Continue reading →
Enumeration tools such as DIRB require a specially prepared dictionary that sometimes contains hundreds of thousands of the most common folder and file names. It's technologies are constantly changing, and with them the paths to seemingly hidden content. In order to successfully carry out enumeration attacks, you need to complete… Continue reading →
When participating in bug rebellions or penetration tests- it is extremely important to obtain as much information as possible about the purpose of your attack. We call this the reconnaissance phase. Sometimes interesting effects can be achieved by referting to old, forgotten or seemingly hidden domains, subdomains or IP addresses…. Continue reading →
The following example password policy takes into account the state of the art about the performance and capabilities of various types of attacks on cryptographic systems in 2020. If possible, I will try to update it (when it turns out that it is already too weak). Static passwords in IT… Continue reading →
Cześć podróżniku!
Jestem Michał. Cyberbezpieczeństwo jest moją pasją i pracą. Hobbystycznie zajmuję się drukiem 3d. W ramach tej strony staram się dzielić się wiedzą właśnie z tych obszarów. Mam nadzieję, że znajdziesz tutaj przydatne dla siebie informacje :)
Więcej o mnie...
Subscription
Wspieraj tę stronę
Jeżeli podoba Ci się moja twórczość możesz mnie wesprzeć kawą :)
