A boilerplate for building API services in Restify, CoffeeScript for Node.js.
It is fully documented and Heroku ready. Also features basic security features such as exception handling and input validation.
Author: Gabor
Gabor Szathmari is a cybersecurity expert and digital privacy enthusiast. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges at Iron Bastion.
Session IDs as Query Parameters Must Die
Purge those nasty JSESSIONID and PHPSESSID parameters from the URL bar. Now. Sensitive data in GET parameters are bad. Even over HTTPS.
Check out this session ID killer proxy built on nginx, that converts these sensitive query parameters into safe and secure cookies.
Sun Tzu as a Service
Do you regularly cite The Art of War from Sun Tzu in your cyber security reports? Have you run out of relevant quotes? Today we are proudly announcing our API. It provides an endless feed of bogus, auto-generated quotes from this masterpiece.
Never Say ‘No’ to Direct Database Access
Direct access to databases is usually a privilege of DBAs and not end-users. Nonetheless, end-users have to access DBs in certain situations like generating sales reports, making ad-hoc queries, exporting data into spreadsheets and so on. From the security perspective, this is clearly not ideal, as a typical application was never designed to be utilised this way. Instead of saying ‘no’ to […]
Suit Up and Protect WordPress
In the final part of the series, I am going to show a few practical tips and tricks for protecting your WordPress blog. We have seen earlier how a simple XSS vulnerability can lead to the total compromise of the hosting environment. We not only managed to deploy a backdoor, dump all data from the databases and retrieve each file from […]
Data Exfiltration with XSS
We had an XSS vulnerability, we created a fake login page, we stole the WordPress admin’s credentials, now what? Over the following pages, I am going to walk you through the complete data exfiltration process. We are going to get shell access to the OS, dump the databases and configure the compromised WordPress server as a pivot for launching further attacks.