owasp Archives » Rainbow and Unicorn

Upcoming Features of Subresource Integrity 2.x

12th May 201612th May 2016 Gabor

As a response to the growing number breaches involving CDNs, the first release of the Subresource Integrity (SRI) was published hastily in late 2015. The W3C WebAppSec Working Group decided to leave certain useful features out, in favour of an early release. Although SRI already does the job, there is some room for improvement with regards to user experience. The good news is that some of these features will be added to the next iteration of SRI.

The following article gives a brief, speculative overview of the upcoming features of Subresource Integrity.

Passwordcard.org Wordlist Generator

2nd May 20164th May 2016 Gabor

Passwords suck, bit time. They should be unique per each website, and we are supposed to remember all of them. Password cards help to remember the myriad of passwords. Sadly, these cards are vulnerable to brute-forcing attacks and here is why.

This post introduces a tool called Munchkin, which is a wordlist generator for attacking passwords derived from password cards.

Scanning Sites for SRI Usage with sritest.io

Scanning Websites for SRI Hash Usage with sritest.io

4th January 20166th June 2020 Gabor

Third-party hosted website assets, such as JavaScript libraries, are vulnerable to tampering. However, a new technique named Subresource Integrity (SRI) is here to protect these external assets.

One problem is the slow implementation of SRI, thus sritest.io was born. The new service enables website owners and frontend developers to evaluate their sites for SRI hash usage. Sritest.io aims to help the widespread implementation of SRI, thus, ultimately protect website visitors from malicious code.

Credentials in the Ashley Madison Sources

7th September 20159th December 2015 Gabor

One of the security risks of software development is passwords and other credentials hard-coded into the source code.

A quick analysis of the leaked Ashley Madison dumps shows that software developers of AM forgot about these risks. Their source code contains AWS tokens, database credentials, certificate private keys and other secret credentials.

The consequence of this is a more vulnerable infrastructure, which probable made the lateral movement easier for the Impact Team.

Session IDs as Query Parameters Must Die

5th May 20159th December 2015 Gabor

Purge those nasty JSESSIONID and PHPSESSID parameters from the URL bar. Now. Sensitive data in GET parameters are bad. Even over HTTPS.

Check out this session ID killer proxy built on nginx, that converts these sensitive query parameters into safe and secure cookies.

Tag: owasp

Upcoming Features of Subresource Integrity 2.x

Passwordcard.org Wordlist Generator

Scanning Websites for SRI Hash Usage with sritest.io

Credentials in the Ashley Madison Sources

Session IDs as Query Parameters Must Die

Related Sites

Recent

Categories