blog.blueinfy.com
Blueinfy's blog: Authored Books
http://blog.blueinfy.com/p/authored-books.html
Web 2.0 Security - Defending Ajax, RIA and SOA (Thomson). SOA, RIA, and Ajax are the backbone behind the now widespread Web 2.0 applications such as MySpace, Google Maps, and Wikipedia. Although these robust tools make next generation web applications possible, they also add new security concerns to the field of web application security. Hacking Web Services (Thomson). Exposes complete methodologies showing the actual techniques and attacks. Shows countermeasures, tools, and eye-opening case studies.
blog.blueinfy.com
Blueinfy's blog: December 2012
http://blog.blueinfy.com/2012_12_01_archive.html
Saturday, December 29, 2012. Next Generation Application Architecture and HTML5. Figure 1 – Run time environment and execution. Traditional applications have clear layers like presentation, business and data access. Typically, only the presentation layer runs on the client side and the other components exist on the server side. Hence, the business logic and data access are server side, as shown in figure 1. Figure 2 – HTML5 application architecture. Business and Data layer – This layer ru...
blog.blueinfy.com
Blueinfy's blog: February 2012
http://blog.blueinfy.com/2012_02_01_archive.html
Wednesday, February 15, 2012. CSRF with upload – XHR-L2, HTML5 and Cookie replay. If we have a business functionality with an actual upload form, then this type of HTTP request will get generated at the time of upload. Note that the cookie is being replayed and the request is a multi-part form. Now, if the CSRF payload has the following XHR call. If you are interested in this analysis, you should visit @kkotowicz. Work - http://blog.kotowicz.net/2011/04/how-to-upload-arbitrary-file-contents.html. Subscribe to: Posts (Atom). This blog...
blog.blueinfy.com
Blueinfy's blog: August 2012
http://blog.blueinfy.com/2012_08_01_archive.html
Sunday, August 12, 2012. File System API with HTML5 – Juice for XSS. HTML5 has come up with several APIs and one of them is the File System API (http://www.w3.org/TR/file-system-api/). For example, if an application has created a token file on the file system using the API, we can see the files by following a URI in Chrome. Labels: File System API. Wednesday, August 1, 2012. [Blackhat 2012] HTML5 Top 10 Threats Stealth Attacks and Silent Exploits. HTML5 Top 10 Threats - Silent Attacks and Stealth Exploits. Blueinfy...
blog.blueinfy.com
Blueinfy's blog: February 2010
http://blog.blueinfy.com/2010_02_01_archive.html
Thursday, February 25, 2010. Future Trainings and Talks. InfoSecWorld 10 - Orlando. Web 2.0 Hacking: Attacks and Defense HANDS-ON. InfoSecWorld 10 - Orlando. Defending Against the Worst Web-Based Application Vulnerabilities of 2010. Secure SDLC for Software Assurance. Web Application Security – Threats and Countermeasures. Subscribe to: Posts (Atom). Subscribe to the blog. Knowledge base and Tools. This blog is created to share our knowledge base with the industry.
blog.blueinfy.com
Blueinfy's blog: April 2015
http://blog.blueinfy.com/2015_04_01_archive.html
Tuesday, April 14, 2015. Impact of sensitive information sent to Analytics in modern world applications. Application analytics is becoming a very important aspect from a business standpoint across companies and ventures. It is even more important for consumer centric sites like eCommerce, portals, mobile apps etc. Analytics servers are usually third party owned; the application owner integrates the code and forces the browser session to push some data cross domain to those servers. Developers may have blindly inte...
blog.blueinfy.com
Blueinfy's blog: March 2013
http://blog.blueinfy.com/2013_03_01_archive.html
Monday, March 25, 2013. Cross Origin Resource Sharing Policy and its impact. The following are extra headers that are added for HTTP requests. Hence, when a browser transmits HTTP requests that originate from APIs like XHR, it automatically adds some of these headers. Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Expose-Headers Access-Control-Max-Age Access-Control-Allow-Methods Access-Control-Allow-Headers. Now, the browser will pass on the JSON-data...
blog.blueinfy.com
Blueinfy's blog: January 2013
http://blog.blueinfy.com/2013_01_01_archive.html
Saturday, January 19, 2013. HTML5/Browser Evolution and Threats. It all started in 1991 when HTTP and HTML came into the picture and browsers started to evolve. From that time onwards, several new sets of technologies gradually came into the browser as requirements arose. With the introduction of HTML5 it has bounced to the next level. Here is a quick curve of technologies over time. Figure 1 - HTML5 Evolution. Browser architecture would look like below to support the HTML5 technology stack. Subscribe to: Posts (Atom).
blog.blueinfy.com
Blueinfy's blog: December 2011
http://blog.blueinfy.com/2011_12_01_archive.html
Thursday, December 22, 2011. Cross Origin Resource Jacking (CORJacking) - DOM based attack vector. Here is a small DEMO of CORJacking with a Flash resource. Here is the object tag loading the Flash component. The HTML page is loaded in the browser and this object, which is coming from the foobank.com domain, is being loaded. Assume this page has a DOM based issue and it is possible to inject/manipulate this value. Hence, if we want to access the src of this object tag, then through the DOM we get access to it. Since the browser is allowing...
blog.blueinfy.com
Blueinfy's blog: Impact of sensitive information sent to Analytics in modern world applications
http://blog.blueinfy.com/2015/04/dont-pass-sensitive-information-to.html
Tuesday, April 14, 2015. Impact of sensitive information sent to Analytics in modern world applications. Application analytics is becoming a very important aspect from a business standpoint across companies and ventures. It is even more important for consumer centric sites like eCommerce, portals, mobile apps etc. Analytics servers are usually third party owned; the application owner integrates the code and forces the browser session to push some data cross domain to those servers. Developers may have blindly inte...