#Risks E-Commerce fraud cases
Full research here:
https://appriss.com/retail/wp-content/uploads/sites/4/2018/12/AR3018_2018-Customer-Returns-in-the-Retail-Industry_Digital.pdf
#BugBounty #Tools A cool checklist from whitespots.io for Android
https://docs.whitespots.io/mobile/android-checks
Automate your scans with a scanner aggregator
https://github.com/secureCodeBox/secureCodeBox-v2
Finding CORS misconfigurations #scripts
site="example.com"; gau "$site" | while read -r url; do if curl -s -o /dev/null -D - -H "Origin: https://evil.com" "$url" | grep -qi 'access-control-allow-origin:.*evil\.com'; then echo "[Potential CORS found] $url"; else echo "Nothing on $url"; fi; done
Without any additional installation:
docker run --rm -it --name corsfinder -e VULN_ID=1 -e DOMAIN=site.com whitespots/corsfinder
#bugbounty
Interesting article about request smuggling
https://labs.bishopfox.com/tech-blog/h2c-smuggling-request-smuggling-via-http/2-cleartext-h2c
Bishop Fox
Research on h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext…
Upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections can allow a bypass of edge-proxy access controls.
A simple introduction to threats and clouds
https://notsosecure.com/security-architecture-review-of-a-cloud-native-environment/
Someone stole $15m and returned $7m to the sleeping developer. The most interesting thing is that this network was not even fully developed yet.
https://twitter.com/AndreCronjeTech/status/1310763507890225152?s=19
Twitter
Andre Cronje 👻🐸
2/x 3. These contracts, nor the ecosystem are final, yesterday alone you will notice I deployed 2 separate batches of the contracts, this is my usual "test in prod" process 4. We started releasing some of the art teasers to showcase all the different clans…
#Risks
GitLab security trends report
https://about.gitlab.com/blog/2020/10/06/gitlab-latest-security-trends/
about.gitlab.com
GitLab's security trends report – our latest look at what's most vulnerable
From triage to containers and secrets storage, we took a look at the most vulnerable areas across thousands of hosted projects on GitLab.com. Here's what you need to know.
#Tools
DVWA is too old for you? Maybe you like some Crypto labs?
Here is something you will like 🙂
https://github.com/DamnVulnerableCryptoApp/DamnVulnerableCryptoApp/
GitHub
GitHub - DamnVulnerableCryptoApp/DamnVulnerableCryptoApp: An app with really insecure crypto. To be used to see/test/exploit weak…
An app with really insecure crypto. To be used to see/test/exploit weak cryptographic implementations as well as to learn a little bit more about crypto, without the need to dive deep into the math...
#owasp #Tools
If you need any guidelines, Sonar has a lot of examples
https://rules.sonarsource.com/python/RSPEC-2755
It's never too late to learn pod & network security policy.
Here are k8s guidelines:
https://github.com/cloudogu/k8s-security-demos
GitHub
GitHub - cloudogu/k8s-security-demos: Demos for several kubernetes security features
Demos for several kubernetes security features. Contribute to cloudogu/k8s-security-demos development by creating an account on GitHub.
PS: some additional materials to play with, for those who like this format
https://github.com/whitespots/security-for-developers
GitHub
GitHub - whitespots/security-for-developers: Some demo scripts for education purposes
Some demo scripts for education purposes. Contribute to whitespots/security-for-developers development by creating an account on GitHub.
#bugbounty
Few words about a private BugBounty
https://medium.com/finn-no/one-year-with-a-private-bug-bounty-program-f928a57ad026
Medium
One Year With a Private Bug Bounty Program at FINN.no
Over the years, FINN.no has been doing a lot of different security assessments: from the classical one test per release to regular on-site…