Channel: Bountied questions - Information Security Stack Exchange

How to perform security analysis of jwt authentication libraries

I am working on security analysis of jwt python libraries. I want to analyze how the libraries work and how they were used in development. Not the source code. Also I have to check the jwt libraries...



How to find out if ClamAV current version has signature for specific...

I installed ClamAV (version 0.99.2/23581/Thu Jul 20 16:15:14 2017) and updated the installation to have the latest signatures. I found on this website (https://lists.gt.net/clamav/virusdb/69755?page=last)...



"int 0x2E" instruction

While trying to exploit vulnserver (GMON), on Windows 10, using an egghunter, the program crashes in the instruction "int 0x2E" of the egghunter. The exploit works if I use jumps. Does someone know if there...


Looking for a solution: trusted identity with corresponding digital...

We are looking for a solution to meet the needs of a UK incorporated charity (CIO) that has three to seven trustees from at least three continents. Obligations as trustees of a board include signing (by...


Crash on "int 0x2E" instruction

While trying to exploit vulnserver (GMON), on Windows 10, using an egghunter, the program crashes in the instruction int 0x2E of the egghunter. The exploit works if I use jumps. Does someone know if...



Detecting BIOS changes on PC

I've seen this question: Is it possible to determine if the BIOS has been modified between two points in time? On my Linux PC, I've made a script that checks the MD5 hash of the boot partition to...


Can't sign commit with YubiKey, GPG missing something

I don't know much about how YubiKeys work, but I'm trying to sign a commit with one of them and I don't even know how to debug the problem. I got: gpg...


Common attack vectors for Microsoft Exchange Server?

What are the common attack vectors for a Microsoft Exchange Server? My online searches only yield discussion of various APT groups, and technical write-ups of different 0day exploits. There does not...



Use platform TPM as U2F for web applications

The Problem: Use the platform TPM of my Windows laptop/PC (no external device or USB token) as U2F in a web application to check if it is a known device. My intended solution: I need to store/create...



What software commonly generates RSA keys with public exponent 0x23 (35)?

Reviewing the SSH keys of hosts that I connect to (as gathered by PuTTY in registry key HKEY_CURRENT_USER\SoftWare\SimonTatham\PuTTY\SshHostKeys), I find that they all start with 0x10001 (65537) or...


Storing Anti-CSRF token in cookie with samesite=strict

The (anti) CSRF token should protect the user from executing an action on the website by clicking a link or a form that is created by an attacker. In the application that I want to secure I can't use an...


AppArmor Not Recognizing Files & Directories That Exist (Syntax Error)

I am on an Ubuntu 20.04 server running AppArmor 2.13.3 and I have downloaded two additional AppArmor profiles from the official AppArmor repository: usr.sbin.apache2 and php-fpm. Because I am running such...


Is the Web Crypto API secure when the server is trusted?

I've heard a lot of people say that the Web Crypto API is not very safe. For example: https://tonyarcieri.com/whats-wrong-with-webcrypto, Problems with in Browser Crypto. However, I'm looking to use...




How to manage long-term access to profile data using OIDC?

I am designing an ecosystem of web applications that uses an Open ID Connect (OIDC) authorization server. The users authenticate to the authorization server using the Authorization Code Flow with Proof...



How does Windows Defender for Mac block applications and how can people evade...

I am using MS Defender for Mac to specify a list of unwanted applications on the managed devices in my company. I am concerned that some users try to evade the detection by altering the binaries of the...


Perfect DMZ: LDAP auth to AD

My goal is to integrate a public-facing service with AD using LDAP. While I vouch for a federated approach to user authentication, the business dictates LDAP. We run a DMZ subnet and I insist on not...



CVSS3 score for XSS leading to account takeover

Let's say there is an XSS vulnerability in a web application. The XSS allows an attacker to hijack the user's session. Within the session, the attacker can view/modify the user's credit card and billing...


How secure is OPAL 2.0?

I basically cannot find any credible information online as to how secure OPAL 2.0 drives are, and so I don't really know how much, or in what cases, I can trust their encryption to keep my data safe if...


Outdoor backup: gocryptfs --init --reverse: always same .diriv in 1st level...

Intro: Trying to send encrypted backups of in-production filesystems, I was interested in the ability to use gocryptfs in reverse mode! The idea is to use gocryptfs --reverse from any existing...
