I want to share one feature when setting COOKIE values, which is often overlooked by the web developers.
According to my experience as for research of the web application vulnerabilities for 2009-2011, this error occurred in 87% of the web applications that were written in PHP.
In order to reduce this rate, I have decided to write this article.
I will not even talk about httpOnly flag, though its use is very important and necessary.
Let’s look at the example of code:
A few days ago, the earliest Half-Life 2 version was released in the network for the media. Obviously, this version has not been finished yet, as the main game’s character is not known to the whole world of players a theorist physicist, who wears glasses and a protective suit and holds in his hand a crowbar, but bearded dwarf Ivan, a space biker, who is opposing against the staff of the research center. 15 years ago, the disk contents was reserved exclusively for members of the regular publishers.
This morning I found a letter in my mail:
In fact, this letter does not have any files attached, it just has 6 links (View, Download...), and they lead to the same address: http://188.8.131.52/~ru1/account.googlemail.com/viewer/13083e7f5f2c0890&
First I got to fake Google Docs with the message "document cannot be displayed", and then I was redirected to fake Google Account, where I was asked to enter a password. I guess for my own safety :). After I entered “screw you”, I got to the third fake page of docs with a list of some components.
It is known that any system reliability is determined by its weakest link. Now we take a good look at the protection from copying of one popular toy that was released a few days ago for OS X and the way of its bypass. In addition, we just look at one of the options for implementing the protection from copying. Of course, this research was conducted in the study purposes, and you still should buy the good software and games.
Let’s run the game and see the registration form or purchase. The registration is done online by entering a serial number, or manually by entering a name and the key in accordance with the displayed identifier of a specific computer. Next, we run gdb and get program exited with code 055.
This article is not a panacea for all security lacks, and it does not reveal any new attack vectors. I just saw a serious implementation of the fake for Google mail and decided to warn all UMumble users.
Recently, I have received an interesting letter, supposedly to confirm / cancel automatic forwarding to my mailbox.
It would be true to say that everything new is well forgotten old.
A feature to embed remote resources (such as images from other websites) on the page of your website is a very bad practice that at some point may lead to quite serious consequences for the website. As far back as 10 years ago, I was surprised to read about that possibility. Now after 10 years nothing changed, and it seems that it hardly ever will change.
Many people have faced the DDoS attacks and HTTP flooding. No, this is not just another tutorial on setting up nginx, but I would like to introduce my module that works as a quick filter between the bots and backend during L7 DDoS attacks, as well it allows filtering the garbage requests.
The module can do:
• To set cookies in a standard way through HTTP header Set-Cookie. After the cookies are set it redirects the user using the response code 301 and Location header.
• After the cookies are set it redirects the user using the response code 200 and HTML tag Meta refresh.
• To count the number of attempts to set the cookies and to direct the user to a specified URL after exceeding the maximum number of unsuccessful attempts.
Hello, UMumble users!
Recently, Dr. Web’s researchers have discovered a botnet of more than 550 thousands infected Mac’s machines. Probably, you may say "it is started all over again”. Presently, more than 670 thousands the infected computers were found around the world (see map):
Once again, we will try to debunk the myth about the platform impregnability and to help some people to understand this process.
I used to work for a long while in the field of banking software, in particular with all kinds of electronic payments. At that time, I made together with my colleagues a mini-FAQ about the banking plastic cards. There many questions are obvious and some may be very vague. The plastic cards are getting very popular around the world, and it is better to know some important things about that.
Here are 10 most common delusions:
1. The certain amount of money is kept on the card.
A regular credit or debit card (even with the chip) does not have any money register. The card itself is just a simple identifier. There are some exceptions in the form of special add-on application-purses on the cards with the chip. Usually, they can be discounted promos, virtual money (e.g., gallons of gasoline), etc. In general, it could be something that does not relate directly to the regular usage of the card. However, these special applications are only accepted in retail outlets involved in supporting this particular type of cards.
Skype security lapses allow identifying the user’s IP address, even if user is not using Skype, but it is running in the background, an attacker could still get the IP address.
The study's author Keith Ross, a professor of computer science at NYU-Poly explains the essence of vulnerability, which allows setting up a direct connection (P2P) between the attacked computers and a hacker’s computer in order to get a Skype ID and the user’s IP address.