Topics

Our blog's goal is to cover different topics related to security and other topics of interest in the world of IT. Our articles may also reflect the author's opinion about a specific issue related to security.

If you want to collaborate with us or submit an article of your own, check our ideas list below. When we accept an article covering one of the ideas on our list, we add it to our blog and update the #TrendingTopics list. Among the topics of interest are:
Attacks

- Poodle TLS.
- Simple cracking of non-reversible keys.
- Cracking with rainbow tables.
- Web shells without collateral effects.
- Reflected file download.
- Apache Struts 2 Framework Checks.
- Apache Struts Detection.
- Arbitrary File Upload.
- ASP.NET Misconfiguration.
- ASP.NET Serialization.
- ASP.NET ViewState security (ViewState Check).
- Autocomplete attribute/check.
- Blind SQL Injection.
- Browser Cache directive (leaking sensitive information).
- Browser Cache directive (web application performance).
- Brute Force (HTTP Authentication).
- Brute Force (Form-based Authentication).
- Business Logic Abuse.
- Client Cross-Domain Policy Files.
- Collecting Sensitive Personal Information (Personal Sensitive Information).
- Command Injection.
- Cookie attributes.
- Credentials Over Insecure Channel.
- Credentials stored in clear text in a cookie (Password Exposure).
- Cross-Origin Resource Sharing (CORS).
- Cross-Site Request Forgery (CSRF).
- Cross-site scripting (XSS), DOM-based, Reflected via AJAX Request.
- Cross-site scripting (XSS), DOM-based.
- Cross-site tracing (XST, Web Method).
- CSP Headers.
- Custom Directory Module.
- Custom Parameter Module.
- Custom Passive Module.
- Directory Indexing.
- Email Disclosure.
- Expression Language Injection.
- File Inclusion.
- Forced Browsing.
- Form Session Strength.
- FrontPage Checks.
- Heartbleed Check.
- HTTP Authentication over insecure channel.
- HTTP Headers.
- HTTP Query Session Check.
- HTTP Response Splitting.
- HTTP Strict Transport Security (HSTS).
- HTTP Verb Tampering (Request Method Tampering).
- HTTPS Downgrade.
- HTTPS Everywhere.
- Information Disclosure in comments.
- Information Disclosure in Response.
- Information Disclosure in scripts (Script Check).
- Information Leakage In Response.
- Java Grinder.
- LDAP Injection.
- Local Storage Usage.
- Nginx NULL code.
- OS Commanding.
- Out of Band Cross-site scripting (XSS).
- Out of Band Stored Cross-site scripting (XSS).
- Parameter Fuzzing.
- Persistent Cross-site scripting (XSS), passive (XSS Persistent).
- Persistent Cross-site scripting (XSS), active (XSS Persistent Active).
- PHP Code Execution.
- Predictable Resource Location (Resource Finder).
- Privacy Disclosure.
- Privilege Escalation.
- Reflected Cross-Site Scripting (XSS, Reflected).
- Reflected Cross-Site Scripting Simple (XSS, Simple).
- Reflection.
- Reverse Clickjacking.
- Reverse Proxy.
- Secure and non-secure content mix.
- Sensitive Data Exposure.
- Sensitive data over an insecure channel.
- Server Configuration.
- Server Side Include (SSI) Injection.
- Session Fixation.
- Session Strength.
- Session Upgrade.
- Source Code Disclosure.
- SQL Information Leakage (SQL Errors).
- SQL Injection.
- SQL Injection Auth Bypass.
- SQL Parameter Check.
- SSL Strength.
- Subdomain discovery.
- Unvalidated Redirect.
- URL rewriting.
- Web Beacon.
- Web Service Parameter Fuzzing.
- X-Content-Type-Options.
- X-Frame-Options.
- XML External Entity Attack.
- XPath Injection.
- X-Powered-By.
- X-XSS-Protection.
Recommendations

- API throttling.
- Recommended hashing function.
- Recommended asymmetric encryption function.
- Recommended symmetric encryption function.
- How to effectively stop a DDoS without proxies.
- IAST.
- DAST.
- SAST.
- SecDevOps.
- Why do we use a monorepo?
- Why do we use trunk-based development?
- Why do we use continuous delivery?
- Why do we use infrastructure as code?
- Why do we use staticgen?
- Why do we use SLB?
- Why do we use AsciiDoc?
- Why don't CI security tools break builds?
- Why do automated tools have a higher escape rate?
- Refactoring JS with linting.
- Who must detect changes in an API: provider or consumer?
- Should ethical hacking include vulnerability analysis?
Concepts

- Immutable infrastructure.
- Red team.
- Blue team.
- Purple team.
- Capture the flag.
- NixOS.
- Linters as normalizers.
- Poor man's linter: check-all/changed and grep -P.
- What is SecDevOps?
- Remediation Pipelines: One shot, Continuous, Breaking the CI.
- Black Box testing.
- Gray Box testing.
- White Box testing.
Standards

- MISRA Standard.
- Bearer authentication.
- SOAP basic authentication.
- SOAP digest authentication.
- Correctness by Construction (CbyC).
- Security development lifecycle (SDL).
- Comprehensive software development model.
- Lightweight application security process (CLASP).
- Team software process for secure SW/Dev (TSP-Secure).
- Conceptual security modeling (CoSMo).
- UMLSec.
Summary

- Bitcoin blockchain security issues.
- Ethereum security issues.
- Stellar security issues.
- Machine learning for vulnerability searching.
- Incidents associated with vulnerabilities.

Research

- DVWA with false positives.

Marketing

- Who discards false positives?
- How to prioritize vulnerability remediation?