Our blog’s goal is to cover different topics related to security
and other topics of interest in the world of IT.
Our articles may also reflect the author’s opinion about a specific issue
related to security.
If you want to collaborate with us or submit an article of your own,
check our ideas list below.
When we accept an article covering one of the ideas on our list,
we add it to our blog and update the #TrendingTopics list.
Among the topics of interest are:
Poodle TLS.
Simple cracking of non-reversible keys.
Cracking with rainbow tables.
Web shells without collateral effects.
Reflected file download.
Apache Struts 2 Framework Checks.
Apache Struts Detection.
Arbitrary File Upload.
ASP.NET Misconfiguration.
ASP.NET Serialization.
ASP.NET ViewState security (ViewState Check).
Autocomplete attribute/check.
Blind SQL Injection.
Browser Cache directive (leaking sensitive information).
Browser Cache directive (web application performance).
Brute Force (HTTP Authentication).
Brute Force Form based Authentication.
Business Logic Abuse.
Clients Cross-Domain Policy Files.
Collecting Sensitive Personal Information (Personal Sensitive Information).
Command Injection.
Cookie attributes.
Credentials Over Insecure Channel.
Credentials stored in clear text in a cookie (Password Exposure).
Cross-Origin Resource Sharing (CORS).
Cross-Site Request Forgery (CSRF).
Cross-site scripting (XSS), (DOM based Reflected via AJAX Request).
Cross-site scripting (XSS), (DOM based).
Cross-site tracing (XST – Web Method).
CSP Headers.
Custom Directory Module.
Custom Parameter Module.
Custom Passive Module.
Directory Indexing.
Email Disclosure.
Expression Language Injection.
File Inclusion.
Forced Browsing.
Form Session Strength.
FrontPage Checks.
Heartbleed Check.
HTTP Authentication over insecure channel.
HTTP Headers.
HTTP Query Session Check.
HTTP Response Splitting.
HTTP Strict Transport Security (HSTS).
HTTP Verb Tampering (Request Method Tampering).
HTTPS Downgrade.
HTTPS Everywhere.
Information Disclosure in comments.
Information Disclosure in Response.
Information Disclosure in scripts (Script Check).
Information Leakage In Response.
Java Grinder.
LDAP Injection.
Local Storage Usage.
Nginx NULL code.
OS Commanding.
Out of Band Cross-site scripting (XSS).
Out of Band Stored Cross-site scripting (XSS).
Parameter Fuzzing.
Persistent Cross-site scripting (XSS) (passive – XSS Persistent).
Persistent Cross-site scripting (XSS), (active - XSS Persistent Active).
PHP Code Execution.
Predictable Resource Location (Resource Finder).
Privacy Disclosure.
Privilege Escalation.
Reflected Cross Site Scripting (XSS, Reflected).
Reflected Cross Site Scripting Simple (XSS, Simple).
Reflection.
Reverse Clickjacking.
Reverse Proxy.
Secure and non-secure content mix.
Sensitive Data Exposure.
Sensitive data over an insecure channel.
Server Configuration.
Server Side Include (SSI) Injection.
Session Fixation.
Session Strength.
Session Upgrade.
Source Code Disclosure.
SQL Information Leakage (SQL Errors).
SQL Injection.
SQL injection Auth Bypass.
SQL Parameter Check.
SSL Strength.
Subdomain discovery.
Unvalidated Redirect.
URL rewriting.
Web Beacon.
Web Service Parameter Fuzzing.
X-Content-Type-Options.
X-Frame-Options.
XML External Entity Attack.
XPath Injection.
X-Powered-By.
X-XSS-Protection.
API throttling.
Recommended hashing function.
Recommended asymmetric encryption function.
Recommended symmetric encryption function.
How to effectively stop a DDoS without proxies.
IAST.
DAST.
SAST.
SecDevOps.
Why we use monorepo?
Why we use trunk based development?
Why we use continuous delivery?
Why we use infrastructure as code?
Why we use staticgen?
Why we use SLB?
Why we use asciidoc?
Why CI security tools don’t break builds?
Why automated tools have higher escapes rate?
Refactoring JS with linting.
Why Asserts don’t use OpenSSL?
Who must detect changes in an API: provider or consumer?
Should ethical hacking include vulnerabilities analysis?
Immutable infrastructure.
Red team.
Blue team.
Purple team.
Capture the flag.
NixOS.
Linters as normalizers.
Poor man linter: check-all/changed and grep -P.
What is SecDevOps?
Remediation Pipelines: One shot, Continuous, Breaking the CI.
Black Box testing.
Gray Box testing.
White Box testing.
Misra Standard.
Bearer authentication.
SOAP basic authentication.
SOAP digest authentication.
Correctness by Construction (CbyC).
Security development lifecycle (SDL).
Comprehensive software development model.
Lightweight application security process (CLASP).
Team software process for secure SW/Dev (TSP-Secure).
Conceptual security modeling (CoSMo).
UMLSec.
Bitcoin blockchain security issues.
Ethereum security issues.
Stellar security issues.
Machine learning for vulnerabilities searching.
Incidents associated with vulnerabilities.
DVWA with false positives.
Who discards false positives?
How to prioritize vulnerabilities remediation?
Copyright © 2021 Fluid Attacks, We hack your software. All rights reserved.