XSS: attack, defense – and C# programming

XSS – or cross-site scripting – is one of the most common vulnerabilities in web applications. It has been on the OWASP Top 10 list (the list of the most critical security risks to web applications) for a while now. So let’s figure out together how your browser can acquire and execute a script from a third-party website, and what this may lead to (spoiler: your cookies could get stolen, for example). And while we’re at it, we’ll talk about ways you can protect yourself from XSS.

Continue reading

Pentest Insights: Choosing a Tool for Traffic Analysis and Interception

GUEST POST

Author David Balaban

Traffic analysis is an important stage of penetration testing. Packets transmitted over the network can contain many interesting things, for example passwords for various resources and other valuable data. Sniffers are used to intercept and analyze traffic, and a great many of them have been written. Today I will talk about several popular sniffers for Windows.

Continue reading

Earning Trust in Public Cloud Services

GUEST POST

Author David Balaban

Public cloud infrastructure must be secured. Who is responsible for ensuring that? How can cloud service providers be controlled? What indicates that a cloud service is provided by a trusted party? This article reviews these and some other security concerns.

Businesses are opting for the cloud more and more, and the ongoing coronavirus pandemic is accelerating this transition. Governments, NGOs and enterprises of every size and profile are now subscribing to cloud provider services. A range of security concerns arises against this background, from how responsibilities are divided between the parties to data integrity.

Continue reading

Safe Clearing of Private Data

Programs often need to hold private data in memory, for example passwords, secret keys and values derived from them, and after use we usually want to erase their traces from memory so that a potential intruder cannot recover them. In this article we will discuss why you cannot reliably clear private data with the memset() function.
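
As an added example (not code from the article above), here is the problem in C and one way around it. In derive_unsafe() the key lives in a stack buffer that is never read after the memset(), so an optimizing compiler is allowed to treat the call as a dead store and drop it; derive_safe() does the same work but wipes through a volatile pointer, whose stores the compiler must keep. The 32-bit FNV-1a hash stands in for a real key derivation, the password "hunter2" is constructed sample input, and the names secure_zero, secure_zero_via_memset, derive_unsafe and derive_safe are chosen for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Overwrite n bytes through a volatile pointer: each store is then a side
 * effect the compiler must preserve, so dead-store elimination cannot drop
 * the wipe. (Example helper, not a standard library function.) */
void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Same goal by another route: call memset through a volatile function
 * pointer. The optimizer cannot prove which function is called, so it
 * cannot reason the call away. */
static void *(*const volatile memset_vptr)(void *, int, size_t) = memset;

void secure_zero_via_memset(void *p, size_t n)
{
    memset_vptr(p, 0, n);
}

/* Returns 1 if every byte of p[0..n) is zero, 0 otherwise. */
int is_all_zero(const unsigned char *p, size_t n)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* 32-bit FNV-1a, standing in for a real KDF so the example stays offline. */
static uint32_t fnv1a32(const unsigned char *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* UNSAFE pattern: key is never read after the memset, so at -O2 GCC and
 * Clang may elide the call entirely. The secret then survives in the dead
 * stack frame until something else happens to overwrite it. */
uint32_t derive_unsafe(const char *password)
{
    unsigned char key[KEY_LEN];
    size_t len = strlen(password);
    if (len > KEY_LEN)
        len = KEY_LEN;
    memcpy(key, password, len);
    uint32_t h = fnv1a32(key, len);
    memset(key, 0, sizeof key);   /* candidate for dead-store elimination */
    return h;
}

/* SAFE pattern: identical logic, but the wipe cannot be optimized away. */
uint32_t derive_safe(const char *password)
{
    unsigned char key[KEY_LEN];
    size_t len = strlen(password);
    if (len > KEY_LEN)
        len = KEY_LEN;
    memcpy(key, password, len);
    uint32_t h = fnv1a32(key, len);
    secure_zero(key, sizeof key); /* volatile stores are kept */
    return h;
}

int main(void)
{
    unsigned char buf[KEY_LEN];
    memset(buf, 0xAB, sizeof buf);
    secure_zero(buf, sizeof buf);
    printf("secure_zero wiped the buffer: %s\n",
           is_all_zero(buf, sizeof buf) ? "yes" : "no");

    /* Constructed sample input; both derivations must agree on the result. */
    printf("derive_unsafe == derive_safe: %s\n",
           derive_unsafe("hunter2") == derive_safe("hunter2") ? "yes" : "no");
    return 0;
}
```

Compile with `gcc -O2 -S` and compare the generated assembly of derive_unsafe and derive_safe: the memset in the unsafe version is commonly removed, while the byte stores in the safe version remain. Where the platform offers a primitive for exactly this purpose, prefer it over a hand-rolled loop: memset_s() from C11 Annex K, explicit_bzero() on glibc 2.25+ and the BSDs, or SecureZeroMemory() on Windows. Note that wiping the buffer is still only part of the answer, since copies of the secret may survive in registers, spilled stack slots or temporaries the compiler created.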


Continue reading

Finding bugs in the code of LLVM project

About two months ago I wrote an article about the analysis of GCC using PVS-Studio. The idea of the article was as follows: GCC warnings are great, but they're not enough. As proof I showed errors that PVS-Studio was able to find in the GCC code. A number of readers remarked that the quality of the GCC code, and of its diagnostics, isn't really great, while the Clang compiler is modern, high quality and fresh. In general, Clang is awesome! Well, apparently it's time to check the LLVM project.


Continue reading