Category: Web Application Security

Heartbleed

CVE-2014-0160

A vulnerability exists in outdated version of OpenSSL which allows an attacker to cause the server to disclose up to 64kb of server memory contents. This can cause secret keys, authentication tokens, usernames and passwords to be compromised. This can lead to an attacker being able to impersonate users and decrypt data transferred between a user and the server.

Continue reading: Heartbleed

HSTS: HTTP Strict Transport Security

HSTS is a web security mechanism to prevent downgrade attacks, it’s a mechanism that allows a web server to instruct web browsers to only communicate with the server over SSL, so that all subsequent traffic is encrypted, even if a user attempts to visit an insecure link (the browser will ‘correct’ the user and request the secure site instead).

Continue reading: HSTS: HTTP Strict Transport Security

XXE: XML eXternal Entity Injection vulnerabilities

Here’s a quick write-up on XXE, starting with how to detect the vulnerability and moving on to how to fix it! XXE is a vulnerability in the way that XML parses handle¬†user¬†input and if an attacker is able to enter arbitrary or crafted data into an XML parser they may be able to inject entities and this could leave to file disclosure, denial-of-service attacks or in rare cases – code execution!

Continue reading: XXE: XML eXternal Entity Injection vulnerabilities