The business of Authorization and Authentication flaws
business-logic
Ensuring security is one of the most daunting challenges web applications face today. Authentication and authorization are the two main security fields a web application must address to be protected against unauthorized
Taxonomy of Business logic flaws
business-logic
In the previous article we defined and discussed Business Logic Flaws and their inherent risks. In software design, every web application can be modeled as a set of use cases and workflows. A
Case Studies: Weak Crypto
ocular
For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context: From Code to Code Property Graph, From Code Property Graph to Ocular, A Whirlwind Tour of Ocular. Broken
Case Studies: Cookie Poisoning
ocular
For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context: From Code to Code Property Graph, From Code Property Graph to Ocular, A Whirlwind Tour of Ocular. The
Case Studies: Detecting Sensitive Data Leaks
ocular
For those who arrived directly at this post, I'd strongly suggest reading the following in sequence to gain context: From Code to Code Property Graph, From Code Property Graph to Ocular, A Whirlwind Tour of Ocular. A
A Whirlwind Tour of Ocular
ocular
In my study of learning styles, I came across the whole to part and part to whole concept. As with all learning style paradigms, this has a strong connection to communication styles, and
From Code Property Graph to Ocular
ocular
Information flow is fundamental to application security. We do not want sensitive information to reach untrusted principals (confidentiality), and we do not want untrusted principals to corrupt trusted information (integrity). For example, it is
From Code to Code Property Graph
ocular
The most important security vulnerabilities found thus far have been discovered through laborious code auditing. It is also the only way vulnerabilities can be found and fixed during development. However, as software production rates
Case Files: One (Bug)Mac please!
business-logic
Watch this video! Courtesy: Moshe Tamssot. A typical Big Mac has two juicy beef patties with melted American cheese, pickles, onions, lettuce and McDonald's Special Sauce on a toasted sesame bun. The majority of
Case Files: Your data has been breached, now what?
business-logic
Act 6: Your data has been breached, now what? In my previous post we witnessed how a flawed design pattern for session management across SaaS vendors allowed an exploit to manifest. Type
Case Files: Pusher in Coinbase cookie
business-logic
In my previous post we witnessed how a bidding process can be abused in an online auction marketplace. All of us are guilty of using SaaS services in this cloud era. Our systems
Case Files: Outbidding
business-logic
In my previous post we witnessed a vendor partnership flaw that was exploited. Let us now situate ourselves in an online auction event.Online auctions offer buyers and sellers of a wide variety
Case Files: The dynamic duo Andrew and Allen exploit Nordstrom with their FatWallet
business-logic
Fast forward to 2012 from my last post, which re-enacted Citibank's exploit from 1999. The actors in this story are Andrew and Allen Chiu and their plot to defraud Nordstrom via a channel
Case Files: Attack like it's 1999 (Citibank) in 2012 (Signet/Jared jewelers, Molina Health)
business-logic
In the prior installment I discussed and described the definition of a business logic flaw. Let us now turn back time to 1999 and recount the events leading to the Citibank attack on approximately 360,