Security – Lukas Vileikis

OWASP Mobile Top 10 Part 2: Insecure Data Storage

May 14, 2021 Colors Comments 0 Comment

Insecure data storage is the second vulnerability in the OWASP Mobile Top 10 list. Insecure data storage comes straight after improper platform usage – such an attack might occur after a malicious party has stolen a mobile device, gained control of a lost mobile device or simply managed to execute some kind of malware on the mobile device of a victim. What is Insecure Data Storage? Put simply, insecure data storage refers to, well, insecure storage of data that is…

Read More Read More

OWASP Mobile Top 10 Part 1: Improper Platform Usage

April 9, 2021 Colors Comments 0 Comment

The improper platform usage vulnerability is the first vulnerability in the OWASP Mobile Top 10. This blog will provide some insight into what it is and how it’s actually exploited in the wild while also telling you how to protect your own mobile applications. What is Improper Platform Usage? The improper platform usage vulnerability refers to a vulnerability that is derived from the improper usage of platforms in use by an application. In other words, this category covers the misuse…

Read More Read More

What is the OWASP Mobile Top 10?

February 16, 2021 Colors Comments 2 comments

If you ever heard of web application security, you probably heard of OWASP. And if you heard of OWASP, you probably heard about the OWASP Top 10. The Open Web Application Security Project, or OWASP for short, is an international non-profit organization dedicated to web-application security. OWASP is widely known for publishing materials covering their projects – one of their projects is OWASP Top 10 which is a regularly-updated report outlining security concerns for web application security. The OWASP Top…

Read More Read More

The Basics of MySQL Security

October 30, 2020 Colors Comments 0 Comment

If you have ever built a website, chances are you took care of security. Securing web applications does have its own caveats though – did you take care of the security of the database? In this post we will look at the options that can make MySQL perform at the very best of its ability security-wise. Keep in mind that this is not a very comprehensive guide (certain topics such as backup security etc. will not be touched) and some…

Read More Read More

WordPress Malware: WP-VCD

August 3, 2019 Colors Comments 0 Comment

Using nulled WordPress themes and plugins is bad. Why? Because sometimes (well, most of the time) nulled plugins or themes contain malicious code that looks something like this: That’s wp-vcd.php. When a WordPress website is infected with this piece of malware, the infected file resides in the “wp-includes” directory and every time a page on a WordPress website is accessed overwrites the functions.php file with malicious code that looks like this: Removing the code doesn’t do any good – as…

Read More Read More

Filtering user input in web applications: the basics

July 21, 2019 Colors Comments 0 Comment

SQL Injection. Cross-Site Scripting. These are just two of web application security flaws that can be prevented by effectively filtering user input. Web developers can filter user-supplied input in two ways – either by utilizing white-list or black-list input validation. Each method of input sanitization has their own pros and cons, so I will go through each of them individually. Black-list input sanitization Black-list input validation is one of the most common ways user-supplied input can be validated. The way…

Read More Read More

CSRF Tokens? What Tokens?

August 8, 2018 Colors Comments 0 Comment

In a previous blog post where I covered Cross-Site Request Forgery and what potential impacts and consequences such an attack may have, I wrote that a popular way to prevent such an attack from unfolding is to generate tokens. In that blog post, I noted that when a website generates tokens, a CSRF attack might be stopped. One thing I did not cover though is that whether the attack will be stopped or not depends on how the tokens are implemented. Confused?…

Read More Read More

Bank-grade Security or Why Blocking Password Pasting is not a Good Security Strategy

July 27, 2018 Colors Comments 0 Comment

Your friend creates a website. You are curious and you ask him: “is it secure?”, which, in your mind, probably means “did you secure your website to the best of your abilities?” and your friend replies: “Yes, it has bank-grade security”. Oh, “bank grade security”, damn! That means it’s very secure! Before you intervene, I am by no ways stating that banking websites are insecure – I am interested in how banks and other financial institutions deal with passwords though….

Read More Read More

Carriage Return Line Feed (CRLF) Injection Explained

July 20, 2018 Colors Comments 0 Comment

How does a server know when a new header begins and the old one ends or when a line is terminated? Simple. In order to note the termination of a line, \r\n or %0D%0A characters are used. These characters refer to Carriage Return (\r) Line Feed (\n). The characters can (and are) used in HTTP responses. To note the end of a line, they can also be used in files. Is it dangerous? A Carriage Return Line Feed (CRLF) Injection vulnerability occurs…

Read More Read More

2017 OWASP Top 10 for PHP Developers Part 10: Insufficient Logging & Monitoring

July 13, 2018 Colors Comments 0 Comment

Another day, another web application gets hacked. Most of the time web application hacks fly under the radar and are discovered years after the data breach occurred, but every so often, after learning what had happened, website administrators hire computer forensic experts in order to help reconstruct and solve high-tech (computer-related) crimes. Every computer forensic expert (or a team of computer forensic experts) has different methods of approaching and solving the problem – but in many cases, the very first thing computer…

Read More Read More