Introduction Many of us have probably been faced with testing an application with custom HTTP request authentication or message signing. The requests from these applications can be proxied but they have built-in replay protection mechanisms in some form. As such, it isn’t possible to resend these requests outside of the application therefore making all external […]
Firebase Applications – The Untold Attack Surface
Introduction In this blogpost, we will review some of the basic components of a Firebase application from a Security Perspective and talk about common issues that don’t get enough attention. What is Firebase? Firebase is a complete backend as a service with many different features that we can plug straight into our applications. For example: There […]
Understanding the Android clearTextTrafficPermitted Flag
Introduction The cleartextTrafficPermitted flag is one of the options in Android’s Network Security Configuration file. The online documentation (https://developer.android.com/training/articles/security-config) explains that from Android 9 (API level 28) and higher, it will be set by default to false and it is intended to prevent insecure communication attempts using clear-text HTTP originating from Android applications. OK, so what does this […]
A Taxonomy on Brute Force Attacks
A brute force attack is a well-known technique of trial and error attempts used by attackers to gain access to unauthorized data. It can be leveraged against servers as an online attack and also against files as a local attack. The common denominator of all these types is that the same pattern is almost always […]