Blog

Jan 03

    Someone asked me about the Hash DoS attack recently disclosed at CCC, so I thought I would give a high-level explanation of it here in case it benefits others as well. Hash tables are often used in programming languages to map data keys and values together. A comparable real-world example could be a phone book, which maps a person's name (the key) to their phone number (the value).

| 1,369 Hits
Dec 02

    On a recent engagement we gained unrestricted administrative access to a certain proprietary web application by exploiting a Session Fixation flaw. According to the WASC Threat Classification v2, Session Fixation is an attack technique that forces a user's session ID to an explicit value.

| 605 Hits
Nov 16

    Often when implementing customised ModSecurity solutions we need to extend the built-in functionality via Lua scripting. One of the disadvantages of this approach is the added latency penalty paid for not using the native rules language. When web site performance is critical for business continuity, every additional millisecond counts. The current trunk code fixes a long-standing limitation where ModSecurity needed to create a new VM for each request, which added latency every time a Lua script was executed.

| 1,252 Hits
Oct 15

    Let's say that at some point you decided to adhere to security best practices and set a password on your iPhone backups so that they are encrypted. A year or two later you have upgraded your iPhone to a new version and you want to transfer all of your data across to the new phone. You attempt to restore from your backup and, doh, you need to remember the password you set. You try every password you could have set but none of them work.

| 4,382 Hits

Most Popular List

06/05/2011 | Written By Gordon Maddern | 44,314 Hits
About a month ago I was chatting on Skype to a colleague about a payload for...
28/06/2011 | Written By Sandeep Nain | 6,834 Hits
Coming from a family of civil engineers, I always knew that it is a rigorous...
17/02/2011 | Written By Josh Zlatin | 6,014 Hits
Recently a floating point DoS vulnerability surfaced in both PHP and Java. Th...
15/10/2011 | Written By Ty Miller | 4,382 Hits
Let's say that at some point you decided to adhere to security best practices...

Most Recent Posts List

03/01/2012 | Written By Josh Zlatin | 1,369 Hits
Someone asked me about the Hash DoS attack recently disclosed at CCC, so...
02/12/2011 | Written By Josh Zlatin | 605 Hits
On a recent engagement we gained unrestricted administrative access to...
16/11/2011 | Written By Josh Zlatin | 1,252 Hits
Often when implementing customised ModSecurity solutions we need to...
15/10/2011 | Written By Ty Miller | 4,382 Hits
Let's say that at some point you decided to adhere to security best practices...