You would think that after several years, a well-known security vulnerability should no longer be found in production systems. It may, therefore, come as a surprise that famous Internet security issues such as the Heartbleed vulnerability linger on for many years after they have been…
Author Archives Tomasz Andrzej Nidecki
THE AUTHOR
Tomasz Andrzej Nidecki
Principal Cybersecurity Writer
Principal Cybersecurity Writer
Cross-Origin Resource Sharing (CORS) and the Access-Control-Allow-Origin Header
Modern browsers use the Same-Origin Policy (SOP) by default which means that fetching resources from other origins is not allowed. However, in some situations, such operations are necessary. Cross-Origin Resource Sharing (CORS) was designed to address such situations using HTTP response headers, which include Access-Control-Allow-Origin….
Agile and Secure SDLC – Best Practices
Agile development processes help businesses release software much quicker than it would be possible if using classic design and development cycles such as those based on the waterfall model. Most web applications require an agile methodology because they need to be updated very often and…
The HttpOnly Flag – Protecting Cookies against XSS
Cross-site scripting (XSS) attacks are often aimed at stealing session cookies. In such an attack, the cookie value is accessed by a client-side script using JavaScript (document.cookie). However, in everyday use, web applications rarely need to access cookies via JavaScript. Therefore, a method of protecting…
What Is Broken Link Hijacking
Broken link hijacking (BLH) is a type of web attack. It exploits external links that are no longer valid. If your website or web application uses resources loaded from external URLs or points to such resources and these resources are no longer there (for example…
SQL Injection Cheat Sheet for Developers
In this cheat sheet, we will assume that: You are a developer or you know programming You have limited web application security knowledge You need to know how SQL injection attacks happen You need to know how to fix SQL injection issues in your code…
Web System Hardening in 5 Easy Steps
To harden a computer system means to make it more difficult for a malicious hacker to attack. In formal terms, system hardening means reducing the attack surface – the attack surface is the combination of all the points where an attacker may strike. Many computer…
nginx Security: How To Harden Your Server Configuration
Currently, nginx is the most popular web server, recently beating Apache. It is lightweight, fast, robust, and supports all major operating systems. It is the web server of choice for Netflix, WordPress.com, and other high traffic sites. An nginx server can easily handle 10,000 inactive…
What Is the POODLE Attack?
The POODLE attack (Padding Oracle on Downgraded Legacy Encryption) exploits a vulnerability in the SSL 3.0 protocol (CVE-2014-3566). This vulnerability lets an attacker eavesdrop on communication encrypted using SSLv3. The vulnerability is no longer present in the Transport Layer Security protocol (TLS), which is the…