WhitePaper Release: Defense against Client-Side Attacks
NotSoSecure
by NotSoSecure
2y ago
TL;DR: A new WhitePaper released “https://insight.claranet.co.uk/cybersecurity/defense-against-client-side-attacks” to help attackers understand client-side attacks and for developers to understand how to mitigate them. In the modern era, the web exploitation world is obsessed with server-side attacks; however, the data now resides equally on the server and client side. Developers focus on fixing server-side...
Tool Release: Serialized Payload Generator
by NotSoSecure
3y ago
TL;DR: A new tool released https://github.com/NotSoSecure/SerializedPayloadGenerator/ to help with “Serialized Payload Generation”. Serialization bugs have been making the rounds across the internet. The exploitation of serialization bugs has grown in leaps and bounds in the last few years. We have been closely monitoring this area and addressing it in our pentests...
Project Launch: Tracking Browser Security Enhancements
by NotSoSecure
3y ago
TL;DR: NotSoSecure is releasing a new project to track security enhancements or downgrades in browsers: https://notsosecure.github.io/browser-security-enhancements/ Introduction: Our lives have been slowly moving from desktop applications to browser-based applications, and browsers have become an integral part of our lives. Current top browsers have a special focus on security and have...
Flutter based Mac OSX Thick Client SSL Pinning Bypass
by Rohit Salecha
3y ago
During one of our recent thick client application penetration tests, Sanjay encountered a scenario where the application was built on top of the Flutter framework and had an SSL pinning check in one of the embedded libraries. Due to this check, the application produced an SSL pinning error when it was...
Let’s Cook ‘Compliance as Code’ with Chef InSpec
by Rohit Salecha
3y ago
Introduction: The concept of DevSecOps has introduced an array of changes to our traditional operations. One of the major changes was to move away from using tools to learning to bake our own ‘code’. Of the many things required for an application or an environment to be production-ready, compliance is...
Security Architecture Review Of A Cloud Native Environment
by Rohit Salecha
3y ago
Overview: Due to its massive adoption, cloud computing has become a critical component for every enterprise. A large number of organisations want to migrate to the cloud; however, its security posture is still a blind spot for everyone. Nevertheless, we have seen a big rise in the number of requests...
Semgrep: A Practical Introduction
by Rohit Salecha
3y ago
Static Application Security Testing, or SAST, is a testing methodology that analyses application source code to identify security vulnerabilities (such as, but not limited to, injection vulnerabilities, insecure functions and cryptographic weaknesses). Typically, SAST includes both manual and automated testing techniques which complement each other. In this...
Continuous Security Monitoring using ModSecurity & ELK
by Rohit Salecha
3y ago
Recently, NotSoSecure got an opportunity to explore the workings of monitoring and alerting systems as part of a project. In this blog post, Anand Tiwari will talk about his experience and the challenges faced while setting up one such monitoring and alerting system. Insufficient Logging and Monitoring: In 2017, OWASP introduced...
Exploiting VLAN Double Tagging
by Dhruv
3y ago
We have all heard about VLAN double tagging attacks for a long time now. There have been many references and even a single-packet proof of concept for the VLAN double tagging attack, but none of them showcase a weaponized attack. In this blog, Amish Patadiya will use VLAN double tagging...
Automating Pentests for Applications with Integrity Checks using Burp Suite Custom Extension
by Dhruv
3y ago
During one of our recent web application penetration testing assignments, @realsanjay encountered a scenario where the application employed an integrity check on HTTP request content. The integrity check was maintained using a custom HTTP header that stored the HMAC of the HTTP request content, keyed on session-specific CSRF tokens. Any modification...