Posts

Protection against OTP abuse

The first-factor identification with any internet application happens through the sign-up functionality, and if there is a requirement to associate the user with a phone number, as for e-commerce, food delivery, medicine delivery or event lookup apps, then sign-up is programmed to happen via OTPs. Since any and every user is expected to produce an OTP while signing up, the feature as such should not be bound by any security headers. This makes OTP generation and delivery of the OTP SMS vulnerable to an array of attacks:

1. DDoS attack - No further SMSes can be sent when the SMS threshold allocated to the application by the SMS service provider for a given time is reached due to increased requests.
2. Resource exhaustion attack - Exhausting the allocated cost per unit time for sending SMS due to DDoS.
3. Unintentional sending of SMS to customers, which leads to annoyance, and even to unregistered customers.

Some of the countermeasures to stop the abuse:

1. Rate limiting - Bot

SSL Handshake

This is no rocket science either. All communication over the internet happens with the SSL (Secure Sockets Layer) handshake, which is now called the TLS (Transport Layer Security) handshake. SSL was designed for HTTP connections and TLS has replaced SSL. The TLS handshake happens between the client and the server. The two parties involved will do the following:

1. Specify the version of TLS they are using
2. Agree on the type of cipher suite
3. Identify the server and authenticate it through the server's public key or the SSL certificate authority's digital signature
4. Establish session keys to use symmetric encryption for further data in transit

Below are the exact steps that occur during the TLS DH handshake:

The browser (client) sends the "Hello" message to the server with details of its TLS version and cipher suites. It also sends a string of random bytes known as the client random. The server replies to the client with its SSL certificate, cipher suite and s

Homomorphic encryption

Homomorphic encryption is a type of encryption where data in transit can be accessed, computed on and analysed all the while the data remains encrypted. This can be an extension of both symmetric and asymmetric encryption (see Symmetric and Asymmetric Encryption for more details). It can be used for outsourcing encrypted data for storage and computation to cloud environments. In plain language, homomorphic encryption is like this: assume there are many things in a bag and you put your hands inside, manipulate their positions, access them and sense them, but you can't pull them out and see for real what they are. This kind of data transmission is required in healthcare, where privacy is of most concern. The same holds good for voting purposes, where the data needs to be encrypted for privacy but also should be assessed. In the banking sector too this is used to protect PII and still perform the required processing on the data. The computations on the data are rep

Symmetric and Asymmetric encryption

This is no rocket science that I am writing about. It's the next post that will need this information.

Symmetric encryption

It's the encryption where the source that is encrypting the information and the destination that is decrypting it make use of the same key. This means you encrypt and decrypt using the same key. This key is often called the secret key. The key is generally a password or code or a randomly generated number (RNG). Two types of symmetric encryption:

1. Block algorithms: Set lengths of bits are encrypted in blocks of electronic data with the use of a specific secret key. As the data is being encrypted, the system holds the data in its memory as it waits for complete blocks.
2. Stream algorithms: Data is encrypted as it streams instead of being retained in the system's memory.

Symmetric encryption use cases: Due to the better performance and faster speed of symmetric encryption (compared to asymmetric), symmetric cryptography is typi

Bug bounty - Simple tips and tricks

It's been a couple of months that I have been bug hunting and I think I have got the hang of it now. Bug bounties are the most fancied way of earning money among ethical hackers and engineers otherwise. I get many requests on LinkedIn and Telegram to teach bug bounty. I have followed a few big-time bug hunters and learnt from them. There are awesome writeups, podcasts and tutorials on Pentester.Land. Here are a few tips and tricks to get started with any bounty program. Follow platforms like HackerOne and Bugcrowd. They have organised bounty programs which reward in points and money according to the priority of the bug found. They have charity programs too if you wish to donate. So, when new programs are launched for websites, mobile apps and APIs, you get to see what's in scope of the program and what's not. If you report a bug that's not in scope, you get negative points. There will be rules of the program which you MUST read carefully to understand the type of progra

Hashing, Salting, Encoding and Encrypting

One of the most asked questions when you say you are a cybersecurity engineer is: what's the difference between hashing, encoding and encryption? Many great blogs are available out there to answer that question. I try to make things simple so a layman gets it right.

Hashing

Hashing is a one-way function where the given string is converted into a fixed-length string using hashing algorithms. Simply put, it's a set of rules that converts text into fixed-length text. Hashing is basically used to check the authenticity of data. Assume you have a file that should be downloaded from a website. First you hash the file and digitally sign it. Now you hash the signed file too and encrypt it (will talk about this later). The browser that downloads the file at the client end will get these two hash values with the file. Now it employs the same hashing mechanism and generates its own set of hashes. If these two hashes match the ones with the file downloaded, then the browser kn

Decompiling android apps using apktool

There aren't many tools required for this one. It's a simple procedure. If one knows what to look for once the app is decompiled, then the whole activity takes less than 10 minutes to tear apart the application.

First - Check the Java version installed. It should be more than 1.8. If there is no Java installed, follow this and make it the default (make sure to install <1.8): https://java.com/en/download/help/download_options.xml

Second - Install apktool: https://ibotpeaches.github.io/Apktool/install/

1. Download the mac wrapper script as "apktool" - https://raw.githubusercontent.com/iBotPeaches/Apktool/master/scripts/osx/apktool
2. Download apktool-2 - https://bitbucket.org/iBotPeaches/apktool/downloads/
3. Rename the downloaded jar to apktool.jar
4. Move both files, apktool.jar and apktool, to /usr/local/bin using root
5. Make both files executable using chmod +x
6. From the CLI, run apktool --version
7. Download the apk (yourapp) file you want to decomp