One of the preliminary activities when analyzing mobile applications, more often than not, is to be able to sniff HTTP/S traffic via a MITM proxy. This is quite straightforward in the case o...
https://blog.mindedsecurity.com/2024/05/bypassing-certificate-pinning-on.html
Nowadays, millions of people rely on iOS mobile applications for almost everything. As a result, iOS devices manage a significant amount of data, including sensitive data such as credentials,...
https://blog.mindedsecurity.com/2024/04/semgrep-rules-for-ios-application.html
ICS and Building Management Systems (BMS) support several protocols such as MODBUS, BACnet, Fieldbus and so on. Those protocols were designed to provide read/write control over sensors and ac...
https://blog.mindedsecurity.com/2024/03/testing-security-of-modbus-services.html
INTRODUCTION The number of Android applications has been growing rapidly in recent years. In 2022, there were over 3.55 million Android apps available in the Google Play Store, and this num...
https://blog.mindedsecurity.com/2023/10/semgrep-rules-for-android-application.html
In today's digital landscape, mobile application security has become a paramount concern. With the increasing number of threats targeting Android applications and the stored personal dat...
https://blog.mindedsecurity.com/2023/06/a-cool-new-project-semgrep-rules-for.html
Software security has come a long way in the past two decades. With the advent of new technologies and a rapidly evolving threat landscape, defending against cyber attacks has become more chall...
https://blog.mindedsecurity.com/2023/03/20-years-of-software-security-threats.html
The OWASP Global AppSec Dublin 2023 conference was a truly inspiring event for anyone involved in application security. As an attendee, I was able to catch up with OWASP colleagues and hear fr...
https://blog.mindedsecurity.com/2023/02/owasp-global-appsec-dublin-2023.html
On March the 31st, I gave a quick talk on automotive security at VTM titled "UN ECE 155 Threats in the Real World: Wireless Networking Attacks and Mitigations. A Case Study" (slides here). ...
https://blog.mindedsecurity.com/2022/07/un-ece-155-threats-in-real-world.html
There has been such hype about the Log4j issue, and since IMQ Minded Security's mission has always been about fixing, this informal post is about what's going on, how to check if someone's s...
https://blog.mindedsecurity.com/2021/12/the-worst-log-injection-ever-log4j-200.html
ABSTRACT In the first part, after a quick overview of the DNS Rebinding technique, we considered a practical example in which UPnP services have been exploited to perform NAT Injection atta...
https://blog.mindedsecurity.com/2021/08/a-journey-into-beauty-of-dnsrebinding.html
MOBILE SCREENSHOT PREVENTION CHEAT SHEET - TESTING AND FIXING The following article will explain how to test mobile applications against any implemented screenshot prevention mechanism and...
https://blog.mindedsecurity.com/2021/05/mobile-screenshot-prevention-cheatsheet.html
Authors Giovanni Guido Alessandro Braccio ABSTRACT In this first blog post about the DNS rebinding topic, we are going to show a practical example of a DNS rebinding attack against UPnP ser...
https://blog.mindedsecurity.com/2021/02/journey-into-beauty-of-dnsrebinding.html
Authors Alessandro Brucato Giorgio Rando INTRODUCTION Did you know the word “Cache” comes from French and means “Hidden”? If we transpose it to IT we can see why it has been n...
https://blog.mindedsecurity.com/2021/01/demystifying-web-cache-threats.html
INTRODUCTION It might occur that companies discover vulnerabilities on web application assets that were acquired by third party vendors. What happens if the asset is no longer supported/licens...
https://blog.mindedsecurity.com/2020/11/waf-journey-fixing-telerik-ui-remote.html
MOBILE SCREENSHOT PREVENTION CHEAT SHEET - RISKS AND SCENARIOS The following article will try to analyze and explain risks and attack scenarios affecting mobile applications without any implemen...
https://blog.mindedsecurity.com/2020/10/mobile-screenshot-prevention.html
Nowadays, almost every mobile device has a biometric sensor that allows developers to implement local authentication and also store sensitive data securely through dedicated APIs. Biometric au...
https://blog.mindedsecurity.com/2020/07/implementing-secure-biometric.html
BROWSING: WHAT COULD GO WRONG? There's so much literature about client side attacks, but most of the focus is usually about classical malware attacks, exploiting software vulnerabilities. ...
https://blog.mindedsecurity.com/2020/06/behave-monitoring-browser-extension-for.html
INTRODUCTION With recent worldwide events, a sharply increasing number of companies are offering remote services to their customers. Even traditional businesses are implementing new features o...
https://blog.mindedsecurity.com/2020/05/remote-working-web-chats-threats-and.html
OWASP SAMM V2 IS OUT! OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework to help organizations assess, formulate, and implement, through our self-assessment model, a strat...
https://blog.mindedsecurity.com/2020/04/owasp-samm-v2-lessons-learned-after-9.html
INTRODUCTION A well-known, never out of fashion and high-impact vulnerability is Path Traversal. This technique is also known as the dot-dot-slash attack (../) or as directory traversal, ...
https://blog.mindedsecurity.com/2020/03/how-to-path-traversal-with-burp.html
This is the last part of our 3-post journey discussing the main Amazon Web Services and their security. In the previous two parts we discussed two of the most used Amazon services, namely AWS ...
https://blog.mindedsecurity.com/2020/02/a-practical-guide-to-testing-security.html
Observability and metrics paradox It is also about observability: “If a tree falls in a forest and no one is around to hear it, does it make a sound?” …or… What is the return value (...
https://blog.mindedsecurity.com/2019/04/secure-development-lifecycle-sdl-value.html
Evolution of SDL practices: from custom to product to service The increasing visibility trend discussed in Part 1, of course, is impacting the current cybersecurity practices, in terms of matu...
https://blog.mindedsecurity.com/2019/04/secure-development-lifecycle-sdl-value_11.html
INTRODUCTION A well-known, never out of fashion and high-impact vulnerability is Path Traversal. This technique is also known as the dot-dot-slash attack (../) or as directory traversal, a...
https://blog.mindedsecurity.com/2018/10/how-to-prevent-path-traversal-in-net.html
INTRODUCTION Model-View-Controller web applications may be difficult to pentest, since they strongly depend, for almost any aspect, on the technology they are developed and deployed with. From...
https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html