few realize how absolutely devastating and omnipresent this vulnerability can be
To give you an example of how vulnerable tools like Outlook email are: in 2016 the Annudef' (the Ministry of Defence directory) was downloaded twice, and we still do not know by whom.
😲😱😩
- XML internal entities
- Billion laughs attack / quadratic blowup
- XML external entity (XXE)
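Added example (not from the original page): a pre-parse triage of a DOCTYPE internal subset that flags the three items above before the document reaches a real XML parser. It sizes every entity from the declarations alone (so a billion-laughs payload costs nothing to detect), rejects any SYSTEM/PUBLIC entity (XXE), and uses a constructed billion-laughs generator and XXE sample as input. The regex-based parsing and the `1_000_000` expansion limit are assumptions for the example; a production system should also disable entity resolution in the parser itself (e.g. `defusedxml`) rather than rely on a filter.

```python
import re

# Entity declarations in a DOCTYPE internal subset, e.g.
#   <!ENTITY lol "lol">                        internal entity
#   <!ENTITY xxe SYSTEM "file:///etc/passwd">  external entity (XXE)
ENTITY_DECL = re.compile(
    r'<!ENTITY\s+(?:%\s+)?(?P<name>[\w.:-]+)\s+'
    r'(?:(?P<ext>SYSTEM|PUBLIC)\s+)?(?P<q>["\'])(?P<value>.*?)(?P=q)',
    re.S,
)
# References to other entities inside an entity value: &name; or %name;
ENTITY_REF = re.compile(r'[&%]([\w.:-]+);')


def parse_entities(xml: str) -> dict:
    """Return {name: (is_external, replacement_text)} for every declared entity."""
    return {m["name"]: (m["ext"] is not None, m["value"])
            for m in ENTITY_DECL.finditer(xml)}


def expansion_sizes(entities: dict) -> dict:
    """Size each entity would reach when fully expanded, computed from the
    declarations alone (nothing is actually expanded, so this stays cheap)."""
    sizes = {}

    def size(name, stack=()):
        if name in stack:                       # XML forbids recursive entities
            raise ValueError(f"recursive entity: {name}")
        if name not in sizes:
            _, value = entities[name]
            total = len(value)
            for ref in ENTITY_REF.finditer(value):
                target = ref.group(1)
                if target in entities:          # unknown refs (&amp; ...) stay literal
                    total += size(target, stack + (name,)) - len(ref.group(0))
            sizes[name] = total
        return sizes[name]

    for name in entities:
        size(name)
    return sizes


def analyze(xml: str, max_expansion: int = 1_000_000) -> dict:
    """Pre-parse triage: flag external entities (XXE) and entity blowup
    (billion laughs / quadratic) before handing the document to a real parser."""
    entities = parse_entities(xml)
    external = sorted(n for n, (is_ext, _) in entities.items() if is_ext)
    worst = max(expansion_sizes(entities).values(), default=0)
    verdict = "reject" if external or worst > max_expansion else "accept"
    return {"entities": len(entities), "external": external,
            "max_expansion": worst, "verdict": verdict}


def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed payload: lol9 -> 10 x lol8 -> ... -> 10^9 copies of "lol"."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    return (f'<?xml version="1.0"?><!DOCTYPE lolz [{"".join(decls)}]>'
            f'<lolz>&lol{depth};</lolz>')


# Constructed XXE sample: the classic local file read through an external entity.
XXE_SAMPLE = ('<?xml version="1.0"?>'
              '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
              '<foo>&xxe;</foo>')

BENIGN_SAMPLE = '<?xml version="1.0"?><doc>Tom &amp; Jerry</doc>'

if __name__ == "__main__":
    for label, doc in [("billion laughs", billion_laughs()),
                       ("xxe", XXE_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, analyze(doc))
```

The nine-level payload is under a kilobyte on the wire yet sizes to three billion characters; a quadratic-blowup document (one large entity referenced tens of thousands of times) is caught by the same size computation without needing nested entities.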
Or how I obtained direct publish access to 14% of npm packages (including popular ones)
"Here you have a trivially simple method of injecting legit-looking messages into text conversations with anyone, providing you know how your target stores the spoofee sender in their contacts. In the UK, that’s largely the difference between starting with 07, and +447.
The utterly exquisite reality is that, if your target then replies, that reply goes to the real sender, who is overwhelmingly likely to reply something like “what the hell are you on about?”, this being the first they’ve heard of this shady business. Does that look like backtracking or denial? I ain’t no Member of Parliament, but it sure sounds like it to me."
afl = american fuzzy lop
cf. http://lcamtuf.coredump.cx/afl/
"Luckily, afl-fuzz can leverage lightweight assembly-level instrumentation to its advantage - and within a millisecond or so, it notices that although setting the first byte to 0xff does not change the externally observable output, it triggers a slightly different internal code path in the tested app."
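Added example (not code from afl or lcamtuf): a miniature coverage-guided loop that reproduces the behaviour the quote describes. The constructed target always returns "ok", so black-box fuzzing would learn nothing; line coverage collected with `sys.settrace` stands in for afl's assembly-level instrumentation, and an input is kept only when it reaches a line no earlier input reached. The deterministic "interesting values" walk and the target's byte checks are assumptions made for the example.

```python
import sys

# Constructed target: the observable result is always "ok", but two nested
# branches are only taken for specific byte values (the hidden paths the
# coverage feedback has to discover).
def parse_header(data: bytes) -> str:
    state = 0
    if len(data) >= 2:
        if data[0] == 0xFF:
            state = 1                  # hidden path 1
            if data[1] == 0x80:
                state = 2              # hidden path 2, only reachable via path 1
    return "ok"


def run_with_coverage(func, data):
    """Run func(data) and record which of its source lines executed; this plays
    the role of afl's compile-time instrumentation."""
    hit = set()

    def tracer(frame, event, arg):
        if frame.f_code is not func.__code__:
            return None                # ignore frames of other functions
        if event == "line":
            hit.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        result = func(data)
    finally:
        sys.settrace(None)
    return result, frozenset(hit)


# A deterministic stage in the spirit of afl's "interesting values" walk
# (assumed set; afl's real list is longer and also covers 16/32-bit values).
INTERESTING = (0x00, 0x01, 0x10, 0x7F, 0x80, 0xFF)


def fuzz(target, seed: bytes) -> list:
    """Coverage-guided loop: an input joins the queue only if it reaches a
    line no previous input reached, regardless of what the target returns."""
    _, seen = run_with_coverage(target, seed)
    queue = [seed]
    i = 0
    while i < len(queue):
        base = queue[i]
        i += 1
        for off in range(len(base)):
            for val in INTERESTING:
                cand = base[:off] + bytes([val]) + base[off + 1:]
                if cand == base:
                    continue
                _, cov = run_with_coverage(target, cand)
                if cov - seen:         # output never changes, coverage does
                    seen |= cov
                    queue.append(cand)
    return queue


if __name__ == "__main__":
    for inp in fuzz(parse_header, b"\x00" * 4):
        print(inp.hex())
```

Starting from four zero bytes the queue grows to three entries: the seed, the input with byte 0 set to 0xff (new path, identical output), and then, built on that one, the input that also sets byte 1 to 0x80. Without the coverage signal the second and third inputs would have been discarded as uninteresting.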
You can easily build the equivalent of a hardware authentication token with your smartphone. There are applications that implement a standardized protocol for this: OTP (One-Time Password; the smartphone apps use HOTP/TOTP, RFC 4226/6238). The advantage of OTP is that no connection is needed between your OTP client (your smartphone) and the server: each side can generate and check the validity of OTPs offline, so the scheme works even when you have no GSM coverage.
This protocol produces a code that can only be used once. We will simply add an input field to the login form. You will see, it really is not complicated.
...password reset feature readily disclosing whether an email address already existed on the site...
Frankly, it's an exception when a site doesn't leak data through one of these enumeration risks in the password reset, registration and login features.
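Added example (not from the quoted article): the leaky password-reset handler next to its hardened form, plus the enumeration loop an attacker would run against each. The leaky version answers differently for unknown addresses, so the response is an oracle; the safe version returns the same status and body either way and does the same work on both paths. The user store and the `send_mail` callback are constructed stand-ins.

```python
import secrets

# Constructed user store (email -> password hash placeholder); not real accounts.
USERS = {"alice@example.com": "$argon2id$placeholder"}

GENERIC_REPLY = (200, "If an account exists for that address, a reset link has been sent.")


def reset_password_leaky(email: str, users: dict, send_mail) -> tuple:
    """The pattern the quote describes: the response tells the caller
    whether the address is registered."""
    if email not in users:
        return (404, "No account found for that email address")
    send_mail(email, secrets.token_urlsafe(32))
    return (200, "A reset link has been sent to your address")


def reset_password_safe(email: str, users: dict, send_mail) -> tuple:
    """Hardened: identical status and body either way; the token is generated
    on both paths so the branch adds no obvious timing difference either."""
    token = secrets.token_urlsafe(32)
    if email in users:
        send_mail(email, token)
    return GENERIC_REPLY


def enumerate_accounts(handler, candidates, users, send_mail=lambda e, t: None) -> set:
    """Attacker's view: addresses whose response differs from the response
    for a surely-unregistered address are the registered ones."""
    baseline = handler("not-registered@example.invalid", users, send_mail)
    return {e for e in candidates if handler(e, users, send_mail) != baseline}


if __name__ == "__main__":
    cands = ["alice@example.com", "bob@example.com"]
    print("leaky:", enumerate_accounts(reset_password_leaky, cands, USERS))
    print("safe: ", enumerate_accounts(reset_password_safe, cands, USERS))
```

The same discipline applies to registration ("that address is already taken") and to login error messages. Send the mail from a queue rather than inline, otherwise the SMTP round trip on the registered path reintroduces the difference as a timing signal.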
TL;DR : do not use autocomplete
Use rel="noopener noreferrer"
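Added example (not from the original page): a small audit that finds `target="_blank"` links missing `rel="noopener"` in a page, the check to run over templates before shipping. Without it the opened page holds a `window.opener` reference and can navigate the original tab (reverse tabnabbing); `noreferrer` additionally suppresses the Referer header and implies `noopener`. Current browsers default to `noopener` for `target="_blank"` anchors, but the explicit attribute still matters for older browsers and as documented intent. The sample HTML is constructed.

```python
from html.parser import HTMLParser


class BlankTargetAudit(HTMLParser):
    """Collect <a>/<area> elements that open a new browsing context
    (target="_blank") without rel="noopener"."""

    def __init__(self):
        super().__init__()
        self.findings = []          # (line number, href, rel as written)

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "area"):
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel_tokens = set(a.get("rel", "").lower().split())
        if "noopener" not in rel_tokens:
            self.findings.append((self.getpos()[0], a.get("href"), a.get("rel")))


def audit_html(html: str) -> list:
    """Return every offending link as (line, href, rel)."""
    parser = BlankTargetAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page fragment: one vulnerable link, one fixed, one same-tab.
SAMPLE_HTML = """<ul>
<li><a href="https://partner.example/" target="_blank">partner (vulnerable)</a></li>
<li><a href="https://partner.example/" target="_blank" rel="noopener noreferrer">partner (fixed)</a></li>
<li><a href="/about">about (same tab, nothing to fix)</a></li>
</ul>"""

if __name__ == "__main__":
    for line, href, rel in audit_html(SAMPLE_HTML):
        print(f"line {line}: {href} opens a new tab with rel={rel!r}")
```

Note that `noreferrer` alone is also accepted by browsers as implying `noopener`; the audit above deliberately demands the explicit token, which is the convention the bookmark recommends.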
So which security considerations are relevant at an early stage?
- What security concerns were raised by customers willing to pay for your product?
- What are the security expectations in your industry (Medical, Finance, Enterprise)?
- What are the target market (country) regulations (Data Privacy, Data Residency)? Europeans are known to have tougher regulations. Different US States have different regulations.
- Which tools and policies would not hurt your team's morale?
- How long would it take you to prepare a security risk plan (see example at the bottom of this document)?
reverse - Reverse engineering for x86 binaries. Generation of pseudo-C.
A step-by-step account of an overnight digital heist