Security Blogs
Written by Kiprosh, a team of passionate and disciplined craftsmen turning your ideas into reality.
Kiprosh is now part of LawLytics
What is ReDoS?
Regular expression Denial of Service (ReDoS) is a security vulnerability that can occur in a regular expression (regex) when the regex is applied to a long string. This attack is designed to make a system or network unavailable to its intended users.
An example occurrence of ReDoS
Imagine that a website has a form that accepts user input and uses a regex to validate the input. The regex is designed to only allow alphanumeric characters in the input, so it looks like this: /^[a-zA-Z0-9]+$/. An attacker could potentially craft a string of input that consists of
To enhance the security of a web application that has a user authentication workflow, we use a security method called 2FA, also known as Two-Factor Authentication (a type of Multi-Factor Authentication). In this blog post, we will see how to implement email-based 2FA in the ActiveAdmin auth of a Ruby on Rails application. In the email-based 2FA approach, when a user logs in with an email and password, an OTP is sent to the registered email address. Upon entering the OTP, the user is successfully authenticated and the session is started. Also, we will see the following additional functionality and customizations
1) URL manipulation through HTTP GET methods: The tester should check whether the application passes important information in the query string. This happens when the application uses the HTTP GET method to pass information between the client and the server. The information is passed in parameters in the query string. The tester can modify a parameter value in the query string to check whether the server accepts it. Via an HTTP GET request, user information is passed to the server for authentication or for fetching data. An attacker can manipulate every input variable passed from this GET request to the server in order to get the required information