
Archives: Security

Special HTTP Verb to request and view Documents online

May 28, 2019 by kiranbadi1991 | Filed in Development, Others, Process, Project Management, Security

First American Financial Corp recently exposed a large amount of data (885 million files related to real estate) to external parties. This leak probably affected close to 885 million people, assuming each file relates to one property and one person or family.

The leak mainly happened by modifying a URL parameter of the request. I have written quite a bit of code to fetch files for viewing online, downloading, etc.

The most common way of writing this type of functionality is to write a controller class that gets the file for viewing (renders the document in the browser), a service layer that populates the file template, and a data access layer that fetches data by some id from the database or a cache store to populate the template. All these steps, along with the document viewing itself, most frequently happen via the GET verb. Of course you can have secured GET requests.
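The controller/service/data-access pattern described above, as an added example that is not code from the original post (document ids, owner ids and contents are constructed): the lookup by id alone, which is what lets an edited URL parameter return someone else's file, beside the same lookup scoped to the authenticated user, which is the server-side check a "secured GET" needs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner_id: int
    body: str


# Constructed sample records standing in for the database / cache store.
DOCUMENTS = {
    1001: Document(1001, owner_id=7, body="escrow statement for property A"),
    1002: Document(1002, owner_id=9, body="wire instructions for property B"),
}


class NotFound(Exception):
    pass


def view_document_insecure(doc_id: int) -> str:
    """Controller in the leaky shape: the data access layer fetches by id
    only, so any caller who changes the id in the URL gets any document."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def view_document(doc_id: int, current_user_id: int) -> str:
    """Same controller with object-level authorization: the lookup is scoped
    to the authenticated user (taken from the session, never from the URL).
    A missing id and another owner's id produce the same error, so a guessed
    id does not even confirm that a document exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != current_user_id:
        raise NotFound(doc_id)
    return doc.body


def can_view(doc_id: int, current_user_id: int) -> bool:
    """Authorization decision alone, for audit logging or tests."""
    try:
        view_document(doc_id, current_user_id)
        return True
    except NotFound:
        return False
```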

The whole purpose of the GET verb is to fetch a resource, which it does as described in the specs. However, I feel document viewing is a special type of use case that requires a special HTTP verb, for which browsers could most of the time provide inbuilt protection for cases like First American Financial Corp (similar to how browsers prompt on double submits).

This verb would help solve other issues as well, like malware, excessive ads, viruses, etc. It would make the web much cleaner.

PS: Though I know that First American Financial Corp's leak is due to poor development practices, I believe that generally the browser or web specs should provide a first level of defense against these types of lapses.

Compromised Passwords/Account Verification

August 21, 2018 by kiranbadi1991 | Filed in Development, Security

I browse the internet a lot and have accounts across many sites. Sometimes I forget and tend to reuse my password. My account has been compromised many times.

Today, while resetting my password for GitHub, I came across an interesting site that helps users avoid reusing compromised passwords and informs the user if their password has been compromised.

As developers we often need to provide some extra security to our users, and this site seems to be the best effort by an individual that serves the larger purpose (it exposes the information via a REST API).

Hopefully the community notices this effort and we secure ourselves by sharing information.

Thank you Troy Hunt.


Is Facebook Hacked Today

September 8, 2011 by kiranbadi1991 | Filed in Security, Testing

Just trying to log on to my Facebook account gave me the screenshots below. Making sure I was indeed keying in the URL of Facebook, I checked with the IE Developer Toolbar. Seems like something is wrong with Facebook today. Perhaps it's time that Facebook hired some security testers.

[Screenshots: Untitled, Untitled1]
