On CRLs, OCSP, and a Short Review of Why Revocation Checking Doesn't Work (for Browsers)

Today I am going to talk about some regulation details of SSL/TLS connections. These connections rely on a chain of trust. This chain of trust is established by certificate authorities (CAs), which serve as trust anchors to verify the validity of who a device thinks it is talking to ...

more ...

A Closer Look at Chrome's Security: Understanding V8

In 2008, Google released a sandbox-oriented browser, that was assembled from several different code libraries from Google and third parties (for instance, it borrowed a rendering machinery from the open-source Webkit layout engine, later changing it to a forked version, Blink). Six years later, Chrome has become the preferred browser ...

more ...

A List of Common Web Vulnerabilities

Although nomenclatures don't help much when you are facing a security problem, I am keeping this list for a systematic organization. It is constantly been updated.

In addition to this list, you can check some specific web exploration older posts: Exploiting the web in 20 lessons and D-Camp CTF ...

more ...

Exploring D-CTF Quals 2014's Exploits

Last weekend I played some of the DEFCAMP CTF Quals. It was pretty intense. For (my own) organizational purposes, I made a list of all the technologies and vulnerabilities found in this CTF, some based on my team's game, some based on the CTF write-ups git repo.

Vulnerabilities

Remote ...

more ...

Exploiting the Web in 20 Lessons (Natas)

cyber

Continuing my quest through the Wargames, today I am going to talk about the 20 first levels of Natas, the web exploitation episode.

I divide the exploits into two parts. The first part contains the easy challenges that don't demand much art (and are a bit boring). The second ...

more ...