Touch ID auth - a boon or bane?

With the advancement of technology, applications are moving from traditional to modern ways of authentication. Biometric-based authentication is being used more and more alongside password-based authentication. One such example is Touch ID, which uses the user's fingerprint to authenticate the user to the device or app.
How does it work: At a high level, when a user chooses to authenticate to the phone using fingerprints, the fingerprints are stored on the device in the form of hashes. The next time the user tries to authenticate and submits a fingerprint, the device matches the submitted fingerprint hash against the stored ones and decides whether to authenticate the user or not.
Sounds good, but what's the issue: It's a very convenient technology; the phone opens with just a light touch of your finger. No need to remember, change or maintain a PIN or password. It's more secure because it's completely unique, and it…

Certificate Pinning in mobile apps

What is certificate pinning:
Certificate pinning is a countermeasure against MITM (man-in-the-middle) attacks, where an attacker tries to inject his own certificate in order to sniff the traffic between the client and the server.

Why cert pinning is required:
The question here is why it's required for mobile apps and not for browsers. The reason is that mobile apps are very opaque: it is very difficult to see what is going on behind the scenes, and the end user gets no warning from the app about possible malicious activity. In a desktop browser, by contrast, the user is presented with various TLS warnings (domain name not matching, untrusted issuer, etc.). These alert the user that something is not right, and he has the option to accept or reject the connection; in a mobile app that is not the case.

How to do it:
Generally it's done at the code level, where the developer binds (pins) a certificate to the app. It amounts to hard-coding the cert name, CA…

When authentication is not really an authentication

When authentication is not really authentication, just identity. We'll talk about a design flaw.
Identity is just the identification of an entity such as a person or object: who they are. But when it comes to proving who they are, the entity must supply some sort of credential, such as a password or certificate, to back up the identity claim.
Let's consider a hypothetical thick-client, 2-tier app (which is never a good idea, but let's think about it). It has the following design:

1. The UI is protected by a login screen which requires AD (Windows) authentication of the logged-in user. The login screen is a separate exe.
2. Once the user is authenticated, a separate UI exe is launched with the logged-in user's privileges.
3. The same login screen also provides the details of the DB this app connects to once authentication is successful.

What risks do we see here, apart from the traditional 2-tier risks such as decompiling, business logic on the client side,…

ZigBee test cases

Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, such as for home automation, medical device data collection, and other low-power low-bandwidth needs, designed for small scale projects.

Here are some generic test cases (please enlarge for a clearer view):

Nice article on the recent Equifax hack

Americans who either applied for new jobs, loans, or just wanted to check their credit score via Equifax are having a difficult time getting answers as to whether they are part of the breach of 143 million records that occurred Thursday. The company disclosed yesterday it was the victim of a massive cyberattack. From mid-May to the end of July this year, Equifax said criminals accessed files including names, Social Security numbers, birth dates, addresses and even driver’s license numbers. Since the revelation, the company’s site has been overwhelmed with worried website visitors that have brought the site to a crawl and at times rendered it unreachable.

LFI to DB and backdoor

I am describing a high-level, theoretical way of converting LFI to DB compromise and creating a backdoor. A long time ago, I came across an application which was vulnerable to LFI (Local File Inclusion).
The LFI found was different from the traditional one, since the filenames were not being passed in any parameter, so it was hard to detect as well. A file called default.cgi contained code which looks for a file in the directory and includes it for some sort of processing (that was a business requirement); if not found, it displayed a 'File not found' error. So in order to exploit it one needed to append a file name just after default.cgi?. This way, one could view any file from the app server down to the OS level. Many sensitive files were easily accessible, even from other folders. /etc/passwd was accessible but /etc/shadow was not present, unfortunately.
After browsing through almost all the files present on the server, I came across a few interesting files (conn.cgi) which contained the logic of connect…
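The include pattern behind the LFI described above, shown in vulnerable and hardened form. This is an added example, not code from the original post or from the application it describes; the include directory, the allowlisted file names and the handler shape are hypothetical.

```python
"""Added example (not from the original post): a default.cgi-style include
handler, first as the vulnerable lookup, then hardened with an allowlist and a
path-containment check. INCLUDE_DIR and INCLUDABLE are hypothetical."""
import os

# Hypothetical directory the CGI script serves its includes from.
INCLUDE_DIR = "/var/www/app/includes"
# Allowlist: the only files the business logic is ever expected to include.
INCLUDABLE = {"report.txt", "summary.txt"}


def vulnerable_resolve(requested):
    """Mirrors the behaviour described in the post: the name taken from the
    request is looked up as-is. os.path.join discards the base directory when
    the second argument is absolute, and '..' segments walk out of it, so
    '/etc/passwd' and '../../../../etc/passwd' both leave INCLUDE_DIR."""
    return os.path.normpath(os.path.join(INCLUDE_DIR, requested))


def hardened_resolve(requested):
    """Return an absolute path only if the request names an allowlisted file
    that really resolves inside INCLUDE_DIR; otherwise None."""
    # 1. Only bare, allowlisted file names are acceptable. This alone stops
    #    absolute paths, traversal and reads of other files such as conn.cgi.
    if requested not in INCLUDABLE:
        return None
    # 2. Defence in depth: even an allowlisted name must stay inside the
    #    directory after symlinks and '..' are resolved (a symlinked include
    #    pointing outside the directory would otherwise slip through).
    base = os.path.realpath(INCLUDE_DIR)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def handle_include(requested):
    """What the handler does with the result: one uniform error, so the
    response does not reveal whether files outside the allowlist exist."""
    path = hardened_resolve(requested)
    if path is None:
        return (404, "File not found")
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return (200, fh.read())
    except OSError:
        return (404, "File not found")


if __name__ == "__main__":
    for name in ("report.txt", "/etc/passwd", "../../../../etc/passwd", "conn.cgi"):
        print(f"{name!r}: vulnerable -> {vulnerable_resolve(name)}, "
              f"hardened -> {hardened_resolve(name)}")
```

The allowlist is the real control; the `realpath` containment check costs nothing and covers the case where an allowlisted file is later replaced by a symlink.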

Solving SSL error in python: certificate verify failed

To do away with the SSL handshake errors below, where urllib is very strict in verifying SSL certificates, we can ask it to relax:

Add the below lines:
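Two things from this page in working Python: the TLS context that makes a `certificate verify failed` error go away without giving up verification (supply the CA that actually signed the server certificate, rather than switching checks off), and the certificate pin check that the "Certificate Pinning in mobile apps" post describes at the code level. This is an added example, not code from the original posts; the CA bundle path, the host name and the fingerprint values are placeholders.

```python
"""Added example (not from the original posts). Placeholders: the CA bundle
path, the host name and the fingerprints passed to pin_matches()."""
import hashlib
import hmac
import http.client
import ssl
import urllib.request


def make_verified_context(cafile=None):
    """The fix for 'certificate verify failed' when the server uses a private
    or self-signed CA: hand urllib that CA instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverified_context():
    """What 'relaxing' urllib amounts to: no chain check and no hostname
    check, so any certificate an attacker presents is accepted. Shown only
    for contrast with make_verified_context()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_pins):
    """Constant-time check against a set of allowed fingerprints; pinning
    more than one lets a planned certificate rotation go through."""
    fp = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fp, pin.lower()) for pin in expected_pins)


def open_pinned_connection(host, expected_pins, context=None, port=443):
    """Connect with full chain and hostname verification, then refuse to
    send anything unless the leaf certificate matches one of the pins."""
    conn = http.client.HTTPSConnection(
        host, port, context=context or make_verified_context())
    conn.connect()
    leaf = conn.sock.getpeercert(binary_form=True)
    if not pin_matches(leaf, expected_pins):
        conn.close()
        raise ssl.SSLError(f"certificate pin mismatch for {host}")
    return conn


if __name__ == "__main__":
    # urlopen accepts the context directly; replace the CA path with your own.
    ctx = make_verified_context(cafile="/path/to/internal-ca.pem")  # placeholder
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    # Pin check demonstrated on constructed bytes, so it runs offline:
    sample_cert = b"constructed stand-in for a DER certificate"
    good_pin = cert_fingerprint(sample_cert)
    print("pin matches:", pin_matches(sample_cert, [good_pin]))      # True
    print("pin matches:", pin_matches(sample_cert, ["00" * 32]))     # False
```

The contrast is the point: `make_unverified_context()` silences the error by accepting every certificate, which is exactly the MITM case pinning exists to prevent; `make_verified_context(cafile=...)` silences it by trusting the right issuer, and `open_pinned_connection()` narrows trust further to a specific certificate.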