July 23rd, 2014
I’ve just published a new Node.js module that implements the P_SHA1 algorithm as specified in the TLS spec, which is used by the WS-Trust spec in scenarios where the service you want to call requires client and server entropy. It has been tested with Microsoft CRM Dynamics and ADFS. You can find the library here https://github.com/leandrob/node-psha1 A […]
June 24th, 2014
In this post I want to share with you an amazing tool called Man in the middle proxy. As you can imagine, this tool is an HTTP/HTTPS proxy that allows you to debug not only HTTP communications but also HTTPS/SSL calls. Here you can see it in action! I did the tests […]
June 13th, 2014
As you probably know, Google is migrating to OpenID Connect under the name of Google+ Sign-In, a migration that I celebrate. As part of this process, they are deprecating a couple of endpoints and authentication methods. As any serious cloud service would, they announced this migration a long time ago, publishing a schedule that clearly […]
June 6th, 2014
After the Heartbleed Bug, a new critical vulnerability was found today in OpenSSL: CCS Injection. This vulnerability is based on the fact that OpenSSL accepts a ChangeCipherSpec (CCS) message inappropriately during a handshake (the ChangeCipherSpec message is used to change the encryption being used by the client and the server). By exploiting this vulnerability an attacker could […]
May 3rd, 2014
Yesterday a vulnerability was published under the name of Covert Redirect as a new security flaw in OAuth 2.0 / OpenID. The article says: Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation. This is often the result of a website’s overconfidence […]