PSHA1 Algorithm for WS-Trust Server and Client Entropy Scenarios on Node.js

July 23rd, 2014

I’ve just published a new Node.js module that implements the P_SHA1 algorithm as specified in the TLS spec, which is used in the WS-Trust spec in scenarios where the service you want to call requires client and server entropy. It has been tested with Microsoft Dynamics CRM and ADFS. You can find the library here: https://github.com/leandrob/node-psha1 A […]

HTTP/HTTPS debugging on Mobile Apps with Man In The Middle

June 24th, 2014

In this post I want to share with you an amazing tool called Man in the Middle Proxy. As you can imagine, this tool is an HTTP/HTTPS proxy that allows you to debug not only HTTP communications but also HTTPS/SSL calls. Here you can see it in action! I did the tests […]

Windows Azure ACS Google Authentication Broken or “The difference between a serious cloud service and Windows Azure ACS”

June 13th, 2014

As you probably know, Google is migrating to OpenID Connect under the name of Google+ Sign-In, a migration that I celebrate. As part of this process, they are deprecating a couple of endpoints and authentication methods. As any serious cloud service would, they announced this migration a long time ago, publishing a schedule that clearly […]

CCS Injection: New vulnerability found on OpenSSL

June 6th, 2014

After the Heartbleed bug, a new critical vulnerability was found today in OpenSSL: CCS Injection. This new vulnerability is based on the fact that OpenSSL accepts a ChangeCipherSpec (CCS) message inappropriately during a handshake (the ChangeCipherSpec message is used to change the encryption being used by the client and the server). By exploiting this vulnerability an attacker could […]

Covert Redirect: Facebook and ESPN Security, oh my god…

May 3rd, 2014

Yesterday a vulnerability was published under the name of Covert Redirect as a new security flaw in OAuth 2.0 / OpenID. The article says: Covert Redirect is an application that takes a parameter and redirects a user to the parameter value WITHOUT SUFFICIENT validation. This is often the result of a website’s overconfidence […]