A7 2017 – XSS (Part 1)

Most of the time, scripts come from places other than the web site itself. These scripts are allowed to operate on the page, and there is usually some mechanism in place to control their behavior. You can think of it as a sandbox: each web site runs pretty much independently. This also means that one site opened in a browser tab isn't allowed to access data from another site in the tab next to it. So, in theory, Cross-Site Scripting (or XSS) is basically a violation of this principle. In practice it's much worse.

Continue reading “A7 2017 – XSS (Part 1)”

A4: 2017 – XML External Entities (XXE)

XML is a very good way to store and organize data, and an XXE vulnerability takes advantage of the XML parser, not the data itself. It works like every other injection but has its own features. Overall, in my opinion, it's a little more complex than any other injection around.


Continue reading “A4: 2017 – XML External Entities (XXE)”

What is CISSP, how to get it, not to lose and why nobody needs it

So
It is an exaggeration to say that my road to CISSP began when I decided to study Cyber Security at my local university. People at the age of 17 are generally very bad at planning their lives, especially when it comes to new professions.

In fact, the decision to obtain CISSP was taken in 2017, when it became obvious that the professional certificates of major vendors had finally ceased to fulfill their main function: to confirm the knowledge and experience of specialists. I have no idea whom to blame: online collections of dumps, the general level of questions in the tests, unscrupulous test centers and a lot of other factors.

Continue reading “What is CISSP, how to get it, not to lose and why nobody needs it”