Input validation of free-form Unicode text in Python


Input validation is one of the most important application security controls, and still there's a huge gap when it comes to handling one of the most popular types of user input — free-form text with Unicode characters. This article demonstrates a simple way of dealing with Unicode text using Python.

Stop reporting "Received UDP packet with IP ID of zero" vulnerability


tl;dr "Received UDP packet with IP ID of zero" is neither a vulnerability nor a misconfiguration worth reporting, even as an informational issue.

Understanding HTTP cookie SameSite flag usage scenarios


While implementing the HTTP cookie SameSite flag for Django session cookies I also had to document it, which is always a good opportunity to create a brief but comprehensive description of the security control in general. As it will surely be used by security scanners in the future, and SameSite can take two values, here's a brief discussion of their usage scenarios.

Generating CSP and HPKP headers in Ansible template


Content Security Policy headers can grow very long and as such are error-prone if edited manually. One way to resolve that is to generate them with a template language from a clean YAML structure, for example using Ansible.

Securing cloud servers with IPSec and Ansible


Back in the 90's the IPSec suite of protocols was originally designed to provide host-to-host encrypted communications, but as a result of a number of factors it ended up being used almost exclusively as a gateway-to-gateway protocol for VPN tunnels. Exploring options to secure my cloud infrastructure I found that IPSec can be quite successful at this task, greatly reducing the burden of transport encryption at the application layer.

Controversial HTTP Public Key Pinning bypass?


HTTP Public Key Pinning is now a pretty well established standard, as defined by RFC 7469, with a visible presence among production websites (e.g. There's one controversial topic that has been recently raised on a number of forums, including IETF and OWASP, but is little known outside.

Rooting the Moto G (2014) model XT1072, a success report


Switching smartphones was usually a tough choice for me, as I'm not very much into the consumer market and I quickly get bored by endless feature comparisons. ProductChart was helpful in initially narrowing down the choice, and the Moto G 2nd generation 4G model from 2014, codenamed XT1072, was chosen as the preliminary candidate.

Securing your email domain with DMARC, DKIM and SPF


Having a number of domains that were registered a long time ago and never even once used for sending any email typically results in tons of spam being not only sent to these addresses — which you can just filter and ignore — but also from them, as they are used to build fake headers by spam software. Here's one method to deal with that.

Content Security Policy versus injection and man-in-the-middle attacks (MITM)

Can Content Security Policy prevent content injection and man-in-the-middle attacks? This is an expanded version of a discussion we had with @synackpse and @bryanbrake after my CSP podcast last month.

How much do GCC security features cost?


GCC has a number of useful features to mitigate possible bugs in the code and a whole new batch was added in version 4.9 with the arrival of Sanitizers. How feasible is their usage in production?

AdSense in a sandboxed IFRAME

Google AdSense is a convenient way to recover at least part of the hosting costs of a blog or community website, but security-conscious webmasters will always be a bit uncomfortable about embedding third-party JavaScript in their websites.

Writing meaningful and professional penetration testing reports

I have been through hundreds of penetration tests over the last few years, both on the testing side and on the "defending" side. Actually, in many cases I'm doing routine, internal security testing on apps that then go through a 3rd party pentest, so I can compare their results with mine. It's probably not very surprising that BurpSuite is the tool of choice for almost everyone, because it's reliable, feature-rich and well priced — £199 per year in this business is really cheap.

Electronic signature and alternative authorisation methods, using the example of the Trusted Profile (Profil Zaufany) of the ePUAP platform


Bachelor's thesis by Marcin Prządło, written under the supervision of Prof. dr hab. Tadeusz Grabiński at the Andrzej Frycz Modrzewski Krakow University, Faculty of Economics and Management.

Content Security Policy and empty blocked-uri

Content Security Policy violation reports are usually very helpful not only in debugging your security policy, but actually in building it from scratch. There is, however, one case where they can be quite annoying...

First hand experience with Internet censorship in Russia

Spending two weeks in Russia I had an opportunity to look at how their Internet censorship system operates in practice. As human rights watchdogs have already warned, the scope of blocked websites now goes way beyond the typical criminal content initially declared by the government and now routinely includes political content. The good news is that the system is still easily bypassable even by an inexperienced user.
