What is the PCI DSS (Payment Card Industry Data Security Standard) – a beginner-friendly guide of the 12 requirements

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that all companies that deal with credit card information maintain a secure environment. The PCI DSS is the global data security standard administered and managed by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).

According to Complyify, “over 30 million companies are subject to PCI compliance through their contracts with payment card brands, banks, and payment service providers” making it “by far the world’s furthest reaching cybersecurity obligation“. [1]

While you may think companies would put a lot of emphasis and work into ensuring their compliance, according to Brian Pick at goanywhere.com [2], in 2017 “only 29% of companies were still compliant a year after validation”, and pcidssguide.com tells us that the fines for non-compliance range from $5,000 to $100,000 a month! [3]

7 Security risks to consider before migrating to mastodon

In the light of the recent acquisition of Twitter by Elon Musk, more and more people are migrating to Mastodon, a similar social media platform. Here are seven security risks that you should be aware of before opening a new account on Mastodon.

What is Mastodon?

Mastodon has been around since 2016 and is an open-source micro-blogging platform similar to Twitter. Here, users submit “toots” instead of “tweets”, the length limit is increased from 280 to 500 characters, and liking (marking as favourite) a post does not have much impact.

What really makes it different from Twitter is that anyone can host their own independent Mastodon server, and the admins are responsible for setting it up, keeping it running, managing the community and setting the content rules. Even you can host a server and be an admin. In some ways this is similar to Reddit communities, except that Mastodon servers are also hosted by their admins and there is nothing above them.

How I made 300 GitHub repos point to my blog using Azure subdomains takeover

Playing around in the Azure portal, I saw that it is pretty easy to register/unregister an azurewebsites.com subdomain while deploying an application. The idea that came into my mind was “how many references to azurewebsites.com are out there which are no longer maintained, and are available for takeover?”

So I decided to look through GitHub repos, collect the URLs, check them, register them myself, and redirect the traffic to my own blog.

Create an Azure Vulnerable Lab: Part #6 – AAD Enumeration and Password Spraying

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

Create an Azure Vulnerable Lab: Part #5 – Cloud Init

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

Create an Azure Vulnerable Lab: Part #4 – Managed Identities

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

Create an Azure Vulnerable Lab: Part #3 – Soft Deleted Blobs

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

Create an Azure Vulnerable Lab: Part #2 – Environment Variables

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.

Create an Azure Vulnerable Lab: Part #1 – Anonymous Blob Access

This article is part of a blog series where I explain common Azure vulnerabilities, how to create a lab such that it reproduces the issues, and how to exploit it. To follow this tutorial, you’ll need an Azure account and Azure CLI tool installed on your machine both of which you can get for free.