NodeJS URL Shortener

Recently I wrote an article on Ghost blog integration with a URL shortener (the dirty way). This is in sequence to it but with custom URL shortener running on my own machine. While most of this code is shared from codebyte article, I have enhanced it to serve two purposes, Authenticate using API Key Validate URL(s) or ID(s) for duplicate Response support in JSON or TXT format At present the setup is running...

Ghost Blog Image Alignment

Its around 2:00 AM, and before I call it a day (a long day), I thought to post a quick blog on custom image alignment in Ghost Blog Platform. Without further ado, as of Sep, 2016 Ghost doesn't support custom image alignments and ruling. It means all images in the blog are aligned default (none) and text breaks around it. Default Alignment:It means the images are aligned with the page, and the text...

Ghost Blog and custom URL Shortening

It's been 2 years and Ghost Blogging Platform is doing well and the downloads are going up. Kudos to the team. While the platform is doing good, we are miles from reaching the point where we have apps, plugins and smooth migrations/ customisation etc. And in this blog I would mention one such thing which I personally like - URL Shortener(s); specially when we share the links over social media. I have had discussions...

Target _Blank - The Infamous Issue

This is one of those vulnerabilities which hasn't got enough spotlight, and therefore vendors are still reluctant to fix it. Some of the vendors do not consider this a vulnerability at all. Here via this blog post, I would like to highlight this issue, and also possible workaround(s). What is "target="_blank""? If you have done the HTML coding you must be aware of the target=_blank when you write your links via href....

NIST Digital Auth and Password Rules

Passwords are important and it's no secret that we are bad in finding complex passwords during sign-up processes. The initial idea of OneID, or OAuth is not doing very well for the common user, and therefore people are registering on 100s of websites - commercial, social networks, banks etc. without managing well with password complexities. While the tools to crack 8-10 characters passwords are speeding up the process, people are still resenting to keep passwords...

Linux TCP ACK Issue (Part 1)

A flaw in the Linux kernel used since late 2012 allows adversaries to inject malicious traffic, without MITM. In a Wednesday presentation at the USENIX Security Symposium researchers showed that this flaw lies in the Transmission Control Protocol (TCP) used by Linux since late 2012. In their research paper - Off-Path TCP Exploits: Global Rate Limit Considered Dangerous, the researchers document possible use cases, and attack scenarios on how this global limit be exploited to...

Lessons from LinkedIn DB Breach

We are aware that social networking site LinkedIn was breached in June, 2012 and nearly 6 million user credentials were stolen. In May 2016 it's confirmed that nearly 115+ million credentials were stolen, and are now available for sale. So, it's time we revisit what went wrong, and what can we learn from it. First and foremost, there were vulnerabilities (or at-least one) in the web-application and the way it queries the DB was not...

NIST: Cyber Threat Information Sharing

Reference: 800_150_Draft Document Note: This article summarizes the draft paper, and may contain snippet(s) from it. I love you NIST (National Institute of Standards and Technology). I admire the contribution and knowledge available @NIST and we all have gained a lot from these standards. Now, when I read the draft on “Cyber Threat Information Sharing” (SP800-150) my first reaction was – Oh good God, finally its here! Its been so long I was...

You aid spammers! LION vs. Sheep

It’s 21st century, the year 2014 and we are still on ground zero talking about spam emails and attacks like spear phishing. No matter how stringent your controls are, how much you have invest in your "defense in depth" approach, a single human being of your firm clicking a link on an unsolicited email can crumble your empire. This is not at all melodramatic as it sounds. It is for real, is scary and...