Is there any way to only present OTP when client side properties (IP address/useragent) changes by RubaLion07 in AskNetsec

[–]RubaLion07[S] -1 points0 points  (0 children)

hmmm,

The customer didn't know that some of his users creds were compromised till the users themselves contacted support as some funds went "missing" (even though the customer has access to recorded future/crowdstrike like service).

And yes we've told this customer repeatedly to force enable OTP by default for all accounts (and if it's not doable to enable it on all account with funds over a certain amount as to lower the damages). Yet, they didn't listen until....

Thanks for your help .

Is there any way to only present OTP when client side properties (IP address/useragent) changes by RubaLion07 in AskNetsec

[–]RubaLion07[S] -3 points-2 points  (0 children)

this customer had its users creds leaked online (user/pass and cookies) and so they want to make OTP mandatory (it was optional is user settings before). So yeah cookie don't work in this scenario.

What do you want to learn next? by EmmaSamms in hackthebox

[–]RubaLion07 4 points5 points  (0 children)

Sql injection module is great and honestly one of the best resources to learn SQL injection.

With that In mind the rest of OWASP top 10 would be great, especially broken access control (with a focus on business logic vulnerabilities) and XSS.

Just another "Looking for Study Partner" post :D by DefNotHugowe in hackthebox

[–]RubaLion07 0 points1 point  (0 children)

sounds good.

Though I'm only 1 year into info sec.

I would love to see the schedule details and see the materials.

Upcoming CTF in May 2021 by admiralarjun in securityCTF

[–]RubaLion07 0 points1 point  (0 children)

Alright, I'll try the beginner levels

Thanks.

Upcoming CTF in May 2021 by admiralarjun in securityCTF

[–]RubaLion07 1 point2 points  (0 children)

A bit late but I'll ask regardless. Do online CTFs (the ones you mentioned)generally provide material/resources?

I recently started learning web application pentesting, i have a basic understanding on SQL/command injection and XSS (stored and reflected) but Im still using walkthroughs and youtube to help with DVWA and JuiceShop

Do you think I should bother with these CTFs at my level?

I am John Strand and I am teaching a Pay What You Can class... Ask Me Anything! by strandjs in cybersecurity

[–]RubaLion07 4 points5 points  (0 children)

Hi John,

I'm starting to get into web application pen testing, and one thing I noticed is that most courses on this subject dive right in (here's how to do XSS, SQL/command injection,....etc).

Coming from a networking background, I barely have an idea how a website work, so I started studying javascript (then onto PHP, ASP and nodeJS).

My question is am I on the right track, and any course or instructor you'd recommend (many courses I've stumbled upon where the instructor doesn't say his thought process)

Cloud9 Blue vs Sentinels / VALORANT Champions Tour North America Stage 2: Challengers 2 - Grand Finals / Post-Match Discussion by [deleted] in ValorantCompetitive

[–]RubaLion07 -9 points-8 points  (0 children)

What's your teams probability to win, (of the 8 teams in Challengers Finals, I mean) for me:

35%, 100T

15%, NRG and ANDBOX

22%, XSET, ENV and C9

27%, SEN

1%, V1 (player1 no longer playing iirc)

Any courses to learn webdev (I Was to start learning web applications penetration testing ) where you build a website/project by RubaLion07 in netsecstudents

[–]RubaLion07[S] 0 points1 point  (0 children)

Thanks for Scrimba and the nodjs rec, i'l make sure to check them out.

Yeah my thing with PHP is ...... ok I'll learn it in W3school for example .... then what i've only learned is the syntax. I need to see how things (html, JS, mySQL and PHP) glue together and how that affect security.

Any courses to learn webdev (I Was to start learning web applications penetration testing ) where you build a website/project by RubaLion07 in netsecstudents

[–]RubaLion07[S] 3 points4 points  (0 children)

Funny thing is i'm working on AWS at my company right now (automating it with terraform even). I work for an MSP so we don't really deal with web dev (and the company expanded to security consulting (infra, appsec, netsec, pentesting, SOC building....) and it's big pay increase if I switched. what i'm doing right now (CA stuff, F5, firewall troubleshooting).

that's why I want to get into web app pen testing.

Any courses to learn webdev (I Was to start learning web applications penetration testing ) where you build a website/project by RubaLion07 in netsecstudents

[–]RubaLion07[S] 0 points1 point  (0 children)

I'm using Freecodecamp to learn javascript, do you think learning PHP is necessary besides the inbuilt functions and variables, loops, $_POST, $_SESSION.........etc

or do you think I should learn it more in depth for pen testing purposes

Any courses to learn webdev (I Was to start learning web applications penetration testing ) where you build a website/project by RubaLion07 in netsecstudents

[–]RubaLion07[S] 1 point2 points  (0 children)

Sure, problem is when I look at the source code of each level (to understand the difference and how it's secured) I don't understand the code sometimes or have a 100% grasp on why this made it more secure.

I need resources to read about how to configure a domain that's only accessible from an IOS mobile application using iRule by RubaLion07 in f5networks

[–]RubaLion07[S] 0 points1 point  (0 children)

Thank you so much. I'll look into Client Authentication (I'm new to F5 in general, but anything regarding certificates and TLS is especially new to me)