Skip to main content

January 21, 2016

Breaking Credit Card Tokenization – Part 4

Remember that the main point of credit card tokenization is to keep PANs (Primary Account Numbers) out of the main application-hosting environment. Me...

See Details

January 07, 2016

Breaking Credit Card Tokenization – Part 3

Many commerce apps—especially ones using credit card tokenization—implement a “My Profile” type feature in which the customer can save a form of payme...

See Details

January 05, 2016

Breaking Credit Card Tokenization – Part 2

Side channels are unintended ways information can be observed in a system. Attackers can leverage side channels to make software divulge details that ...

See Details

December 17, 2015

Bypassing CSRF Tokens via XSS

Many web development platforms provide libraries that handle the creation and validation of tokens with each HTTP request to prevent Cross Site Reques...

See Details

December 09, 2015

Breaking Credit Card Tokenization – Part 1

This is the first in a series of blog posts on the topic of breaking credit card tokenization systems and is the written version of several conference...

See Details

November 06, 2015

Assessing WCF NET.TCP Endpoint Configurations

Several years back, Microsoft shipped Windows Communication Foundation (WCF) as part of its .NET platform. The idea was simple: create a framework tha...

See Details

September 11, 2015

How Not to Obfuscate Passwords in Code

Software programs, from client-server to web to mobile, often need credentials to access a resource like a database or a web service. Storing these pa...

See Details

May 04, 2015

How Not To Prevent CSRF in a RESTful Service

Last Friday, Bluecoat and CERT published security advisories for vulnerabilities in the administrative interface of the Bluecoat SSL Visibility Applia...

See Details