
Posts

Showing posts from May, 2022

OWASP ZAP - overview

OWASP ZAP (Zed Attack Proxy) is an open source penetration testing tool developed by a large community of volunteers under the Open Web Application Security Project (OWASP). ZAP is a security testing tool capable of running a wide range of attacks against a web application, and it is designed for every level of skill, from trainee web developers to security professionals. It acts as an intercepting proxy between the browser and the target application, occupying the same position an attacker holds in a man in the middle attack. ZAP can scan for hidden content, check for known vulnerabilities, brute-force passwords, intercept and modify requests and responses, and much more. With a large library of add-ons contributed by the community, ZAP can target a very specific aspect of a particular kind of web application, including recently disclosed vulnerabilities. It can also act as a browser plug-in, providing the tester with normally hidden information, for example HTTP headers and conten...

Web Apps Survey: Primary Research Questionnaire

Primary Research Questionnaire. In order to learn about the security and privacy concerns of the wider public regarding websites and online services, I created a questionnaire. I would encourage you to help with the research by completing the quick and anonymous survey: Web Apps Survey. The survey should take no more than 3 minutes. The main part consists of 18 "tick" questions divided into 4 categories: 1: Demographic details. It could be beneficial for the research to correlate results with demographic factors such as age range, gender or computer proficiency. 2: Service preferences. Results from this section would allow learning more about users' engagement with online services compared to other methods of service provision. 3&4: Personal opinions. How users feel about their privacy and security while using websites providing different kinds of services. This is finalized with an opportunity to provide a more detailed answer: 5: Optional comments. It is always worthwhile to learn about opinions expressed d...

Diagram 2: HyperText Transfer Protocol

Protocols in ICT are sets of rules that enforce a certain manner of communication between different devices so that they can understand each other. HTTP is one of numerous protocols used to transfer information over the Internet; in short, it was designed to serve websites. HTTP version 1.0 (HTTP/1.0) was documented and published in 1996, followed by the improved version 1.1 a year later, in 1997. HTTP/1.1 is still broadly used at present. Work on HTTP/2 was officially finalized in 2015 and the new version delivered a number of performance and security improvements. An especially important advantage was multiplexing, which made it possible to request multiple files over a single connection without waiting for the previous request to complete. Version 3 of HTTP introduces substantial changes to the protocol, replacing TCP with the UDP-based QUIC transport and altering the way of communication towards the manner known from live online applications like video games: maintaining an open connection between client and server, and streaming all reques...

Cookies: are they really a threat? - conclusion

Cookies are an extremely useful tool and almost essential in every web application. While they are harmless by themselves, good practices for securing them correctly should develop into standards to ensure the end user's privacy is well protected and respected. When common sense is applied by both developer and consumer, cookies should not be considered a threat.

Cookies: are they really a threat? - cntd

The first question that needs to be addressed is very straightforward: can cookies harm the user or the device directly? The answer seems to be simple: no, they cannot cause any harm on their own. A cookie is plain text that the browser stores and sends back; even if a cookie carried a virus, there is no way to execute it, so a user's device cannot be infected directly by a cookie (Kaspersky, n.d.). However, saving data on users' devices without their control poses a serious privacy issue that has to be further regulated by both legislation and ICT standards. Since 2018, EU and UK residents have been protected by the GDPR, the General Data Protection Regulation. Among other issues, the new law addresses matters related to cookies (it treats cookie identifiers as personal data and tightens what counts as valid consent, building on the earlier ePrivacy Directive), regulating and protecting consumers' rights in this area. However, the possibilities for enforcing GDPR are limited. According to different statistics, from 51% to 74% of websites in the EEA failed surface compliance tests. Despite all efforts, the law itself is not really consumer...

Cookies: are they really a threat? - research essay introduction

Cookies: are they really a threat? At present, the Internet is flooded with requests to accept cookies, so it is worth knowing what cookies are and why they suddenly seem to be everywhere. Cookies are not a fresh invention: they were designed in 1994 and, from the developer's point of view, they are special variables that are saved on the client's device (Kaspersky, n.d.). Within web applications, data is often saved in a database for long-term bulk storage, in session files on the server for short-term storage, or in variables for runtime use only. All three of those methods use server resources to store and process data, so the environment is under the operator's control and can be secured. In contrast, cookies are stored on the client device, where the data could be intercepted in transit or altered at rest, and this can be considered the least secure way to store data: a server must treat anything that comes back in a cookie as untrusted input. Web authentication relies on three factors: something you know, something you have and something yo...
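The introduction above notes that a cookie can be altered at rest or read in transit, and the conclusion to the essay calls for "good practices of securing them correctly". The following is an added example (not code from the original posts) showing the two standard mitigations together: an HMAC tag so the server can detect a tampered cookie, and the Secure, HttpOnly and SameSite attributes that limit how the cookie is exposed. The secret key, cookie name and session value are constructed for illustration only.

```python
"""Signed, hardened cookies (added example, not from the original post).

A cookie lives on the client, so the server must assume it can be read or
rewritten there. Two mitigations: (1) an HMAC tag lets the server detect any
edit to the value; (2) the Secure/HttpOnly/SameSite attributes stop the
cookie being sent in clear, read by page scripts, or sent on cross-site
requests. SECRET_KEY and the session value below are constructed for the demo.
"""
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed secret for the example: in production, load it from a secrets
# store and rotate it; never commit it to source.
SECRET_KEY = b"constructed-example-key-do-not-reuse"


def sign(value: str, key: bytes = SECRET_KEY) -> str:
    """Return '<value>.<base64url(HMAC-SHA256(value))>' so edits are detectable."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return f"{value}.{base64.urlsafe_b64encode(tag).decode().rstrip('=')}"


def verify(signed: str, key: bytes = SECRET_KEY):
    """Return the original value, or None if the tag is missing or does not match."""
    value, sep, _tag = signed.rpartition(".")
    if not sep:
        return None
    # Recompute and compare in constant time: plain == leaks timing information.
    return value if hmac.compare_digest(sign(value, key), signed) else None


def build_set_cookie(name: str, value: str) -> str:
    """Produce a Set-Cookie header value with the attributes that limit exposure."""
    c = SimpleCookie()
    c[name] = sign(value)
    c[name]["secure"] = True     # only sent over HTTPS: not readable in transit
    c[name]["httponly"] = True   # not visible to document.cookie, so XSS cannot read it
    c[name]["samesite"] = "Lax"  # not sent on cross-site POSTs (CSRF mitigation)
    c[name]["path"] = "/"
    c[name]["max-age"] = 3600    # short lifetime limits the window for a stolen cookie
    return c.output(header="").strip()


def read_cookie_header(header: str, name: str):
    """Parse an incoming Cookie header and return the verified value of `name`, or None."""
    c = SimpleCookie()
    c.load(header)
    if name not in c:
        return None
    return verify(c[name].value)


if __name__ == "__main__":
    header = build_set_cookie("session", "uid:42:role:user")
    print("Set-Cookie:", header)
    signed = sign("uid:42:role:user")
    tag = signed.rsplit(".", 1)[1]
    # A client that edits the value at rest keeps the old tag, which no longer matches.
    print("tampered accepted?", read_cookie_header(f"session=uid:42:role:admin.{tag}", "session"))
```

The signature only proves the value was produced by this server; it does not hide the value from the user, so anything secret still belongs server-side with only an opaque identifier in the cookie.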

Diagram 1: Man in the Middle attack

Man in the Middle, or MITM for short, is an attack that is useful for achieving various goals. The attack usually starts with the attacker gaining a position on the path between victim and server, for example by infecting the victim's device or network, or by tricking the network into routing the victim's traffic through the attacker. The attacker then takes part in the initial exchange called the handshake, in which client and server are meant to establish each other's identity. Simplified, the attacker acts as a proxy between client and server without the knowledge of either. The user believes the attacker is the server, and the server treats the attacker as an authenticated user. At this point the attacker is able to capture all data. This works even if the connection is encrypted, but only when the attacker terminates each side's encryption separately, which with TLS requires the client to accept the attacker's certificate (a compromised or rogue CA, a root certificate installed on the device, or a user clicking through a certificate warning); correct certificate verification is exactly what prevents it. The captured data includes data originating from the user, such as credentials, and data from the server. The attacker also has full control over the data transferred and can alter it in any way, freely changing the response from the web service for their own convenience. For example, after successfully capturing credentials, the attacker could display a message to the user that the service is unavailable and they should try again in a few minutes, so the attacker may disengag...
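The scenario described above, as an added example that is not part of the original post: a tiny "real" server, an attacker's relay sitting between it and the client, and a client that has been tricked into connecting to the relay. Everything runs over plain TCP on localhost so it works offline; the ports, the login line and the reply texts are constructed for the demo. The relay records the credentials and swaps the server's success reply for the "service unavailable" message the text mentions. Over TLS the same relay would see only ciphertext unless the client accepted the relay's own certificate.

```python
"""Transparent TCP relay acting as a man in the middle (added example).

Three parties on localhost, plain TCP, constructed messages:
  server   - accepts one connection, expects "LOGIN user:pass", replies 200 or 401
  mitm     - accepts the victim, forwards the request to the real server,
             records both directions, and returns a forged 503 to the victim
  client   - the victim, which was tricked (e.g. by DNS/ARP spoofing, assumed
             here) into treating the mitm port as the real service
"""
import socket
import threading

socket.setdefaulttimeout(5)  # never hang the demo if something goes wrong

FORGED_REPLY = b"503 Service unavailable, please try again in a few minutes\n"


def start_listener():
    """Bind to a free localhost port (port 0 lets the OS choose) and return (socket, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]


def server_thread(listener):
    """The genuine service: one request, one reply, then close."""
    conn, _ = listener.accept()
    with conn:
        request = conn.recv(1024)
        if request.startswith(b"LOGIN "):
            conn.sendall(b"200 OK welcome\n")
        else:
            conn.sendall(b"401 denied\n")
    listener.close()


def mitm_thread(listener, target_port, captured):
    """The attacker's proxy: relay, record, and tamper with the response."""
    victim, _ = listener.accept()
    with victim:
        request = victim.recv(1024)
        captured.append(request)  # credentials harvested in the clear
        with socket.create_connection(("127.0.0.1", target_port)) as upstream:
            upstream.sendall(request)  # server sees a perfectly normal login
            real_reply = upstream.recv(1024)
        captured.append(real_reply)  # attacker knows the login succeeded
        # Hide the success from the victim so they retry later and the
        # attacker can quietly disengage with valid credentials in hand.
        victim.sendall(FORGED_REPLY)
    listener.close()


def run_demo(credentials=b"LOGIN alice:hunter2\n"):
    """Run server, relay and victim once; return (reply seen by victim, attacker's log)."""
    srv_sock, srv_port = start_listener()
    mitm_sock, mitm_port = start_listener()
    captured = []
    threads = [
        threading.Thread(target=server_thread, args=(srv_sock,)),
        threading.Thread(target=mitm_thread, args=(mitm_sock, srv_port, captured)),
    ]
    for t in threads:
        t.start()
    # The victim connects to the attacker's port, believing it is the server.
    with socket.create_connection(("127.0.0.1", mitm_port)) as client:
        client.sendall(credentials)
        reply = client.recv(1024)
    for t in threads:
        t.join()
    return reply, captured


if __name__ == "__main__":
    reply, log = run_demo()
    print("victim saw:     ", reply.decode().strip())
    print("attacker logged:", [m.decode().strip() for m in log])
```

The relay never needs to break anything cryptographic here because the traffic is plaintext; that is the situation HTTPS with proper certificate validation is meant to remove, since a client that verifies the server certificate will refuse to complete the handshake with the relay.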