| Topic | References | Notes |
|---|---|---|
| CORS Concept | https://github.com/rinku191/AppSec_Topics_for_Interview/wiki/CORS-Concept | |
| HTTP Security Headers | https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP , https://www.searchenginejournal.com/http-security-headers/#415404/close , https://www.keycdn.com/support/what-is-mime-sniffing | |
| Same Origin Policy | https://web.dev/same-origin-policy/ , https://en.wikipedia.org/wiki/Same-origin_policy | |
| Cookies | https://www.javatpoint.com/http-cookies , https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies | A cookie set without the `SameSite` attribute should be treated as one that takes part in cross-site cookie communication. |
| SSL/TLS handshake | https://www.ibm.com/docs/en/ibm-mq/7.5?topic=ssl-overview-tls-handshake , https://www.ibm.com/docs/en/ibm-mq/7.5?topic=ssl-how-tls-provide-authentication-confidentiality-integrity | |
| Perfect Forward Secrecy | http://www.cs.sjsu.edu/faculty/pollett/masters/Semesters/Fall13/akash/PFS_Presentation.pdf | |
| Certificate chain verification | https://docs.apigee.com/how-to-guides/validating-certificate-chain | |
| Code Signing | https://codesigningstore.com/how-code-signing-certificate-works | |
| SameSite cookies | https://web.dev/samesite-cookies-explained/ | |
| Cross-site vs. same-site | https://jub0bs.com/posts/2021-01-29-great-samesite-confusion/ | |
| CSRF mitigation | https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html , https://security.stackexchange.com/questions/90023/get-and-post-request-vulnerable-to-csrf-attack | Note: simple GET and POST requests do not trigger a CORS preflight; PUT and DELETE do. A POST also triggers a preflight when a custom HTTP header is set or the request body is JSON/XML (a non-simple `Content-Type`). |
| OAuth | https://connect2id.com/learn/oauth-2 , https://dropbox.tech/developers/pkce--what-and-why | |
| OAuth, server-to-server communication | https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/ | |
| Template Injection (SSTI) | https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection | |
| XXE | https://www.acunetix.com/blog/articles/xml-external-entity-xxe-vulnerabilities/ | |
| Software signing | https://codesigningstore.com/how-code-signing-certificate-works | |
| DLL Injection | https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf | |
| NTLM | https://www.crowdstrike.com/cybersecurity-101/ntlm-windows-new-technology-lan-manager/ | |
| Kerberos | https://en.wikipedia.org/wiki/Kerberos_protocol | |
| NTLM vs. Kerberos vs. LDAP | https://ramprasadtech.com/difference-between-ntlm-kerberos-ldap-authentication/ | |
| Digital Rights Management (DRM) | https://imagen.io/blog/what-is-digital-rights-management/ | The `SetWindowDisplayAffinity` API is used to disable screen capture of a window on Windows. |
| reCAPTCHA | https://datadome.co/learning-center/invisible-recaptcha-choosing-recaptcha/ , https://security.stackexchange.com/questions/184619/prevent-against-otp-abuse-in-app-sign-up-flow , https://www.digitalocean.com/community/tutorials/how-to-integrate-google-recaptcha-in-java-web-application , https://www.quora.com/How-does-the-new-invisible-captcha-work | |
| C vulnerable code snippet | https://vimeo.com/30001189 | |
| Frida tool usage | https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/instrumenting-windows-apis-with-frida | |
| Red team techniques useful for thick-client pentesting | https://www.ired.team/offensive-security/code-execution | |
| Android fundamentals | https://developer.android.com/guide/components/fundamentals | |
| Android ART, Dalvik, JVM | https://medium.com/android-news/virtual-machine-in-android-everything-you-need-to-know-9ec695f7313b | |
| SSL Pinning | https://tech.groww.in/ssl-pinning-in-android-part-2-b591dfc8c2f1 | |
| Common Android vulnerabilities | https://drive.google.com/file/d/1IOhRBYUAqGWE-MigR8hyENYe_2LA1tgo/view?usp=sharing | |
| OAuth on mobile | https://medium.com/l-r-engineering/oauth2-in-android-authorization-code-flow-ffc4355dd473 , https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-proof-key-for-code-exchange-pkce , https://oauth.net/2/grant-types/implicit/ | |
| Android vulnerability checklist | https://github.com/muellerberndt/android_app_security_checklist | |
| Biometric Auth | https://proandroiddev.com/biometric-authentication-with-backend-verification-6feaa0188963 | |
| Regular expressions | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions , https://www.regextester.com/ | Greedy `.*` vs. lazy `.*?`: take the string `"can cats eat plants?"`. The greedy pattern `c.*s` matches the entire run from the first `c` to the last `s`, because the greedy quantifier keeps consuming until the final occurrence of `s`, giving `"can cats eat plants"`. The lazy pattern `c.*?s` stops at the first occurrence of `s`, giving `"can cats"`. |
| SAML Concept | https://github.com/rinku191/AppSec_Topics_for_Interview/wiki/SAML-Concept-and-Security | |
| Design review: some key points | https://github.com/rinku191/AppSec_Concept_URLs_for_Interview_Preparation/wiki/Design-review-some-key-points | |