Month: July 2014

localStorage – Are Cookies Too Good For You?

I’ve seen several web applications that carry the user session ID (or token) in a custom HTTP header rather than storing it in a cookie. Some public web platforms also save the same kind of token to track their user analytics. For instance, I recently noticed that the New Relic REST API platform stores the user ID in an HTTP header called X-NewRelic-ID.

During testing of an application, I found both a cross-site scripting vulnerability and a session ID sent as a custom HTTP header. My goal was to steal the user’s session ID, which the application sent in a custom header called X-Auth-Token.

Pentesting Android Cheatsheet

This post contains a collection of instructions I found on the Internet that are useful for pentesting an Android app. Basically, it is my Android cheatsheet, and it’s here so that it will be easily accessible in the future for me or anyone else who has to assess Android devices and apps.