Cloud is a term we hear very frequently these days. I have also covered some aspects of cloud in my previous blogs, so in this blog we will actually learn about cloud security and its architecture: how things work in the cloud and how it is put together.
There are different types of cloud models. Depending on who owns the infrastructure and where it is hosted, they are classified as follows:
In a public cloud, the CSP (cloud service provider) offers cloud services over the internet, and the machines that make up the infrastructure are reachable from the public internet.
Advantage:
User has to pay only as…
For communication between a client and a server, the Internet protocol suite uses HTTP at the application layer.
HTTP works as a request/response protocol between client and server: when a user visits an application in a browser, a request is sent to the server and the server sends a response back. In the response we can see a status code that reflects the outcome of the request. All of this happens with the help of HTTP.
To perform these operations HTTP has different methods, and each method has its own significance.
Note: HTTP method names are case-sensitive, and by convention they are always written in UPPER CASE ("GET" is a method; "get" is not).
1. GET: To retrieve the information from server for…
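The request/response exchange described above, as an added example that is not part of the original post: a minimal HTTP/1.1 request parser and responder written for this page, using only the Python standard library. The route table, the request bytes and the "example.test" host are constructed for the demo. It also shows the case-sensitivity note in action: a lowercase method token is not the same method, and a server that does not recognise a method answers 501, while a recognised method that the resource does not support gets 405.

```python
# Added example, not from the original post: a tiny HTTP/1.1 request parser
# and origin-server responder. Stdlib only; route table is hypothetical.
import re

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}
ALLOWED = {"/": {"GET", "HEAD"}}                 # hypothetical route table
REASON = {200: "OK", 400: "Bad Request", 404: "Not Found",
          405: "Method Not Allowed", 501: "Not Implemented"}
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 7230 tchar


def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, target, version, headers and body.
    Raises ValueError when the request line does not have three parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ")      # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header field NAMES are case-insensitive, unlike the method token.
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def handle(req: dict) -> tuple:
    """Return (status code, reason phrase) the way an origin server would."""
    method = req["method"]
    if not TOKEN.match(method) or method not in KNOWN_METHODS:
        return 501, REASON[501]       # "get" != "GET": not a recognised method
    if req["target"] not in ALLOWED:
        return 404, REASON[404]
    if method not in ALLOWED[req["target"]]:
        return 405, REASON[405]       # known method, not allowed on this resource
    return 200, REASON[200]


def respond(raw: bytes) -> bytes:
    """Full round trip: bytes in, status line and headers out."""
    try:
        status, reason = handle(parse_request(raw))
    except ValueError:
        status, reason = 400, REASON[400]
    return f"HTTP/1.1 {status} {reason}\r\nContent-Length: 0\r\n\r\n".encode()


if __name__ == "__main__":
    for req in (b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"get / HTTP/1.1\r\nHost: example.test\r\n\r\n",
                b"POST / HTTP/1.1\r\nHost: example.test\r\n\r\n"):
        print(req.split(b"\r\n")[0].decode(), "->", respond(req).split(b"\r\n")[0].decode())
```

Run it as a script to see the three request lines and the status line each one earns.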
Before moving on to EC2, let's get familiar with AWS access keys and their security. If you are interested, go ahead and check my previous blog on that:
https://gupta-bless.medium.com/securing-and-managing-aws-access-key-88aa8ae938a
What is Amazon Elastic Compute Cloud/EC2?
EC2 is a web-based service provided by Amazon that offers resizable compute capacity in the cloud; in short, EC2 instances are virtual machines in the cloud.
Instance: compute in EC2 is obtained by launching an instance. Whenever we launch an EC2 instance, its makeup depends on two factors:
· The operating system we are going to run on it, which determines the configuration that supports…
If an organization has a small number of AWS accounts, managing them is simple, since it is easy to keep track of the logs and their workarounds, and an admin can make changes directly. But if the organization has a large number of AWS accounts across different departments, this task gets hectic, so we would need an admin for every department, and every account would come with its own set of keys. Here we have two approaches:
i. The simplest is to create a login in each account and manage the changes there, but this is not an ideal approach.
ii. Creation of…
Before moving further we must get familiar with XXE, so please check my previous blog on it.
https://medium.com/@gupta.bless/exploitation-xml-external-entity-xxe-1f5f3e7bc5c4
We have learnt about XXE previously, but there is one more thing we need to understand before going ahead: unrestricted file upload vulnerabilities. You can read my previous blog on that one as well.
https://gupta-bless.medium.com/exploiting-unrestricted-file-upload-vulnerabilities-4831aa839b25
If the application has image or file upload functionality, there is a possibility that we can upload an SVG file.
Scalable Vector Graphics (SVG): an SVG file defines graphics in XML format.
Since it defines graphics in XML format, these files create a…
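An added example for the SVG-is-XML point above (written for this page, not code from the original post): an upload gate that inspects an SVG before any real parser touches it. An XXE payload needs a DOCTYPE carrying an entity declaration, so the gate refuses any SVG with a DOCTYPE, entity declaration or external entity reference, and also checks that the root element really is svg. It uses only the standard library expat bindings; both sample files below are constructed, and the file:///etc/passwd target is just the usual XXE illustration.

```python
# Added example, not from the original post: pre-parse gate for SVG uploads.
# Rejects the constructs an XXE payload depends on before full parsing.
import xml.parsers.expat


class UnsafeSvg(Exception):
    pass


def classify_svg(data: bytes) -> tuple:
    """Return (True, 'svg') for a plain SVG, (False, reason) otherwise."""
    parser = xml.parsers.expat.ParserCreate()
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Any DOCTYPE is refused: uploads have no business declaring a DTD.
        raise UnsafeSvg(f"DOCTYPE declaration for {name!r} (SYSTEM={sysid!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        # Defence in depth: would only be reached if DOCTYPEs were ever allowed.
        raise UnsafeSvg(f"entity declaration {name!r} (SYSTEM={sysid!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeSvg(f"external entity reference to {sysid!r}")

    def on_start(name, attrs):
        if not root:
            root.append(name.rsplit(":", 1)[-1])   # drop a namespace prefix

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeSvg as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"not well-formed XML: {exc}"
    name = root[0] if root else None
    if name != "svg":
        return False, f"root element is {name!r}, not 'svg'"
    return True, name


# Constructed samples: a harmless icon and the classic XXE shape.
BENIGN_SVG = (b'<?xml version="1.0"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10"/></svg>')

XXE_SVG = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
           b'<svg xmlns="http://www.w3.org/2000/svg">'
           b'<text x="0" y="10">&xxe;</text></svg>')

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("xxe", XXE_SVG)):
        print(label, "->", classify_svg(sample))
```

The gate is deliberately stricter than "disable external entities": a DOCTYPE in an uploaded image is itself a signal worth rejecting and logging, and refusing it up front means the later image-processing library never sees the declaration at all.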
As the name indicates, "things" means physical objects: a collection of physical objects connected over the internet. In IoT we see interconnected devices, embedded sensors and other software that communicate data over Wi-Fi or similar networks, processing user interactions and other tasks without human intervention.
We see IoT devices all around us, like the smart speaker at home that can run the whole house by voice commands alone.
We now have smart fridges, washing machines, lights and much more, all of which can be considered IoT devices.
IoT devices as a whole are part of a four-layer infrastructure.
…
PKI (public key infrastructure) is the framework through which two or more parties exchange encrypted and authenticated information across interconnected systems that provide a suite of cryptographic services. It includes SSL/TLS certificates and the certificate authorities (CAs) that issue them. Communication relies on a pair of related keys:
i. Public key: used to encrypt data, so whenever data travels between the user and the server an attacker who intercepts it cannot read the information, since it is encrypted. The public key can be shared freely; it is the key carried in the certificate.
ii. Private key: used to decrypt information that was encrypted with the public key (and, run the other way, to create signatures that the public key verifies). It must stay with its owner. …
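The key-pair relationship above, as an added example that is not part of the original post: textbook RSA on small, constructed primes (p = 61, q = 53), written for this page. Encrypt with the public key and only the private key decrypts; run the other way, the private key signs and the public key verifies, which is the operation a CA performs on a certificate. The numbers are tiny and there is no padding, so this illustrates the mathematics only and is not usable cryptography.

```python
# Added example, not from the original post: textbook RSA with toy parameters.
# Illustration of the public/private key relationship only; no padding, tiny n.
from math import gcd


def keygen(p: int, q: int, e: int = 65537):
    """Return ((n, e), (n, d)) for distinct primes p and q.
    d is the inverse of e modulo phi(n), so m**(e*d) == m (mod n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    """Only the private key holder can recover m."""
    n, d = private
    return pow(c, d, n)


def sign(private, digest: int) -> int:
    """What a CA does to (the hash of) a certificate: raise to the private exponent."""
    n, d = private
    return pow(digest, d, n)


def verify(public, digest: int, signature: int) -> bool:
    """Anyone with the public key can check the signature matches the digest."""
    n, e = public
    return pow(signature, e, n) == digest


# Constructed toy parameters: p = 61, q = 53, so n = 3233 and phi = 3120.
PUBLIC, PRIVATE = keygen(61, 53)

if __name__ == "__main__":
    c = encrypt(PUBLIC, 65)
    print("ciphertext", c, "decrypts to", decrypt(PRIVATE, c))
    s = sign(PRIVATE, 1234)
    print("signature", s, "verifies:", verify(PUBLIC, 1234, s))
```

In a real TLS handshake the server's public key is not used to encrypt the application data itself; it authenticates the server (the CA's signature on the certificate is checked with the CA's public key) and a symmetric session key is agreed for the bulk traffic.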
Whenever we see a login page in an application, we usually check whether default credentials work, and sometimes we go ahead and brute-force the username and password. Discovering which usernames exist, as opposed to guessing passwords, is known as username enumeration.
In username enumeration, an attacker tries to discover valid usernames in the application. On the basis of a verbose error message (or any other difference in the response), the attacker can tell valid usernames apart from invalid ones.
Example: In below application I provided a wrong username.
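An added example for the verbose-error point above (written for this page; it is not the application from the screenshot or any code from the original post): a simulated login endpoint in a verbose and a hardened form, plus the enumeration loop an attacker would run against each. The user store, salts, passwords and wordlist are all constructed.

```python
# Added example, not from the original post: username enumeration against a
# verbose login versus a hardened one. Stdlib only; user store is constructed.
import hashlib
import hmac

ITERATIONS = 20_000   # kept low for the demo; production values are higher


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: username -> (salt, hash). Fixed salts only so the
# demo is deterministic; real salts are random per user.
USERS = {
    "alice": (b"salt-alice-0001", pbkdf2("correct horse battery", b"salt-alice-0001")),
    "bob":   (b"salt-bob---0002", pbkdf2("hunter2-but-longer", b"salt-bob---0002")),
}
# Dummy credential hashed for unknown users so both paths cost the same.
DUMMY_SALT = b"salt-dummy-0000"
DUMMY_HASH = pbkdf2("not-a-real-password", DUMMY_SALT)


def login_verbose(username: str, password: str) -> str:
    """Vulnerable: the error tells the caller which half was wrong."""
    if username not in USERS:
        return "Invalid username"
    salt, digest = USERS[username]
    if not hmac.compare_digest(pbkdf2(password, salt), digest):
        return "Invalid password"
    return "OK"


def login_generic(username: str, password: str) -> str:
    """Hardened: one message for every failure, and the same hashing work
    whether or not the username exists, so response time does not leak either."""
    salt, digest = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    match = hmac.compare_digest(pbkdf2(password, salt), digest)
    if match and username in USERS:
        return "OK"
    return "Invalid username or password"


def enumerate_users(login, candidates) -> set:
    """Attacker's view: a candidate whose failure response differs from the
    response for a name that certainly does not exist is a valid account."""
    baseline = login("no-such-user-7f3a", "wrong-password")
    return {u for u in candidates if login(u, "wrong-password") != baseline}


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "admin"]
    print("verbose endpoint leaks:", enumerate_users(login_verbose, wordlist))
    print("generic endpoint leaks:", enumerate_users(login_generic, wordlist))
```

The same comparison applies to registration and password-reset pages: "this email is already registered" is the same leak in a different place.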
Privilege escalation is accessing resources for which the user has no authorization by escalating their privileges.
There are multiple ways to achieve this, such as modifying a user identifier or directly accessing a URL. The attacker's ultimate goal is to access sensitive data or API tokens, bypass user controls, or perform other malicious actions. It has two types:
i. Horizontal privilege escalation: when a user accesses the resources of another user who has the same level of access rights.
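The horizontal case above, as an added example that is not part of the original post: a hypothetical /invoices/<id> handler written for this page, shown in a vulnerable form that only checks that the caller is logged in and a fixed form that checks the object belongs to the caller. The session object, the invoice data and the sequential ids are constructed.

```python
# Added example, not from the original post: horizontal privilege escalation
# through a direct object reference, and the ownership check that stops it.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str          # "user" or "admin"


# Constructed data store: invoice id -> record. Sequential ids make guessing
# another user's invoice trivial.
INVOICES = {
    1001: {"owner": 1, "total": 120.00},
    1002: {"owner": 2, "total": 980.50},
    1003: {"owner": 2, "total": 15.00},
}


class NotFound(Exception):
    pass


def get_invoice_vulnerable(session, invoice_id: int) -> dict:
    """Checks that the caller is logged in, never that the invoice is theirs."""
    if session is None:
        raise PermissionError("login required")
    if invoice_id not in INVOICES:
        raise NotFound(invoice_id)
    return INVOICES[invoice_id]


def get_invoice_fixed(session, invoice_id: int) -> dict:
    """Authorization is decided on the object, not the URL: the record must
    belong to the caller, or the caller must be an admin. A foreign id gets
    the same 'not found' as a missing one, so existence is not confirmed."""
    if session is None:
        raise PermissionError("login required")
    inv = INVOICES.get(invoice_id)
    if inv is None or (inv["owner"] != session.user_id and session.role != "admin"):
        raise NotFound(invoice_id)
    return inv


def probe(handler, session, ids) -> set:
    """What an attacker does: walk nearby ids and keep the ones that come back."""
    readable = set()
    for i in ids:
        try:
            handler(session, i)
            readable.add(i)
        except (NotFound, PermissionError):
            pass
    return readable


if __name__ == "__main__":
    alice = Session(user_id=1, role="user")
    print("vulnerable:", sorted(probe(get_invoice_vulnerable, alice, range(1000, 1010))))
    print("fixed:     ", sorted(probe(get_invoice_fixed, alice, range(1000, 1010))))
```

The fix lives in the handler, not in hiding the id: unpredictable ids slow the probe down but do not replace the ownership check.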
As the name indicates, two-factor means two layers of authentication are required to access an application or resource: first entering the password, then entering a code or similar that the application sends to your mobile. We usually call this two-factor authentication (2FA).
As credential breaches are common, companies want extra protection. For this a company generally asks for one of the following:
i. A couple of security questions you entered at the time of registration (note that these are still "something you know", so they are a weaker second step than a code from a device you possess)
ii. An OTP sent to your registered mobile number
iii. Authentication through Google Authenticator
iv. Asking to click on a link…