Search for:
Solutions

GDPR: Technical Security Measures

Updated Dec 1. 2020

More than 2 years after the GDPR came into force (May 25, 2018), sanctions have been pronounced by several data protection authorities. These sanctions have important consequences, economic but above all for the reputation of the companies concerned, as they are publicly communicated.

While the essential principles of the GDPR (General Data Protection Regulation) are generally known, the main technical measures to put in place to secure a website or an information system are sometimes still not so clear. To remedy this, we detail in this article the technical security aspects of the GDPR.

Read More
Solutions

Phishing: How to identify suspicious emails?

Phishing evolved a lot. Whereas fraudulent email was before easily detected by its obvious spelling mistakes and its exaggerated request or threats (immediate bank transfer, account completely deleted…), it uses nowadays codes of trusted institutions. Phishing email involves besides personalized demand or known contacts of the attacked person (a manager for example), which makes it hard to detect.

Phishing aims an interaction with a tricked email. It is the most used method in social engineering, a branch of cybercrime.
Social engineering targets human behaviour. Its purpose is to lead a user to reveal confidential information and to realise harmful actions for themselves or for an organisation the user belongs to. You can raise awareness of your team about this risk by conducting a social engineering audit. 

We will see in this article how to avoid different phishing strategies, which can be tricky even for experienced and attentive users.

Read More
Technical

User enumerations on web applications

During our audits, we often encounter user enumerations that could be easily avoided with the right methods. In this article, we will discuss user enumerations on login forms, password reset forms, and account creation forms. However, user enumerations may be present on other features, such as search forms or message submissions.

Read More
Solutions

Exploiting google dorks to strengthen your security

Google Dorks _ security

[Article updated on November 8, 2022]

Have you used google dorks today? If you have searched for a word within quotes or combined two terms with AND, then the answer is yes.

Googles dorks are advanced search operators that allow you to better target your research.

They can even enable to identify vulnerabilities and strengthen your security, let’s see how.

Read More
Technical

How to Protect Your Website : PHP Security Tips and Tricks #3

Updated: 23 Dec. 2020

This article does not replace a good knowledge of security principles in PHP, but can give you some good advices that really boost security.
There will be nothing to copy/paste straight forward to your PHP files. But we believe that these tips and best practices will bring you long-term benefits if you understand and implement the different points according to your needs and context.

This article is the third of our series dedicated to PHP security. The first article gives you guidelines for PHP configuration, updates, data filtering and sanitization, as well as code organization.
The second article discusses protections against known and common attacks.

We will now take a look at file uploads, CRSF, cookies and security through obscurity.

Read More
Technical

How to Protect Your Website: PHP Security Tips and Tricks #2

Updated: 23 Dec. 2020

This article does not replace a good knowledge of security principles in PHP, but can give you some good advices that really boost security.
There will be nothing to copy/paste straight forward to your PHP files. But we believe that these tips and best practices will bring you long-term benefits if you understand and implement the different points according to your needs and context.

This article is the second of our series dedicated to PHP security. The first article “How to Protect Your Website: PHP Security Tips and Tricks #1” gives you basic guidelines for PHP configuration, updates, data filtering and sanitization, as well as code organization.

We will now look at common hacking attacks against PHP websites and how to defend yourself against them.

Read More
Technical

How to Protect Your Website : PHP Security Tips and Tricks #1

Updated: 1 Dec. 2020

PHP remains the most popular server-side programming language: it is used by almost 80% of websites (source). This language continues to be developed, and PHP 8 was released last week ! This version brings new features and should enhance security.

However, the security of PHP builds up from its ‘historical’ core features. The following article does not replace a good knowledge of PHP, and there will be nothing to copy/paste directly into your files. But we believe that these tips and best practices will bring you long-term benefits if you understand and implement the different points according to your needs and context.

Today we cover PHP configuration, updates, code organisation and data filtering/escaping.

Read More
Risks

What are Business Logic Flaws on Web Applications?

Updated: 16 Feb. 2021

Logic flaw

Business logic flaws remain a type of little-known vulnerability in IT-Security. They are not errors in the logical reasoning, but flaws related to the working of a web application. They are different from technical vulnerabilities, which directly relate to code, implementation or configuration errors.

We regularly find logic flaws during penetration tests, on all types of applications. We find them most frequently on e-commerce sites and SaaS software.

Read More