Showing items from Cybersecurity

Invisible code and XSS attacks

• Sylvain Pollet-Villard
• 11 Min To Read
• 19 Jul, 2023
• • Cybersecurity

Trojan: Attacks from the inside

XSS attacks were quite common at the time of the early web. They were used to steal cookies, to redirect users to malicious websites, to inject malicious code in the page, etc. Websites were more vulnerable to XSS at that time because they used a lot server-side templating with technologies like PHP or JSP, with very few built-in protections for injecting JavaScript code into HTML responses. Today, we are much more careful about escaping user inputs and evaluating HTML dynamically. We use frameworks like React or Vue.js to build our web applications, which are based on declarative templating that escape all HTML by default and encourage sending serialized data instead of HTML on the wire. Dynamic code evaluation is considered a bad practice and injection patterns are catched by code analysis tools like ESLint or SonarQube. XSS attacks have therefore to find more creative ways to inject malicious code into the page. If they can’t inject from the outside, they will try to inject from the inside, targeting the code of the application itself. They can do that directly through project dependencies or pull requests to open source projects, or indirectly through StackOverflow answers, blog posts, AI chatbots, etc.

HSM in the cloud: opportunity or contradiction?

• Jurjen N.E. Bos
• 6 Min To Read
• 05 Apr, 2023
• • Cybersecurity

As many other companies, my employer (Worldline) is busy building cloud applications, and moving current applications to the cloud. Of course, cryptography is used in many ways in these applications. Many of these applications use HSMs (Host Security Modules) to improve the security of the cryptographic keys. This is what an HSM looks like:

Troubleshoot SSL/TLS mutual authentication with openssl s_server

• Gerben Castel
• 4 Min To Read
• 07 Mar, 2023
• • Cybersecurity

Each secure communication between a browser and a HTTP server begins with a SSL/TLS handshake.

ZTNA - For Machine Vendors

• Michael Zinsmaier
• 10 Min To Read
• 01 Feb, 2023
• • Cybersecurity

Zero Trust or as I prefer it Zero Implicit Trust is usually described from the perspective of an IT department, in charge, to protect its users and resources. Sometimes this perspective is extended to the shopfloor owner and I recommend Zero Trust connectivity in industrial environments , a free whitepaper published by Worldline to dive deeper into this topic.

Post-Quantum Cryptography Series - Second Newsletter

• Slim Bettaieb Mattias Westlund Jurjen N.E. Bos Nourredine Khadri
• 9 Min To Read
• 27 Apr, 2022
• • Cybersecurity

In this newsletter we will provide information of the context of the international competition organized by NIST to standardize post-quantum cryptographic algorithms and how Worldline contributed to it. We will also give an update on the ongoing competition and highlight the cryptographic primitives that NIST will develop.

ZTNA - Hacking Time

• Michael Zinsmaier Dimitri Marguerite
• 8 Min To Read
• 06 Jan, 2022
• • Cybersecurity

This is part two of a small series of ZTNA related pieces, today we take a closer look at some of the most prominent hacks of 2021 and examine how different techniques from ZTNA might have helped to prevent them. The intention of this article is to learn from examples, not to belittle others. The examples have been chosen because each of them reached wide media coverage and there is publicly accessible information. For a more thorough introduction see ZTNA fundamentals .