Recent Posts



Crafting your way through JSON Web Tokens

May 3, 2016

JSON Web Token is a compact mechanism used for transferring claims between two parties. These are generally represented as JSON objects and can be signed to protect the integrity of the underlying message using a Message Authentication Code (MAC) and/or encrypted. The mechanism followed by JWTs is governed by the… Read More

Bypassing Jailbreak Detection in iOS

February 5, 2016

In today's connected modern world every organization wants to have a mobile application for its own services. This also requires that these applications go through a security check / penetration test. We at NotSoSecure constantly receive such requests and work on various mobile assessments. In this blog post Anto Joseph… Read More

ICMP Tunnels – A Case Study

October 15, 2015

On a recent Pen Test project, we encountered a situation where the outbound traffic on the server was not allowed. Only ICMP (and DNS) traffic was allowed. In this blog post Shyam discusses how we managed to exfiltrate the data over an ICMP tunnel. Just to set the scene, the… Read More

Remote code execution via PHP [Unserialize]

September 24, 2015

At NotSoSecure, we conduct Pen Test / Code Reviews on a day-to-day basis and we recently came across an interesting piece of PHP code that could lead to RCE, but the exploitation was a bit tricky. After spending some sleepless nights trying to break this code, we identified that both application and… Read More

How Cross-Site WebSocket Hijacking could lead to full Session Compromise

November 27, 2014

WebSockets is an HTML5 feature providing a full-duplex communications channel over a single TCP connection. This enables building real-time applications by creating a persistent connection between the browser and the server. The most common use case for WebSockets is when adding chat functionality to a web application. This image below… Read More