What to report and what to discard on assessments
POINT is a small company, just four employees, and I am the only tester. We do most of our work for other places that have overflow work, or larger infosec departments that need appsec expertise...
Vulnerabilities I am seeing Winter 2024
Much has changed and much has remained the same in the vulnerability assessment space. Frameworks, having introduced neat new ways to create vulnerable code, have again managed to cover their tracks...
Hackers Teaching Hackers 2024
Hackers Teaching Hackers (henceforth HTH) is an information security conference held in Columbus (Well, OK, Canal Winchester) Ohio. It's at the BrewDog brewery and hotel, and features two days of...
Application Security This Week for November 18
Here's a new set of training wheels for Metasploit. It's a little bumpy, but it is pretty decent as an intro to using scripting tools for exploitative...
Application Security This Week for December 2
A vulnerability was discovered in CSS (!) that will crash your browser. Please don't do this at work. https://cras.sh/ There is a new fuzzing list out there that I like a lot for searching for hidden...
Insecure Binary Deserialization
The OWASP Top 10 was updated last year, and there are a couple of new items. One of them is Insecure Binary Deserialization. Many of us use serialization in our applications, whether we know it or...
Application Security This Week for December 23
SplashData has their 100 worst passwords out again this year. Remember, at least, prevent these passwords in your signin...
Application Security This Week for January 6
New year, new vulnerabilities. Or old vulnerabilities. How about Open Redirects, the vulnerability no one cares about other than the bad...
Application Security This Week for February 24
Cool PoC of the Mac vulnerability CVE-2018-4193, an RCE in WindowServer. https://www.synacktiv.com/ressources/OffensiveCon_2019_macOS_how_to_gain_root_with_CVE-2018-4193_in_10s.pdf Terrifying...
Application Security This Week for March 3
A new tool for finding malicious JavaScript and securely using external libraries. https://blog.focal-point.com/a-new-tool-for-finding-malicious-javascript-and-securely-using-external-libraries Acunetix...
Application Security This Week for June 30
Fascinating look into Internet routing that caused an outage last week. We are really building this city on a bed of...
Application Security This Week for October 6
This is a blog entirely dedicated to security analysis of mobile apps. No idea who writes it but it is good. https://theappanalyst.com/ Neat writeup on going from SQL Injection to Remote Code...
Winner's writeup for CodeMash CTF 2020
Austin Schertz won the CodeMash CTF this year, and he dropped off his answers to all 19 challenges. Here they are: Access Control: We got the password dump (400). This challenge provided a...
Application Security This Week for July 19
The Enterprise Security API for Java went to 2.2.1.0 https://github.com/ESAPI/esapi-java-legacy/blob/esapi-2.2.1.0/documentation/esapi4java-core-2.2.1.0-release-notes.txt Microsoft's .NET Framework is...
Insecure Binary Serialization: 2018 Redux
Back in 2018, I wrote about Insecure Binary Deserialization, and I'd like to give an update here for C# Advent. Originally, OWASP had just added Insecure Binary Deserialization to the OWASP Top 10, and...
The Trouble With Teaching Secure Coding
Once a week or so, someone calls and asks for OWASP Top 10 testing. I have to make the call on the spot whether or not to explain that isn't what they want, or say "Sure!" and then give them actually...
On Tools
Not too long ago, I was asked to do a technical interview for a set of tests. This isn't unheard of, but it is odd. Usually, folks have heard about me from someone and that is good enough. In this...
Vulnerability Analysis is just fancy QA
Testing an application for vulnerabilities is just like testing an application for meeting the business requirements. The analyst has to have access to the application, an understanding of how the...
New year, new updates
I finally got off my butt and decided what to do with this blog and the fifteen years of posts within. I'm very not trusting of someone else hosting my writing, so I am sticking with BlogEngine, got...
The scammers are getting ever better
Like many, I have parents. My mother and my father-in-law are still around and kicking, and we have all of the same tech problems with them that everyone has with folks that didn't grow up surrounded...