Due to the positive response I got on my previous write up, I figured I’d keep the ball rolling and do another. Thank you to everyone who shared the last post, and I hope that you find this write up just as enjoyable. Tutorial Mode Server Side Request Forgery (SSRF) is just a fun bug […]

Ignoring the fact that I’m less than consistent with my blog posts, you’d think that I’d do a bug bounty write-up at some point. I recently reached the top 100 on Bugcrowd and I’ve spent some time on other self-managed programs. Well, the time has finally come. I participated in an invite-only program […]

Buckle up, this is going to be quite the ride.  Burp Suite is a web application penetration tester’s bread and butter, a powerful suite of tools that covers everything you could ever want, need, or dream.  I’ll do my absolute best to cover everything in depth, but there’s quite a bit. Here’s a quick list […]

I apologize ahead of time if I start to ramble through this post. Script injections are a major vulnerability in web applications due to the variety of attacks that can result from one injection point, and there’s a lot we can talk about. If we take a look at the Verizon Data Breach Investigation Report, we […]

At this point, I think it’s a relatively well known fact that passwords should be hashed in storage.  If you or your development teams are storing passwords in plain text, the keys to every user’s kingdom are sitting there begging to be stolen.  Really, all it takes is one little SQL injection to expose every user’s password […]

Someone once said that “no security hole is too small”. The longer you work in the information security field, the more relevant this becomes. So many times, it’s been shown that the tiniest details can lead to massive data breaches. The 2013 Target breach is a prime example. Attackers first broke into Target’s network on […]

When it comes to cross-site scripting, we want to find those script injection points that are frequently overlooked. A common source of stored cross-site scripting vulnerabilities is the file upload. Not only can we store a script in the application, but this script may be downloaded by other users. When we first explore our application, […]

I think an attack vector that is often under-analyzed is the web service. There’s no user interface, so what’s the real danger? Cross-Site Scripting (which accounts for about 53% of all application vulnerabilities) is completely useless since there is no HTML response. And how would one even use this tool without a user interface? Well, […]

Nearly every application relies on some type of data store, whether it’s a user database or a database of information related to the website. Without proper sanitization of inputs, these stores can be vulnerable to SQL injections, and attackers may be able to retrieve critical information without our permission. If you don’t have an understanding […]

ClickJacking Clickjacking is the malicious technique of tricking a user into clicking on something different than what the user intends to click on. This can result in confidential information being revealed or in an attacker taking control of the user’s browser. Embedded code or scripts can execute without a user’s knowledge when the user clicks on a button that appears […]