Due to the positive response I got on my previous write up, I figured I’d keep the ball rolling and do another. Thank you to everyone who shared the last post, and I hope that you find this write up just as enjoyable. Tutorial Mode Server Side Request Forgery (SSRF) is just a fun bug […]

Ignoring that fact that I’m less than consistent with my blog posts, you’d think that I’d do a bug bounty write up at some point. I recently reached the top 100 on Bugcrowd and I’ve spent some time on other self managed programs. Well, the time has finally come. I participated in an invite-only program […]

Buckle up, this is going to be quite the ride.  Burp Suite is a web application penetration tester’s bread and butter, a powerful suite of tools that covers everything you could ever want, need, or dream.  I’ll do my absolute best to cover everything in depth, but there’s quite a bit. Here’s a quick list […]

I apologize ahead of time if I start to ramble through this post.  Script injections are major vulnerability in web applications due to the variety of attacks that can result from one injection point and there’s a lot we can talk about.  If we take a look at the Verizon Data Breach Investigation Report, we […]

At this point, I think it’s a relatively well known fact that passwords should be hashed in storage.  If you or your development teams are storing passwords in plain text, the keys to every user’s kingdom are sitting there begging to be stolen.  Really, all it takes is one little SQL injection to expose every user’s password […]

Someone once said that “no security hole is too small”.  The longer you work in the information security field, the more relevant this becomes.  So many times, it’s been shown that the tiniest details can lead to massive data breaches.  The 2013 Target breach is a prime example.  Attackers first broke into Targets network on […]

When it comes to cross-site scripting, we want to find those script injection points that are frequently overlooked.  A common source of stored cross-site scripting vulnerabilities is the file upload.  Not only can we store a script in the application, but this script may be downloaded by other users.  When we first explorer our application, […]