Fun With CORS
Cross-Origin Resource Sharing On a recent penetration test, we found an interesting misconfiguration that allowed us to use a CORS attack to steal session tokens directly. This made account compromise […]
web application security
Server-Side Request Forgery Attack & Fix
SSRF Attack We recently came across a privilege escalation attack avenue during a web application / thick client penetration test. In this blog post, I will be talking about a […]
Unauthenticated: XXE Edition
Welcome to another installment of Unauthenticated! In this post, we will look at a recent web application penetration test where an XML external entity (XXE) expansion vulnerability was exploited without […]
Invisible Data in Web App Pentesting – Don’t Believe Everything You See
Don’t believe everything you see! Invisible or hidden data in web application pentesting could be revealing details like SSNs, like in this example by White Oak.
How to Prepare for an API Pentest – Postman
This is one part of a series of posts on how to prepare your API for a pentest. Other posts are located here: Insomnia. Similar to web applications, web APIs […]
How To Prepare for an API Pentest – Insomnia
This is one part of a series of posts on how to prepare your API for a pentest. Check back in the near future for additional content. Similar to web […]
Accessibility Within Application Security Tools
Before we get into the nuts and bolts of this post, I need to provide a little background. The COVID-19 pandemic has brought a number of changes to our day […]
Think Of The Children (part 2 – the Second Born)
While researching daycare software online we identified multiple providers / companies that offered daycare software. In this instance we looked at an application that was configured worse than the first […]
Think Of The Children (part 1)
As my wife recently started an at-home daycare, we have done testing of different child activity tracking applications that provide parents with updates about their child throughout the day (e.g. […]
Building An Application Security Program: Part 2
Read Part 1 here.. Last time we talked about how you would start an application security program and I want to try to move into a discussion around how you […]