The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools.

A little background… As I stood in front of a class of developers trying to explain cross-origin resource sharing (CORS), I knew I wasn’t conveying it well enough for a significant subset of the group. It was Autumn 2017 (not my password at the time, b… Continue reading The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools.

Waving the White Flag: Why InfoSec should stop caring about HTTPOnly

As a company that is constantly working with our penetration testing clients on understanding where they should focus their efforts, qualifying risk is second-nature to us. On one hand, we never want to undersell a risk, and have a client accept that r… Continue reading Waving the White Flag: Why InfoSec should stop caring about HTTPOnly

Getting Started API Penetration Testing with Insomnia

In our blog series on Better API Penetration Testing with Postman we discussed using Postman as the client for testing RESTful service APIs. Insomnia is an MIT-licensed open source alternative to Postman. Its commercial maintainer, Kong, is best known … Continue reading Getting Started API Penetration Testing with Insomnia

Better API Penetration Testing with Postman – Part 3

In Part 1 of this series, we got started with Postman and generally creating collections and requests. In Part 2, we set Postman to proxy through Burp Suite, so that we could use its fuzzing and request tampering facilities. In this part, we will dig i… Continue reading Better API Penetration Testing with Postman – Part 3

Better API Penetration Testing with Postman – Part 2

In Part 1 of this series, I walked through an introduction to Postman, a popular tool for API developers that makes it easier to test API calls. We created a collection, and added a request to it. We also talked about how Postman handles cookies –… Continue reading Better API Penetration Testing with Postman – Part 2

Better API Penetration Testing with Postman – Part 1

This is the first of a multi-part series on testing with Postman. I originally planned for it to be one post, but it ended up being so much content that it would likely be overwhelming if not divided into multiple parts. So here’s the plan: In th… Continue reading Better API Penetration Testing with Postman – Part 1

Three C-Words of Web App Security: Part 3 – Clickjacking

This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application histor… Continue reading Three C-Words of Web App Security: Part 3 – Clickjacking

Three C-Words of Web App Security: Part 2 – CSRF

This is the second in a three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. In July, … Continue reading Three C-Words of Web App Security: Part 2 – CSRF

Three C-Words of Web App Security: Part 1 – CORS

For those less versed in web applications and how they’ve evolved, I wrote a sort of prologue to this post back in April 2018, titled A Brief Evolution of Web Apps. This is the first in a three-part series, Three C-Words of Web Application Securi… Continue reading Three C-Words of Web App Security: Part 1 – CORS