How to configure BurpelFish

I recently was doing a pentest and was continuously looking up translations for words, and thought “there has to be a better way…”. That is when I landed on BurpelFish, which adds a google translate context option to your BurpSuite’s right click. When … Continue reading How to configure BurpelFish

Once upon a time there was a WebSocket

This is the story from one of our recent penetration testing engagements. Still, the story is a familiar one for those who are testing newer web applications that use one of the multitudes of evolving web app platforms built on a poorly understood tech… Continue reading Once upon a time there was a WebSocket

Fiddling with Windows: Proxy tools for Win10

If you have been following along with us, you know how to set up a Windows 10 Virtual Machine (VM) for web app pentesting. But now we have run into another problem. Let’s say that same client throws in a Windows 10 desktop app in scope. (You know… Continue reading Fiddling with Windows: Proxy tools for Win10

It’s Okay, We’re All On the SameSite

With Google’s recent announcement that all cookies without a SameSite flag will be treated as having SameSite=Lax set by default in Chrome version 80, surely Cross-Site Request Forgery will be dead? Well, not quite… In this post I’m g… Continue reading It’s Okay, We’re All On the SameSite

In Case of Fire: Break Windows

When a client calls us to pentest a web application that is only available in Internet Explorer. I cringe. I don’t know if it’s flashbacks from the countless hours spent getting a website compatible with IE, or the trauma from bad UX growin… Continue reading In Case of Fire: Break Windows

Hackers’ Operating System Kali Linux Released for Raspberry Pi 4

We’ve got some really exciting news for you…

Offensive Security has released an official version of Kali Linux for Raspberry Pi 4—the most powerful version of the compact computer board yet that was released just two weeks ago with the full 4GB of R… Continue reading Hackers’ Operating System Kali Linux Released for Raspberry Pi 4

Better API Penetration Testing with Postman – Part 3

In Part 1 of this series, we got started with Postman and generally creating collections and requests. In Part 2, we set Postman to proxy through Burp Suite, so that we could use its fuzzing and request tampering facilities. In this part, we will dig i… Continue reading Better API Penetration Testing with Postman – Part 3

Better API Penetration Testing with Postman – Part 2

In Part 1 of this series, I walked through an introduction to Postman, a popular tool for API developers that makes it easier to test API calls. We created a collection, and added a request to it. We also talked about how Postman handles cookies &#8211… Continue reading Better API Penetration Testing with Postman – Part 2

Better API Penetration Testing with Postman – Part 1

This is the first of a multi-part series on testing with Postman. I originally planned for it to be one post, but it ended up being so much content that it would likely be overwhelming if not divided into multiple parts. So here’s the plan: In th… Continue reading Better API Penetration Testing with Postman – Part 1

Three C-Words of Web App Security: Part 3 – Clickjacking

This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application histor… Continue reading Three C-Words of Web App Security: Part 3 – Clickjacking