JSON Hijacking Demystified
JavaScript Object Notation (JSON) is a language and platform independent format for data ...
Read More
CVSS for Penetration Test Results (Part II: Attack Sequences)
CVSS needs to be extended to accommodate combinations of vulnerabilities. The current documentation ...
Read MoreWherever you come from, you can meet BeEF
This year I've been very busy in terms of conferences, and developing/coordinating new features for ...
Read MoreAnalysing X-Cart Compromises
Recently I've found myself performing a lot of forensic examinations of X-Cart shopping carts. This ...
Read MoreThe First Few Months of Penetration Testing: What they don't teach you in School
I entered into school with the hope and dream of someday entering into the information security ...
Read MoreWeb Application Defense: Bayesian Attack Analysis
Regular Expressions for Input Validation If your web application defensive strategy against ...
Read MoreOracle DBMS_Scheduler Fun on Windows!
So, last time I showed how to get a Unix reverse shell up and running just by using Oracle PL/SQL ...
Read MoreThe New Zero-Day in Internet Exploder (Oops… Explorer)
The ride on the rollercoaster called the web security world never stops and keeps providing us, the ...
Read MoreExploiting Users By Non-technical Means; or, “S Users Do”
Numerous technical articles emerge each day about the latest vulnerabilities, flaws, exploits, and ...
Read MoreChat server fuzzing, Part 1. The Beginning
This article (along with subsequent articles) will cover the journey I've taken in learning about ...
Read MoreNo, the Internet Does Not ‘Just Work’
The recent GoDaddy DNS outage illustrates that the Internet does not just work and sometimes stuff ...
Read MoreMicrosoft Patch Tuesday September 2012 – Update those Certs!
As we mentioned last week there are only two patches this month! Not to mention they are only rated ...
Read MoreVulnerability Spidey Sense - Demystifying PenTesting Intuition
In Louisville, Kentucky next month at Derbycon, Daniel Crowley and I will be giving our ...
Read MorePenTesting: From Low Risk Issues to Sensitive Data Compromising
Yes, I imagine you are probably tired to see blog posts about "real-world" PenTesting, people ...
Read MoreMicrosoft Advanced Notification for September 2012 - Bad News, Good News
Microsoft has released its Advanced Notification for September 2012. The bad news is that there are ...
Read MoreGetting a Start in the Security Industry
This has been a fairly common topic over the last year and I've seen plenty of blog posts and ...
Read MoreHackers and Media Hype: Big Hacks that Never Really Happened
If you combine the dictionary definitions for 'media' and 'hype' you come up with "A means of ...
Read MoreCryptOMG Walkthrough - Challenge 1
It has been about 3 months since CryptOMG was released and I will start going through the ...
Read MorePhishing Evolves: Rogue IVRs
As someone who's worked in the financial industry for years, I'm fascinated by methods used by ...
Read MoreThe Patsy Proxy: Getting others to do your dirty work
Patsy (slang) - A person easily taken advantage of, cheated, blamed, or ridiculed. My girlfriend ...
Read MoreClient-side Payload - The Brazilian Way.
My name is Wendel Guglielmetti Henrique, and I'm a senior security consultant at Trustwave's ...
Read MoreTWSL2012-019: Cross-Site Scripting Vulnerability in Support Incident Tracker
Trustwave SpiderLabs has published a new advisory today for a Cross-Site Scripting vulnerability ...
Read MoreBackward Compatibility Plays to Malware’s Hands
Maintaining backward compatibility in software products is hard. Technology evolves on a daily ...
Read MoreHow to Get the Most Out of a PenTest
Being a PenTester for Trustwave Spiderlabs, I work with a huge amount of clients ranging from three ...
Read MoreStripe-CTF Walkthrough
I had the opportunity to do the Stripe-CTF (Capture The Flag) contest this past week, and enjoyed ...
Read MoreHow Antivirus Saved the Day…Sort of.
Recently, I found myself in a common situation—helping a comrade in our Incident Response division ...
Read MoreIt's a sunny (zero) day for Java
Java exploits have been used for distributing malware for a while. See for example our blog post ...
Read More