James Bond's Dry Erase Marker: The Hotel PenTest Pen

You may have seen the talk and demonstration by Cody Brocious that allows him to open an Onity ...

Announcing the availability of ModSecurity extension for Nginx

ModSecurity for Nginx is a web server plug-in for the Nginx web server ...

How Should WAFs Handle Authorized Vulnerability Scanning Traffic?

I have been asked this question more and more over the years as organizations are dealing with both ...

Trustwave SpiderLabs in Africa

Africa. The land of origin; the original unknown.

Update from Trustwave SpiderLabs EMEA

Europe, Middle East and Africa consists of around 120 countries depending on the definition of each ...

Good things happen when Forensics and Malware Analysis work together.

The SpiderLabs Incident Response team worked a case earlier this year where previously unseen ...

Smart Phone + Mail Server = Location Tracking

My last two posts have touched on the privacy perspective in relation to mobile applications. This ...

Adding Anti-CSRF Support to Burp Suite Intruder

In the web application penetration testing industry, Burp Suite is considered a must-have tool – it ...

Using Mobile Applications for attacking Web Applications

This simple blog post was motivated by my desire to look at some mobile applications that I happen ...

FinSpy Mobile - Configuration and Insight

A couple of weeks ago, Citizen Lab announced the discovery of the mobile component to the ...

Getting in with the Proxmark 3 and ProxBrute

As a member of the Physical Security team here at SpiderLabs, some of my job responsibilities ...

Oops, I pwned your router - Part Two

In the last blog post, "Oops, I pwned your router - Part One", I talked about some of the poor security ...

Guidance for firms using the NetAccess N-1000

SpiderLabs' Incident Response team has recently seen credit card fraud involving the suspected ...

Hey, I just met you, and this is crazy, but here's my hashes, so hack me maybe?

Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become ...

Did I do that? (PenTest Faux Pas)

Many times, in the course of explaining what I do to others that are unfamiliar with information ...

JSON Hijacking Demystified

JavaScript Object Notation (JSON) is a language and platform independent format for data ...

CVSS for Penetration Test Results (Part II: Attack Sequences)

CVSS needs to be extended to accommodate combinations of vulnerabilities. The current documentation ...

Wherever you come from, you can meet BeEF

This year I've been very busy in terms of conferences, and developing/coordinating new features for ...

Analysing X-Cart Compromises

Recently I've found myself performing a lot of forensic examinations of X-Cart shopping carts. This ...

The First Few Months of Penetration Testing: What they don't teach you in School

I entered into school with the hope and dream of someday entering into the information security ...

Web Application Defense: Bayesian Attack Analysis

Regular Expressions for Input Validation: If your web application defensive strategy against ...

Oracle DBMS_Scheduler Fun on Windows!

So, last time I showed how to get a Unix reverse shell up and running just by using Oracle PL/SQL ...

The New Zero-Day in Internet Exploder (Oops… Explorer)

The ride on the rollercoaster called the web security world never stops and keeps providing us, the ...

Exploiting Users By Non-technical Means; or, “S Users Do”

Numerous technical articles emerge each day about the latest vulnerabilities, flaws, exploits, and ...

Chat server fuzzing, Part 1. The Beginning

This article (along with subsequent articles) will cover the journey I've taken in learning about ...

No, the Internet Does Not ‘Just Work’

The recent GoDaddy DNS outage illustrates that the Internet does not just work and sometimes stuff ...

Microsoft Patch Tuesday September 2012 – Update those Certs!

As we mentioned last week there are only two patches this month! Not to mention they are only rated ...

Vulnerability Spidey Sense - Demystifying PenTesting Intuition

In Louisville, Kentucky next month at Derbycon, Daniel Crowley and I will be giving our ...