Good things happen when Forensics and Malware Analysis work together.

The SpiderLabs Incident Response team worked a case earlier this year where previously unseen ...

Read More

Smart Phone + Mail Server = Location Tracking

My last two posts have touched on the privacy perspective in relation tomobile applications. This ...

Read More

Adding Anti-CSRF Support to Burp Suite Intruder

In the web application penetration testing industry, Burp Suite is considered a must-have tool – it ...

Read More

Using Mobile Applications for attacking Web Applications

This simple blog post was motivated by my desire to look at some mobile applications that I happen ...

Read More

FinSpy Mobile - Configuration and Insight

A couple of weeks ago, Citizen Lab announced the discovery of the mobile component to the ...

Read More

Getting in with the Proxmark 3 and ProxBrute

As a member of the Physical Security team here at SpiderLabs, some of my job responsibilities ...

Read More

Oops, I pwned your router - Part Two

In the last blog post, "Opps I pwned your router Part One", I talked about some of poor security ...

Read More

Guidance for firms using the NetAccess N-1000

SpiderLabs' Incident Response team has recently seen credit card fraud involving the suspected ...

Read More

Hey, I just met you, and this is crazy, but here's my hashes, so hack me maybe?

Those familiar with password cracking know that KoreLogic's rule set for John the Ripper has become ...

Read More

Did I do that? (PenTest Faux Pas)

Many times, in the course of explaining what I do to others that are unfamiliar with information ...

Read More

JSON Hijacking Demystified

JavaScript Object Notation (JSON) is a language and platform independent format for data ...

Read More

CVSS for Penetration Test Results (Part II: Attack Sequences)

CVSS needs to be extended to accommodate combinations of vulnerabilities. The current documentation ...

Read More

Wherever you come from, you can meet BeEF

This year I've been very busy in terms of conferences, and developing/coordinating new features for ...

Read More

Analysing X-Cart Compromises

Recently I've found myself performing a lot of forensic examinations of X-Cart shopping carts. This ...

Read More

The First Few Months of Penetration Testing: What they don't teach you in School

I entered into school with the hope and dream of someday entering into the information security ...

Read More

Web Application Defense: Bayesian Attack Analysis

Regular Expressions for Input Validation If your web application defensive strategy against ...

Read More

Oracle DBMS_Scheduler Fun on Windows!

So, last time I showed how to get a Unix reverse shell up and running just by using Oracle PL/SQL ...

Read More

The New Zero-Day in Internet Exploder (Oops… Explorer)

The ride on the rollercoaster called the web security world never stops and keeps providing us, the ...

Read More

Exploiting Users By Non-technical Means; or, “S Users Do”

Numerous technical articles emerge each day about the latest vulnerabilities, flaws, exploits, and ...

Read More

Chat server fuzzing, Part 1. The Beginning

This article (along with subsequent articles) will cover the journey I've taken in learning about ...

Read More

No, the Internet Does Not ‘Just Work’

The recent GoDaddy DNS outage illustrates that the Internet does not just work and sometimes stuff ...

Read More

Microsoft Patch Tuesday September 2012 – Update those Certs!

As we mentioned last week there are only two patches this month! Not to mention they are only rated ...

Read More

Vulnerability Spidey Sense - Demystifying PenTesting Intuition

In Louisville, Kentucky next month at Derbycon, Daniel Crowley and I will be giving our ...

Read More

PenTesting: From Low Risk Issues to Sensitive Data Compromising

Yes, I imagine you are probably tired to see blog posts about "real-world" PenTesting, people ...

Read More

Microsoft Advanced Notification for September 2012 - Bad News, Good News

Microsoft has released its Advanced Notification for September 2012. The bad news is that there are ...

Read More

Getting a Start in the Security Industry

This has been a fairly common topic over the last year and I've seen plenty of blog posts and ...

Read More

Hackers and Media Hype: Big Hacks that Never Really Happened

If you combine the dictionary definitions for 'media' and 'hype' you come up with "A means of ...

Read More

CryptOMG Walkthrough - Challenge 1

It has been about 3 months since CryptOMG was released and I will start going through the ...

Read More