A little background… As I stood in front of a class of developers trying to explain cross-origin resource sharing (CORS), I knew I wasn’t conveying it well enough for a significant subset of the group. It was Autumn 2017 (not my password at the time, by the way), and I was on-site with one of …
As a company that is constantly working with our penetration testing clients on understanding where they should focus their efforts, qualifying risk is second-nature to us. On one hand, we never want to undersell a risk, and have a client accept that risk based on an improperly informed position. On the other hand, I think …
Waving the White Flag: Why InfoSec should stop caring about HTTPOnly Read More »
This is easy to fix. All we need to do is tell our browser that the Burp CA can be trusted. Because every new installation of Burp generates a different CA, this doesn’t create a risk of somebody else intercepting your traffic surreptitiously with their Burp instance. The actual steps to perform this vary slightly by operating system.
In our blog series on Better API Penetration Testing with Postman we discussed using Postman as the client for testing RESTful service APIs. Insomnia is an MIT-licensed open source alternative to Postman. Its commercial maintainer, Kong, is best known for their microservice API Gateway. Like Postman, Kong offers premium subscriptions for syncing and collaboration functionality. …
Getting Started API Penetration Testing with Insomnia Read More »
This is the final part of this series on putting together a better API testing tool-chain. In Part 1, I covered a basic introduction to Postman and how to use it to send requests. In Part 2, we set it up to proxy through Burp Suite. In Part 3, we added some more advanced usage …
Better API Penetration Testing with Postman – Part 4 Read More »
In Part 1 of this series, we got started with Postman and generally creating collections and requests. In Part 2, we set Postman to proxy through Burp Suite, so that we could use its fuzzing and request tampering facilities. In this part, we will dig into some slightly more advanced functionality in Postman that you …
Better API Penetration Testing with Postman – Part 3 Read More »
In Part 1 of this series, I walked through an introduction to Postman, a popular tool for API developers that makes it easier to test API calls. We created a collection, and added a request to it. We also talked about how Postman handles cookies – which is essentially the same way a browser does. …
Better API Penetration Testing with Postman – Part 2 Read More »
This is the first of a multi-part series on testing with Postman. I originally planned for it to be one post, but it ended up being so much content that it would likely be overwhelming if not divided into multiple parts. So here’s the plan: In this post, I’ll give you an introduction to setting …
Better API Penetration Testing with Postman – Part 1 Read More »
This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. The first part, which was on CORS (Cross-Origin Resource …
Three C-Words of Web App Security: Part 3 – Clickjacking Read More »
This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips. This will range from filter-evasion and payload minification tricks, to old (but still good) classic XSS tips, to scripts that make (or contribute to) interesting proof-of-concept payloads. Day 1 – Template Literals …