This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. The first part, which was on CORS (Cross-Origin Resource …
Three C-Words of Web App Security: Part 3 – Clickjacking Read More »
This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips. This will range from filter-evasion and payload minification tricks, to old (but still good) classic XSS tips, to scripts that make (or contribute to) interesting proof-of-concept payloads. Day 1 – Template Literals …
This is the second in a three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. In July, I posted part one, which was Three C-Words of Web App Security: …
Three C-Words of Web App Security: Part 2 – CSRF Read More »
For those less versed in web applications and how they’ve evolved, I wrote a sort of prologue to this post back in April 2018, titled A Brief Evolution of Web Apps. This is the first in a three-part series, Three C-Words of Web Application Security. This one will deal with CORS, while the next will …
Three C-Words of Web App Security: Part 1 – CORS Read More »
Author’s Note: This was actually meant to be the first part of a series called Three C-Words of Web App Security, dealing with CORS, CSRF, and Clickjacking, each in its own post. But as I started writing the exposition necessary to provide context around these issues, I realized that I really had so much background …
Samurai Web Testing Framework, if you’re not familiar with it, it’s a linux environment that is primarily now used for teaching web application penetration testing. It has a number of target web applications to train against, and a curated collection of attack tools. For the newest major version, we have made some changes to how …
I recently got the opportunity to speak at B-Sides Charleston on cross-site scripting (XSS) payload development. For me, this was a really enjoyable opportunity because of my background. I was a software developer specializing in web apps for about 10 years. I did web development as a hobby for more than 10 years before that. …