This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. The first part, which was on CORS (Cross-Origin Resource …
Three C-Words of Web App Security: Part 3 – Clickjacking Read More »
This post is the first in a series on Getting Started with information security tools. For more posts in this series, check out the Getting Started label on this post. BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar …
Getting Started with BeEF: The Browser Exploitation Framework Read More »
How many times have you been told you have a vulnerability that you just don’t understand its relevancy? Cross-Site scripting comes to mind for many people. Sure, they get the fact that you can execute scripts in the user’s browser, but often times they really don’t fully understand the impact. Of course, we determine that …
During our penetration tests we often get asked about the amount of information that is leaking out via social networks, web pages and the like. In fact the first step in our methodology is Recon where we search the Internet and social networks for information about the company we are targeting. It is sometimes surprising what we find when …
Professionally Evil: Your Stealth Startup is Showing Read More »
So RSA 2013 in San Francisco is coming up and I will be there for two different parts of the event. First, on the 24th and 25th of February, I will be presenting a two-day class Security 571 from SANS. This course is a two day course about mobile device and application security. As the …
Beware of the Unknown IT Grunt I decided to continue on with the same theme as Kevin’s post about the delivery guy. Secure Ideas was recently asked to do a couple of physical penetration tests and I was assigned to both. I must confess that physical penetration tests cause the adrenaline to kick in and …
This post is part of our Professionally Evil series of posts that discuss some of the experiences we have had as Security Consultants. In Kevin’s previous post he talked about his experience doing a physical penetration test as a delivery guy. In this post, I want to take a moment to highlight how my job …
Here at Secure Ideas we have had a ton of fun experiences during our work. When we teach or present, people often ask us to talk about the things we have been able to do, such as pulling credit cards out of a network via a Facebook application or tricking staff at a client into …
Many organizations do not include phishing in their annual penetration tests, as they believe that most phishing emails will be stopped by their email filtering solutions. Any “phishy” emails that get through will likely be clicked on by their employees but stopped by anti-virus or web filtering controls. These controls are good, but they typically …