Application Security

teacher and chalkboard

The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools.

A little background… As I stood in front of a class of developers trying to explain cross-origin resource sharing (CORS), I knew I wasn’t conveying it well enough for a significant subset of the group. It was Autumn 2017 (not my password at the time, by the way), and I was on-site with one of …

The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools. Read More »

Better API Penetration Testing with Postman – Part 3

In Part 1 of this series, we got started with Postman and generally creating collections and requests. In Part 2, we set Postman to proxy through Burp Suite, so that we could use its fuzzing and request tampering facilities. In this part, we will dig into some slightly more advanced functionality in Postman that you …

Better API Penetration Testing with Postman – Part 3 Read More »

Android App Testing on Chromebooks

Update: As of March 2021, I’d recommend using Android Virtual Devices over Chromebooks.  Chromebooks still work (in many cases) but the AVDs are much easier to build and use. Jason wrote a great blog on how to set them up and can be found here: https://secureideas.com/blog/2020/09/how-to-configure-android-virtual-for-mobile-pentest.html.  If you are still interested in using a Chromebook, …

Android App Testing on Chromebooks Read More »

Twelve Days of XSSmas

This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips. This will range from filter-evasion and payload minification tricks, to old (but still good) classic XSS tips, to scripts that make (or contribute to) interesting proof-of-concept payloads. Day 1 – Template Literals …

Twelve Days of XSSmas Read More »

Three C-Words of Web App Security: Part 2 – CSRF

This is the second in a three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief Evolution of Web Apps, just to set the scene for those less versed in web application history. In July, I posted part one, which was Three C-Words of Web App Security: …

Three C-Words of Web App Security: Part 2 – CSRF Read More »

Scroll to Top