Learn the top 10 website hacking techniques for the year.
Naenara Browser is the DPRK's version of Firefox that comes built into Red Star OS, the official operating system of North Korea. It is weirder than we thought.
Common HTTP headers are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP).
A long time ago I began to compile a list of lesser known but still very scary choke points on the Internet.
There’s a problem with the reflective Cross Site Scripting (“XSS”) filter in Microsoft’s Internet Explorer family of browsers that extends from version 8.0 (where the filter first debuted) through the most current version, 11.0, released in mid-October for Windows 8.1, and early November for Windows 7.
I think a lot of web designers and web masters have almost no idea what the most important things to focus on are, beginning on day one.
It appears that an unconventional method of Cross Site Request Forgery may be made exploitable by using Firefox versions 21 and below.
Never use Web Storage data for access control decisions or trust the serialized objects you store there for other critical business logic. A malicious user is free to modify their localStorage and sessionStorage values at any time; treat all Web Storage data as untrusted.
This interview openly discusses criminal activities from the perspective of an admitted criminal.
The keys to the kingdom pretty much always come down to acquiring source code for the web application you’re attacking from a blackbox perspective.
Password Cracking AES-256 DMGs and Epic Self-Pwnage
IT security is a massive concern for many organizations of all shapes and sizes. The consequences of a security failure are often drastic, sometimes terminal. Over recent years, there has been a relentless upward trajectory in spending on IT security, and there are no signs of that trend abating.
Learn 7 ways vulnerability scanners may harm websites and what to do about it.
Session fixation, by most definitions, is a subclass of session hijacking.
X-Frame-Options (XFO) is an HTTP response header, mostly used to combat Clickjacking, that informs a Web browser whether the page may be rendered in a <frame> or <iframe>.
Content Security Policy (CSP) is a new(ish) technology put together by Mozilla that Web apps can use as an additional layer of protection against Cross-Site Scripting (XSS). This protection against XSS is the primary goal of CSP technology.
Learn what CSRF is and how to develop CSRF prevention design principles.
HTTP Strict Transport Security (HSTS) is a new(ish) technology that allows an application to force browsers to use only SSL/TLS (HTTPS, not HTTP) when they visit that application.
Session cookies (or, to Java folks, the cookie containing the JSESSIONID) are the cookies used to perform session management for Web applications.
Clickjacking is a type of “Web framing” or “UI redressing” attack, and this post covers how to prevent it.
X-Frame-Options allows an application to specify whether or not specific pages of the site can be framed. This is meant to help prevent the clickjacking problem.
Many penetration testers rarely test for cryptographic vulnerabilities. This post provides details of a length extension attack.
Please forgive the title, but today’s topic is something to be wary of if you write (or use) any access control / authorization type code in Web-based J2EE apps: HTTP URL path parameters.
These cookies hold the reference to the session identifier for a given user, and the same identifier, along with any session-scoped data related to that session id, is maintained server-side.
Error or exception handling is an important, but often ignored, part of any application. And although there’s a lot to be said on the topic I’m going to cover only a few of the most critical cases in J2EE Web applications.
A Single-Site Browser (SSB) is a highly restricted Web browser only capable of connecting to a single website. A “website” can be defined as a white-listed collection of one or more hostnames, IP addresses, ports, and protocols.
sIFR3 allows for the use of non-free fonts within a web application via the Adobe Flash plugin. The sIFR3 module interfaces with an external JS file and uses the parameter "version" to ensure the two files are compatible.
For more than a decade, PHP programmers have been wrestling with the equals-equals (==) operator. It has caused a lot of issues, and it has a particular implication for password hashes.
If you’ve done unique research in information security, work that others would be interested in learning, the conference circuit provides an amazing opportunity to travel the world (for free!), advance your career, and share it with others.