Web Application Penetration Testing: What You Need to Know
As the world increasingly moves online, the importance of web application security grows. While there are many steps that organizations...
top of page
BLOG
Search
Komodo Research
Oct 29, 20215 min read
Baking Security Into the Development Lifecycle
Application security is not new. It has been around since the early 2000s and in a similar environment, where Code-Red, Nimda, and other...
309 views0 comments
Komodo Research
Jan 7, 20202 min read
Nginxproxy - An Open Source WAF to Protect against Malicious File Uploads
This project seeks to solve vulnerabilities caused by the upload of unwanted files to web application with the help of Nginx's reverse proxy
408 views0 comments
Komodo Research
Sep 10, 20193 min read
An Accidental SSRF Honeypot in Google Calendar
This is a story of what both I and Google engineers considered to be an SSRF vulnerability in Google Calendar – but turned out to be some...
6,463 views0 comments
Komodo Research
May 30, 20193 min read
When all else fails - find a 0-day
How a failing red-team engagement led us to find a silly zero day.
And why “insecure by default” is still an issue in 2019.
8,189 views20 comments
![Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties]](https://static.wixstatic.com/media/3184af_3139539f23c04694ae8706a1112fd2f7~mv2_d_3576_2630_s_4_2.jpg/v1/fill/w_1816,h_1364,fp_0.50_0.50,q_90,enc_auto/3184af_3139539f23c04694ae8706a1112fd2f7~mv2_d_3576_2630_s_4_2.jpg)
Komodo Research
May 15, 20194 min read
Is MIME Sniffing XSS a real thing? [The story of weird Google bug bounties]
Let’s start at the end. This one got me seriously confused. It all started a few months ago when a colleague was hacking away at some...
6,049 views0 comments
Komodo Research
Apr 25, 20193 min read
Through the cloud – remote debugging to crack MQ
In a simple penetration test the tester is presented with a target, say a web application, and attacks it from his workstation. However,...
764 views0 comments
Komodo Research
Mar 25, 20193 min read
Google Groups Authorization Bypass / $500 bounty
Tl;dr: I’ve recently been playing around with Google services, poking here and there for security vulnerabilities. It’s been a quite a...
2,110 views0 comments
Komodo Research
Feb 14, 20194 min read
DISTRIBUTED VERIFICATION OF SSL CERTIFICATES
Securing the (not so) Secure Socket Layer (SSSL).
130 views0 comments
Komodo Research
Jan 13, 20193 min read
FROM PUSH NOTIFICATIONS TO A BOTNET
One push too far / part 3 As we saw in part 1 and part 2 of this article series, we can use malicious notifications to gain persistent...
132 views0 comments
Komodo Research
May 17, 20185 min read
THE ARMY OF THE HEADLESS BROWSERS
How Facebook infrastructure can be used to perform DDoS. As a penetration tester, examining proprietary applications and repeatedly...
120 views0 comments
Komodo Research
Mar 11, 20183 min read
FILELESS ADWARE VIA WEB PUSH NOTIFICATIONS
One push too far / part 1 Push notifications are by no means anything new, and we know them well from our mobiles. However, in recent...
324 views0 comments
Komodo Research
Jan 12, 20184 min read
NOTIFICATION HIJACK: PERSISTENCY VIA REFLECTED XSS
One push too far / part 2 In part one of this article series I discussed a way for a website to abuse push notification permissions....
224 views0 comments
bottom of page