BLOG

As the world increasingly moves online, the importance of web application security grows. While there are many steps that organizations...

Application security is not new. It has been around since the early 2000s and in a similar environment, where Code-Red, Nimda, and other...

This project seeks to solve vulnerabilities caused by the upload of unwanted files to web application with the help of Nginx's reverse proxy

This is a story of what both I and Google engineers considered to be an SSRF vulnerability in Google Calendar – but turned out to be some...

How a failing red-team engagement led us to find a silly zero day. And why “insecure by default” is still an issue in 2019.

Let’s start at the end. This one got me seriously confused. It all started a few months ago when a colleague was hacking away at some...

In a simple penetration test the tester is presented with a target, say a web application, and attacks it from his workstation. However,...

Tl;dr: I’ve recently been playing around with Google services, poking here and there for security vulnerabilities. It’s been a quite a...

Securing the (not so) Secure Socket Layer (SSSL).

One push too far / part 3 As we saw in part 1 and part 2 of this article series, we can use malicious notifications to gain persistent...

How Facebook infrastructure can be used to perform DDoS. As a penetration tester, examining proprietary applications and repeatedly...

One push too far / part 1 Push notifications are by no means anything new, and we know them well from our mobiles. However, in recent...

One push too far / part 2 In part one of this article series I discussed a way for a website to abuse push notification permissions....