In this episode, James talks about some of the risks and recommendations around security questions and their implementation. For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. … [Read more...] about Ep. 113: What is your mother’s maiden name?
XSS in Script Tag
Cross-site scripting is a pretty common vulnerability, even with many of the new advances in UI frameworks. One of the first things we mention when discussing the vulnerability is to understand the context. Is it HTML, Attribute, JavaScript, etc.? This understanding helps us better understand the types of characters that can be used to expose the vulnerability. In this post, I want to take a quick look at placing data within a <script> tag. In particular, I want to look at how embedded … [Read more...] about XSS in Script Tag
Ep. 112: Application Fingerprinting
Does your application give away details about it server, framework, or other components? How is this information used by an attacker? Check out this episode to learn more. For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. … [Read more...] about Ep. 112: Application Fingerprinting
Ep. 111: Authentication Alerts
Would you know if someone authenticated to your account? With the breaches we see in the news, and attacks like credential stuffing, there must be a way to be alerted to account access. James talks about authentication alerts, what they are, and why you may want to use them. For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to … [Read more...] about Ep. 111: Authentication Alerts
Ep. 110: Implementation Matters
James discusses how implementation matters with security controls and how it changes priorities. This came about after reading the following story: https://www.theverge.com/2018/12/31/18162541/vein-authentication-wax-hand-hack-starbug For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. … [Read more...] about Ep. 110: Implementation Matters
What is the difference between Brute Force and Credential Stuffing?
Many people get confused between brute force attacks and credentials stuffing. To help clear this up, here is a simple description of the two. These are both in regards to the login form only. Brute Force Brute force attacks on the login form consist of the attacker having a defined list (called a dictionary) of potential passwords. The attacker will then try each of these defined passwords with each username the attacker is trying to brute force. Put simply, this is a 1 (username) too many … [Read more...] about What is the difference between Brute Force and Credential Stuffing?