I think all of us are aware of what phishing is. It is basically the use of an email to target a victim. This is a form of social engineering where the attacker wants to get something from the target. The two most common attacks with this are: - Download or open an attachment that is malicious. - Click a link that redirects the user to a malicious site. This often leads to trying to trick the user into entering their credentials. There is a fairly new tactic that is becoming more popular that … [Read more...] about Phishing With QR Codes?
blog
Client vs. Server Validation
How many times have we thrown a vulnerability over to the development team assuming they understand what the issue is? How many times have we sat with the development team to show them what we do? This isn't a point of showing how to attack to build up the next generation of security people. Instead, it is focused on showing the development team how at attacker looks at their application so they better understand the issue identified. Let's walk through a really simple scenario You have an … [Read more...] about Client vs. Server Validation
Technical Debt vs. New Dev
When it comes to application vulnerabilities, there are 2 common groups we might view them: Technical Debt and New Development. I break these down because the way in which we address vulnerabilities is fundamentally different. Something that might not be exploitable receives a very low priority when it is technical debt. However, during new development, it can be addressed with little cost. Much of this comes down to if soemthing is syntactically insecure vs. actually vulnerable. Let’s look at … [Read more...] about Technical Debt vs. New Dev
Ep. 120: Addressing Root Cause – Vulnerable Components
In this episode we talk about addressing the root cause of an issue versus the symptoms. How can the process of keeping application components updated be improved? For more info go to https://www.developsec.com or follow us on twitter (@developsec). DevelopSec provides application security consulting and training to add value to your application security program. Contact us today to see how we can help. Transcript: In this episode, James talks about root cause analysis versus treating … [Read more...] about Ep. 120: Addressing Root Cause – Vulnerable Components
Ep. 119: Risks of SpellCheck
In this episode we talk about the spell check feature of the browser and how it could present a risk to sensitive data. Listen to the Episode: Link to article referenced: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords For more info go to https://www.developsec.com or follow us on twitter (@developsec). … [Read more...] about Ep. 119: Risks of SpellCheck
The risk of Spell Checking
Did you know that input fields on a web form support spell checking by default in many web browsers? This is a feature of the browser that can help catch errors early for the end user. Recently, some testers found that some data may be leaked during the spell checking function to 3rd parties. Here is a reference article describing this: https://www.darkreading.com/application-security/spellchecking-google-chrome-microsoft-edge-browsers-leaks-passwords The first point to make here is this is … [Read more...] about The risk of Spell Checking