1. xssValidator v1.2.0 Released

    It has been quite a while since you’ve heard anything new about xssValidator, but today we bring good news! Version 1.2.0 has been released with some significant modifications.

  2. The AppSec Newb’s Journey Part I: Welcome to AppSec

    Welcome to the incredible and exciting world of Application Security (AppSec).

    In The AppSec Newb’s Journey series I want to provide a starting point for those interested in AppSec but may not know where to start. I am new to the industry myself, so I wanted to share some of the resources and tactics that have helped me along my journey. It should be noted that I decided to go down the self-learning path, so many of these resources are dependent on taking the time and effort to learn on your own. This doesn’t mean that you shouldn’t ask for help from anybody; there are plenty of people out there eager to help you!

  3. nVisium Announces Swift.nV

    Herndon, VA--(August 20, 2014) - nVisium, the leading provider of application security tools, services and research for software development, released Swift.nV, a new training tool for identifying and testing vulnerabilities in the Swift programming language today.

  4. Intro to BurpSuite V: Extracting Intrusions

    Hi, Folks,

    Since the last post on Intruder, I've been seeing questions come up on how to pull out data from a large number of results. I wanted to take some time to throw a quick post on how you can leverage some of the more advanced options in Intruder to automatically pull some information out. One of the suggestions that comes straight from PortSwigger is to use the Grep Extract option to pull data from responses.

    Today, I'm going to demonstrate this functionality using WebGOAT.NET, a project that's freely available on OWASP and Github so you can follow along.

  5. iOS Assessments with Burp + iFunBox + SQLite

    In January, I wrote a post on performing Android Assessments with GenyMotion + Burp so I thought it was about time I wrote a similar post on performing iOS assessments.

    Aside from a company by the name of Virtual that has a private beta on a virtualization platform for iOS, there are no other virtualization options.

    The three options for performing an iOS assessment at the moment are to use the iOS simulator that comes with XCode (only works with Macs, requires the application's code), a jailbroken/developer licensed iOS device, or a non-jailbroken iOS device with iFunBox (which I will go over in this post).

  6. Swift Core Data Format String Injection

    ...Or how I developed a love/hate relationship with format strings

    The last couple of months since WWDC have been an interesting exercise in forgetting the complexity of Objective-C (ObjC), falling in love with Swift, and then realizing Apple hasn't completely dropped ObjC for Swift. Programming an iOS application in Swift quickly becomes a translation effort in converting ObjC code to use Swift syntax and format, since even Apple's own developer site still references ObjC examples in documentation and Class References. In addition, the Xcode 6 beta and Swift are not a complete match. Auto-generated code often fails when using Apple's provided templates, including Cocoa Touch Classes. Pay attention to the compiler errors and warnings before trying to actually deploy anything.

    This post explores Swift's interaction with Core Data and how to break (and secure) format strings using wildcards and injection techniques. Core Data's is Apple's object graph and persistence framework that makes it easy for Mac and iOS developers to store and retrieve data without the overhead of dealing with databases or other network services. If you are unfamiliar with Core Data, Apple's tutorial is quite extensive and can take some time to get through. I would recommend Techtopia's iOS 7 Core Data tutorial to get the basic gist of working with the technology. The one issue is that most tutorials still only address Core Data use with ObjC, so translation to Swift is something you'll have to figure out.

  7. Intro to BurpSuite Part IV: Being Intrusive

    Welcome to our 4th installment of Intro to BurpSuite. This time around we're going to focus on using another tool in the BurpSuite arsenal to send targeted requests to a web server, rapid-fire. Intruder can be used for a variety of fuzzing and bruteforce techniques using premade lists or automatically generated input. This is amazingly useful for those list-based tasks as well, such as mapping a site or discovering hidden directories and errors.