
  1. The Evil Side of JavaScript: Server-Side JavaScript Injection

    Ever since its humble inception, JavaScript has gained a lot of traction in the world of software development. What originally started as an experimental language meant to increase responsiveness in the browser has evolved into a full-fledged language with the capability to produce full stack web applications.

    Full stack JavaScript development has quite a few perks, including enhanced performance times. For this reason, it can be an ideal solution for rapid development. That being said, JavaScript has been notorious for security vulnerabilities. Client-side JavaScript vulnerabilities have been extensively studied for years, but are still one of the most common classes of vulnerabilities in applications. For example, Cross-Site Scripting (XSS) has been on the OWASP Top 10 vulnerability list since its inception in 2003. While client-side XSS is certainly a problem, server-side JavaScript injection (SSJI) can be much more dangerous in an application. In fact, one could argue that SSJI is one of the most crippling web application vulnerabilities on the web today.

  2. Introducing Django.nV: An intentionally vulnerable Django application

    nVisium is proud to announce the release of Django.nV, an intentionally vulnerable project management application. As with all of the 'nV' suite of applications, Django.nV demonstrates a series of common vulnerabilities in the context of a modern application. The flaws within the application include vulnerabilities ranging from the OWASP Top 10 (Injection, Insecure Direct Object Reference) to some Django-specific issues (Mass Assignment and Insecure Settings).

    The project is hosted on GitHub and can be found here: Django.nV.

  3. nVisium Makes Inc.'s 500 Fastest Growing Private Companies

    nVisium is extremely proud to be ranked #431 on the Inc. 500 list of America's fastest growing private companies this year. nVisium has seen a surge in growth over the last few years, with a three-year growth rate of 1,087.4%. As a privately funded and completely bootstrapped company, we attribute this success to several factors.

  4. Mitigating JavaScript context Cross-Site Scripting in PHP

    Cross-Site Scripting (XSS) is a vulnerability I personally spend a lot of time researching and writing about. This is largely due to the fact that XSS is EVERYWHERE!

    This post will demonstrate how we can mitigate JavaScript context XSS in PHP applications.

  5. Golang Security and Concurrency

    The Go language released its Go 1.5 beta early last week with a host of new features: a self-hosted compiler, concurrent garbage collection, multiprocess usage for goroutines (equaling the number of cores on your system), and more. We last covered Go almost a year ago when we discussed some of the benefits of the language, like UTF-8 strings, concurrency with the CSP model, and superb performance.

    With Go 1.5's changes in mind, it's worth taking a look at some of the security issues in Go applications to see how they fare. What kinds of concurrency issues emerge and what do they mean for web security?

  6. Intro to BurpSuite, Part VI: BurpSuite Sequencer

    Welcome to the next edition of the Intro to BurpSuite series. This time around I wanted to draw attention to one of the more advanced features of the BurpSuite toolset, Burp's built-in sequencer. The Sequencer tool has a lot to offer, but it is often overlooked and seen as a complex instrument to be used by only the most intelligent security engineers. If you've been following along in the series and have a few application assessments under your belt, this is a good addition to your mental toolkit to expand your capabilities as a security analyst or penetration tester.

  7. Time-Based Username Enumeration: Practical or Not?

    Username enumeration is one of those vulnerabilities that appear to be everywhere. Facebook has it, Twitter has it, and basically every default WordPress installation has it. Companies don't appear to see the risk associated with the vulnerability.