Thursday, August 13, 2015
nVisium is proud to announce the release of Django.nV, an intentionally vulnerable project management application. As with all of the 'nV' suite of applications, Django.nV demonstrates a series of common vulnerabilities in the context of a modern application. The flaws within the application include vulnerabilities ranging from the OWASP Top 10 (Injection, Insecure Direct Object Reference) to some Django-specific issues (Mass Assignment and Insecure Settings).
The project is hosted on Github and can be found here: Django.nV.
Wednesday, August 12, 2015
Thursday, July 30, 2015Cross-Site Scripting (XSS) is a vulnerability I personally spend a lot of time researching and writing about. This is largely due to the fact that XSS is EVERYWHERE!
Thursday, July 16, 2015The Go language released its Go 1.5 beta early last week with a host of new features: a self-hosted compiler, concurrent garbage collection, multiprocess usage for goroutines (equaling the number of cores on your system), and more. We last covered Go almost a year ago when we discussed some of the benefits of the language, like UTF-8 strings, concurrency with the CSP model, and superb performance.
With Go 1.5's changes in mind, it's worth taking a look at some of the security issues in Go applications to see how they fare. What kinds of concurrency issues emerge and what do they mean for web security?
Thursday, July 9, 2015Welcome to the next edition of the Intro to BurpSuite series. This time around I wanted to draw attention to one of the more advanced features of the BurpSuite toolset, Burp's built-in sequencer. The Sequencer tool has a lot to offer, but it is often overlooked and seen as a complex instrument to be used by only the most intelligent security engineers. If you've been following along in the series and have a few application assessments under your belt, this is a good addition to your mental toolkit to expand your capabilities as a security analyst or penetration tester.
Thursday, June 25, 2015Username enumeration is one of those vulnerabilities that appear to be everywhere. Facebook has it, Twitter has it, and basically every default Wordpress installation has it. Companies don't appear to see the risk associated with the vulnerability.