
May 23rd, 2017


Some password stupidity

The stupidity of the password complexity controls on many websites never ceases to amaze me – but I was particularly not amused when I noticed today the idiocy of the official Scottish Government policy. They have a “password strength” meter which actively prevents many strong passwords, and promotes defective ones which are likely to be […]

Nov 25th, 2016


Paying for it all…

Of course it would be lovely just to be able to make a conference with all the bells and whistles without having to think about the costs – but back in the real world, one of the most important things was working out how to pay for everything. As we were largely independent under the […]

Nov 10th, 2016


XSS – The gift that just keeps giving

Vulnerabilities, on the whole, come and go. I’ve been testing for seven years now, and I’ve seen the rise and fall of a number of them. When I started off, for example, SQL Injection was relatively common (it shouldn’t have been, because it was pretty venerable even then, but it was); now with the adoption […]

Nov 10th, 2016


BSides Edinburgh – Venue

So one of the first things we had to think about was getting a venue in Scotland. As we didn’t have sponsors lined up at this point and we had no idea what degree of interest we would have – our first thought was to try to get a venue that was either entirely free […]

Oct 19th, 2016


BSides Edinburgh

Myself and a couple of colleagues have decided to get together to organize a security conference for/in Scotland. Actually, we had meant to do this a few years ago and had actually got to the brainstorming stage before our move to Argyll curtailed matters for that time. But now with security conferences springing up like […]

Jul 1st, 2016


Just a few Mobile Devices

I’m doing an Android test next week so was just getting some of my testing kit charged up and ready to go. It rather made me laugh looking at just a sample of the devices we have. Pictured we have a Nexus 7 tablet, a Fire tablet, a Motorola Moto 2G Android phone, a nameless […]

Jun 22nd, 2016


The trouble with JWT

I ran across a test using JWT (JSON Web Tokens) for authentication/authorisation recently. This was the first time I had seen a site using this, and it was quite interesting to compare it to OAuth (it is certainly a bit simpler). There is a good site for decoding these here: https://jwt.io/ but basically they are made up […]

Jun 13th, 2016


Reverse Session Fixation

I came across an interesting issue on a test the other day. I’ve never heard of this before (or come across it for that matter), so I am going to call it “Reverse Session Fixation”, which describes it quite well. The site used ASP.NET and had quite a common problem where the developer had (presumably accidentally) […]

Apr 28th, 2016


Some more on Testing Environments

I was just giving my last post some more thought whilst working on a test which actually is in a UAT environment, and a few more things came to mind which I didn’t mention… Firstly, there is of course not a lot of point in doing any kind of infrastructure testing as part of the […]

Apr 12th, 2016


Testing in Live Environments

It seems pretty obvious that carrying out web application testing in a live production environment is in general a bad idea. Exactly how bad an idea depends on the nature of the site, but considering that many testing functions involve deliberately creating data which is either badly formatted, or is in a location where it […]