
Mar 22nd, 2016

Category: Uncategorized

Application Testing Maturity

After you’ve been testing for a few years, it is generally pretty easy to work out whether a site has been tested before. Greenfield sites which are on their first test are generally pretty obvious, not just because they tend to have the worst vulnerabilities, but because they have none of the mitigations against the […]

Mar 12th, 2016

Category: Uncategorized

Getting to Git

A few times recently we have run across Git repositories on live web servers. I’m not sure if this is just because Git is becoming much more heavily used, or whether part of it is down to the recent change in development methodologies towards something more fast and fluid, but unless you are intending your […]

Feb 16th, 2016

Category: Uncategorized

Scary Trace

One vulnerability that VA scanners (Nessus et al) find quite readily is the ASP.NET Trace function being enabled. This is not the same thing as the TRACE verb on a web server – it is actually a debug function for .NET based websites. Nessus classifies it as a medium risk vulnerability, and this is one […]

May 4th, 2015

Category: Uncategorized

Testing a CMS

So often these days what is presented as a “Web Application” is in fact a CMS (content management system) which has been customized to a greater or lesser extent. As so often, I sometimes feel that we take the wrong approach to this type of site. Where it is important to be clear, is what […]

Mar 23rd, 2015

Category: Uncategorized

How to get rid of all those pesky mediums….

I’m being slightly disingenuous here, but it often occurs to me that there would be a very quick way to get rid of the vast majority of medium severity vulnerabilities generated by scanners… Disable HTTPS and revert everything to clear text. At one stroke you get rid of SSLv2, SSLv3, weak ciphers, RC4, FREAK, BEAST, […]

Feb 17th, 2015

Category: Uncategorized

WordPress Mail and IIS

I ran into a problem with WordPress mail the other day (the sort of fundamental problem where it doesn’t work at all). As usual, trying to find information for how to fix this on IIS was not easy – in the end this was the information and fix I came up with. Natively – WordPress […]

Sep 3rd, 2014

Category: Software Security

Through Obscurity?

An ongoing theme I see on security sites is the controversy around ‘Security through Obscurity’, which is generally felt to be a bad thing. The justification for this tends to be something along the lines of ‘Don’t think that because you’ve not put a great big link to /supersecretfunctionality on the front page of […]

Jul 1st, 2014

Category: Uncategorized

OWASP AppSec EU

Rory and I just returned from OWASP AppSec EU where (for once) I was presenting but Rory wasn’t (as he was on the selection panel – though barred from reviewing my presentation!). The quality of the talks was very high – though in my opinion there was rather too much of an emphasis on mobile […]