Blog

May 23rd 2017 | By scotsts_admin | Category: Uncategorized

Some password stupidity

The stupidity of the password complexity controls on many websites never ceases to amaze me, but I was particularly not amused when I noticed today the idiocy of the official Scottish Government policy. They have a “password strength” meter which actively prevents many strong passwords, and promotes defective ones which are likely to be […]

Nov 25th 2016 | By scotsts_admin | Category: Uncategorized

Paying for it all…

Of course it would be lovely just to be able to make a conference with all the bells and whistles without having to think about the costs – but back in the real world, one of the most important things was working out how to pay for everything. As we were largely independent under the […]

Nov 10th 2016 | By scotsts_admin | Category: Uncategorized

XSS – The gift that just keeps giving

Vulnerabilities, on the whole, come and go. I’ve been testing for seven years now, and I’ve seen the rise and fall of a number of them. When I started off, for example, SQL Injection was relatively common (it shouldn’t have been, because it was pretty venerable even then, but it was); now with the adoption […]

Nov 10th 2016 | By scotsts_admin | Category: Uncategorized

BSides Edinburgh – Venue

So one of the first things we had to think about was getting a venue in Scotland. As we didn’t have sponsors lined up at this point and had no idea what degree of interest there would be, our first thought was to try to get a venue that was either entirely free […]

Oct 19th 2016 | By scotsts_admin | Category: Uncategorized

BSides Edinburgh

A couple of colleagues and I have decided to get together to organize a security conference for/in Scotland. Actually, we had meant to do this a few years ago and had actually got to the brainstorming stage before our move to Argyll curtailed matters for that time. But now, with security conferences springing up like […]

Jul 1st 2016 | By scotsts_admin | Category: Uncategorized

Just a few Mobile Devices

I’m doing an Android test next week so was just getting some of my testing kit charged up and ready to go. It rather made me laugh looking at just a sample of the devices we have. Pictured we have a Nexus 7 tablet, a Fire tablet, a Motorola Moto 2G Android phone, a nameless […]

Jun 22nd 2016 | By scotsts_admin | Category: Uncategorized

The trouble with JWT

I ran across a test using JWT (JSON Web Tokens) for authentication/authorisation recently. This was the first time I had seen a site using this, and it was quite interesting to compare it to OAuth (it is certainly a bit simpler). There is a good site for decoding these here: https://jwt.io/ but basically they are made up […]
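The point a tester should take from decoding a JWT at jwt.io is that the header and claims are just base64url-encoded JSON: anyone holding the token can read and rewrite them, and only the third part (the signature) ties them to the issuer. The following is an added example, not code from the blog or from the site under test, using only the Python standard library and a constructed demo key; it builds an HS256 token, shows that decoding it proves nothing, and that tampering with the claims is caught only by the signature check.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key for this example only; a real signing key is a server secret.
DEMO_KEY = b"constructed-demo-secret"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the token format removes, then decode.
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_hs256_token(payload: dict, key: bytes) -> str:
    # header.payload are signed together; the signature is HMAC-SHA256 over that string.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    # This is all a decoder like jwt.io does: it reads the header and claims.
    # It says nothing about whether the token is genuine.
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return (
        json.loads(b64url_decode(header_b64)),
        json.loads(b64url_decode(payload_b64)),
    )


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    # Returns the claims only if the signature is valid; None otherwise.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own header choose it
    # (that is what lets "alg": "none" tokens through a careless verifier).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def forge_claims(token: str, new_payload: dict) -> str:
    # What an attacker can do with nothing but the token: swap the claims,
    # keep the original signature, and hope nobody checks it.
    header_b64, _payload_b64, sig_b64 = token.split(".")
    forged_payload = b64url_encode(
        json.dumps(new_payload, separators=(",", ":")).encode("utf-8")
    )
    return f"{header_b64}.{forged_payload}.{sig_b64}"


if __name__ == "__main__":
    token = make_hs256_token({"sub": "alice", "role": "user"}, DEMO_KEY)
    print("decoded (unverified):", decode_unverified(token))
    print("verified with right key:", verify_hs256(token, DEMO_KEY))
    forged = forge_claims(token, {"sub": "alice", "role": "admin"})
    print("forged decodes fine:", decode_unverified(forged)[1])
    print("forged verifies:", verify_hs256(forged, DEMO_KEY))
```

When testing a JWT-based site, the useful checks follow directly from this: change a claim and resubmit (does the server verify at all?), set the header's alg to "none" with an empty signature, and, where the key may be weak, try to recover it offline from a captured token.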

Jun 13th 2016 | By scotsts_admin | Category: Uncategorized

Reverse Session Fixation

I came across an interesting issue on a test the other day. I’ve never heard of this before (or come across it for that matter), so I am going to call it “Reverse Session Fixation”, which describes it quite well. The site used ASP.NET and had quite a common problem where the developer had (presumably accidentally) […]

Apr 28th 2016 | By scotsts_admin | Category: Uncategorized

Some more on Testing Environments

I was just giving my last post some more thought whilst working on a test which actually is in a UAT environment, and a few more things came to mind which I didn’t mention. Firstly, there is of course not a lot of point in doing any kind of infrastructure testing as part of the […]

Apr 12th 2016 | By scotsts_admin | Category: Uncategorized

Testing in Live Environments

It seems pretty obvious that carrying out web application testing in a live production environment is in general a bad idea. Exactly how bad an idea depends on the nature of the site, but considering that many testing functions involve deliberately creating data which is either badly formatted, or is in a location where it […]