Blog

Mar 22nd

2016

By scotsts_admin
Category: Uncategorized
Comments 0

Application Testing Maturity

After you’ve been testing for a few years, it is generally pretty easy to work out whether a site has been tested before. Greenfield sites which are on their first test are generally pretty obvious, not just because they tend to have the worst vulnerabilities, but because they have none of the mitigations against the […]

Mar 12th

2016

By scotsts_admin
Category: Uncategorized
Comments 0

Getting to Git

A few times recently we have run across Git repositories on live web servers. I’m not sure if this is just because Git is becoming much more heavily used, or whether part of it is down to the recent change in development methodologies towards something more fast and fluid, but unless you are intending your […]

Feb 16th

2016

By scotsts_admin
Category: Uncategorized
Comments 0

Scary Trace

One vulnerability that VA scanners (Nessus et al) find quite readily is the ASP.NET Trace function being enabled. This is not the same thing as the TRACE verb on a web server – it is actually a debug function for .NET based websites. Nessus classifies it as a medium risk vulnerability, and this is one […]

May 4th

2015

By scotsts_admin
Category: Uncategorized
Comments 0

Testing a CMS

So often these days what is presented as a “Web Application” is in fact a CMS (content management system) which has been customized to a greater or lesser extent. As is so often the case, I sometimes feel that we take the wrong approach to this type of site. Where it is important to be clear is what […]

Mar 23rd

2015

By scotsts_admin
Category: Uncategorized
Comments 0

How to get rid of all those pesky mediums….

I’m being slightly disingenuous here, but it often occurs to me that there would be a very quick way to get rid of the vast majority of medium severity vulnerabilities generated by scanners… Disable HTTPS and revert everything to clear text. At one stroke you get rid of SSLv2, SSLv3, weak ciphers, RC4, FREAK, BEAST, […]

Feb 17th

2015

By scotsts_admin
Category: Uncategorized
Comments 0

WordPress Mail and IIS

I ran into a problem with WordPress mail the other day (the sort of fundamental problem where it doesn’t work at all). As usual, trying to find information for how to fix this on IIS was not easy – in the end this was the information and fix I came up with. Natively – WordPress […]

Jan 11th

2015

By scotsts_admin
Category: Uncategorized
Comments 0

Migrating a WordPress Site from Apache/Linux to IIS/Windows

I’m largely a Windows person, but in the search for some decent blogging software to run myself, I ended up with WordPress (frankly the best of a bad bunch) and to get it up and running quickly, I installed it on to the only web server I had around which happened to be Apache on […]

Jan 2nd

2015

By scotsts_admin
Category: Uncategorized
Comments 0

My personal Web Site

It occurred to me that for anyone who liked the photos on this site – there are many more on my personal web site at www.donich.co.uk

Sep 3rd

2014

By scotsts_admin
Category: Software Security
Comments 0

Through Obscurity?

An ongoing theme I see on security sites is the controversy around ‘Security through Obscurity’, which is generally felt to be a bad thing. The justification for this tends to be something along the lines of ‘Don’t think that because you’ve not put a great big link to /supersecretfunctionality on the front page of […]

Jul 1st

2014

By marionmccune
Category: Uncategorized
Comments 0

OWASP AppSec EU

Rory and I just returned from OWASP AppSec EU where (for once) I was presenting but Rory wasn’t (as he was on the selection panel – though barred from reviewing my presentation!). The quality of the talks was very high – though in my opinion there was rather too much of an emphasis on mobile […]