Showing 84 results for: 2012 ×Application Security ×

Exploiting Users By Non-technical Means; or, "S*** Users Do"

Numerous technical articles emerge each day about the latest vulnerabilities, flaws, exploits, and whatnot. That's great and all (who hasn't simultaneously groaned and cheered when they find an MS08-067 exploitable machine on a pentest, 4+ years after the vulnerability was...

Chat server fuzzing, Part 1. The Beginning

This article (along with subsequent articles) will cover the journey I've taken in learning about the XMPP (eXtensible Messaging and Presence Protocol) standard and how I used that knowledge to fuzz various servers, starting with the eJabberd server available from...

Getting a Start in the Security Industry

This has been a fairly common topic over the last year and I've seen plenty of blog posts and presentations about the subject. For me personally, many just don't cover the information I've found to be essential during my entrance...

CryptOMG Walkthrough - Challenge 1

It has been about 3 months since CryptOMG was released and I will start going through the challenges one-by-one. CryptOMG is CTF-style testbed for exploiting various flaws in cryptographic implementations. It is available for free on the SpiderLabs Github. The...

The Patsy Proxy: Getting others to do your dirty work

Patsy (slang) - A person easily taken advantage of, cheated, blamed, or ridiculed. My girlfriend (@savagejen) and I will be presenting at Derbycon this year about some research we've done into systems not configured as proxies, but which will pass...

WAF Normalization and I18N

Submitted By Breno Silva Pinto and Ryan Barnett WAF Normalization and I18N Web application firewalls must be able to handle Internationaliztion (I18N) and thus properly handle various data encodings including Unicode and UTF-8 in order to prevent not only evasion...

One Factor, Two Factor, Three Factor, More

There has been a lot of talk online today about how Matt Honan, a reporter for Gizmodo, was the victim of a cyber attack that left his iPhone, iPad and even MacBook erased and useless. Matt is placing a lot...

PenTest Manager 2.0 - Attack Sequences

Trustwave recently launched PenTest Manager 2.0, a major enhancement of the innovative Trustwave reporting tool used by SpiderLabs team member during penetration testing. PenTest Manager 2.0 provides a significant reporting upgrade in the form of Attack Sequences. These allow for...

Announcing the availability of ModSecurity extension for IIS

This blog post has also been posted on the Microsoft Security Research and Defense site: By: Greg Wroblewski, Microsoft Security Engineering Center Ryan Barnett, Trustwave SpiderLabs Vulnerabilities in on-line services, like cross-site scripting, cross-site request forgery, or even information disclosure,...

Beyond Apache: ModSecurity for IIS/Nginx is Coming

The Trustwave SpiderLabs Research Team is proud to announce that, through a collaboration with the Microsoft Security Response Center (MSRC) Team and community member Alan Silva (@AlanJumpi), we will be releasing ModSecurity versions for both the Microsoft Internet Information Services...

Apex Secure Coding Considerations

Apex is an on-demand language that extends the Force.com platform by providing the ability to write applications that run on salesforce.com servers. Unlike other general-purpose languages such as C# or Java which can be used to build many different types...

I Forgot Your Password

I'm now going into my second year in application security, and as I learn more and more, my favorite attacks are still some of the things I learned when I first began here in SpiderLabs. For example, using an application's...

Five E-Commerce Security Myths (Part 2)

In part 1 of this series I gave an introduction into how most merchants accept payments and how most bad guys steal this data. In this post, I'm going to delve into the misconceptions about e-commerce security that we hear...

Introducing CryptOMG

CryptOMG is CTF-style testbed for exploiting various flaws in cryptographic implementations. Cryptography is very easy to do incorrectly, which is pretty apparent throughout the web if you know what to look for. CryptOMG will help train your eye to look...