Category: Technical

Improving Application Security Through Automated Testing

Turn Your Software Development Security into a Repeatable Engineering Process Companies have long viewed application security testing as a black art that’s dependent upon a small number of experts wielding arcane tools to find vulnerabilities and develop exploits. However, as the velocity of software development increases, the old way of running security tests becomes less…

How to Build Your Own Mobile Application Testing Lab

A key aspect of testing mobile applications is the ability to observe and modify network traffic. Learn how to use a router with modified firmware to perform HTTP/HTTPS-based traffic interception.

3 Methods for Intercepting Traffic

1. ARP cache poisoning: Testers can use man-in-the-middle tools such as Bettercap to force mobile device traffic to a proxy…

PCI Scope Reduction Using Web Redirects/Reposts

PCI Scope reduction is a great way to make PCI compliance simpler and to reduce risk. Scope reduction reduces the attack surface area and the number of systems that must be maintained to the PCI standards… “Less is more.” This blog post discusses web page redirects, which are an excellent method to get many systems…

PCI Scope Reduction by Using Tokenization

Tokenization techniques are rapidly evolving to address PCI scope reduction efforts and securing cardholder data from breaches. PCI scope reduction is integral in simplifying PCI compliance and reducing risk overall in the environment. Scope reduction effectively minimizes attack surface area and limits the number of systems that must be assessed to the PCI standards. Regardless…

Automating Jenkins Command Execution

Almost two years ago, Royce Davis (@r3dy__) published an article about leveraging a Jenkins application, which contained no password, to successfully compromise a system on an organization’s internal network environment. This was accomplished by using a functionality within the application to execute operating system commands. You can find more information about this post here: https://www.pentestgeek.com/penetration-testing/hacking-jenkins-servers-with-no-password/. To…

SuperSerial-Active – Java Deserialization Active Identification Burp Extender

Definitively Identifying Java Deserialization Vulnerabilities [Part 1 of this blog series can be found here: Deserialization Passive Detection] To help our customers and readers definitively identify Java Deserialization vulnerabilities, we have created an additional Burp Suite Extender called “SuperSerial-Active” to complement our previous release of “SuperSerial-Passive” (https://github.com/DirectDefense/SuperSerial). Unlike the previous extender, which only passively identifies potential instances…

SuperSerial – Java Deserialization Burp Extension

Locating your Java Deserialization Issues [UPDATE: Part 2 of this blog series can be found here: Deserialization Active Identification] The weekend started off with a bang for some when Foxglove Security posted a blog pertaining to Java Deserialization issues. For application security folks, we just have to shake our heads once more. It comes as no surprise that…