Travis McCormack, Nov 29, 2021, 3 min read
Simplifying Authorization Testing in Burp Part 2
Automation is our friend. Naturally, we will utilize tools and manual techniques to assess any given application. However, leveraging...

Travis McCormack, Nov 22, 2021, 3 min read
Simplifying Authorization Testing in Burp Part 1
Capturing multiple sessions can be annoying. As anyone who works on appsec can probably tell you, authorization testing is fundamental, but...

Travis McCormack, Nov 15, 2021, 4 min read
Finding a 0 Day Race Condition
The background. Recently, while performing an application penetration test for one of our clients, we discovered a very serious arbitrary...

Travis McCormack, Nov 8, 2021, 2 min read
When Input Reflections Attack
Defining the issue. Everyone is familiar with reflected issues like XSS and HTML tampering, but what about when this isn't glaringly...

Travis McCormack, Nov 1, 2021, 3 min read
User Enumeration Vulnerabilities
What do we mean by user enumeration? User enumeration is a simple class of vulnerability; much like any other enumeration of data, it means...

Travis McCormack, Oct 25, 2021, 5 min read
Session Management Issues
Session invalidation? Timeouts? Renewals? What exactly is session management? To start off, we must define what session management...

Travis McCormack, Oct 18, 2021, 3 min read
Information Disclosure Issues Explained
What constitutes information disclosure? Information disclosure is a broad category of security flaws that appear at all severity levels....

Travis McCormack, Oct 11, 2021, 4 min read
TLS Client Authentication While Testing Applications
So what is TLS client authentication? TLS client authentication is not a new concept by any means; it is simply rarely used in most web...

Travis McCormack, Oct 4, 2021, 3 min read
Why Care About Unrestricted File Upload?
So why do those unrestricted file uploads matter? Unrestricted file upload simplified. So first of all, let's go ahead and define an...

Travis McCormack, Sep 27, 2021, 4 min read
Brute Force Attacks and Rate Limiting
So what are brute force attacks, and how do we prevent them? Brute force guessing attacks are some of the most common web application...

Travis McCormack, Sep 20, 2021, 3 min read
You Really Should Fix Those Lows
Does your team neglect low severity findings? The elephant in the room. So we all know that our pentest reports come in with low severity...