Automation is our friend Naturally, we will utilize tools and manual techniques to assess any given application. However, leveraging...

Capturing multiple sessions can be annoying As anyone who works on appsec can probably tell you authorization testing is fundamental, but...

The background Recently while performing an application penetration test for one of our clients we discovered a very serious arbitrary...

Defining the issue Everyone is familiar with reflected issues like XSS and HTML tampering, but what about when this isn't glaringly...

What do we mean by user enumeration? User enumeration is a simple class of vulnerability much like any other enumeration of data it means...

Session Invalidation? Timeouts? Renewals? What exactly is session management? To start off we must define what session management...

What Constitutes Information Disclosure? Information disclosure is a broad category of security flaws that appear at all severity levels....

So what is TLS Client Authentication? TLS client authentication is not a new concept by any means, it is simply rarely used in most web...

So Why Do Those Unrestricted File Uploads Matter? Unrestricted File Upload Simplified So first of all let's go ahead define an...

So what are brute force attacks and how do we prevent them? Brute force guessing attacks are some of the most common web application...

Does your Team Neglect Low Severity Findings? The elephant in the room So we all know that our pentest reports come in with low severity...