Professionally Evil Insights/Blogs

Secure Password Management in PowerShell: Best Practices

powershell | password

When working with PowerShell to automate tasks, managing credentials securely is a critical ...

Rolling for Resilience: A Strategic Guide to Cybersecurity Table-top Exercises

Training | incident response | cybersecurity

This is the first post in this series addressing my perspective on the current state of ...

Risk-Driven Approach: The Federal Government’s Shift in Cybersecurity Burden

penetration testing | Threat-Led Penetration Testing

From All-Hazards to Risk-Informed The New Risk-Informed Paradigm One of the most significant shifts ...

Understanding Garbage Findings

penetration testing | Reporting | Findings

There is a well-meaning desire among penetration testers to produce findings. The fact of the ...

Houston, We Have a Problem

penetration testing | Satellite

Satellite Security Testing: A Holistic Approach Last month, I had the opportunity to present at ...

Cybersecurity Essentials for SMBs: Building a Robust Program

cybersecurity | Security Program

When discussions arise around companies' cybersecurity programs, the focus often gravitates towards ...

The Essential Eight

NIST | Essential 8 | ASD

Australian Signals Directorate’s Top 8 Controls to Mitigate Cyber Security Incidents & How They ...

From Nmap to CSV

NMAP

How Experience and Management Skills Improve Data Analysis for Security Professionals The other ...

You Don’t Need PKINIT To Win It

PKINIT

Privilege Escalation using LDAP Part 1 Pass-the-certificate has become a common method used by ...

Built-In Network Capture with Windows 11

Windows 11

Did you know that Windows has a built-in network packet capture utility? And that it isn’t even GUI ...

Running and Debugging Non-native ELF Binaries Locally Using QEMU, BINFMT, and GDB

ELF | QEMU | BINFMT | GDB

Overview One of the common tasks that occurs when pentesting an embedded device is binary analysis ...

Who Really Owns Your Data?

data | Privacy

When we traded ownership for convenience, we never imagined that everything from our books to our ...

When Algorithms Aren’t Enough: Why the Human Element Still Matters in Modern Penetration Testing

penetration testing

The cybersecurity industry has evolved into two distinct approaches when it comes to penetration ...

OT: The Invisible World in Motion

Operational Technology

We are surrounded by technology, not just in what we carry but in nearly every aspect of our daily ...

Solicited Public Comment on HIPAA Security Rule NPRM To Strengthen the Cybersecurity of ePHI

penetration testing | HIPAA | Cybersecurity for Healthcare

The Department of Health and Human Services (HHS) wants to raise the benchmarks of the Security ...

Building a Custom Burp Suite Collaborator Everywhere BApp

Burp Suite

Have you ever run into an issue when using a BApp in Burp Suite that it didn’t quite work with your ...

Quick Bites Episode 12 - Hidden Treasures

web application security

Ever go on a treasure hunt? Ever find any hidden treasure? It’s a blast! One of my favorite ...

Operational Technology’s use of Wireless Networks

wireless

The Growing Importance and Challenges of Wireless Networks in Operational Technology

When Security Fails: What The DeepSeek Incident Can Teach Us About AI Security

AI Security | Generative AI | LLM

The advent of generative AI - particularly Large Language Models (LLMs) - marks a paradigm shift in ...

Navigating the Security Roadmap: TISAX for Automotive OEMs

As an Original Equipment Manufacturer, you stand at the helm of automotive innovation. Your ...

Best Practices and Risks Considerations in Automation like LCNC and RPA

best practices | LCNC | RPA

The Rise of Low-Code/No-Code and RPA in Digital Transformation Technologies such as ...

Understanding TISAX: Securing the Path Forward for Automotive Innovation

The automotive industry's digital transformation has created unprecedented security challenges ...

The Critical Need for API Security Testing

Application security penetration tests once were a novelty, a luxury that only organizations with ...

Stay safe from cybercrime with these five tips

cybersecurity | MFA

Cybercriminals will use every tactic in the book to steal data, drain bank accounts, and extort ...

The Fellowship of the Phish: PayPal's Perilous Request Feature

phishing

In cybersecurity, we often find ourselves fixated on the latest sophisticated malware or zero-day ...

Secure Ideas is CREST-Certified. Here’s Why That Matters

CREST

Cybersecurity is no longer a monolithic topic – if it ever was. Specialization matters. ...

Step Into the Shadows: The Haunting of the Dark Web

Halloween | DarkWeb

Ready to venture into the unseen corners of the internet? Join us for a Halloween webcast, "The ...

Automating UART Command Injection with the Flipper Zero and JavaScript

UART | flipper zero

Overview The Flipper Zero recently came out with a JavaScript system built off of MJS that exposes ...

What’s new in the OWASP Proactive Controls for 2024

OWASP Top 10

I have taught a number of application security classes to developers. When it comes to ...

Many Hands Approach To AppSec

appsec

"If you want to frustrate a good developer, interfere with their ability to complete work." - ...

The CISO's Myopia

information security | penetration testing

Fifteen years ago, I wrote an article entitled "The CSO’s Myopia." At the time, I aimed to ...

Kubernetes Pentesting: The Hacker’s Harvest

Kubernetes

Are you ready to dive into the world of Kubernetes pentesting? Join us for our upcoming webcast, ...

From Code to Cloud: Strengthening IaC Security with SAST

IaC | SAST

Infrastructure as Code (IaC) is a cornerstone in modern DevOps and DevSecOps practices, but how do ...

NMAP in Action: API's

NMAP

In a recent blog post, my coworker Josh introduced the fundamentals of NMAP and highlighted its ...

Tartar Sauce for your Phishing Program

phishing

Phishing awareness exercises have become a common part of the larger security strategy for many ...

From Linux to PowerShell and Back: A Quick Command Reference

Linux | powershell

Quick Overview If you are like me, you are switching back and forth between Linux and Windows ...

Flipper Zero: Hardware Hacking JTAG and SWD Webcast

flipper zero

The Flipper Zero is known as a hacking multitool. It can cover a range of hacking from sub-ghz ...

The Client-Side Security Trap: A Warning For Developers

Considering the inherent complexities of modern web development, understanding the distinct roles ...

Top 5 Security Considerations for a New Web App: 5. Establishing a Dependency Patching Plan

web application security

Welcome to our comprehensive series on the Top 5 Security Considerations for a New Web App. This ...

Top 5 Security Considerations for a New Web App: 4. Logging & Monitoring

web application security

Welcome to our comprehensive series on the Top 5 Security Considerations for a New Web App. This ...

Top 5 Security Considerations for a New Web App: 3. Data Encryption & Protection

web application security

Welcome to my comprehensive series on the Top 5 Security Considerations for a New Web App. This ...

Top 5 Security Considerations for a New Web App: 2. Authentication & Authorization

cybersecurity | web application security

Welcome to my comprehensive series on the Top 5 Security Considerations for a New Web App. This ...

Top 5 Security Considerations for a New Web App: 1. Secure Coding

cybersecurity | web application security

Welcome to my comprehensive series on the Top 5 Security Considerations for a New Web App. For this ...

Top 5 Security Considerations for a New Web App

cybersecurity | web application security

There was a time when many folks responsible for building and deploying web applications were naive ...

Quick Bites Episode 11 – Ranking Application Risks

Threats often evolve faster than defenders can figure out how to prevent them. That’s why keeping ...

What are SQL Injection Vulnerability (SQLi), How to Identify Them, and How to Prevent

Vulnerability | SQL Injection | Secure by Design

Recently, the FBI and CISA released a Secure by Design alert calling for the elimination of SQL ...

Being Safe and Secure with Cross-Origin Messaging

security | JavaScript | application | web | cross-origin

Complex web and mobile apps often depend on cross-domain interactions between different online ...

Prompt Injection

What is Prompt Injection?

Quick Bites Episode 10 – Half Shells and Full Shells

I wanted to share a really cool technique that I found out about recently. Now I will say this is ...

Intro to NMAP

Vulnerability | network security | NMAP

My journey into cybersecurity has been anything but easy. This field offers a wide range of ...

What does PCI require for Developer Training?

Training | PCI | developers | application security | appsec

The Payment Card Industry Security Standards Council (PCI SSC) defines compliance standards for all ...

Mitigating Exploitation Risks in Active Directory Certificate Services

Active Directory

A recent pentest of an Active Directory environment turned into a struggle to uncover an avenue for ...

Uncharted Waters: Network Depths with runZero & OPNsense

(artwork created by stable diffusion)

Everything You Need To Know About The Nist Cybersecurity Framework 2.0

This week NIST released the highly anticipated update to the Cybersecurity Framework (CSF). Here’s ...

Quick Bites 9 – Adventuring into the Unknown: The Hacker Subculture

Quick Bites | hacker | hacker culture | hacker history

One of the really cool things about being a hacker is that we get to discover new things. It’s kind ...

Mobile Testing Considerations

Testing In Mobile Applications In today’s world, the significance of mobile applications in our ...

The reason I stopped using Postman for API Pentests

penetration testing | pentesting | API

I’ve been a proponent of Postman for a number of years. I’ve written and spoken about using it in ...

Exploring Sentry Safe Exploit on the Flipper Zero with Logic Analyzer

Overview I recently had a friend that wanted to learn how to use a logic analyzer. Given the number ...

Webcast: Minor Flaws, Cumulative Risks

Cyber | webcast

Imagine unraveling a classic whodunit murder mystery, where every subtle clue—a misplaced glove, a ...

Mission Imfuzzable: How to Fuzz Web Apps you can't Intercept

Testing | application security | JavaScript

Introduction Fuzzing is a critical technique for finding vulnerabilities in web applications by ...

Journey to CISSP

Training | security awareness | getting started | CISSP | Ethics

Webcast: Thrift Store Cracking Server: Popping Hashes Guide

hardware | webcast | password | server builds | password cracking

(image was generated by Stable Diffusion, and is not an accurate representation of our cracking ...

Taming the Enterprise AI Beast Webcast

AI | webcast

As artificial intelligence (AI) continues to become more and more integral to business operations, ...

12 Hacks of Christmas Day 12: Twelve Drummers Deleting Digital Clutter

cybersecurity | 12 hacks of christmas

🎵 On the twelfth day, clear digital clutter with twelve drummers deleting. Regularly review and ...

12 Hacks of Christmas Day 11: Eleven Pipers Practicing Safe Browsing

cybersecurity | 12 hacks of christmas

🎵 On the eleventh day, practice safe browsing with eleven pipers practicing. Be mindful of the ...

12 Hacks of Christmas Day 10: Ten Lords a-Cautious Shopping

cybersecurity | 12 hacks of christmas

🎵 On the tenth day, be cautious when shopping with ten lords a-cautious shopping. Stick to ...

12 Hacks of Christmas Day 9: Nine Ladies Dancin' on Secured Networks

cybersecurity | 12 hacks of christmas

🎵 On the ninth day, keep your network secure with nine ladies dancin'. Protect your Wi-Fi network ...

12 Hacks of Christmas Day 8: Eight Maids-a-Back-Up Singing

cybersecurity | 12 hacks of christmas

🎵 On the eighth day, safeguard your data with eight maids-a-back-up singing. Regularly backup your ...

12 Hacks of Christmas Day 7: Seven Swans a-Encrypting

cybersecurity | 12 hacks of christmas

🎵 On the seventh day, protect your data with seven swans encrypting. Encrypt sensitive ...

12 Hacks of Christmas Day 6: Six Geese-a-Layered Security

cybersecurity | 12 hacks of christmas

🎵 On the sixth day, adopt six geese-a-layered security. Implement a multi-layered security ...

12 Hacks of Christmas Day 5: Five Golden Updates

cybersecurity | 12 hacks of christmas

🎵On the fifth day, gift yourself five golden updates. Ensure all your devices and software are up ...

Day 4: Four Calling Bird's Eye View of Scams

cybersecurity | 12 hacks of christmas

🎵On the fourth day, keep an eye on scams with four calling birds. Be cautious of phishing emails ...

Day 3: Three French Hens – Privacy for All Friends

🎵 On the third day, ensure privacy for all your friends with three French hens. Review your social ...

12 Hacks of Christmas Day 2: Two-Turtle Authentication Unveiled

cybersecurity | 12 hacks of christmas

🎵 On the second day of Christmas, enhance your security strategy with two-turtle authentication. ...

12 Hacks of Christmas Day 1: A Partridge in a Secure Password Tree

cybersecurity | 12 hacks of christmas

🎵 On the first day of Christmas, my true love gave to me: a partridge in a secure password tree. ...

The 12 Hacks of Christmas: Cybersecurity Edition Series

cybersecurity | 12 hacks of christmas

The holiday season is here, bringing with it a whirlwind of festivities, joy, and, unfortunately, a ...

Thanksgiving Hacks: Recipes for Cybersecurity Success

cybersecurity | password

As we gather around the table to celebrate Thanksgiving, it's essential to extend our gratitude to ...

What is Multi-Factor Authentication (MFA)?

Cyber Security Awareness

Multi-factor authentication (MFA), also known as two-factor authentication (2FA) or two-step ...

Encrypting Data on the Steam Deck with Plasma Vaults

encryption | Gaming | Privacy | Steam Deck

In my previous post about the Steam Deck we discussed some of the privacy and security concerns ...

Using PETaaS to Lower Your Cyber Insurance Costs

Modern networks have more than their fair share of risks, with the most damaging often being data ...

The Do's and Don'ts for Building a Strong Password

cybersecurity | Cyber Security Awareness Month | password

Cyber Security Awareness Series

Flipper Zero: A Hardware Hacking Multitool Webcast

Training | hacking | hardware | webcast | flipper zero

The Flipper Zero is known as a hacking multitool. It can cover a range of hacking from sub-ghz ...

CyberScream - Hacking Like a Ghost(face)

It’s that most hauntingly wonderful time of year again! Halloween is upon us, along with the dread ...

Top Ten AWS Security Configurations: Mitigating Risk in the Cloud

security controls | AWS | cloud | AWS Security | AWS Best Practices

In an era of increasing cloud adoption, businesses must prioritize implementation of robust ...

Backups Won't Stop Ransomware

webcast

Ransomware attacks can have devastating consequences for organizations of all sizes and sectors, ...

Navigating Cloud Security Webcast

AWS | cloud | Azure | GCP

In today's fast-paced digital landscape, organizations embrace the cloud as a cornerstone of their ...

Bird's Eye View: Navigating the Landscape of Kubernetes Security

container security | Containers | Kubernetes | Kubernetes Security

Ready to dig into the world of Kubernetes security like never before? Join Secure Ideas’ own Cory ...

Navigating Evolving Regulations: Staying Ahead of Change

In today's rapidly expanding business world, the only constant seems to be change itself. One of ...

Unleashing the Power of Flipper Zero: A Hacker's Multitool Webcast

Training | wireless | webcast | flipper zero

In the ever-evolving world of technology, the Flipper Zero has emerged as a game-changer, making ...

Sailing into the Unique Security Risks of AI Systems Part 1

AI

As we venture further into the vast ocean of Artificial Intelligence (AI) - employing it to ...

Finding Your Spidey Sense

Welcome, fellow web-slingers of the digital realm! Like our friendly neighborhood superhero, ...

Beyond Hacking: Expanding Your Security Arsenal

Understanding the Need for Penetration Testing You’ve been told you need a penetration test. Maybe ...

Quick Bites Episode 8 - (Back From the) Dead Space

For the last couple weeks, I’ve been replaying the original Dead Space trilogy - for those of you ...

Understanding Server-Side Template Injection (SSTI)

Web applications play a vital role in delivering dynamic content to users. To achieve this, ...

Introducing SamuraiWTF 5.3: A Powerhouse for Web App Pen Testing

We are thrilled to announce the release of SamuraiWTF (Web Training Framework) version 5.3! This ...

Introducing BILE - Groundbreaking Classification for Web App

As a seasoned web application penetration tester, I've always felt that there should be a more ...

Hardware Hacking: Interfacing to UART with Your Computer

hacking | hardware | UART

In my previous article, we covered identification and mapping of the UART interface. In that ...

Hardware Hacking: Finding UART Pinouts on PCBs

hacking | hardware | UART

In my previous article, we started to explore the Universal Asynchronous Receiver/Transmitter ...

Hardware Hacking: Introduction to the UART Interface

hacking | IoT | hardware | UART

I wanted to provide some information about hardware and firmware hacking in our blogs. To get the ...

Introducing PETaaS®: Professionally Evil Testing as a Service

penetration testing | PETaaS | advisory services

We're thrilled to announce the launch of our latest offering: Professionally Evil Testing as a ...

Ace CISSP Exam Prep with ChatGPT: Your AI Study Buddy

Are you preparing for the CISSP exam or any other exam that requires a deep understanding of ...

NMAP NSE Scripting By Example: Wordpress Version Detection

NMAP | version | NSE | Detection | WordPress

In my last blog post, I gave a high-level introduction to the Nmap Scripting Engine (NSE). In this ...

Why we ditched LastPass

Lastpass

LastPass is a very popular password management service with both personal and business solutions. ...

Is the CISSP Mentorship for me?

Training | CISSP

“Knowledge is power.” That quote has been said more times than you can count because it’s true. The ...

What happened to CVE-2022-23529? And what can we learn from it?

Vulnerability | developers | information security | analysis

If you saw the disclosure notice for the flaw CVE-2022-23529, it would have been presented as a ...

Risks of AI Generated Content, According to an AI Content Generator

AI and Machine Learning (ML) have become increasingly popular tools in various industries, ranging ...

Quick Bites 7 - Dr. TamperMonkey (Or: How I Learned to Stop Worrying and Love JavaScript)

getting started | coding | JavaScript

We get really excited here at Secure Ideas about sharing knowledge with others. Our mission ...

Steam Deck Privacy and Security

security | Gaming | Privacy

Like any portable computing device, there are going to be questions about privacy and security. The ...

ZAPmas Feedback

Sometimes Christmas comes early, and in this case for me it was the publication of the Twelve Days ...

12 Days of ZAPmas - Day 12 Testing a new Content-Security-Policy

Testing | application security | OWASP | web application security

What is the CSP? The Content-Security-Policy (CSP) is a widely recommended control and is ...

Twelve Days of ZAPmas - Day 11 - ZAP impressions from a Burp user

web penetration testing | Burp Suite | OWASP | web application security

It probably seems a bit odd to do this on Day 11 and not at the end of the series, but I have one ...

Twelve Days of ZAPmas - Day 10 - Manual Web App Testing Unproxied

web penetration testing | OWASP | web application security

Most of the time, proxying the browser doesn’t present any sort of trouble. You should be able to ...

Twelve Days of ZAPmas - Day 9 - Automated Scanning and ATTACK mode

application security | OWASP | automation | scanning

Automated scanning against an application is useful. It’s a faster and less labor-intensive way to ...

Twelve Days of ZAPmas - Day 8 - Spidering

OWASP | web application security

Spidering is an automated process that recursively finds and follows all the navigation from an ...

Twelve Days of ZAPmas - Day 7 - API Testing with Postman and ZAP

application security | OWASP | API

If you’ve done any significant amount of API development, there’s a good chance you’ve used ...

Twelve Days of ZAPMAS - Day 6 - Passive Flaw Detection and Using the HUD

application security | OWASP | web application security | scanning

One of the awesome things about a security-focused interception proxy like ZAP is its ability to ...

Twelve Days of ZAPmas - Day 5 - Scope and Contexts

application security | OWASP | web application security | scope

Normally I don’t like having my interception proxy hide out-of-scope traffic. Doing so creates a ...

Twelve Days of ZAPmas - Day 4 - Fuzzing for Injection

web penetration testing | application security | web application security | how-to

I briefly introduced fuzzing earlier in the series, citing it as the second primitive upon which ...

Twelve Days of ZAPmas - Day 3 - CYA (Cover Your Auth)

application security | OWASP | web application security | how-to

Access control is one of the crucial elements to application security. The vast majority of ...

Twelve Days of ZAPmas - Day 2 - The Edge of Tomorrow

Day 2 - The Edge of Tomorrow - Replaying and Tampering with Requests Fuzzing and tampering are like ...

Twelve Days of ZAPmas - Day 1 - Setting Up ZAP

web penetration testing | application security | OWASP | web application security | how-to

This holiday season, I’m going to run down some of the ins and outs of working with OWASP Zed ...

Quick Bites Ep 6 - Good Hygiene is IMPORTANT, PEOPLE!

So, I just missed a week of work because of the flu (it wasn’t COVID, I got tested). The flu SUCKS. ...

How to iterate through advfirewall rules

There are several ways to pull firewall information from a Windows system. Today we will leverage ...

Introduction to Writing Nmap Scripting Engine (NSE) Scripts

NMAP | programming | NSE

One thing I notice a lot of people are missing in their skill set as security professionals is the ...

Quick Bites Ep 5 - The Call Is Coming From INSIDE THE HOUSE

hacking | Quick Bites | Insider Threat | Attacks | Halloween

Man, I’ll be honest - I’m super excited to be doing a Halloween-themed blog post this year. So, ...

Working With Data: IP and Port Filtering

During our day-to-day work, there’s a lot of data that we interact with. In order to make good use ...

Coming Soon - Twelve Days of ZAPmas

Training | web penetration testing | application security | web application security

In December of 2018, I published a twelve-day series of cross-site scripting tips, tricks, and ...

Nmap vs. Masscan

hacking | NMAP | port scanning | masscan | host discovery

If you are in IT, chances are you have at least heard of Nmap and Masscan. Both are free and ...

Quick Bites Ep 4 - Let's Talk About SSRF, Baby!

web penetration testing | web application security | SSRF | exploits

Let’s talk about you and (application) secur-i-ty! Let’s talk about all the good things and the bad ...

View Wireless Profile Password Information Using PowerShell or CMD

There are a couple different ways for you to access your Windows wireless password information. If ...

What are the key requirements of the GLBA Safeguards Rule?

The Gramm-Leach-Bliley Act (GLBA) contains the Safeguards Rule. This requires financial businesses ...

JuiceShop Workshop in less than 5 minutes

Have you ever deployed 10-30 containers in AWS with the single stroke of a key? (well if you don’t ...

How to Obfuscate Strings in Rust the Easy Way Using the litcrypt Crate

application security | programming | rust | Obfuscate | litcrypt

Overview Static strings in a binary can make the life easier for reverse engineers, be those ...

Application Security 202: Vulnerabilities Accepted

vul·ner·a·bil·i·ty The quality or state of being exposed to the possibility of being attacked or ...

(Not So) Quick Bites - Episode 3 - Writing About Writer's Block

So, sometimes I have a real problem with writing, specifically reports and blog posts. Somehow, ...

How to allow multiple RDP sessions

The goal of this article is to walk through how to set up a Windows host to allow multiple remote ...

Hunting Secrets

Burp Suite | application security

Applications are hemorrhaging sensitive data. In many cases, the culprit is marketing and analytics ...

Ensuring Web Security via Ansible (Apache)

NOTE: even though this will require Ansible, you can run this on any operating system contrary to ...

Application Security 101

Why your application needs a Content Security Policy (And How to Build One)

web application security

As a web application owner, it is crucial to understand the concept of a content security policy ...

Quick Bites Episode 2 - HTTP Security Headers and Why You NEED Them

security | application security | web application security | methodology | technology tips

Hi everybody! So, after some feedback about the last “quick” Quick Bites (thanks Josh!), I’ve ...

Privilege Escalation via File Descriptors in Privileged Binaries

Today I wanted to cover an application security topic that applies to SetUID binaries. As we all ...

How to Update the Nmap OUI Database

Overview In a previous blog post, I covered what an OUI is, how to extract them from a MAC address, ...

Of MAC Addresses and OUI: A Subtle, but Useful, Recon Resource

When it comes to reconnaissance, every little bit of information can be helpful. Today, we will ...

The Other Replicating Directory Changes

Quick Summary The Replicating Directory Changes right in Active Directory allows you to request ...

Quick Bites - Finding Open Windows File Shares

Hi there, ladies and gentlemen! My name is Aaron Moss, and welcome to the first edition of Quick ...

Secure Copy with SSH

Surveillance System with No Monthly Fees!

security | network | camera | Free | surveillance

LD_PRELOAD: Making a Backdoor by Hijacking accept()

Today I want to continue the series on using LD_PRELOAD. In previous posts, we covered how to ...

PowerShell Tips: How do I Mount a VHD or Lock a BitLocker Drive?

PowerShell Tips How do I Mount a VHD or Lock a BitLocker Encrypted Drive?

How to Create Custom Probes For NMAP Service/Version Detection

Overview NMAP is a fantastic tool for performing initial reconnaissance and enumeration. A simple ...

How to verify PGP signatures

PGP (Pretty Good Privacy) is an encryption software that is mostly known for its use in email. It ...

Digging Between the Couch Cushions - CouchDB CVE-2021-38295 Breakdown

Introduction In this blog post we’re going to take a look at the recent CouchDB vulnerability, ...

Linux X86 Assembly - How To Test Custom Shellcode Using a C Payload Tester

Overview In the last blog post in this series, we created a tool to make it easy to build our ...

Low Hanging Fruit Ninja: Slashing the Risks of the Human Element

A long time ago in a galaxy far, far away, I was not a Security Consultant. I was a Chef. And I ...

How to configure BurpelFish

I recently was doing a pentest and was continuously looking up translations for words, and thought ...

Linux X86 Assembly - How To Make Payload Extraction Easier

Overview In the last blog post of the X86 Linux assembly series, we focused on how to make our ...

Linux X86 Assembly - How to Make Our Hello World Usable as an Exploit Payload

Overview In the last two tutorials, we built a Hello World program in NASM and GAS for x86 ...

Run as Admin: Executive Order on Cybersecurity

On May 12, 2021, President Biden issued an executive order on cybersecurity. This new order ...

Linux X86 Assembly - How to Build a Hello World Program in GAS

Overview In the last tutorial, we covered how to build a 32-bit x86 Hello World program in NASM. ...

Linux X86 Assembly - How to Build a Hello World Program in NASM

Overview A processor understands bytecode instructions specific to that architecture. We as humans ...

AppSec Cheat Code: Shift Left, Shift Right, Up, Down & Start

Seamless and unobtrusive security is the future. We are huge advocates of shifting left and moving ...

A Hacker’s Tour of the X86 CPU Architecture

Overview The Intel x86 CPU architecture is one of the most prolific CPU architectures for desktops, ...

Three Excellent API Security Practices Most People Neglect

We are very much in the age of APIs. From widely-used single-purpose products like Slack to ...

LD_PRELOAD: How to Run Code at Load Time

Today I want to continue the series on using LD_PRELOAD. In previous posts, we covered how to ...

Announcing Burp Co2!

This is for those of you who do web pen testing with Portswigger’s Burp proxy tool! Over the past ...

Converting NMAP XML Files to HTML with xsltproc

NMAP is a wonderful network scanner and its ability to log scan data to files, specifically XML, ...

3 Reasons to Pentest with Brave

3 Reasons to Pentest with Brave November 30, 2020 March 19, 2021 / By Ochaun Marshall Penetration ...

Not-So-Random: Using LD_PRELOAD to Hijack the rand() Function

Today I wanted to continue the series on using LD_PRELOAD. In today’s post we are going to use ...

Boolean Math (NOT Logic) – CISSP Domain 3

Hello everyone. We’ve got another Boolean math session lined up for you today. This time we’re ...

The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools.

A little background… As I stood in front of a class of developers trying to explain cross-origin ...

Boolean Math (XOR Logic) – CISSP Domain 3

Hello everyone. We’ve got another Boolean math session to look over today. Our focus this time will ...

LD_PRELOAD - Introduction

Today I wanted to start what I plan to be a small series of blog posts about LD_PRELOAD. LD_PRELOAD ...

Boolean Math (OR Logic) – CISSP Domain 3

Today we are going to take another look at some Boolean mathematics. In particular, we’re going to ...

Proxies, Pivots, and Tunnels - Oh My!

Forward When talking about a proxy or a pivot or a tunnel, we could be talking about very different ...

Boolean Math (AND Logic) - CISSP Domain 3

Today we’re going to take a quick look at the AND Boolean logic, which is covered in Domain 3 of ...

How to configure Android (Virtual) for Mobile PenTest

Setting up your environment for a mobile application penetration test can be a chore, especially if ...

Game Hacking Part 1 - Equipping Your Loadout

Why Bother with Video Game Security? Video games are more than just entertainment. Gaming is a ...

The OPSEC of Protesting

For the past three months thousands of people have been protesting in the United States due to the ...

Encryption – CISSP Domain 3

We’re circling back to some more CISSP-related materials. Today’s topic will be encryption, which ...

Encoding – CISSP Domain 3

Today we’re going to take a quick look at encoding, as covered in Domain 3 of the CISSP common body ...

Summer Internship at Secure Ideas

This past summer, I worked as an intern for Secure Ideas. My role at the company was that of ...

Bash Tips and Tricks

I know I definitely identify with being a visual learner, and I am happy to help where I can with ...

Hashing Functions – CISSP Domain 3

Today we’re going to take a quick look at hashing functions, as covered in Domain 3 of the CISSP ...

Visual Learner? Look no further!

Secure Ideas has been in the business for 10 years and over the last ten years we have found that ...

Waving the White Flag: Why InfoSec should stop caring about HTTPOnly

best practices | web application security | cookies

As a company that is constantly working with our penetration testing clients on understanding where ...

Proxying HTTPS Traffic with Burp Suite

The Problem For newcomers to application penetration testing, a reasonably common question is How ...

Einstein Told Us: Why User Awareness is NOT the right focus

“The definition of insanity is doing the same thing over and over again and expecting different ...

Cooking up Better Security Incident Communications

I am fond of meal kits. I enjoy the entire experience: the scrolling through delicious-looking meal ...

Asset Discovery

The first step in securing any organization is to understand what you have. Unless you have a ...

Getting Started API Penetration Testing with Insomnia

In our blog series on Better API Penetration Testing with Postman we discussed using Postman as the ...

[Update] Using Components with Known Vulnerabilities

When an organization has a breach, you would like to imagine that the attacker crafted a new ...

Kubernetes Security - A Useful Bash One-Liner

Whether you’re an administrator, pentester, devop engineer, programmer, or some other IT person, ...

How I Became a Security Consultant: AbsoluteAppsec Interview

Training | open source | penetration testing | business | web application security

Every so often, podcasts and such will invite me to speak on a variety of topics. And this week, I ...