Professionally Evil Blog

A blog by experts of penetration testing and other security assessments.
    Hunting Secrets
    Applications are hemorrhaging sensitive data. In many cases, the culprit is marketing and analytics libraries that indiscriminately collect user behavior data. And sometimes, sensitive data gets leaked because of poor design or programming errors. A few years ago, I wrote an extension called ...


    Why your application needs a Content Security Policy (And How to Build One)
    As a web application owner, it is crucial to understand the concept of a content security policy ...
    Announcing Burp Co2!
    This is for those of you who do web pen testing with Portswigger’s Burp proxy tool!  Over the past ...
    How to configure Android (Virtual) for Mobile PenTest
    Setting up your environment for a mobile application penetration test can be a chore, especially if ...
    Cooking up Better Security Incident Communications
    I am fond of meal kits. I enjoy the entire experience: the scrolling through delicious-looking meal ...
    Once upon a time there was a WebSocket
    This is the story from one of our recent penetration testing engagements. Still, the story is a ...
    Security Review of Nest Camera
    I love tinkering with home automation and security solutions.  The simplicity of turning on a light ...
    Equifax Breach: Why I am not surprised
    The Equifax breach, announced in September 2017, is said to potentially impact some 143 million ...
    Are You Ready for Your Pen Test?
    It is day three of a five-day penetration test engagement and we still don’t have all the ...
    Cloud-Based Host Discovery Is Easier Than You Think!
    During a recent conversation at DerbyCon it occurred to me that some security folks who are just ...
    Wireless Attacking EAP-TTLS with Kali 2 and ALFA AWUS051NH
    Is your corporate wifi as secure as you think it is? A common configuration for WPA Enterprise ...
    Professionally Evil Insights: 2015
    Are you interested in knowing which vulnerabilities are the most commonly discovered in penetration ...