Professionally Evil Blog

A blog by experts of penetration testing and other security assessments.
    What happened to CVE-2022-23529? And what can we learn from it?
    If you saw the disclosure notice for the flaw CVE-2022-23529, it would have been presented as a remote code execution flaw (via JWT secret poisoning) in the `jwt.verify` method of a main Node.js package for working with JSON Web Tokens (JWTs). The package in question is Auth0’s node_jsonwebtoken ...

    12 Days of ZAPmas - Day 12 Testing a new Content-Security-Policy
    What is the CSP? The Content-Security-Policy (CSP) is a widely recommended control and is ...
    Twelve Days of ZAPmas - Day 11 - ZAP impressions from a Burp user
    It probably seems a bit odd to do this on Day 11 and not at the end of the series, but I have one ...
    Twelve Days of ZAPmas - Day 10 - Manual Web App Testing Unproxied
    Most of the time, proxying the browser doesn’t present any sort of trouble. You should be able to ...
    Twelve Days of ZAPmas - Day 9 - Automated Scanning and ATTACK mode
    Automated scanning against an application is useful. It’s a faster and less labor-intensive way to ...
    Twelve Days of ZAPmas - Day 8 - Spidering
    Spidering is an automated process that recursively finds and follows all the navigation from an ...
    Twelve Days of ZAPmas - Day 7 - API Testing with Postman and ZAP
    If you’ve done any significant amount of API development, there’s a good chance you’ve used ...
    Twelve Days of ZAPMAS - Day 6 - Passive Flaw Detection and Using the HUD
    One of the awesome things about a security-focused interception proxy like ZAP is its ability to ...
    Twelve Days of ZAPmas - Day 5 - Scope and Contexts
    Normally I don’t like having my interception proxy hide out-of-scope traffic. Doing so creates a ...
    Twelve Days of ZAPmas - Day 4 - Fuzzing for Injection
    I briefly introduced fuzzing earlier in the series, citing it as the second primitive upon which ...
    Twelve Days of ZAPmas - Day 3 - CYA (Cover Your Auth)
    Access control is one of the crucial elements to application security. The vast majority of ...
    Twelve Days of ZAPmas - Day 2 - The Edge of Tomorrow
    Day 2 - The Edge of Tomorrow - Replaying and Tampering with Requests
    Fuzzing and tampering are like ...