Three Excellent API Security Practices Most People Neglect
We are very much in the age of APIs. From widely-used single-purpose products like Slack to cloud-based solutions like Amazon Web Services (AWS) and...
The Death and Rebirth of Musashi.js OR How I turned personal failure into better teaching tools.
A little background… As I stood in front of a class of developers trying to explain cross-origin resource sharing (CORS), I knew I wasn’t conveying...
best practices
Waving the White Flag: Why InfoSec should stop caring about HTTPOnly
As a company that is constantly working with our penetration testing clients on understanding where they should focus their efforts, qualifying risk...
Proxying HTTPS Traffic with Burp Suite
This is easy to fix. All we need to do is tell our browser that the Burp CA can be trusted. Because every new installation of Burp generates a...
Getting Started API Penetration Testing with Insomnia
In our blog series on Better API Penetration Testing with Postman we discussed using Postman as the client for testing RESTful service APIs. Insomnia...
Better API Penetration Testing with Postman – Part 4
This is the final part of this series on putting together a better API testing tool-chain. In Part 1, I covered a basic introduction to Postman and...
Better API Penetration Testing with Postman – Part 3
In Part 1 of this series, we got started with Postman and generally creating collections and requests. In Part 2, we set Postman to proxy through...
Better API Penetration Testing with Postman – Part 2
In Part 1 of this series, I walked through an introduction to Postman, a popular tool for API developers that makes it easier to test API calls. We...
Better API Penetration Testing with Postman - Part 1
This is the first of a multi-part series on testing with Postman. I originally planned for it to be one post, but it ended up being so much content...
Three C-Words of Web App Security: Part 3 – Clickjacking
This is the third and final part in this three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April,...
Twelve Days of XSSmas
This series of daily mini-posts, running from December 12, 2018 to December 24, 2018, is intended to provide cross-site scripting (XSS) related tips....
Three C-Words of Web App Security: Part 2 – CSRF
This is the second in a three-part series, Three C-Words of Web Application Security. I wrote a sort of prologue back in April, called A Brief...