Understanding Server-Side Template Injection (SSTI)
Web applications play a vital role in delivering dynamic content to users. To achieve this, developers often utilize server-side templates, which provide a powerful and consistent way to generate dynamic web pages. However, along with this power comes the risk of Server-Side Template Injection ...
Continue Reading
Introducing SamuraiWTF 5.3: A Powerhouse for Web App Pen Testing
Testing |
Training |
samuraiWTF |
web penetration testing |
application security |
professionally evil |
Secure Ideas |
hacking |
OWASP |
Project
We are thrilled to announce the release of SamuraiWTF (Web Training Framework) version 5.3! This ...
Continue Reading
Introducing BILE - Groundbreaking Classification for Web App
Training |
penetration testing |
OWASP |
web application security |
BILE |
OWASP Top 10 |
BILE Classification Scheme |
vulnerability classification
As a seasoned web application penetration tester, I've always felt that there should be a more ...
Continue Reading
ZAPmas Feedback
Testing |
open source |
web penetration testing |
OWASP |
mobile application |
web application security |
API
Sometimes Christmas comes early, and in this case for me it was the publication of the Twelve Days ...
Continue Reading
12 Days of ZAPmas - Day 12 Testing a new Content-Security-Policy
What is the CSP? The Content-Security-Policy (CSP) is a widely recommended control and is ...
Continue Reading
Twelve Days of ZAPmas - Day 11 - ZAP impressions from a Burp user
It probably seems a bit odd to do this on Day 11 and not at the end of the series, but I have one ...
Continue Reading
Twelve Days of ZAPmas - Day 10 - Manual Web App Testing Unproxied
Most of the time, proxying the browser doesn’t present any sort of trouble. You should be able to ...
Continue Reading
Twelve Days of ZAPmas - Day 9 - Automated Scanning and ATTACK mode
Automated scanning against an application is useful. It’s a faster and less labor-intensive way to ...
Continue Reading
Twelve Days of ZAPmas - Day 8 - Spidering
Spidering is an automated process that recursively finds and follows all the navigation from an ...
Continue Reading
Twelve Days of ZAPmas - Day 7 - API Testing with Postman and ZAP
If you’ve done any significant amount of API development, there’s a good chance you’ve used ...
Continue Reading
Twelve Days of ZAPMAS - Day 6 - Passive Flaw Detection and Using the HUD
One of the awesome things about a security-focused interception proxy like ZAP is its ability to ...
Continue Reading
Twelve Days of ZAPmas - Day 5 - Scope and Contexts
Normally I don’t like having my interception proxy hide out-of-scope traffic. Doing so creates a ...
Continue Reading