TL;DR The same JSON document can be parsed with different values across microservices, leading to a variety of potential security risks. If you...
Bishop Fox works closely with Google to design the Partner security program, so we know what's needed for you to pass the testing requirements....
I'm excited to announce some new features that have been added to RMIScout. RMIScout is a tool to perform wordlist and brute-force attacks against...
Nov 23, 2020 6:00:00 AM | By Britt Kemp and Jake Miller
Around this time last year, we released a list of our favorite pen testing tools for client engagements and in our own research. This year, we're...
This article will walk you through the various decisions you'll need to make when planning a penetration test. It will focus on high-level...
In this article, we are going to discuss a variety of security risks to GraphQL deployments and migrations that we've seen during our client...
Whether you are migrating an on-premise deployment to a cloud provider, tasked with deploying a new cloud-hosted application, or looking to improve...
The revival of HTTP request smuggling has led to devastating vulnerabilities in our modern application deployments. An HTTP request smuggled past...
One of the hardest parts about working with any professional service is evaluating whether the service was performed well. Isn't it funny how...
Spending money on penetration tests is an investment. And as a sizable investment in your product, you'll want to ensure you are getting your...
ADVISORY SUMMARY CVE-2020-13656: In Hobbes through 2020-05-21, the array implementation lacks bounds checking, allowing exploitation of an...
Java Remote Method Invocation (RMI) is a Java API that performs remote procedure calls and allows a client application to access or invoke the...
You just found a Java deserialization bug, you ran all your ysoserial payloads, and... you got nothing. Now what? How can you debug or build a...
GitGot is a semi-automated, feedback-driven tool that can rapidly search through troves of public data on GitHub for sensitive secrets.
What's Wrong With Scanners? Scanning tools are ubiquitous in the security industry. They can speed up manual workflows, provide security...
Over the past year, I came across two server-side attack vectors based on CSV injection (explained well here). The first case shows an instance of...
Patch Date Dec. 21, 2016 Vendor Cisco Systems Affected Cisco Jabber Guest Server Summary A vulnerability in the Cisco Jabber Guest Server could...