It is not unusual these days, that in response to changing compliance requirements or customer expectations, your company finds itself called upon to conduct a “Penetration Test”. “Sounds painful”, you say, “and what the heck does that mean, anyway ?” […]
Information Leakage (CWE-200) is a category of software vulnerabilities in which information is unintentionally disclosed to end-users, potentially aiding attackers in their efforts to breach application security. The key criteria for Information Leakage is that the exposure is unintentional and […]
What Is CSV Injection ? It is not uncommon for applications to export data in comma-separated-values (CSV) format for subsequent analysis or downstream processing. Many times that later processing includes viewing and analyzing the exported data in Microsoft Excel or […]
Web developers are sometimes surprised to learn that it is NOT the default behavior of the browser to ensure that a site serving HTTP content over TLS/SSL (i.e. HTTPS) be required to use HTTPS for all content. “HTTP Strict Transport […]
“Server Side Request Forgery” (a.k.a. SSRF) is a class of web-application vulnerability in which an attacker can cause a website to access unintended server-side resources, including the unauthorized reading, writing, or execution of server resources. Web-applications designed to pass URLs (references […]
