Website Security Testing: the POODLE attack, featuring TLS Downgrade

The KBID XXX – TLS Downgrade I almost every course I teach I discuss the perils of “TLS fallback,” a fatal misconfiguration that negotiates a web server back to an old, insecure SSL/TLS version. From there it’s simple to use known exploits against the web server and boom, now it’s a Russian crimeware server! This …

XSS Game :: Learn Cross-Site Scripting, Bug-Test Google Apps, Step 3: Profit

Here’s another Google Appspot pen-testing practice site, this one focused on XSS (Cross-Site Scripting). Oh, it’s so fun to have sites where you can rampage like Hannibal’s elephants without getting condemned to death by gladiator! “In this training program, you will learn to find and exploit XSS bugs. You’ll use this knowledge to confuse and …

Gruyere :: A Cheesy Web App For Your Hacking Delectation

I’ll let them say it: “This codelab is built around Gruyere /ɡruːˈjɛər/ – a small, cheesy web application that allows its users to publish snippets of text and store assorted files. ‘Unfortunately,’ Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. …

OWASP Juice Shop :: Get Your Web Hacking Jollies Here [ Hacker Night School ]

OWASP Juice Shop: Hmm, let’s see what we can hack here. This isn’t for beginners, but this realistic e-commerce site lets you root around and find things to break without the local gendarmerie knocking at your door. It’s pretty, it’s well-designed and well-coded, and it keys to the OWASP Top 10 Web Vulnerabilities (which you’d …

NYS DFS Cybersecurity Regulations are going to create a lot of CISO jobs, and a lot of pain for just about every business

This ominous-sounding set of regulations is going to apply to a lot more businesses than they will expect. And they’re deep, and specific. Most organizations are going to be required to have a CISO, for instance, and that’ll be a bitter surprise to some. It’s likely that the responsibility will be loaded onto some existing …

Interactions, Trust and Google Chrome: my Veracode article

Glenn Norman on Veracode

During my time as Project Manager of Hacker Highschool (2012-2016) I had the opportunity to write articles for several security publications. This article, “Interactions, Trust, and Google Chrome”, appeared on January 14, 2016, and looked at the obvious and not-so-obvious trusts we give Google and interactions we allow with them. I’m not a Google Hater; …

A fellow consultant asks me to define Pen Testing and Vuln Testing

Recently my friend and fellow IT consultant Marc Mintz (Mintz Infotech, https://mintzit.com/) asked me to clarify some of what I do for his clients. Here’s his question: *** Glenn: I don’t know if my target market really understands pen and vulnerability testing, but since they should, I’d like to have some information for them. I. …