Category Archives: Security

Window.postMessage part 2 – an example

In Part 1 of the series, I talked about the basics of Window.postMessage and showed some sample code. This post will show some real code with a demo link. This code purposefully has some security issues which will be …

Posted in Javascript, Security

Window.postMessage part 1 – the basics

What is Window.postMessage? Window.postMessage is a way to safely communicate cross-origin between windows. Normally, pages are only allowed to interact with each other if they share the same origin (protocol, host and port all matching). postMessage allows a developer to get around that. Syntax …

Posted in Javascript, Security

Playing with Content Security Policy (CSP) today…

Playing around with Content Security Policy (CSP) today. Found these resources so far that I like: CSP Is Awesome, Report URI, and the Content Security Policy (CSP) Quick Reference Guide. Any other suggestions?

Posted in Security

Injection on Windows

So, I’ve been playing around a bit with DLL injection on Windows. The basic process is: identify the process, open the target process, create a buffer in the target process that’s large enough to hold the path to the DLL …

Posted in Security

The Witchcraft Compiler Collection by @endrazine

In case you missed Defcon 24 or were there and happened to miss this talk, this is some amazing stuff. It’s called the Witchcraft Compiler Collection (WCC) by my co-worker and friend, Jonathan Brossard. Some things you can do with …

Posted in Open Source, Security, Uncategorized

An Overview of HSTS

What is HSTS? HSTS stands for HTTP Strict Transport Security. It’s a web security policy that allows a web server to inform a web browser that it should only be accessed over HTTPS and never HTTP. It also helps prevent …

Posted in Security

XML External Entity attack (XXE) in a Nutshell

The XXE attack has been around for a few years, but hasn’t gotten much attention until the last couple of years with some high-profile cases in Facebook and PayPal. So, what is the XML External Entity attack? XXE is an …

Posted in Security

javax.net.ssl.SSLPeerUnverifiedException when proxying SoapUI through Burp

Ever try to proxy SoapUI through Burp when accessing an endpoint over SSL and get this error? Here’s how to fix it. First, in your SoapUI script(s), change the protocol of all of the endpoints from https to http. Then go …

Posted in Security

Ruby and Security Presentation

So, a couple of weeks ago I presented to the Indy OWASP Chapter about a topic near and dear to my heart: Ruby and security. I really had a great time creating and giving the presentation and hope to expand …

Posted in Ruby, Security

Recommended Security Reading List Link

Those of you that know me know that books are my vice. I have a ton of books. I have them at my house, in my car, at my office, etc. I have paperbacks, hardbacks, and e-books. I’ve recently started …

Posted in Security