Web Application Testing with Python

AppSec USA 2015 Teaser

Michael Born

September 03, 2015 - Posted by Michael Born to Security Insight

With the OWASP 12th Annual Security Conference, AppSec USA 2015, right around the corner (September 22nd – September 25th), I wanted to give a teaser about a one-day class that I am co-teaching on September 23rd. A fellow Omaha OWASP chapter board member, Fred Donovan, and I are teaching a “Hands-on Website Exploitation with Python” class to teach the use of Python for Web application testing.

For the one-day training class, I chose to develop, from scratch, a vulnerable Web application to use in our discussions. Fred decided he wanted to tackle the scripting. The vulnerable Web application contains a number of commonly-found, and not so commonly-found, issues — all of which a little custom Python coding should be able to take advantage.

For the rest of this blog, I’m going to give an example of writing a script which will... read more >

Website Pen Test

Mirror, mirror on the wall, what does my website reveal about my business to all? #WarStoryWednesday

David Biser

September 02, 2015 - Posted by David Biser to Security Insight

Hacker

If you run a business, chances are that you have a presence on the Internet. A website is considered a critical aspect of a business. Establishing your product or business online is a must. As important as a website is, it is also a vulnerability point for your business – think about the Ashley Madison hack. Hackers can use your website to conduct reconnaissance and then infiltrate your company. When contracted to conduct a penetration test, white hat hackers try to simulate the actions of an actual attacker.

If your organization has a Web presence, this war story is for you.

Website Pen Test War Story: Background

In a recent penetration test, I was hired to simulate an attack against a company that handled PII (personal identifiable information).  The company wanted the test to simulate an attack from external sources (online), to be followed... read more >

FBI Warns Businesses About Email Scams

CEO fraud cost more than $1 billion worldwide

Joseph (JB) Blankenship

September 01, 2015 - Posted by Joseph (JB) Blankenship to Security Insight

Email Scam

Last week, the FBI released an alert warning businesses about Business Email Compromise (BEC) scams that are a growing threat to businesses worldwide. Also known as “CEO fraud,” these scams target business executives in attempts to initiate unauthorized wire transfers. Losses to individual victims range from hundreds of thousands of dollars to millions of dollars. The FBI figures suggest that the average loss per victim is $100,000.

Losses from these scams, however, can be significantly more. Blogger Brian Krebs reports that Ubiquiti Networks reported a $46.7 million loss because of a BEC scam. In another scam, an Omaha, Nebraska-based company with 800 employees lost $17.2 million after a company executive wired money overseas after receiving emails ordering the transfers.

BEC scams are nothing new. The FBI began keeping statistics on them in 2013.

Since the FBI’s Internet Crime Complaint Center (IC3) began tracking BEC scams in late 2013,... read more >

Web Application Security Testing

Clean those APIs with SOAP, give them some REST and put them through the ringer

Michael Born

August 27, 2015 - Posted by Michael Born to Security Insight

Since I first began my career as an Offensive Security consultant for Solutionary Professional Security Services, I’ve seen a massive shift in how Web applications are developed and deployed. Mainly, this shift has occurred in the increased development and use of REST-based and SOAP-based Web services. With this shift, comes the need to mature security testing processes — and I am not the only person to realize this need.

I currently sit on the Omaha OWASP chapter board, along with several very intelligent application development and application security practitioners. There have been several discussions around a more advance and mature security-testing processes for Web services.  Through our discussions, we were able to create the OWASP Web Service Security Testing Cheat Sheet.

In this... read more >

2015: A Pivotal Year for Cybersecurity

George Hulme

August 26, 2015 - Posted by George Hulme to Security Insight

2015 is a Pivotal Year for Cybersecurity

Typically, when it comes to gauging how a year is shaping up regarding cybersecurity, it is a straight count of breached enterprises or records exposed that contain sensitive personally identifiable information. Some years, there are more breaches than others, just as some years there are breaches involving bigger household names and other years are relatively ho-hum. Rarely do we see pivotal years in cybersecurity, but I’m convinced we are witnessing one now.

One of the biggest years, for me, was 1999. It became crystal clear that year that all of the Web applications that were sprouting up were exposing backend systems and databases to new attack vectors, and highly vulnerable endpoints never designed to be connected to the Internet were connecting in great numbers.

This year is looking like another pivotal year. It’s not that the number of breached records isn’t high – it is – and it certainly matters, especially if your record is... read more >

A First Timer’s DEF CON Takeaways

The goon, the bash and the uneducated

Chris Schwartz

August 25, 2015 - Posted by Chris Schwartz to Security Insight

Hacker

As I sit here now and try to recollect my memories from DEF CON 23, I find myself saying, “What just happened?” There was just so much, so quick, over what felt like a very short three days in Las Vegas.

Being my first time attending, a naive “noob” to this event, my eyes couldn’t be wide enough. I tried to plan everything out— and it failed spectacularly. For future DEF CON goers, my first piece of advice would be to plan a very loose schedule, and expect to change it around at some point.

I walked into the venue without any friends or co-workers and decided to rough it at the convention from day one. Well, I’d like to tell you that I didn’t get lost in the vendors/tracks section for 30 minutes, but I did. Therefore, my second piece of advice is to bring or find someone who is familiar with the event and buddy up with... read more >

Corporate and Government Domains Included in Ashley Madison Data Breach

Users not following security policies, putting themselves and their employers at risk

Joseph (JB) Blankenship

August 21, 2015 - Posted by Joseph (JB) Blankenship to Security Insight

Business Man

This week, hackers calling themselves Impact Team released two data dumps that are allegedly from the recent breach of cheating website Ashley Madison and its parent company Avid Life Media (ALM). The first data dump contained approximately 10 Gb of data, mostly user information dating back to 2008. This data includes names, street addresses, e-mail addresses and transaction amounts for the 32 million Ashley Madison users. The data also includes financial details, physical descriptions as well as users’ sexual preferences and fantasies.

Many government and corporate domains are included in the data. This means that many users used their work e-mail address to access this site. Most organizations have clear security policies in place that prohibit the use of work e-mails and equipment to access any websites that are not work related. A... read more >

1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | Older Entries >>

Voted Best Corporate Security Blog 2014
Solutionary is a leading managed security services provider. The Solutionary Minds blog is a place to learn about and discuss IT security and compliance topics.

Get the Solutionary Minds blog delivered to your inbox!

Enter your Email:

(We will not share your email or use it for anything else.)

Tags

LATEST TWEETS