Fluid Attacks logo
Contact Us
Young hacker smiling
Zero false positives

Expert intelligence + effective automation

Contact logo Contact Us
GET A DEMO
heartbleed official logo

My heart bleeds (but not for you)

Understanding the flaw behind Heartbleed

Back in April 2014, one of the biggest vulnerabilities in recent history was found, HeartBleed. The popular open source cryptographic software library OpenSSL, had a critical flaw, [1] in the...



Python proofreading a document

Pars orationis non est secura

Using parser combinators to detect flaws

We like bWAPP around here, because it’s very buggy!. We have shown here how to find and exploit vulnerabilities like SQL injection, directory traversal, XPath injection, and UNIX command...



Pickled cucumbers

Gherkin on steroids

How to document detailed attack vectors

In the field of information security, finding all vulnerabilities is as important as reporting them as soon as possible. For that, we need an effective means to communicate with all stakeholders....



Weak bicycle lock with words

Requiem for a p455w0rD

Why passphrases are better than passwords

What would you rather have at your home door: a simple, weak key that needs to be changed every other week, or a one-time-setup, state-of-the-art, virtually unpickable cruciform key? Figure 1....



Pythia and supplicant in the Oracle of Delphi

The Oracle of Code

About code as data

“Most programs are too large to understand in complete detail”. This was written in the 80’s.[1] Imagine the situation today. Hence the need for automated tools to aid in the process of analyzing...



O'Reilly XML book cover

XML: eXploitable Markup Language

XPath injection on XML files

Markup languages are “systems for annotating a document in a way that is syntactically distinguishable from the text.” [1] What does that really mean? I reckon that’d be better understood with...



Orion carrying Cedalion

Stand on the shoulders of giants

About software composition analysis

In our last post, we reproduced the discovery of a vulnerability in libpng. But that is only a small library, you might say, with a very limited scope and only 556 KiB installed. However, many,...



Person playing chess against a robotic arm

Will machines replace us?

Automatic detection vs. manual detection

More than 20 years have passed since Garry Kasparov, the chess world champion, was defeated by Deep Blue, the supercomputer designed by IBM. For many people, that event was proof that machines had...



Infinite Monkey Theorem

The infinite monkey fuzzer

Fuzz testing using American Fuzzy Lop

In our last entry, we argued that fuzzing is both “dumb” and surprising. In this article, we’ll continue exploring the possibilities of fuzzing. This time though, we’ll focus on desktop...



Fuzzy caterpillar

Fuzzy bugs online

Fuzz techniques for attacking web applications

In general, fuzzing means to try many inputs, well-formed or otherwise, in an application, protocol or other interaction with a computer, that it might trigger an unexpected behavior. Web fuzzing...



Cucumber slices

Is your app in a pickle?

Documenting vulnerabilities with gherkin

Gherkin is a simple language that can be used for software documentation and testing. It can be thought of as a tool for communication between stakeholders and developers which helps minimize...



Person working on the computer while looking at cellphone

Delimiting an Ethical Hacking

How to define the scope of your objectives

The main problem encountered by an organization when they need to perform an Ethical Hacking is to establish the boundaries of the hacking. Delimiting the scope of an Ethical Hacking by time is a...




Service status - Terms of Use