Gherkin on steroids: How to document detailed attack vectors

Rafael Ballestas | documentation | Tags: documentation, vector, software

In the field of information security and ethical hacking, finding all vulnerabilities is as important as reporting them as soon as possible. For that, we need an effective means to communicate with all stakeholders. We have proposed before using the business-readable, domain-specific language Gherkin. In that...

Requiem for a p455w0rD: Why passphrases are better than passwords

Rafael Ballestas | identity | Tags: password, credential, security

What would you rather have at your home door: a simple, weak key that needs to be changed every other week, or a one-time-setup, state-of-the-art, virtually unpickable cruciform key? Figure 1. Lock key comparison via Locksmith Ledger. That’s just the difference between rotating short passwords vs having one good …

The Oracle of Code: About code as data

Rafael Ballestas | techniques | Tags: testing, application, detect

“Most programs are too large to understand in complete detail”. This was written in the 80’s.[1] Imagine the situation today. Hence the need for automated tools to aid in the process of analysing code. The solution, according to Oege de Moor from Semmle, is obvious: treat code as …

XML: eXploitable Markup Language

Rafael Ballestas | techniques | Tags: xml, xpath, injection

Markup languages are “systems for annotating a document in a way that is syntactically distinguishable from the text.” [1] What does that really mean? I reckon that’d be better understood with examples. But before, a warning: if you use them for sensitive information storage, you should be really careful …

Stand on the shoulders of giants

Rafael Ballestas | techniques | Tags: testing, dependency, vulnerability

In our last post, we reproduced the discovery of a vulnerability in libpng. But that is only a small library, you might say, with a very limited scope and only 556 KiB installed. However, many, many packages depend on it. To see how many packages in the Arch Linux repository …

Will We Be Replaced By Machines?

Andres Cuberos | philosophy | Tags: application, detect, vulnerability, scanner

More than 20 years have passed since Garry Kasparov, the chess world champion, was defeated by Deep Blue, the supercomputer designed by IBM. For many people, that event was proof that machines had managed to exceed human intelligence [1]. This belief raised many doubts and concerns regarding technological advance, that …

The infinite monkey fuzzer

Rafael Ballestas | techniques | Tags: fuzzing, application, testing

In our last entry, we argued that fuzzing is both “dumb” and surprising. In this article, we’ll continue exploring the possibilities of fuzzing. This time though, we’ll focus on desktop application fuzzing, specifically UNIX applications written in C. When developing in C, you usually have to handle memory …

Fuzzy bugs online

Rafael Ballestas | techniques | Tags: sql, fuzzing, injection

Web fuzzing is a technique to find bugs and vulnerabilities in an automated fashion. If you thought protecting your site was a matter of boring attackers by blocking the most common types of malicious requests, think again. Read on. Injecting SQL into a vulnerable site A fairly common situation is …

Is your app in a pickle? Document it with a Gherkin!

Rafael Ballestas | documentation | Tags: documentation, vector, software

Gherkin is a simple language that can be used for software documentation and testing. It can be thought of as a tool for communication between stakeholders and developers which helps minimise misunderstandings and regressions through precision in the definition of use-case scenarios. Figure 1. Behaviour-driven...

How to properly delimit an Ethical Hacking?

Felipe Gómez | philosophy | Tags: ethical hacking, pentesting, security testing

The main problem encountered by an organization when they need to perform security testing is establishing the boundaries of the test. Delimiting the scope of a Pentest by time is a common mistake, since it is not possible to know when a test that is measured solely by effort has …

Is that CSV Secure?

Jonathan Armas | techniques | Tags: security, csv, code, web

A Comma-Separated Values file (CSV) is a plain-text file that stores tabular data, numbers and text. Each line of the file is a data record, and each record consists of one or more fields separated by commas. CSV is a common data exchange format that is …

Protect your company against Hackers, not Lamers

Felipe Gómez | philosophy | Tags: security, protect, information

Without a doubt, the recent events in relation to the infringement of privacy, such as the theft of personal information from celebrities, the Sony, Target and Equifax hacks and the big ransomware that affected Telefonica, make us reflect on how organizations protect their information. All of this in addition to …
