
Topics

Our blog articles cover different topics related to security and/or topics of interest in the world of IT; they can also reflect the author's opinion about a specific security issue. If you want to collaborate and do not yet have a clear topic, this section gives you ideas, and once a topic is covered by an article we update the #TrendingTopics list. Among the topics of interest are:

Attacks

  • Poodle TLS.

  • Simple cracking of non-reversible keys.

  • Cracking with rainbow tables.

  • Web shells without collateral effects.

  • Reflected file download.

  • Apache Struts 2 Framework Checks.

  • Apache Struts Detection.

  • Arbitrary File Upload.

  • ASP.Net Misconfiguration.

  • ASP.NET Serialization.

  • ASP.NET ViewState security (ViewState Check).

  • Autocomplete attribute/check.

  • Blind SQL Injection.

  • Browser Cache directive (leaking sensitive information).

  • Browser Cache directive (web application performance).

  • Brute Force (HTTP Authentication).

  • Brute Force Form based Authentication.

  • Business Logic Abuse.

  • Clients Cross-Domain Policy Files.

  • Collecting Sensitive Personal Information (Personal Sensitive Information).

  • Command Injection.

  • Cookie attributes.

  • Credentials Over Insecure Channel.

  • Credentials stored in clear text in a cookie (Password Exposure).

  • Cross Origin Resources Sharing (CORS).

  • Cross-Site Request Forgery (CSRF).

  • Cross-site scripting (XSS), (DOM based Reflected via AJAX Request).

  • Cross-site scripting (XSS), (DOM based).

  • Cross-site tracing (XST – Web Method).

  • CSP Headers.

  • Custom Directory Module.

  • Custom Parameter Module.

  • Custom Passive Module.

  • Directory Indexing.

  • Email Disclosure.

  • Expression Language Injection.

  • File Inclusion.

  • Forced Browsing.

  • Form Session Strength.

  • FrontPage Checks.

  • Heartbleed Check.

  • HTTP Authentication over insecure channel.

  • HTTP Headers.

  • HTTP Query Session Check.

  • HTTP Response Splitting.

  • HTTP Strict Transport Security (HSTS).

  • HTTP Verb Tampering (Request Method Tampering).

  • HTTPS Downgrade.

  • HTTPS Everywhere.

  • Information Disclosure in comments.

  • Information Disclosure in Response.

  • Information Disclosure in scripts (Script Check).

  • Information Leakage In Response.

  • Java Grinder.

  • LDAP Injection.

  • Local Storage Usage.

  • Nginx NULL code.

  • OS Commanding.

  • Out of Band Cross-site scripting (XSS).

  • Out of Band Stored Cross-site scripting (XSS).

  • Parameter Fuzzing.

  • Persistent Cross-site scripting (XSS) (passive – XSS Persistent).

  • Persistent Cross-site scripting (XSS), (active – XSS Persistent Active).

  • PHP Code Execution.

  • Predictable Resource Location (Resource Finder).

  • Privacy Disclosure.

  • Privilege Escalation.

  • Reflected Cross Site Scripting (XSS, Reflected).

  • Reflected Cross Site Scripting Simple (XSS, Simple).

  • Reflection.

  • Reverse Clickjacking.

  • Reverse Proxy.

  • Secure and non-secure content mix.

  • Sensitive Data Exposure.

  • Sensitive data over an insecure channel.

  • Server Configuration.

  • Server Side Include (SSI) Injection.

  • Session Fixation.

  • Session Strength.

  • Session Upgrade.

  • Source Code Disclosure.

  • SQL Information Leakage (SQL Errors).

  • SQL Injection.

  • SQL injection Auth Bypass.

  • SQL Parameter Check.

  • SSL Strength.

  • Subdomain discovery.

  • Unvalidated Redirect.

  • URL rewriting.

  • Web Beacon.

  • Web Service Parameter Fuzzing.

  • X-Content-Type-Options.

  • X-Frame-Options.

  • XML External Entity Attack.

  • XPath Injection.

  • X-Powered-By.

  • X-XSS-Protection.

Recommendations

  • API throttling.

  • Recommended hashing function.

  • Recommended asymmetric encryption function.

  • Recommended symmetric encryption function.

  • How to effectively stop a DDoS without proxies.

  • IAST.

  • DAST.

  • SAST.

  • SecDevOps.

  • Why do we use a monorepo?

  • Why do we use trunk-based development?

  • Why do we use continuous delivery?

  • Why do we use infrastructure as code?

  • Why do we use staticgen?

  • Why do we use SLB?

  • Why do we use asciidoc?

  • Why do we use CalVer over SemVer?

  • Why don't CI security tools break builds?

  • Why do automated tools have a higher escape rate?

  • Refactoring JS with linting.

  • Why doesn't Asserts use OpenSSL?

  • Who must detect changes in an API: the provider or the consumer?

  • Should ethical hacking include vulnerability analysis?

Concepts

  • Immutable infrastructure.

  • Red team.

  • Blue team.

  • Purple team.

  • Capture the flag.

  • NixOS.

  • Linters as normalizers.

  • Poor man's linter: check-all/changed and pcregrep.

  • What is SecDevOps?

  • Remediation Pipelines: One shot, Continuous, Breaking the CI.

  • Black Box testing.

  • Gray Box testing.

  • White Box testing.

Standards

  • MISRA Standard.

  • Bearer authentication.

  • SOAP basic authentication.

  • SOAP digest authentication.

  • Correctness by Construction (CbyC).

  • Security development lifecycle (SDL).

  • Comprehensive software development model.

  • Lightweight application security process (CLASP).

  • Team software process for secure SW/Dev (TSP-Secure).

  • Conceptual security modeling (CoSMo).

  • UMLSec.

Summary

  • Bitcoin blockchain security issues.

  • Ethereum security issues.

  • Stellar security issues.

  • Machine learning for vulnerability searching.

  • Incidents associated with vulnerabilities.

Research

  • DVWA with false positives.

Marketing

  • Who discards false positives?

  • How to prioritize vulnerability remediation?
