Fuzzing the Front End!

September 8, 2020
So, who is testing the client-side components of Single Page Applications (SPAs)? What are you doing exactly, dropping a few cross-site scripting (XSS) polyglots into boxes like you used to do with “<ScRiPt>alert(123)</sCrIpT>” for traditional apps back in 2001?  Are you mostly holding out hope that all big problems will be in the back-end APIs?...

Prepare to Write A Scanner Plugin Before Your Next Platform Test!

April 16, 2020
BurpSuite is a remarkably extensible platform. While I have written a number of extensions for testing specific applications, as well as more general extensions, one type of extension I had never attempted before was creating my own BurpSuite Scanner plugin. Because modern applications are increasingly difficult to exhaustively test for certain types of issues, I...
computer icon

Building a “Quick” Lab Environment with Linux Containers

July 3, 2018
As a penetration tester, I often need to stand up small environments (and sometimes not so small) for a few different reasons—to try things out before making a mess of a client’s production system, to avoid being detected, or to use it simply for our own practice. A lot of us at TrustedSec are remote,...
TrustedSec Blogs + Articles logo

Ruby ERB Template Injection

September 13, 2017
Written by Scott White & Geoff Walton Templates are commonly used both client and server-side for many of today’s web applications.  Many template engines are available in several different programming languages.  Some examples are Smarty, Mako, Jinja2, Jade, Velocity, Freemaker, and Twig.  Template injection is a type of injection attack that can have some particularly...

SHIPS version 2 Released! (major release)

March 16, 2016
The Shared Host Integrated Password System (SHIPS) is an open-source solution created by Geoff Walton from TrustedSec to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Our goal is to make post exploitation more difficult and provide a...

The Internet Gets a Dress Code!

August 5, 2015
Next generation firewalls have been the buzz for a few years now, but only on some of my more recent field experiences have I encountered organizations doing what I really like to see being done with them. Next generation firewalls are really all about one thing in my opinion: real honest egress monitoring and they...
  • Browse by Category

  • Clear Form