Blog Entries - Code

Bash Brace Expansion Cleverness

September 4th, 2008

Brace expansion is a nice feature in the Bash interpreter that happened to be exactly what I needed during an audit.  A good thing to log away in memory in case you ever find yourself in a pen-test environment with similar constraints.


Beware of Google App Engine SDK

April 9th, 2008

An easily exploited vulnerability in Google App Engine’s SDK can put your development servers at risk.  While this bug is trivial to fix, engineers at Google have declined to address the vulnerability, so be cautious when using the SDK to develop your web service.


Detecting and Evading CWSandbox

January 15th, 2008

CWSandbox is one of the most comprehensive and full-featured platforms for automated malware analysis. In this post, we detail how a malware sample being analyzed by CWSandbox may detect and evade the monitoring functionality of CWSandbox in order to disguise its malicious activities.


Facebook XSS

August 15th, 2007

Facebook’s new-fangled applications functionality seemed like a ripe opportunity for nasty cross-site scripting bugs. As it turns out, multiple XSS vulnerabilities were present in the fb:swf tag of the Facebook Markup Language.


Cosign SSO Vulnerability

April 12th, 2007

During an independent audit, I discovered a critical vulnerability in Cosign, a web-based single sign-on (SSO) platform which is currently in use at numerous large universities.


Mozilla Auto-Update Vulnerability

September 15th, 2006

Mozilla’s auto-update system is a feature recently added to Firefox and Thunderbird that promises to bring prompt security updates to users without manual interaction. Unfortunately, this feature contains a vulnerability allowing attackers to hijack the update process and deliver malicious updates, resulting in the victim’s host being compromised.


Wolverine Access Vulnerability

July 25th, 2004

While arranging my class schedule at the University of Michigan, I discovered a vulnerability in Wolverine Access that allowed unrestricted access to the social security numbers, names, and addresses of every student in the University, including recent alumni.
