Articles in category "Appsec" (4)
2022-10-29
Measuring attack paths in web applications
Recently a customer asked us after our penetration test against their web application, the percentage of possible attack paths we had covered. It was a difficult question to answer because, a) the customer wanted us to focus on SQL injection and XSS (long …
2022-07-01
My thoughts on Secure Code Review
In this article I would like to share my thoughts, methodologies and techniques on how I perform secure code review. By secure I mean code review with the purpose of finding unknown vulnerabilities. My focus is generally on web applications, but the ideas …
2022-06-29
Python gems to look out for
A few weeks ago I was looking into Python specific code patterns that would lead to vulnerabilities. I was surprised when I found a few patterns that I hadn’t really thought about, most likely because I never write Python code like the examples I …
2021-11-01
Overwriting HttpOnly cookies with Javascript
So I got in contact with Sam Anttila on twitter regarding his article about overwriting HttpOnly enabled cookies using Javascript, which should not be possible. I asked him if he had verified if Firefox exhibits the same behavior. He answered yes and the …