As a developer, I admit that I’ve committed secrets to public GitHub repositories before. Hardcoded secrets have always been a problem in organizations and are one of the first things I look for during a penetration test.
When developers write secrets such as passwords and API keys directly into source code, those secrets can make their way into public repos or shipped application packages, and from there into an attacker’s hands. As microservice architectures and API-centric applications become mainstream, developers increasingly need to exchange credentials and other secrets programmatically, which multiplies the opportunities to handle sensitive data carelessly.
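The kind of check I run over a checked-out repository or an unpacked package before reading any code, as an added example (this is not code from the post): a small pattern-based scanner for hardcoded secrets. The patterns, the placeholder filter and the sample source file are constructed for the demonstration; the AWS key in the sample is the documented example key, not a real credential.

```python
import re

# Added example, not code from the original post. Patterns and sample input are
# constructed here; real scanners (gitleaks, trufflehog, ...) carry many more rules.
SECRET_PATTERNS = {
    # AWS access key IDs have a fixed prefix and a fixed 16-character suffix.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # A PEM private key pasted straight into source or config.
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # password/secret/api_key/token assigned a quoted literal of 6+ characters.
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]([^'\"]{6,})['\"]"
    ),
}

# Values that are obviously placeholders; skipping them keeps the report readable.
PLACEHOLDERS = re.compile(r"(?i)^(?:changeme|example|xxx+|your[_-].*|<.*>|\$\{.*\})$")


def scan_source(text, filename="<input>"):
    """Return (filename, line_no, pattern_name, matched_value) for each likely secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            # Use the captured value when the pattern has one, else the whole match.
            value = m.group(m.lastindex or 0)
            if PLACEHOLDERS.match(value):
                continue
            findings.append((filename, line_no, name, value))
    return findings


# Constructed sample file: two real-looking secrets, one key block, one safe
# environment lookup and one placeholder that should not be reported.
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "hunter2-prod-2021"
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
API_TOKEN = os.environ["API_TOKEN"]
placeholder_password = "changeme"
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for filename, line_no, name, value in scan_source(SAMPLE_SOURCE, "settings.py"):
        print(f"{filename}:{line_no}: {name}: {value}")
```

Line 4 of the sample is the pattern you want to see instead: the value comes from the environment (or a secrets manager) at runtime, so nothing sensitive lands in the repository. A scanner like this belongs in the pre-commit hook and the CI pipeline, because once a secret has reached a public repo it has to be treated as compromised and rotated.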
One of the questions I get the most in my Twitter DMs is “How do I write better technical blog posts?”
Technical writing is a specialist skill, and I am by no means an expert. But over the past few years, writing my technical blog has taught me a lot about writing for the Internet. So today, here are my tips to help you produce better technical articles.
Good writing is easy to read. This is especially true when writing on the Internet. On the Internet, your technical blog post has the potential to be shared anywhere in the world…
Welcome back to AppSec simplified! In this tutorial, we are going to talk about how you can prevent XXEs in Java applications. If you are not already familiar with XXEs, please read my previous post first!
DTDs are used to define the structure of an XML document. Within DTDs, you can declare “XML entities”. There is a special type of XML entities called “external entities”, which are used to access local or remote content with a URL.
For example, this DTD declares an external entity named “file” that points to file:///secrets.txt on the local file system. …
Performing a source code review is one of the best ways to find security issues in an application. But how do you do it?
In this tutorial, I will go through some tactics for performing a security code review on your application.
Before you start reviewing code, learn what the most common vulnerabilities are for the target application type. Getting familiar with the indicators and signatures of those vulnerabilities will help you identify similar patterns in source code. For example, the signature for an XXE vulnerability is passing user-supplied XML to a parser without disabling DTDs or external entities. …
Welcome back to AppSec Simplified! Last time, we talked about the fascinating XXE vulnerability and how it can affect your application. If you are not already familiar with XXEs, please read that post first!
This time, let’s hunt for XXEs for real! We will be analyzing the source code of an example application that is vulnerable to XXEs: the OWASP WebGoat. You can download the application here if you want to follow along with this exercise.
We’ll be using ShiftLeft’s NG-SAST scanner to hunt for XXEs. You can register for a free account here. …
Hey! And welcome to the first installment of AppSec Simplified. Today, we are going to explore a fascinating vulnerability called XML External Entity vulnerabilities, or XXEs!
To understand XXEs, we need to first talk about “DTDs” in XML documents.
XML documents can contain a Document Type Definition, or a “DTD”. DTDs are used to define the structure of an XML document and the data it contains. They are declared within the document using a “DOCTYPE” tag, like this:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE ...INSERT DTD HERE...>
Within DTDs, you can declare “XML entities”. …
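The external-entity trick described in the XXE posts above, and the code-review signature from the source review post (user-supplied XML reaching a parser that still resolves external entities), shown end to end as an added example. This is not code from the posts, which target Java parsers; it drives Python’s standard-library SAX parser instead so that it runs offline, and the secrets file and XML payload are constructed here.

```python
import io
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler

# Added example, not code from the original posts. The secret file and the
# attacker-controlled XML document are constructed below.


class TextCollector(handler.ContentHandler):
    """Collects the character data the parser reports."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def parse_untrusted_xml(xml_bytes, resolve_external_entities):
    """Parse attacker-controlled XML and return its text content.

    resolve_external_entities=True mirrors a parser whose external general
    entities are still enabled (the vulnerable configuration the code-review
    signature looks for); False is the hardened configuration.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.text()


def build_xxe_payload(target_uri):
    """The DTD from the post: an external entity named 'file' pointing at a local file."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY file SYSTEM "{target_uri}">\n'
        "]>\n"
        "<data>&file;</data>\n"
    ).encode("utf-8")


def demo():
    """Return (text seen by the vulnerable parser, text seen by the hardened parser)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = Path(tmp) / "secrets.txt"
        secret_path.write_text("db_password=hunter2")  # constructed secret
        payload = build_xxe_payload(secret_path.as_uri())
        leaked = parse_untrusted_xml(payload, resolve_external_entities=True)
        hardened = parse_untrusted_xml(payload, resolve_external_entities=False)
    return leaked, hardened


if __name__ == "__main__":
    leaked, hardened = demo()
    print("vulnerable parser returned:", repr(leaked))
    print("hardened parser returned:  ", repr(hardened))
```

With external general entities enabled, the contents of secrets.txt come back as the text of `<data>`, exactly what an attacker reads when the application echoes the parsed value. With them disabled, the reference is silently dropped. The Java equivalent for the parsers the posts discuss is `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`, which rejects the DOCTYPE outright, or, where DTDs must be accepted, setting `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false; the absence of either on a parser fed user input is the signature to grep for during review.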
Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks, wherever you go.
This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hate masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh…
Here at ShiftLeft, we are gearing up for Shifting Left: ’21, a one-day application security conference for developers and security practitioners on Jan 28, 2021. I’ve been a huge fan of security conferences ever since I attended my first security conference, NorthSec in Montreal. This time, I am excited to be on the organizer’s side and present this conference to you.
Shifting Left: ’21 is entirely online and free to register here. Now let’s get into it! …
Most of you know me as an offensive security gal. The fact that I decided to join a SAST team frankly surprised me as well. Now that I have officially started my job at ShiftLeft, I am taking this moment to reflect on how I got here and how I see the future of application security.
Confessions of a newbie web developer
I started my career as a web developer. And I absolutely loved it! I loved building tools that solve someone else’s problems. And there is no feeling like seeing your vision materialize right in front of your eyes.
Successful cyberattacks often start at the “network perimeter.”
As a company grows, it becomes increasingly difficult to secure the hundreds or thousands of machines on its network. Often, all an attacker needs to compromise a network is a single bug on a public-facing machine! Today, we will talk about a common vulnerability on the network perimeter, SSRF: how it allows attackers to pivot into a company’s network, and how to prevent it.
SSRF, or Server-Side Request Forgery, is a vulnerability that happens when an attacker can make a server send requests of the attacker’s choosing. It allows attackers to “forge” the request…
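The defensive half of the story, as an added example (not code from the post): a check to run on any URL a user hands the server before the server fetches it. It rejects non-HTTP schemes, URLs carrying credentials, hosts off an optional allowlist, and any host that resolves to an internal, loopback or link-local address, which is what blocks the usual pivot targets (RFC 1918 ranges, localhost, the cloud metadata address 169.254.169.254). The resolver is injectable so the example runs offline against a constructed DNS table; `_resolve_with_dns` is the real lookup.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the original post. FAKE_DNS is a constructed
# table used so the check can be exercised without network access.
ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(ip):
    """True for addresses a forged request could use to reach the internal network."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def _resolve_with_dns(host):
    """Real resolver: every address the hostname currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def check_outbound_url(url, resolve=None, allowed_hosts=None):
    """Return (ok, reason) for a user-supplied URL the server is about to fetch."""
    resolve = resolve or _resolve_with_dns
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host not on allowlist: {host}"
    try:
        # A literal IP needs no lookup; otherwise resolve every address it maps to.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:127.0.0.1 style bypass
        if mapped is not None:
            ip = mapped
        if _is_internal(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, "ok"


# Constructed DNS table for offline use (93.184.216.34 stands in for a public host).
FAKE_DNS = {
    "api.partner.example": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "localtest.example": ["::ffff:127.0.0.1"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN: {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report",
                      "http://metadata.internal.example/latest/meta-data/",
                      "http://localtest.example/",
                      "http://10.0.0.5/admin",
                      "http://[::1]:8080/",
                      "file:///etc/passwd",
                      "http://user:pw@api.partner.example/"):
        print(candidate, "->", check_outbound_url(candidate, resolve=fake_resolve))
```

Two caveats a reviewer will raise. First, resolving here and then letting the HTTP client resolve again leaves a DNS rebinding window, so the fetch should connect to the address that passed the check (or the client’s connection hook should re-run this check on the final address). Second, redirects are a second chance for the attacker: either disable them or validate every hop with the same function.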