How to uncover leak secrets with regex + entropy analysis

Image for post
Image for post
Image is taken from

As a developer, I admit that I’ve committed secrets to public Github repositories before. Hardcoded secrets have always been a problem in organizations and are one of the first things I look for during a penetration test.

When developers write secrets such as passwords and API keys directly into source code, these secrets can make their way to public repos or application packages, then into an attacker’s hands. As microservice architectures and API-centric applications become mainstream, developers often need to exchange credentials and other secrets programmatically. This means that developers can sometimes make mistakes when handling sensitive data.

To put…

A guide for writing better technical articles + blog posts

Image for post
Image for post
Photo by Andrew Neel on Unsplash

One of the questions I get the most in my Twitter DMs is “How do I write better technical blog posts”?

Technical writing is a specialist skill, and I am by no means an expert. But over the past few years, writing my technical blog has taught me a lot about writing for the Internet. So today, here are my tips to help you produce better technical articles.


Good writing is easy to read. This is especially true when writing on the Internet. On the Internet, your technical blog post has the potential to be shared anywhere in the world…

Impact, exploitation, and prevention of XML External Entity Vulnerabilities

Image for post
Image for post
Photo by Piotr Chrobot on Unsplash

Welcome back to AppSec simplified! In this tutorial, we are going to talk about how you can prevent XXEs in Java applications. If you are not already familiar with XXEs, please read my previous post first!

Why XXEs happen

DTDs are used to define the structure of an XML document. Within DTDs, you can declare “XML entities”. There is a special type of XML entities called “external entities”, which are used to access local or remote content with a URL.

For example, this DTD declares an external entity named “file” that points to file:///secrets.txton the local file system. …

Performing a code review to find vulnerabilities in applications

Image for post
Image for post
Photo by Joshua Aragon on Unsplash

Performing a source code review is one of the best ways to find security issues in an application. But how do you do it?

In this tutorial, I will go through some tactics for performing a security code review on your application.


Before you start reviewing code, learn what the most common vulnerabilities are for the target application type. Getting familiar with the indicators and signatures of those vulnerabilities will help you identify similar patterns in source code. For example, the signature for an XXE vulnerability is passing user-supplied XML to a parser without disabling DTDs or external entities. …

Finding XXE vulnerabilities in applications via code analysis

Welcome back to AppSec Simplified! Last time, we talked about the fascinating XXEs vulnerabilities and how they can affect your application. If you are not already familiar with XXEs, please read that post first!

This time, let’s hunt for XXEs for real! We will be analyzing the source code of an example application that is vulnerable to XXEs: the OWASP WebGoat. You can download the application here if you want to follow along with this exercise.

Setting up

We’ll be using ShiftLeft’s NG-SAST scanner to hunt for XXEs. You can register for a free account here. …

Protect your XML parsers against malicious XML documents!

Image for post
Image for post
Photo by Jason Leung on Unsplash

Hey! And welcome to the first installment of AppSec Simplified. Today, we are going to explore a fascinating vulnerability called XML External Entity vulnerabilities, or XXEs!

What are XXEs?

To understand XXEs, we need to first talk about “DTDs” in XML documents.

XML documents can contain a Document Type Definition, or a “DTD”. DTDs are used to define the structure of an XML document and the data it contains. They are declared within the document using a “DOCTYPE” tag, like this:

<?xml version=”1.0" encoding=”UTF-8"?><!DOCTYPE ...INSERT DTD HERE...>

Within DTDs, you can declare “XML entities”. …

And why Application Security is like wearing masks

Image for post
Image for post
Photo by Kobby Mendez on Unsplash

Wearing a face mask to prevent coronavirus is becoming the norm in my city. It was hit heavily by the COVID crisis, and now we have reached an unspoken consensus: wear masks, wherever you go.

This is quite different from where we were just a few months ago. Face masks had a bad reputation, and the local health department had a hard time getting people to wear them. What was stopping people from wearing masks? It turns out, people hate masks because they make breathing difficult, make glasses foggy, and can look quite awkward. But the pros of masks outweigh…

What to watch for developers, ML enthusiasts, and hackers

Image for post
Image for post
Photo by Estée Janssens on Unsplash

Here at ShiftLeft, we are gearing up for Shifting Left: ’21, a one-day application security conference for developers and security practitioners on Jan 28, 2021. I’ve been a huge fan of security conferences ever since I attended my first security conference, NorthSec in Montreal. This time, I am excited to be on the organizer’s side and present this conference to you.

Shifting Left: ‘21 is entirely online and free to register here. Now let’s get into it! …

Why I Joined SAST company ShiftLeft

Most of you know me as an offensive security gal. The fact that I decided to join a SAST team frankly surprised me as well. Now that I have officially started my job at ShiftLeft, I am taking this moment to reflect on how I got here and how I see the future of application security.

Image for post
Image for post

Confessions of a newbie web developer

I started my career as a web developer. And I absolutely loved it! I loved building tools that solve someone else’s problems. And there is no feeling like seeing your vision materialize right in front of your eyes.

And how to protect your network from attackers

Fortress door
Fortress door
Photo by Ivan Aleksic on Unsplash

Successful cyberattacks often start at the “network perimeter.”

As a company grows, it becomes increasingly difficult to secure the hundreds and thousands of machines on the network. Often, all an attacker needs to compromise a network is a single bug on a public-facing machine! Today, we will talk about a common vulnerability on the network perimeter: SSRF, how it allows attackers to pivot into a company’s network, and how to prevent it.

What Is SSRF?

SSRF, or Server-Side Request Forgery, is a vulnerability that happens when an attacker can send requests on behalf of a server. It allows attackers to “forge” the request…

Vickie Li

Professional investigator of nerdy stuff. Hacks and secures. Creates god awful infographics.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store