Fuzzing can often be a very useful technical for finding bugs. Go-fuzz is a coverage-guided fuzzing solution for testing of Go packages. go-fuzz. This blog post will walk you through how to use it ...

Introduction Deserializing user-controlled object streams at runtime can allow attackers to execute arbitrary code on the server, abuse application logic, and/or lead to denial of service Java se...

Introduction OpenCATS is an application tracking system that is written in PHP. More about OpenCATS can be seen here: https://www.opencats.org/. OpenCATS is vulnerable to PHP Object injection, by ...

Notes I’ve written and Collected about PHP Deserialization Introduction serialize and unserialize Serialization functions are commonly used within software to store data to a file, a memory buff...

SonarSource is a company focused on code quality and static analysis. This year, SonarSource, along with RIPS Technologies will be tweeting code challenges from real world vulnerabilities on their ...

Security is something I have looked into in the past. In 2016, I conducted a workshop on AngularJS Security in MWR’s MWRICON which highlighted some common security issues and how they could be expl...

This is a cross post of the blog post written here:https://snyk.io/blog/demystifying-http-request-smuggling/. Often at my role as a Security Analyst within Snyk, I study trends within the dependenc...

This blog post contains a walk-through of https://webhacking.kr/ wargames which was recommended to me by a friend. Level 1 The following can be seen in level 1. The source code of the backend ...

Recently I went hunting for Zip traversal vulnerabilities within the PHP ecosystem. While looking at well known PHP ZIP dependencies, I noticed that, both pclzip and zipper were vulnerable to trave...

DOM-based Cross site Scripting (XSS) is a type of XSS where user input is written to a web pages’ Document Object Model without proper sanitization. This could be abused by an attacker to manipulat...