Posts tagged "Application Security"

My Time at NetWars Tournament of Champions

EPISODE ONE: THE CTF AWAKENS

Each and every December, some of the best and brightest hackers from around the world travel to Washington D.C. for the NetWars Tournament of Champions. Champion golfers may have their prestigious green sportscoats, but NetWars champions receive the coveted black hoodie. Who am I? Let’s start with the basics: I …

Is CORS Becoming Obsolete?

Lately, we have received a lot of questions from our clients about CORS becoming obsolete. They are rightfully concerned about this possibility because so much of Web 2.0 depends on the interoperability mechanisms that CORS provides. In this write-up, we shed some light on whether this is a valid fear, and the actual reality of …

How I Built An XSS Worm On Atmail

This blog post was authored by Senior Security Analyst Zach Julian; you can connect with him on Twitter here. Atmail is a popular provider for cloud-based and on-premises email hosting. It is used by companies, hosting providers, and ISPs including DreamHost, LegalShield (US), m:tel (Bosnia), iiNet, and Optus (Australia). Being an atmail user on …

ColdFusion Bomb: A Chain Reaction From XSS to RCE

During an audit of ColdFusion 10 and 11’s administration panel, I discovered a reflected, DOM-based cross-site scripting flaw, and in this blog post, I will show you how to leverage that vulnerability to gain remote code execution on the ColdFusion application server. After discovering this vulnerability, I participated in the responsible disclosure process with the …