What are types of Cross-Site Scripting (XSS) attacks?

We typically have 3 types of Cross-Site Scripting (XSS) attacks, but this is outdated knowledge still circulating today. Current Application Security and Penetration Testing knowledge has 5 distinct categories of XSS. The originals: Stored, DOM, and Reflected. Where Stored XSS is simply described by one user entering the malicious attack into some…

Vulnerability or Defect?

AppSec tooling does not find any vulnerabilities, it finds defects. Even if you want to call it a vulnerability, vulnerabilities are Defects that are also exploitable as an added characteristic. Why do tools use the word Vulnerability? Mostly because it is impactful; defects don't have the same emergency reaction. The…

JWT and HMAC in the browser, safe?

Is using JWT and HMAC in the browser safe? How could they be? Don't they require a pre-shared secret? How can it be "secret" in the browser!? Secrets can actually be "secret" in browsers and apps, but almost always aren't securely shared with the client. If you participate in bug…

Zero-trust doesn't exist but that's OK

Where zero-trust might exist: scenarios that have no data; scenarios with data that are never connected to power. Why? Because the moment data is accessible by a human, or a system with potential human access, you inherently trust that human. What about identity? Digital identity is the only identity. Digital identities can…

You don't know OWASP

About a year ago I was just getting involved with the CSA Working Group for CCM version 4 when I came across the OWASP CSA Project and went on a little adventure to learn more about OWASP. Many readers probably think they're aware of OWASP, as I once thought I…

Python pip requirements.txt lock file

Overview: Opinions vary on how one should make use of lock files, depending on whether the project is the main application, or the project is actually a library that is meant to be consumed by an application or another library. Lock files are unquestionably useful if you build any application. However,…