Cross Site Scripting (XSS)

Cross Site Scripting is the second most prevalent issue in the OWASP (Open Source Foundation for Application Security) top 10, found in roughly 2/3 of all applications. While automated tools can find some of these problems, there are also automated tools designed to detect and exploit these vulnerabilities, making…

Block and Stream Ciphers

Cryptography is the science of using codes and ciphers to protect messages. Encryption is encoding messages with the intent of only allowing the intended recipient to understand the meaning of the message. It is a two way function (you need to be able to undo whatever scrambling you’ve done…

Cross Site Request Forgery (CSRF or XSRF)

CSRF occurs when a malicious site or program causes a user's browser to perform an unwanted action on a trusted site when the user is authenticated. Any malicious action is limited to the capability of the website to which the user is authenticated. For example, Jane might login to her…

Buffer Overflow Attacks

A buffer overflow occurs when the size of information written to a memory location exceeds what it was allocated. This can cause data corruption, program crashes, or even the execution of malicious code. While C, C++, and Objective-C are the main languages which have buffer overflow vulnerabilities (as they deal…

SQL Injection

SQL injection is the insertion or injection of a SQL query via input data from the client to the application. Successful attacks can lead to an attacker accessing sensitive data from the database, modifying database data, potentially shutting the database down or issuing other admin commands, recovering the contents of…

Learning to Speak the Security Lingo

A quick and dirty guide to some of the most commonly asked interview questions in entry-level security jobs. What's the difference between an allowlist and a denylist?Allowlist: Everything is denied access, except items which are on the list. For example, a company might compile a list of all authorized…

Making Goals that Actually Stick

It's January, which means for a lot of people, it's New Year's Resolution time. Personally, I've never liked the idea of waiting until January to set resolutions for change, but I do like using it as a chance to review what I've accomplished in the last year and set goals…

An Intro to Bug Bounty Programs

Bug bounty programs allow independent security researchers to report bugs to an organization and receive rewards or compensation. These bugs are usually security exploits and vulnerabilities, though they can also include process issues, hardware flaws, and so on. The reports are typically made through a program run by an independent…