Life Cycle of a Web App 0 Day

Summary: Over the past few months, I’ve been monitoring the proliferation of exploits for some of my disclosed WordPress Plugin and Joomla Extension vulnerabilities against Akamai customers. I started this observation process, which leads to an expected conclusion – severe vulnerabilities like SQL Injection, RFI and LFI would receive the ...
WordPress DoS Attack: CVE-2018-6389

Overview: On February 5, an Israeli security researcher, Barak Tawily, discovered a Denial of Service (DoS) attack impacting all 3.x-4.x versions of the WordPress content management platform. The vulnerability is currently unpatched and relies on a performance boosting feature in ...

Part 2: Reading SPAM For Research

A couple of weeks ago, I posted a blog that is a follow-up to an article I published in Information Security Magazine. In that post I wrote about collecting phishing samples and identifying domain squatters that might be looking to ...
SQL Injection using SQLmap with multipart/form-data Encoding

I’ve spent a fair amount of my time examining code for vulnerabilities, and I recently began to focus specifically on SQL injection. While investigating this specific type of vulnerability in web applications, I ran across a few examples where the injection point was in a POST request but it wasn’t your ...

Larry’s Cabinet of Web Vulnerability Curiosities

One of my responsibilities as a member of the Akamai Security Intelligence Response Team (SIRT) is to research new web application vulnerabilities. For the last year, I have focused on WordPress plugin vulnerabilities, looking for any interesting code tidbits ...

Part 1: Reading SPAM for Research

I recently wrote an article for Information Security Magazine where I explained how internet security researchers could use their spam folders as a resource tool. It got me thinking about going into greater detail on what I've found in ...
Vulnerability Researcher to Software Developer: The Dark Side of the Coin

I’ve been finding bugs in software since 1999 or so, and I’ve reported over 150 vulnerabilities in that time, ranging from format string vulnerabilities to XSS. I also started developing my own web server in C around 1994. I did this to learn more about programming and not lose the skills ...