Defending yourself is not a crime

When I wrote last week's post incipit, I wasn't aware I was going to make a prophecy about 2013 and application security. But I did. CVE-2013 and CVE-2013 and a framework that has bugs. Looking at the RoR community I may feel the sensation that people are comfortable with their framework ... Read More

CVE-2012-5664: SQL Injection on Rails… again

2013 is looking promising for application security. Two days ago Aaron Patterson, a Rails core member, announced a SQL Injection vulnerability in the ActiveRecord ORM included in the Rails framework. Last June we talked about a similar vulnerability affecting ActiveRecord. Dynamic finders The vulnerability is in the ORM resource dynamic finder methods. Carefully ... Read More

codesake engine and two weeks of BDD development

Two weeks ago, I posted an article about a real world source code security review. Using regular expressions I was able to spot interesting things in the JSP files I was reviewing. The client was happy. My workflow was smooth. And the codesake engine played a great part in it. Disclaimer: Some of the ... Read More

Bypassing HTTP Basic Authentication in PHP application nominated as hacking technique for 2012

Authentication is a cool topic in application security research nowadays. Last April I posted about real world security assessment activities on a friend of mine's PHP powered portal. Using a malformed HTTP verb to request a protected resource, it is possible to bypass the authentication mechanism of a PHP ... Read More

Driven by real world task: code reviewing JSP using regular expressions

Nothing but solving a real world problem can help boost a piece of software to evolve. These days I'm engaged in a big review of Java-written source code. I submitted the code to the commercial tool we use to scan very wide codebases but, since this tool's output doesn't ... Read More

Use the Nexpose API to automate report generation and download

In a previous post I talked about the Rapid7 Nexpose vulnerability assessment tool and how you can write some Ruby code to search for a server by IP address. Today I want to show you something I added to a rubygem I'm working on, nexty. The idea is to give a command ... Read More

Crafting an authentication subsystem that rocks for your Padrino application with Omniauth

Next time you point your browser to a /login URL, wait a minute before submitting your credentials. There is a complex system you're going to use when you submit that form and it must be honored in some way. You're a software craftsman and you want to get the job ... Read More

Untold: Owasp Orizon has died and I'm sad about it

In 2006 I started an ambitious project, an opensource SAST engine built in Java that I called Owasp Orizon. Of course the name was intended to be "horizon" but I misspelled the word and I found it silly to cover up my lexical mistake. After 3 years without any fresh code, I think ... Read More

The fragile Internet

It was yesterday's news that Anonymous and other crackers' crews attacked and defaced a large number of corporate websites. November 5 is a very symbolic date in the Anonymous underworld and a massive defacement attack was carried on, at least, against PayPal, Symantec and Telecom Italia. Anonymous and other ... Read More