You may not know this, but an HTTP 403 response when browsing to an empty directory is a serious security risk. What the?! You mean if I go to my website which has a “scripts” folder where I put all my JavaScript and I have directory browsing disabled (as I rightly should) and the server returns a 403 “Forbidden” (which it rightly should), I’m putting my internet things at risks of being pwned?! Yes, because it discloses the presence of a folder called “scripts” which is a common directory. W...

I’ve long held the view that passwords should consist of as many crazy things as the owner deems fit. If I want to create a password that looks like a dog just ate the keyboard and threw up all the keys, then good for me. (Chances are that Fido is going to cough up a pretty unique password too but before PETA gets on my case, try using a password manager like 1Password [https://www.troyhunt.com/2011/03/only-secure-password-is-one-you-cant.html] instead.) Now I’m used to seeing all sorts of ridi...

A few years ago I was taking a look at the inner workings of some mobile apps on my phone. I wanted to see what sort of data they were sending around and as it turned out, some of it was just not the sort of data that should ever be traversing the interwebs in the way it was. In particular, the Westfield iPhone app to find your car caught my eye [https://www.troyhunt.com/2011/09/find-my-car-find-your-car-find.html]. A matter of minutes later I had thousands of numberplates for the vehicles in th...

I will not run web security analysers without first understanding web security. I will not run web security analysers without first understanding web security. I will not run web security analysers without first understanding web security. Are we clear now? Good, because as neat as tools like I’m about to discuss are, nothing good comes from putting them in the hands of people who can’t properly interpret the results and grasp the concepts of what dynamic analysis scanners can and cannot cover....

I know I’ve shared this a number of times now, but no matter how much I see it, it still cracks me up: [https://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html] Make sense? Of course it doesn’t and therein lies the insanity of it all! But let us not single out Tesco alone, there are plenty of British companies that construct responses like this (sorry English people, I don’t know why, they just seem to feature disproportionately to the rest of the world). In fact earlier this w...

I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this: [http://lh3.ggpht.com/-nAoaSvA-cZE/U_r33Cj89lI/AAAAAAAAHAc/TYQYwW3Kz_Q/s1600-h/Logo24.png] That’s right, a great big freakin’ padlock with a straightjacket or more to the point, I created the Twitter account @InfoSecInsanity [https://twitter.com/InfoSecInsanity]. So what exactly is InfoSec Insanity? We’ll let’s take this example from the weekend on restricting passwords wh...

How did you get started in this industry? I mean what made you go “Hey, sitting it a keyboard day in day out whilst focussed on screens and not seeing much sunlight sounds awesom…” – wait, it doesn’t sound quite so awesome when you think of it like that. In fact that was my original view of computers in general but as I told Shawn Wildermuth on his latest Hello World podcast [http://wildermuth.com/hwpod/36_Troy_Hunt], that view of the world soon changed. The change of heart was more than helped...

This is one of those “I keep doing this and it hurts each time and there’s never a good concise resource that explains it well so I’m writing one” posts. Yes, yes, I know it’s easy – if you have Ruby installed. Or you’re living in a *nix world. Or you have a reasonable understanding of Git. Or you get pleasure from pain. However, if you’re living on Windows and you just want to get the damn thing done, it can be painful. I keep setting up new machines and having to remember how to do this from...

We’ve become accustomed to the whole idea of us being electronically tracked based on our various personal habits. In fact just the other day I was asking online about Bose headphones, did a couple of searches then next thing I knew, my own blog was plugging them to me: But again, we’ve got a bit of a sense of tracking cookies now and that the same ad networks operate across seemingly independent websites therefore providing the ability to track and target information. Ratchet up the tracki...

A couple of Saturdays back I spent a day down in Melbourne at DDD [http://www.dddmelbourne.com/] doing the usual combination of showing people some of the ridiculous stuff we’re doing on the net in relation to privacy, how we as developers are building some woefully insecure apps and generally making everyone depressed about the state of web. I do mean that in a constructive way though and indeed that’s the entire premise behind the Hack Yourself First courses I’ve been writing [http://pluralsig...