No really, that’s the whole idea and it goes back to my post from a couple of days ago about my new Pluralsight course [https://www.troyhunt.com/2013/08/its-time-to-hack-yourself-first-with.html]. You see what normally happens when you create a course is that you hand over all the code used in the videos and then if you’re a plus subscriber [http://pluralsight.com/training/Products/ExerciseFiles] you get to download it and have a play. That’s just great, but the thing with my Hack Yourself First...

I’ve had some very interesting web security discussions recently: how many rounds of various hashing algorithms should be used for modern day password storage, if response header obfuscation is pointless in a world of easy HTTP fingerprinting and some of the deficiencies in the X-Frame-Options header, to name but a few. But every now and then I see something that brings me back down to earth and reminds me of the level that requires the most attention security wise. Allow me to present Exhibit A...

Earlier this year I was doing my usual trick of browsing websites and writing about things that were readily observable with regards to some rather ordinary security practices. When I say “readily observable” I’m talking about things such as cookies not flagged as HttpOnly [https://www.troyhunt.com/2013/03/c-is-for-cookie-h-is-for-hacker.html] or SSL login forms embedded into HTTP pages [https://www.troyhunt.com/2013/06/the-security-futility-that-is-embedding.html]. This stuff is just so easy to...

Earlier this year I wrote about 5 ways to implement HTTPS in an insufficient manner (and leak sensitive data) [https://www.troyhunt.com/2013/04/5-ways-to-implement-https-in.html]. The entire premise of the post was that following a customer raising concerns about their SSL implementation, Top CashBack went on to assert that everything that needed to be protected, was. Except it wasn’t, at least not sufficiently and that’s the rub with SSL; it’s not about having it or not having it, it’s about un...

This content is now available in the Pluralsight course "Ethical Hacking: SQL Injection" [http://www.pluralsight.com/courses/ethical-hacking-sql-injection]Put on your black hats folks, it’s time to learn some genuinely interesting things about SQL injection. Now remember – y’all play nice with the bits and pieces you’re about to read, ok? SQL injection is a particularly interesting risk for a few different reasons: 1. It’s getting increasingly harder to write vulnerable code due to frameworks...

Last week I had a video chat with the guys over on PaulDotCom [http://pauldotcom.com/] (which, of course is at pauldotcom.com [http://pauldotcom.com/]) on a whole bunch of app sec related issues, specifically around how developers can become more security aware. We also spoke quite a bit on how developers and security people can generally get along with each other better than what they tend to at present which IMHO, is often a rather corrosive current state of affairs. There's a bit of banter i...

As regular readers will know by now, I’m not real fond of virus call centre scammers. You know, the ones who call you up while you’re making dinner or bathing and kids and tell you they’re from Microsoft and that your PC is infected with blah blah polymorphic blah? There’s a bunch of material on this blog already under the Scam tag [https://www.troyhunt.com/search/label/Scam] where I’ve captured the experience and shared it for fun and education. Thing is, the bloody galahs keep calling me so I...

As part of my general wish to be a good netizen and advocate of website security, I made a responsible disclosure the other day, you know, the kind where you privately email an organisation and pass on security flaws in their online presence that they might not otherwise be aware of. Anyway, the response was, well, you decide: > To date we've not had a single security issue stemming from [insert risk I sent to them here] Really? Not a single one? Clearly whatever defences this particular org...

I have two enduring loves beyond the commonly accepted ones of health and family: technology and fast cars. It’s hard to be passionate about these two and not lust after a GT-R so after some years of lusting, I bought one. Being a technology blog, it wouldn’t be right not to share some of the goodness found within this machine so allow me to give you a taste of what happens when you cram enough cycles of computing power into four wheels and forgive me if the excitement boils over just a little b...

I’ve been doing a number of smaller presentations to user groups and private audiences lately and one of the things I’ve been focussing on is trying to give a sense of how fundamentally broken the security of much of what we’re working with is. I’ve been focussing on three areas: broken web (easily discoverable flaws), broken developers (fundamental misunderstandings about important security concepts) and broken devices (vulnerable equipment on the web). This presentation was to the CIAOPS Virt...