
Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Culture

Music to Hack To: A Bishop Fox Mixtape

Sep 3, 2020

Security consultants' favorite hacking music playlists that help them stay in the zone during engagements including classical, synthwave, and soundtracks.

By Britt Kemp

Advisory

Zamzar API Advisory

Aug 27, 2020

A high-risk vulnerability allowing server-side request forgery (SSRF) and local file inclusion as the root user was found in the Zamzar API.

By Chris Flanagan

Industry

What Makes a Good Penetration Test?

Aug 25, 2020

Jake Miller highlights how to evaluate a penetration test for quality, including clear and actionable deliverables, remediation recommendations, and more.

By Jake Miller

Industry

20 Tips on How to Make the Most of Your Pen Test

Aug 19, 2020

Jake Miller shares guidance about how to get the most value from pen testing consulting services for companies at every stage of security program maturity.

By Jake Miller

Industry

8 Recommended Talks From DEF CON 28

Aug 18, 2020

Eight recommended talks from DEF CON 28, aka DEF CON Safe Mode, on infosec topics. Speakers include Ankur Chowdhary, Daniel Miessler, Sean Metcalf, and more.

By Britt Kemp

Advisory

TinyMCE, Version 5.2.1 Advisory

Aug 12, 2020

Bishop Fox advisory on the TinyMCE application, version 5.2.1. One high-risk cross-site scripting vulnerability was found in the application.

By George Steketee, Chris Davis

Industry

Is This IoT App Safe to Drink?

Aug 11, 2020

Sound policies to legislate the Internet of Things (IoT) can help government and industry regulate and improve IoT product security and transparency.

By Brianne Hughes

Industry

A Look Forward to the DEF CON Red Team Village CTF

Aug 5, 2020

The CTF at the 2020 DEF CON Red Team Village will be run on a corporate Windows Active Directory environment that allows red teamers to improve their security testing skills.

By Barrett Darnell

Industry

Are You Giving Out Cheat Codes if You Whitelist Pen Testers?

Jul 29, 2020

Have specific goals for a pen test to determine whether or not to whitelist (or safelist). Whitelisting IP addresses helps pen testers access a network.

By Brianne Hughes

Industry

An Updated Guide to Do-It-Yourself Network Segmentation

Jul 23, 2020

Bishop Fox's updated guide to do-it-yourself network segmentation shows how to practically and inexpensively improve network security for home or business.

By Matt Keeley

Advisory

LibreHealth Version 2.0.0

Jul 14, 2020

Bishop Fox advisory on five vulnerabilities in the LibreHealth application, version 2.0.0, including SQL injection, cross-site scripting, and cross-site request forgery.

By Chris Davis

Industry

Delivering Peace of Mind About New Citrix Emerging Threat

Jul 8, 2020

Citrix announced 11 CVEs that impact its ADC, Gateway, and SD-WAN WANOP products. Bishop Fox's Continuous Attack Surface Testing team protected our clients.

By Barrett Darnell

Industry

SkillBridge Paves the Way for Service Members

Jul 8, 2020

Bishop Fox supports the SkillBridge program, which gives military personnel hands-on experience for the career they intend to pursue in civilian life.

By Brianne Hughes

Technical Research

Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers

Jun 30, 2020

Bishop Fox's Nathan Elendt discusses three attack techniques for performing Man-in-the-Middle attacks against production-grade, HTTPS-protected Things.

By Nathan Elendt

Industry

Stop Treating Breaches Like Natural Disasters: A New Mindset for Application Security

Jun 25, 2020

Security Determinism puts application security within our control. Dan Petro shows how sound software engineering helps prevent vulnerabilities & breaches.

By Dan Petro

Technical Research

How to Set Up Your Hardware Lab

Jun 23, 2020

Jordan Parkin discusses hardware hacking and the tools and equipment for setting up a budget-friendly lab for product security reviews and device research.

By Jordan Parkin

Advisory

SecureAuth Version 9.3

Jun 19, 2020

Bishop Fox's Chris Davis and Robert Punnett identified a client-side template injection vulnerability in the SecureAuth application version 9.3.

By Chris Davis, Robert Punnett

Industry

A Guide to Digital Reconnaissance

Jun 16, 2020

Dan Wood gives insight into the world of digital reconnaissance, a way of collecting intelligence about a target without actively interacting with systems.

By Daniel Wood

Advisory

DigDash Enterprise: Versions 2018R2-2020R1

Jun 15, 2020

Bishop Fox advisory on three vulnerabilities in DigDash Enterprise versions 2018R2 through 2020R1, including server-side request forgery, cross-site scripting, and content injection.

By Florian Nivette

Advisory

OOB to RCE: Exploitation of the Hobbes Functional Interpreter

Jun 12, 2020

Morgan Stanley's Hobbes lacks bounds checking, allowing exploitation of an OOB read/write vulnerability that leads to both local and remote code execution.

By Jake Miller

Industry

Lessons Learned from Years of Red Teaming in Cybersecurity

Jun 9, 2020

Daniel Wood discusses lessons learned from years of red teaming, involving critical thinking and adopting an adversarial mindset to prevent cyber attacks.

By Daniel Wood

Industry

Quantifying the Impact of Micro-Segmentation

Jun 4, 2020

Bishop Fox created a testing environment and assessment methodology for Illumio focused on network segmentation, reconnaissance, and network discovery.

By Bishop Fox

Industry

Invest in Trusted Partners, Not Crowdsourcing, for Continuous Security

Jun 3, 2020

Joe Sechman discusses the limitations of crowdsourcing versus the security assurance, quality of service, and scalability of continuous attack surface testing.

By Joe Sechman

Industry

Applying Elite Military Training to Civilian Assessments

May 26, 2020

By Brianne Hughes