Offensive Security Blog

The FBI's decision to pursue decryption on an Apple iPhone without their buy-in has far-reaching consequences for consumer privacy.

On Apple, Encryption, and Privacy: A Word About Decryption

Mar 31, 2016

By Carl Livitt

Bishop Fox's Mike Brooks discovered two vulnerabilities in the CA Single Sign-On application. If you use CA Single Sign-On, update your software immediately.

CA Single Sign-On Software Update: Stay Secure

Mar 23, 2016

By Bishop Fox

Two high-risk vulnerabilities were discovered in CA Technologies Single Sign-On (formerly CA SiteMinder®) application. A denial-of-service attack and ...

CA Single Sign-On Unspecified High-Risk Vulnerabilities Advisory

Mar 23, 2016

By Mike Brooks

Resident iPhone and iOS experts Joe DeMesy and Carl Livitt discuss Apple's stance on privacy + encryption in this Bishop Fox blog post.

On Apple, Encryption, and Privacy

Mar 2, 2016

By Joe DeMesy and Carl Livitt

Bishop Fox pentesters analyze the implications and benefits of Burp Suite's newest penetration testing feature, Collaborator. Read our take at our blog.

Burp, Collaborate, and Listen: A Pentester Reviews the Latest Burp Suite Addition

Feb 3, 2016

By Max Zinkus

Growing your security team? Dropbox Head of Trust & Security Patrick Heim shares his insights with Bishop Fox Partner Vincent Liu in this blog post.

Building a Winning Security Team From the Top Down

Oct 20, 2015

By Vincent Liu

Matt Bryant goes IP fishing in the AWS pool. Read about how he did it - and why expired digital assets can pose a threat.

Fishing the AWS IP Pool for Dangling Domains

Oct 7, 2015

By Matt Bryant

In the second part of this AWS security series, Ruihai Fang and Trevor Lawrence share some best practices for strengthening your infrastructure.

Stand Your Cloud #2: Host Server Hardening

Sep 23, 2015

By Trevor Lawrence & Ruihai Fang

Bishop Fox's Kevin Sugihara walks through a step-by-step exploit on the Active Directory service offered by Microsoft.

The Active Directory Kill Chain: Is Your Company at Risk?

Sep 8, 2015

By Kevin Sugihara

A reflected cross-site scripting vulnerability was found in the post-authentication administrative panel for ColdFusion, an Adobe web application development platform.

Adobe ColdFusion Reflected Cross-Site Scripting Flaw

Aug 27, 2015

By Shubham Shah

Shubham Shah discovered a vulnerability in the ColdFusion application. The Bishop Fox blog explains the vuln's details as well as how Adobe fixed the issue.

ColdFusion Bomb: A Chain Reaction From XSS to RCE

Aug 27, 2015

By Shubham Shah

At the Bishop Fox blog, Zach Julian discusses the intricacies and threats of BGP hijacking. His post serves as an introduction to the subject matter.

An Overview of BGP Hijacking

Aug 17, 2015

By Zach Julian

Bishop Fox's Dan Petro explains vulnerabilities found in the Brink's CompuSafe Galileo and how they can lead to smart safe hacking in this blog post.

On the "Brink" of a Robbery

Jul 28, 2015

By Dan Petro

This Bishop Fox security advisory describes a vulnerability identified by researcher Matt Bryant in NoScript.

NoScript Bypass

Jul 6, 2015

By Matt Bryant

This Bishop Fox security advisory describes vulnerabilities identified within the LastPass application.

LastPass Site Password-Stealing Clickjacking Vulnerability

Jul 1, 2015

By Matt Bryant

How does ISO 27018 affect cloud services users and providers? Bishop Fox's Birgit Mullen explains its ramifications in this blog post.

ISO 27018: The Long-Awaited Cloud Privacy Standard

May 20, 2015

By Birgit Thorup Mullen

In Part 2, Carl Livitt introduces a toolchain for enabling iOS application hacking tools on non-jailbroken devices and includes a step-by-step guide.

Rethinking & Repackaging iOS Apps: Part 2

May 4, 2015

By Carl Livitt

Security is dependent on the nature of the application in question, and must be taken into consideration when constructing security objectives.

Security Should Be Application-Specific

Apr 27, 2015

By Bishop Fox

Learn the basics of server-side request forgery vulnerabilities - and how to protect against them - in this blog post by Mike Brooks.

Vulnerable by Design: Understanding Server-Side Request Forgery

Apr 18, 2015

By Mike Brooks

The vulnerability discovery in the AirDroid web application leads to a far greater question: Are you aware of the permissions you grant your apps?

AirDroid: How Much Do Your Apps Know?

Apr 15, 2015

By Matt Bryant

This technical write-up details an AirDroid vulnerability discovered by former Bishop Fox researcher Matt Bryant.

AirDroid Web Application Authentication Flaw

Apr 15, 2015

By Matt Bryant

How do secure requirements differ from security requirements? And how do you create strong ones? Bishop Fox's Brenda Larcom explains in this blog post.

Beyond Security Requirements: Secure Requirements

Mar 17, 2015

By Bishop Fox

Learn how to modify App Store apps on jailed iOS devices. We'll show you how in this two-part series, complete with code and more.

Rethinking & Repackaging iOS Apps: Part 1

Feb 24, 2015

By Carl Livitt