Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Security Perspective

What We Know (And Don’t) About The SolarWinds Orion Hack So Far

Dec 15, 2020

Bishop Fox Lead Researcher Dan Petro provides a detailed explanation of what we know and don’t know about the recent SolarWinds Orion hack.

By Dan Petro

Security Perspective

Continuous Testing Finds Major Risks Under the Surface

Dec 15, 2020

Nate Robb discusses how Continuous Attack Surface Testing operators use automation and human intel to identify emerging threats and protect perimeters.

By Nate Robb

Security Perspective

cyber.dic 2.0: Expand Your Computer’s Vocabulary

Dec 10, 2020

Update of cyber.dic, the spell checker add-on specializing in cybersecurity terms. The tool offers support for industry-specific terms in word processors.

By Catherine Lu

Security Perspective

The Stolen FireEye Red Team Tools Are Mostly Open Source

Dec 9, 2020

After an attack against FireEye by a nation-state group, we provide context about what’s in the GitHub repository and what these stolen red team tools do.

By Bishop Fox

Technical Research

Lessons Learned on Brute-forcing RMI-IIOP With RMIScout

Dec 8, 2020

New features that have been added to RMIScout, a pen testing tool that performs wordlist and brute-force attacks against exposed Java RMI interfaces.

By Jake Miller

Advisory

OpenClinic Version 0.8.2 Advisory

Dec 1, 2020

Bishop Fox advisory on OpenClinic medical records software V. 0.8.2, including high risk missing authentication and insecure file upload vulnerabilities.

By Gerben Kleijn

Security Perspective

The Pen Testing Tools We’re Thankful for in 2020

Nov 23, 2020

Recap of Bishop Fox's favorite penetration testing tools for 2020, including Nuclei, Spyse Search Engine, Dufflebag, GadgetProbe, RMIScout, and more.

By Britt Kemp

Security Perspective

Diverse Perspectives Offer a Broader Understanding of Your Attack Surface

Nov 17, 2020

Barrett Darnell discusses how having a diverse, specialized team of CAST pen testers on your side can make your organization less vulnerable to groupthink.

By Barrett Darnell

Culture

Hacking Into Cybersecurity: Security Interns Share Their Stories

Nov 12, 2020

We have a robust internship program that has given many people an entry point to infosec. Learn more about breaking into the security industry.

By Nazariy Haliley

Security Perspective

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 3)

Nov 10, 2020

Dan Petro delves into more methods of cheating at video games, highlighting lessons AppSec can learn from their complex and technical security challenges.

By Dan Petro

Advisory

Security Advisory: Immuta Version 2.8.2

Nov 4, 2020

Four vulnerabilities were identified within Immuta including XSS, content injection, insufficient authorization controls and improper session management.

By Chris Davis

Security Perspective

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 2)

Nov 2, 2020

Dan Petro examines more methods of how cheating at video games applies to appsec, including having a computer or bot automate technically demanding tasks.

By Dan Petro

Security Perspective

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 1)

Oct 29, 2020

Dan Petro examines some classic examples of online video game cheats and explores the lessons these cheats reveal in relation to application security.

By Dan Petro

Advisory

Winston Privacy Version 1.5.4

Oct 27, 2020

Advisory on nine vulnerabilities in the Winston Privacy VPN version 1.5.4 including critical risk command injection & high risk cross-site request forgery.

By Chris Davis

Security Perspective

Accidentally Secure Is Not Secure: A Case of Three Stooges Syndrome

Oct 20, 2020

During pen testing, components or features vulnerable to serious issues that aren't yet exploitable can become major problems after ordinary code changes.

By Dan Petro

Security Perspective

Bishop Fox Fights for Election Security

Oct 14, 2020

Vincent Liu was a technical expert in a case involving the State of Georgia election and digital voting machine security (Curling v. Raffensperger).

By Bishop Fox

Security Perspective

How to Keep Your Organization Safe From Social Engineering

Oct 13, 2020

Daniel Wood reviews mistakes organizations make with social engineering and how to mitigate risks with better security controls, training, and processes.

By Daniel Wood

Security Perspective

Defining the Scope of Your Pen Test

Oct 6, 2020

A guide through the decisions that need to be made when planning a penetration test including defining the targets, boundaries, and depth of an assessment.

By Jake Miller

Security Perspective

When Automation Isn’t Enough: The True Impact of Human Expertise on Your Perimeter

Sep 30, 2020

Ori Zigindere highlights the need for human experts to conduct a thorough analysis of seemingly minor attack surface issues scanners often miss.

By Ori Zigindere

Technical Research

Design Considerations for Secure GraphQL APIs

Sep 28, 2020

Discusses security risks and bugs to GraphQL deployments and migrations and covers high-risk authorization vulnerabilities and less familiar SSRF issues.

By Jake Miller

Security Perspective

More Important Than a TPS Report: Designing a Realistic CTF for DEF CON Safe Mode

Sep 22, 2020

Barrett Darnell discusses how the DEF CON Red Team Village's The Office-themed Capture the Flag competition and Continuous Attack Surface Testing are similar.

By Barrett Darnell

Technical Research

Design Considerations for Secure Cloud Deployment

Sep 15, 2020

Guidance on how to design a secure cloud deployment including reducing attack surface, simplifying maintenance, and ways to catch mistakes in the future.

By Jake Miller

Technical Research

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

Sep 8, 2020

Demonstrating how upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections can allow a bypass of edge-proxy access controls.

By Jake Miller

Culture

Music to Hack To: A Bishop Fox Mixtape

Sep 3, 2020

Security consultants' favorite hacking music playlists that help them stay in the zone during engagements including classical, synthwave, and soundtracks.

By Britt Kemp
