Offensive Security Blog

An insecure filesystem permissions vulnerability was identified in eCatcher version 6.6.4 and earlier. To exploit this vulnerability, an attacker must have a user account on the same machine as the victim and have access to the machine during an active VPN connection.

eCatcher Desktop, Version 6.6.4 Advisory

Aug 17, 2021

By Priyank Nigam

The Bishop Fox team discovered three vulnerabilities that could have a severe business and reputational risk for Wodify.

Wodify

Aug 13, 2021

By Dardan Prebreza

Technical Research

You're Doing IoT RNG

Aug 5, 2021

Learn why hardware random number generators (RNG) used by billions of IoT devices to create encryption keys don't always generate random numbers.

By Dan Petro, Allan Cecil

A look at DEF CON 29 security talks featuring Ian Coldwater, Chad Rikansrud, and Matt Bryant, plus Bishop Fox's own Dan Petro, and Allan Cecil.

10 DEF CON 29 Security Talks to Watch

Jul 27, 2021

By Britt Kemp

Nine tools we’ve found useful for our post-exploitation efforts including GhostPack, Metasploit, PowerHub, LOLBAS, Mimikatz, PHPSploit, and more.

9 Post-Exploitation Tools for Your Next Penetration Test

Jul 15, 2021

By Britt Kemp

Bishop Fox shares our favorite security podcasts.

Spark Your Curiosity With These Security Podcasts

Jun 27, 2021

By Britt Kemp

List of free, built-in, or open-source tools & reference material when planning a move to DevSecOps. It’s a starting point to try within your environment.

Free Tools and Add-Ons to Explore for Applying DevSecOps in Your Organization

Jun 24, 2021

By Tom Eston

Bishop Fox is joining our peers in the security industry in cautioning against Section 1201 of the Digital Millennium Copyright Act (DMCA).

Our Position on the Digital Millennium Copyright Act (DMCA) and the Need to Safeguard Tools for Responsible Security Researchers

Jun 23, 2021

By Bishop Fox

Technical Research

LEXSS: Bypassing Lexical Parsing Security Controls

Jun 22, 2021

Technical details of achieving cross-site scripting (XSS) attacks by using HTML parsing logic where lexical parsers are used to nullify dangerous content.

By Chris Davis

Learn why continuous testing will become a requirement for most organizations in the near future.

Why You Need Continuous Testing to Detect Emerging Threats and Discover the Unknowns

Jun 16, 2021

By Bishop Fox

One high risk XSS vulnerability was identified within the the RetroArch for Windows application version 1.9.0.

RetroArch for Windows, Versions 1.9.0 - 1.9.4 Advisory

Jun 15, 2021

By Daniel Fulford

Tom Eston describes the entire DevSecOps lifecycle and what aspects of tooling and testing you can build into the way your organization develops applications.

Applying DevSecOps in Your Organization

Jun 10, 2021

By Tom Eston

Alex Stamos, Charles Carmakal, & Vinnie Liu discussed the challenges facing supply chain post Solarwinds & Colonial Pipeline attacks. Read their takeaways.

New Insights on Supply Chain and Ransomware Attacks From Our Chat With Alex Stamos and Charles Carmakal

Jun 10, 2021

By Bishop Fox, Vincent Liu

Bishop Fox Lead Researcher Dan Petro provides his insights into how the latest CFAA Supreme Court ruling impacts pen testers and security research.

SCOTUS CFAA Ruling: What does it mean for pen testers and security?

Jun 4, 2021

By Dan Petro

One high risk XSS vulnerability was identified within the Froala application.

Froala Editor, Version 3.2.6 Advisory

Jun 2, 2021

By Chris Davis

Scoping is an important precursor to a successful security test. Explore the technical considerations needed when choosing a vendor for a network pen test.

Prepare for Scoping: The Technical Side

May 25, 2021

By Claire Tills

This Bishop Fox resource will help security professionals understand the pros and cons of obtaining an OSCP, CISSP, SANS GIAC, or other security cert.

Security Certifications: Choose Your Own Adventure

May 20, 2021

By Britt Kemp

In this CVE recap of March and April 2021, we review more notable unpatched security vulnerabilities attackers are continuing to target in the wild.

CVE Digest for March and April 2021: Exploits Gone Wild

May 6, 2021

By Britt Kemp

Expand hacking skills for software defined radio (SDR), learn radio basics and hardware/software setup, perform demos, and reverse engineer radio signals.

Ham Hacks: Breaking Into Software-defined Radio

Apr 29, 2021

By Kelly Albrink

Nine tools we’ve found useful for our red teaming engagements including CursedChrome, Sliver, Githound, Stormspotter, DumpsterFire, Overlord, and more.

9 Red Team Tools For a Successful Red Teaming Engagement

Apr 13, 2021

By Britt Kemp

URL shortening services can compromise system security and weaken the attack surface. Protect infrastructure and critical data by not using these services.

Don’t Shortchange Your Organization’s Security With URL Shortener Services

Apr 6, 2021

By Ori Zigindere

Hone your hacking, and soft skills with a Bishop Fox curated list of fiction and non-fiction cybersecurity, pen testing, and tech books to keep learning.

Selections From the Fox Den: Security and Tech Books We Recommend (and Enjoy!)

Apr 2, 2021

By Britt Kemp

Learn to write a winning abstract that gets selected when competitive calls for presentations open for conferences like DEF CON, BSides and Black Hat.

How to Write a CFP That Actually Gets Read

Mar 25, 2021

By Britt Kemp