Offensive Security Blog

The Bishop Fox cybersecurity style guide is a one-of-a-kind resource that bridges the gap between the infosec industry and the general public. This invaluable resource is available for download at our

Hello World! Introducing the Bishop Fox Cybersecurity Style Guide

Feb 15, 2018

By Brianne Hughes, Catherine Lu

Security Analyst Kelly Albrink got the chance to compete at SANS Rocky Mountain NetWars.

My Time at NetWars Tournament of Champions

Jan 24, 2018

By Kelly Albrink

A threat modeling how-to authored by Bishop Fox's Joe Ward. Learn how your organization can start implementing this important (but simple) process.

Your Worst Case Scenario: An Introduction to Threat Modeling

Dec 11, 2017

By Joe Ward

AWS security can often be achieved thanks to proper provisioning + access requests. In this write-up, Gerben Kleijn explores how to handle these processes.

Stand Your Cloud #3: AWS Provisioning and Access Requests

Nov 14, 2017

By Gerben Kleijn

A bug has no name - multiple heap buffer overflows in windows dns client - CVE-2017-11779 was fixed by Microsoft in October of 2017. This bug was discovered by Bishop Fox's consultant, Nick Freeman.

A Bug Has No Name: Multiple Heap Buffer Overflows In the Windows DNS Client

Oct 10, 2017

By Nick Freeman

CVE-2017-11779 could lead to takeover of user’s device - this technical write-up covers implications, the actual exploit, and remediation steps.

Windows DNS Client – Memory Corruption Vulnerabilities

Oct 10, 2017

By Nick Freeman

Culture

My Life at Bishop Fox

Sep 15, 2017

I’m picky about where I work. I don’t like companies that seem to run an internship program simply because everyone else has one. Bishop Fox proved to me that it’s possible to find an impactful, rewarding, and fun internship outside of the traditional options.

By Alex Lynch

CORS is not obsolete as feared - but rather, it's become part of a larger standard known as FETCH.

Is CORS Becoming Obsolete?

Sep 6, 2017

By Tim Sapio

Sarahah, the chat app marketed as being "anonymous," has a disturbing secret - a Sarahah leak may endanger the contact info of possibly millions of users.

Hot New ‘Anonymous’ Chat App Hijacks Millions of Contact Data

Aug 28, 2017

By Zach Julian

In this Marten Mickos interview, Vincent Liu chats with HackerOne's CEO on his beliefs in transparency and the changing face of the security industry.

Bug Bounties & Beyond: An Interview With HackerOne's Mårten Mickos

Aug 23, 2017

By Vincent Liu

Breaking Drone Defenses: Using Chicken Wire to Defeat Net Projectile-Based Products

Breaking Drone Defenses: Using Chicken Wire to Defeat Net Projectile-Based Products

Aug 3, 2017

By Francis Brown

Read an account of creating an XSS worm on a popular email hosting service provider.

How I Built An XSS Worm On Atmail

Jun 23, 2017

By Zach Julian

A stored XSS vulnerability was identified in the webmail component of atmail 7. This security advisory by Zach Julian discusses it in detail.

atmail 7 Stored XSS Vulnerability

Jun 23, 2017

By Zach Julian

Nathan Elendt breaks down implications of the newly drafted NIST password guidelines in this post. Learn how your organization can best harness them.

What the Newly Drafted NIST Password Guidelines Mean to You

May 30, 2017

By Nathan Elendt

Email spoofing is an antiquated attack that 98 percent of the internet is vulnerable to - even in the modern age. Defend yourself with our tool, SpoofCheck.

How We Can Stop Email Spoofing

May 23, 2017

By Alex DeFreese

An improper access control vulnerability was discovered by Baker Hamilton in the SolarWinds’ Log & Event Manager (LEM) management console (CMC).

SolarWinds Log & Event Manager - Improper Access Control

May 12, 2017

By Baker Hamilton

The Bishop Fox assessment team discovered an arbitrary command injection vulnerability within the SolarWinds’ Log & Event Manager (LEM) management console (CMC).

SolarWinds Log & Event Manager - Arbitrary Command Injection

May 12, 2017

By Baker Hamilton

Read Bishop Fox's VPN guide before making a VPN choice for the privacy of your browsing experience.

A Guide to Choosing the Right VPN

Apr 6, 2017

By Kevin Sugihara

A closer examination of the CIA Leak: Don’t get lost in the hype. There is a bright side to strife...

The CIA Leak: A Look On the Bright Side...

Mar 8, 2017

By Dan Petro

BGP hijacking was utilized by the Iranian government in early January 2016. In this microblog, Zach Julian analyzes the technical implications of the event.

In the News: A BGP Hijacking Technical Post-Mortem

Jan 18, 2017

By Zach Julian

A vulnerability in the Cisco Jabber Guest Server could allow an unauthenticated, remote attacker to initiate connections to arbitrary hosts.

Cisco Jabber Guest Server HTTP URL Redirection Vulnerability

Dec 21, 2016

By Jake Miller

Was a lack of network segmentation what foiled the Empire? According to Fran Brown, it was. Right in time for "Star Wars: Rogue One," here is his take.

Star Wars: I Find Your Lack of Segmentation Disturbing

Dec 4, 2016

By Francis Brown

Want to keep your network secure? Working with a shoestring budget? Check out our do-it-yourself network segmentation guide.

A Guide to Do-It-Yourself Network Segmentation

Nov 30, 2016

By Cory Johnson