AI-Powered Application Penetration Testing—Scale Security Without Compromise Learn More

bishopfox-logo-grey
Get Started
Customer header bg dark

Offensive
Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Advisories Culture Security Perspectives Product Technical Research View All
Advisory

OpenClinic Version 0.8.2 Advisory

OpenClinic Version 0.8.2 Advisory

Dec 1, 2020

Bishop Fox advisory on OpenClinic medical records software V. 0.8.2, including high risk missing authentication and insecure file upload vulnerabilities.

By Gerben Kleijn
Security Perspective

The Pen Testing Tools We’re Thankful for in 2020

The Pen Testing Tools We’re Thankful for in 2020

Nov 23, 2020

Recap of Bishop Fox's favorite penetration testing tools for 2020 including, Nuclei, Spyse Search Engine, Dufflebag, GadgetProbe, RMIScout and more.

By Britt Kemp
Security Perspective

Diverse Perspectives Offer a Broader Understanding of Your Attack Surface

Diverse Perspectives Offer a Broader Understanding of Your Attack Surface

Nov 17, 2020

Barrett Darnell discusses how having a diverse, specialized team of CAST pen testers on your side can make your organization less vulnerable to groupthink.

By Barrett Darnell
Culture

Hacking Into Cybersecurity: Security Interns Share Their Stories

Hacking Into Cybersecurity: Security Interns Share Their Stories

Nov 12, 2020

We have a robust internship program that has given many people an entry point to infosec. Learn more about breaking into the security industry.

By Nazariy Haliley
Security Perspective

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 3)

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 3)

Nov 10, 2020

Dan Petro delves into more methods of cheating at video games, highlighting lessons AppSec can learn from their complex and technical security challenges.

By Dan Petro
Advisory

Security Advisory: Immuta Version 2.8.2

Security Advisory: Immuta Version 2.8.2

Nov 4, 2020

Four vulnerabilities were identified within Immuta including XSS, content injection, insufficient authorization controls and improper session management.

By Chris Davis
Security Perspective

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 2)

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 2)

Nov 2, 2020

Dan Petro examines more methods of how cheating at video games applies to appsec, including having a computer or bot automate technically demanding tasks.

By Dan Petro
Security Perspective

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 1)

Cheating at Online Video Games and What It Can Teach Us About AppSec (Part 1)

Oct 29, 2020

Dan Petro examines some classic examples of online video game cheats and explores the lessons these cheats reveal in relation to application security.

By Dan Petro
Advisory

Winston Privacy Version 1.5.4

Winston Privacy Version 1.5.4

Oct 27, 2020

Advisory on nine vulnerabilities in the Winston Privacy VPN version 1.5.4 including critical risk command injection & high risk cross-site request forgery.

By Chris Davis
Security Perspective

Accidentally Secure Is Not Secure: A Case of Three Stooges Syndrome

Accidentally Secure Is Not Secure: A Case of Three Stooges Syndrome

Oct 20, 2020

During pen testing, components or features vulnerable to serious issues that aren't yet exploitable can become major problems after ordinary code changes.

By Dan Petro
Security Perspective

Bishop Fox Fights for Election Security

Bishop Fox Fights for Election Security

Oct 14, 2020

Vincent Liu was a technical expert in a case involving the State of Georgia election and digital voting machine security (Curling v. Raffensperger).

By Bishop Fox
Security Perspective

How to Keep Your Organization Safe From Social Engineering

How to Keep Your Organization Safe From Social Engineering

Oct 13, 2020

Daniel Wood reviews mistakes organizations make with social engineering and how to mitigate risks with better security controls, training, and processes.

By Daniel Wood
Security Perspective

Defining the Scope of Your Pen Test

Defining the Scope of Your Pen Test

Oct 6, 2020

A guide through the decisions that need to be made when planning a penetration test including defining the targets, boundaries, and depth of an assessment.

By Jake Miller
Security Perspective

When Automation Isn’t Enough: The True Impact of Human Expertise on Your Perimeter

When Automation Isn’t Enough: The True Impact of Human Expertise on Your Perimeter

Sep 30, 2020

Ori Zigindere highlights the need for human experts to conduct a thorough analysis of seemingly minor attack surface issues scanners often miss.

By Ori Zigindere
Technical Research

Design Considerations for Secure GraphQL APIs

Design Considerations for Secure GraphQL APIs

Sep 28, 2020

Discusses security risks and bugs to GraphQL deployments and migrations and covers high-risk authorization vulnerabilities and less familiar SSRF issues.

By Jake Miller
Security Perspective

More Important Than a TPS Report: Designing a Realistic CTF for DEF CON Safe Mode

More Important Than a TPS Report: Designing a Realistic CTF for DEF CON Safe Mode

Sep 22, 2020

Barrett Darnell discusses how the DEF CON Red Team Village The Office themed Capture the Flag competition and Continuous Attack Surface Testing are similar

By Barrett Darnell
Technical Research

Design Considerations for Secure Cloud Deployment

Design Considerations for Secure Cloud Deployment

Sep 15, 2020

Guidance on how to design a secure cloud deployment including reducing attack surface, simplifying maintenance, and ways to catch mistakes in the future.

By Jake Miller
Technical Research

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

h2c Smuggling: Request Smuggling Via HTTP/2 Cleartext (h2c)

Sep 8, 2020

Demonstrating how upgrading HTTP/1.1 connections to lesser-known HTTP/2 over cleartext (h2c) connections can allow a bypass of edge-proxy access controls.

By Jake Miller
Culture

Music to Hack To: A Bishop Fox Mixtape

Music to Hack To: A Bishop Fox Mixtape

Sep 3, 2020

Security consultants' favorite hacking music playlists that help them stay in the zone during engagements including classical, synthwave, and soundtracks.

By Britt Kemp
Advisory

Zamzar API Advisory

Zamzar API Advisory

Aug 27, 2020

A high risk vulnerability allowing for server side forgery request (SSRF) and local file inclusion as the root user was found in the Zamzar API.

By Chris Flanagan
Security Perspective

What Makes a Good Penetration Test?

What Makes a Good Penetration Test?

Aug 25, 2020

Jake Miller highlights how to evaluate a penetration test for quality, including clear and actionable deliverables, remediation recommendations, and more.

By Jake Miller
Security Perspective

20 Tips on How to Make the Most of Your Pen Test

20 Tips on How to Make the Most of Your Pen Test

Aug 19, 2020

Jake Miller shares guidance about how to get the most value from pen testing consulting services for companies at every stage of security program maturity.

By Jake Miller
Security Perspective

8 Recommended Talks From DEF CON 28

8 Recommended Talks From DEF CON 28

Aug 18, 2020

Eight recommended talks from DEF CON 28 aka DEF CON Safe Mode, on infosec topics. Speakers include: Ankur Chowdhary, Daniel Miessler, Sean Metcalf and more

By Britt Kemp
Advisory

TinyMCE, Version 5.2.1 Advisory

TinyMCE, Version 5.2.1 Advisory

Aug 12, 2020

Bishop Fox advisory on TinyMCE application in version 5.2.1. One high risk cross-site scripting vulnerability was found in the application.

By George Steketee, Chris Davis
Load More

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.