Offensive
Security Blog

Advisory

TinyMCE, Version 5.2.1 Advisory

Aug 12, 2020

Bishop Fox advisory on TinyMCE application in version 5.2.1. One high risk cross-site scripting vulnerability was found in the application.

By George Steketee, Chris Davis

Security Perspective

Is This IoT App Safe to Drink?

Aug 11, 2020

Sound policies to legislate the of Internet of Things (IoT) can help government and industry regulate and improve IoT product security and transparency.

By Brianne Hughes

Security Perspective

A Look Forward to the DEF CON Red Team Village CTF

Aug 5, 2020

CTF at 2020 DEFCON Red Team Village will be on a corporate Windows Active Directory environment that allows red teamers to improve security testing skills.

By Barrett Darnell

Security Perspective

Are You Giving Out Cheat Codes if You Whitelist Pen Testers?

Jul 29, 2020

Have specific goals for a pen test to determine whether or not to whitelist (or safelist). Whitelisting IP addresses helps pen testers access a network.

By Brianne Hughes

Security Perspective

An Updated Guide to Do-It-Yourself Network Segmentation

Jul 23, 2020

Bishop Fox's updated guide to do-it-yourself network segmentation shows how to practically and inexpensively ensure network security for home or business .

By Matt Keeley

Advisory

LibreHealth Version 2.0.0

Jul 14, 2020

Bishop Fox advisory on five vulnerabilities in LibreHealth application 2.0.0 including SQL injection, cross-site scripting and cross-site request forgery.

By Chris Davis

Security Perspective

Delivering Peace of Mind About New Citrix Emerging Threat

Jul 8, 2020

CITRIX announced 11 CVEs that impact its ADC, Gateway, and SDWAN WANOP products. Bishop Fox's Continuous Attack Surface Testing team protected our clients.

By Barrett Darnell

Security Perspective

SkillBridge Paves the Way for Service Members

Jul 8, 2020

Bishop Fox supports the SkillBridge program, which gives military personnel hands-on experience for the career they intend to pursue in civilian life.

By Brianne Hughes

Technical Research

Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers

Jun 30, 2020

Bishop Fox's Nathan Elendt discusses three attack techniques for performing Man-in-the Middle attacks against production-grade, HTTPS-protected Things.

By Nathan Elendt

Security Perspective

Stop Treating Breaches Like Natural Disasters: A New Mindset for Application Security

Jun 25, 2020

Security Determinism puts application security within our control. Dan Petro shows how sound software engineering helps prevent vulnerabilities & breaches.

By Dan Petro

Technical Research

How to Set Up Your Hardware Lab

Jun 23, 2020

Jordan Parkin discusses hardware hacking and the tools and equipment for setting up a budget-friendly lab for product security reviews and device research.

By Jordan Parkin

Advisory

SecureAuth Version 9.3

Jun 19, 2020

Bishop Fox's Chris Davis and Robert Punnett identified a client-side template injection vulnerability in the SecureAuth application version 9.3.

By Chris Davis, Robert Punnett

Security Perspective

A Guide to Digital Reconnaissance

Jun 16, 2020

Dan Wood gives insight into the world of digital reconnaissance, a way of collecting intelligence about a target without actively interacting with systems.

By Daniel Wood

Advisory

DigDash Enterprise: Versions 2018R2-2020R1

Jun 15, 2020

Bishop Fox advisory on three vulnerabilities in DigDash Version 2018 including server-side request forgery, cross-site scripting and content injection.

By Florian Nivette

Advisory

OOB to RCE: Exploitation of the Hobbes Functional Interpreter

Jun 12, 2020

Morgan Stanley's Hobbes lacks bounds checking, allowing exploitation of an OOB read/write vulnerability that leads to both local and remote code execution.

By Jake Miller

Security Perspective

Lessons Learned from Years of Red Teaming in Cybersecurity

Jun 9, 2020

Daniel Wood discusses lessons learned from years of red teaming, involving critical thinking and adopting an adversarial mindset to prevent cyber attacks.

By Daniel Wood

Security Perspective

Quantifying the Impact of Micro-Segmentation

Jun 4, 2020

Bishop Fox created a testing environment and assessment methodology for Illumio focused on network segmentation, reconnaissance, and network discovery.

By Bishop Fox

Security Perspective

Invest in Trusted Partners, Not Crowdsourcing, for Continuous Security

Jun 3, 2020

Joe Sechman discusses the limitations of crowdsourcing vs. the security assurance, quality of service, and scalability of continuous attack surface testing

By Joe Sechman

Security Perspective

Applying Elite Military Training to Civilian Assessments

May 26, 2020

By Brianne Hughes

Technical Research

RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution

May 26, 2020

Open source RMIScout performs wordlist and brute-force attacks against exposed Java RMI interfaces to safely guess method signatures without invocation.

By Jake Miller

Security Perspective

Security Lessons From Hacker-Themed Board Games

May 22, 2020

A way to prepare for real security events is to simulate them through gamification. Test your crisis management abilities with hacker themed board games.

By Brianne Hughes

Security Perspective

A Closer Look at the US-CERT Top 10 Vulnerabilities List

May 21, 2020

Bishop Fox's Daniel Wood analyzes the US-CERT Top 10 Vulnerabilities List, including attacks on Microsoft Office, VPNs, and the use of social engineering.

By Daniel Wood

Security Perspective

An Introduction to the OWASP IoT Top 10

Apr 23, 2020

Bishop Fox highlights the OWASP IoT top 10 security risks, including weak passwords, insufficient privacy protection, and insecure ecosystem interfaces.

By Britt Kemp

Technical Research

The TL;DR on TF-IDF: Applied Machine Learning

Apr 9, 2020

Joe Sechman and Greg Mortensen discuss how machine learning algorithms help keep up with constantly changing attack surfaces to detect more vulnerabilities

By Greg Mortensen, Joe Sechman