
Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Security Perspective

How to Keep Your Business Secure During the COVID-19 Pandemic

Mar 17, 2020

Bishop Fox's Daniel Wood discusses how to keep businesses and their now remote employees secure from cyber attacks during the COVID-19 coronavirus pandemic

By Daniel Wood

Security Perspective

What Is XSS?: An Overview

Mar 16, 2020

Bishop Fox explains cross-site scripting (XSS), an OWASP Top 10 injection vulnerability, its different varieties, and tips to prevent an attack

By Britt Kemp

Advisory

Twisted Version 19.10.0

Mar 11, 2020

Bishop Fox advisory on two high-risk HTTP request splitting (HTTP request smuggling) vulnerabilities that were identified in Twisted Web version 19.10.0

By Jake Miller

Security Perspective

Staying Ahead of Emerging Threats

Mar 5, 2020

Bishop Fox's Continuous Attack Surface Testing managed security service helped clients when a critical-severity vulnerability threatened Citrix appliances.

By Ori Zigindere

Advisory

From Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains

Mar 4, 2020

Matt Hamilton published a security advisory about homograph domain names on gTLDs as well as subdomains within SaaS companies using homoglyph characters.

By Bishop Fox

Technical Research

GadgetProbe: Exploiting Deserialization to Brute-Force the Remote Classpath

Feb 17, 2020

GadgetProbe is a tool to probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on a remote Java classpath.

By Jake Miller

Technical Research

How to Set Up Zniffer for Z-Wave

Feb 12, 2020

Bishop Fox helps hardware security testers with a detailed step-by-step process for setting up a Zniffer for Z-Wave, a wireless communications protocol.

By Priyank Nigam

Security Perspective

How to Prevent the OWASP Top 10

Feb 10, 2020

Bishop Fox highlights how to prevent the OWASP Top 10, the most common high-risk vulnerabilities, such as sensitive data exposure and cross-site scripting.

By Britt Kemp

Technical Research

Dufflebag: Uncovering Secrets in Exposed EBS Volumes

Feb 3, 2020

Dufflebag is an open source tool that allows users to quickly search public Amazon EBS volume snapshots for references to their organizations.

By Dan Petro

Security Perspective

Identifying the Modern Attack Surface

Jan 28, 2020

For the new Bishop Fox Inside Engineering series, Brad Sickles shares how his team used the frameworks they built to define the modern attack surface.

By Brad Sickles

Advisory

ConnectWise Control 19.3.25270.7185 - Eight Vulnerabilities, Including Critical

Jan 22, 2020

This advisory from the Bishop Fox research team highlights eight vulnerabilities, including critical, in the ConnectWise Control application, version 19.3.25270.7185.

By Daniel Wood

Culture

Return to NetWars: Tournament of Champions

Jan 21, 2020

By Barrett Darnell

Security Perspective

7 of the Most Memorable CVEs of 2019

Dec 30, 2019

As we end this year, we’re taking a look back at some of the vulnerabilities that made headlines, scared us a little bit, and stirred us to apply patches.

By Britt Kemp

Advisory

Dradis Pro Version 3.4.1

Dec 30, 2019

The Dradis Pro app was affected by an insecure direct object reference vulnerability that allowed a user to extract project content and disclose information.

By Florian Nivette

Advisory

Big Monitoring Fabric Application

Dec 30, 2019

High-risk vulnerabilities in the Big Monitoring Fabric app that would grant a remote attacker admin access and SSH console access to the affected system.

By Chris Davis

Technical Research

Escalator to the Cloud: 5 Privesc Attack Vectors in AWS

Dec 19, 2019

Identify what to look out for to mitigate or remove AWS privilege escalation. Gerben Kleijn sorted the 21 methods across AWS services into five categories.

By Gerben Kleijn

Technical Research

Well, That Escalated Quickly: Privilege Escalation in AWS

Dec 19, 2019

For security professionals performing AWS cloud security reviews or pen tests: explore privilege escalation methods that can be used in practice and explained clearly to clients.

By Gerben Kleijn

Technical Research

CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI

Dec 12, 2019

Telerik UI for ASP.NET AJAX insecurely deserializes JSON objects resulting in arbitrary RCE. Learn how to patch and securely configure this software.

By Caleb Gross

Technical Research

SFDC Secure Development Cheat Sheet

Dec 11, 2019

This guide helps developers build secure Salesforce web applications, whether the goal is to pass the AppExchange review or improve an application’s security.

By Zach Julian

Advisory

Solismed Version 3.3SP1

Dec 9, 2019

Bishop Fox's Chris Davis discovered several vulnerabilities in the Solismed application version 3.3SP1, which you can read about in this advisory.

By Chris Davis

Security Perspective

The Pen Testing Tools We’re Thankful for This Season

Nov 28, 2019

Recap of Bishop Fox's penetration testing tools for 2019.

By Britt Kemp

Technical Research

Reasonably Secure Electron

Nov 21, 2019

Many still consider the Electron framework insecure. This research describes how to effectively design applications that defend against attacks.

By Joe DeMesy

Security Perspective

Scary Security Stories to Tell in the Dark

Oct 31, 2019

Three scary cybersecurity stories for Halloween: hacking mass transit, deepfakes, and smart homes.

By Britt Kemp

Technical Research

Glossary of Relevant AWS Terms

Oct 28, 2019

All entry text is from the AWS Glossary Version 1.0.

By Gerben Kleijn
