Offensive Security Blog

Expert insights on offensive security, AI vulnerabilities, and emerging threats from Bishop Fox's leading security researchers and penetration testers.

Industry

Delivering Peace of Mind About New Citrix Emerging Threat

Jul 8, 2020

Citrix announced 11 CVEs that impact its ADC, Gateway, and SD-WAN WANOP products. Bishop Fox's Continuous Attack Surface Testing team protected our clients.

By Barrett Darnell

Industry

SkillBridge Paves the Way for Service Members

Jul 8, 2020

Bishop Fox supports the SkillBridge program, which gives military personnel hands-on experience for the career they intend to pursue in civilian life.

By Brianne Hughes

Technical Research

Breaking HTTPS in the IoT: Practical Attacks For Reverse Engineers

Jun 30, 2020

Bishop Fox's Nathan Elendt discusses three attack techniques for performing Man-in-the-Middle attacks against production-grade, HTTPS-protected Things.

By Nathan Elendt

Industry

Stop Treating Breaches Like Natural Disasters: A New Mindset for Application Security

Jun 25, 2020

Security Determinism puts application security within our control. Dan Petro shows how sound software engineering helps prevent vulnerabilities and breaches.

By Dan Petro

Technical Research

How to Set Up Your Hardware Lab

Jun 23, 2020

Jordan Parkin discusses hardware hacking and the tools and equipment for setting up a budget-friendly lab for product security reviews and device research.

By Jordan Parkin

Advisory

SecureAuth Version 9.3

Jun 19, 2020

Bishop Fox's Chris Davis and Robert Punnett identified a client-side template injection vulnerability in the SecureAuth application version 9.3.

By Chris Davis, Robert Punnett

Industry

A Guide to Digital Reconnaissance

Jun 16, 2020

Dan Wood gives insight into the world of digital reconnaissance, a way of collecting intelligence about a target without actively interacting with systems.

By Daniel Wood

Advisory

DigDash Enterprise: Versions 2018R2-2020R1

Jun 15, 2020

Bishop Fox advisory on three vulnerabilities in DigDash Version 2018, including server-side request forgery, cross-site scripting, and content injection.

By Florian Nivette

Advisory

OOB to RCE: Exploitation of the Hobbes Functional Interpreter

Jun 12, 2020

Morgan Stanley's Hobbes lacks bounds checking, allowing exploitation of an OOB read/write vulnerability that leads to both local and remote code execution.

By Jake Miller

Industry

Lessons Learned from Years of Red Teaming in Cybersecurity

Jun 9, 2020

Daniel Wood discusses lessons learned from years of red teaming, involving critical thinking and adopting an adversarial mindset to prevent cyber attacks.

By Daniel Wood

Industry

Quantifying the Impact of Micro-Segmentation

Jun 4, 2020

Bishop Fox created a testing environment and assessment methodology for Illumio focused on network segmentation, reconnaissance, and network discovery.

By Bishop Fox

Industry

Invest in Trusted Partners, Not Crowdsourcing, for Continuous Security

Jun 3, 2020

Joe Sechman discusses the limitations of crowdsourcing versus the security assurance, quality of service, and scalability of continuous attack surface testing.

By Joe Sechman

Industry

Applying Elite Military Training to Civilian Assessments

May 26, 2020

By Brianne Hughes

Technical Research

RMIScout: Safely and Quickly Brute-Force Java RMI Interfaces for Code Execution

May 26, 2020

Open-source RMIScout performs wordlist and brute-force attacks against exposed Java RMI interfaces to safely guess method signatures without invoking them.

By Jake Miller

Industry

Security Lessons From Hacker-Themed Board Games

May 22, 2020

One way to prepare for real security events is to simulate them through gamification. Test your crisis management abilities with hacker-themed board games.

By Brianne Hughes

Industry

A Closer Look at the US-CERT Top 10 Vulnerabilities List

May 21, 2020

Bishop Fox's Daniel Wood analyzes the US-CERT Top 10 Vulnerabilities List, including attacks on Microsoft Office, VPNs, and the use of social engineering.

By Daniel Wood

Industry

An Introduction to the OWASP IoT Top 10

Apr 23, 2020

Bishop Fox highlights the OWASP IoT top 10 security risks, including weak passwords, insufficient privacy protection, and insecure ecosystem interfaces.

By Britt Kemp

Technical Research

The TL;DR on TF-IDF: Applied Machine Learning

Apr 9, 2020

Joe Sechman and Greg Mortensen discuss how machine learning algorithms help keep up with constantly changing attack surfaces to detect more vulnerabilities.

By Greg Mortensen, Joe Sechman

Culture

Support Staff: Why You Should Rock The Boat

Mar 31, 2020

Rocking the boat can be scary, but making waves can show your manager that you bring something not everyone else has to offer. Plainly put, you have guts, a handle on the bigger picture, and a willingness to help find solutions to make the company better.

By Valerie Chargualaf

Industry

How to Keep Your Business Secure During the COVID-19 Pandemic

Mar 17, 2020

Bishop Fox's Daniel Wood discusses how to keep businesses and their now-remote employees secure from cyber attacks during the COVID-19 coronavirus pandemic.

By Daniel Wood

Industry

What Is XSS?: An Overview

Mar 16, 2020

Bishop Fox explains cross-site scripting (XSS), an OWASP Top 10 injection vulnerability, its different varieties, and tips to prevent an attack.

By Britt Kemp

Advisory

Twisted Version 19.10.0

Mar 11, 2020

Bishop Fox advisory on two high-risk HTTP request splitting (HTTP request smuggling) vulnerabilities identified in Twisted Web version 19.10.0.

By Jake Miller

Industry

Staying Ahead of Emerging Threats

Mar 5, 2020

Bishop Fox's Continuous Attack Surface Testing managed security service helped clients when a critical-severity vulnerability threatened Citrix appliances.

By Ori Zigindere

Advisory

From Emoji to Zero-Day: Latin Homoglyphs in Domains and Subdomains

Mar 4, 2020

Matt Hamilton published a security advisory about homograph domain names on gTLDs as well as subdomains within SaaS companies using homoglyph characters.

By Bishop Fox