SANS Penetration Testing: Category - web pen testing

Modern Web Application Penetration Testing Part 1, XSS and XSRF Together

By: Adrien de Beaupre I enjoy performing penetration tests, I also enjoy teaching how to do penetration testing correctly. I will be teaching SANS SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques at many events this year. This is one of the many techniques that I will be exploring in … Continue reading Modern Web Application Penetration Testing Part 1, XSS and XSRF Together


Mining Meteor

By Tim Medin SANS Instructor & Counter Hack Engineer Meteor is a game-changing framework for rapid software development and is the top-rated web framework on Github. Meteor offers a number of benefits including offering real-time applications by default. With its greatbenefits, we are likely to see more Meteor applications... ...And you should know how to … Continue reading Mining Meteor


Azure 0day Cross-Site Scripting with Sandbox Escape

[Editor's Note: Chris Dale is an amazing gentleman. He finds Cross-Site Scripting (XSS) flaws in the most interesting and wonderful places. In this article, Chrisshares some insights into his methods and how he applied them in finding a zero-day XSS flaw associated with Microsoft Asure. Good reading! -Ed.] By Chris Dale Earlier in 2016, I … Continue reading Azure 0day Cross-Site Scripting with Sandbox Escape


Pen Testing Node.js: Staying N Sync Can Make the Server Go Bye Bye Bye

By Tim Medin I recently came across a node.js server in a pen test. If you aren't familiar with node.js, Wikipedia describes it as "...an open-source, cross-platform runtime environment for developing server-side web applications. Node.js applications are written in JavaScript and can be run within the Node.js runtime on a wide variety of platforms." For … Continue reading Pen Testing Node.js: Staying N Sync Can Make the Server Go Bye Bye Bye


Modifying Android Apps: A SEC575 Hands-on Exercise, Part 1

By Joshua Wright Introduction As a security professional, I'm called on to evaluate the security of Android applications on a regular basis. This evaluation process usually takes on one of two forms: Evaluate app security from an end-user perspective Evaluate app security from a publisher perspective While there is a lot of overlap between the … Continue reading Modifying Android Apps: A SEC575 Hands-on Exercise, Part 1