Philippe Arteau
122 followers
Philippe's posts

Auditing CSP headers with Burp and ZAP
Content Security Policy (CSP) is an HTTP header that instructs the browser to limit the loading of media, styles and scripts. As you may know, CSP is not yet widely adopted by industry. Multiple surveys have already been made about the adoption of the security...
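As an added example (not code from the post, nor from the Burp or ZAP extension it describes), the following Python audit parses a Content-Security-Policy header value and flags the settings that weaken the protection the paragraph describes: a missing default-src, the `*` source, `'unsafe-inline'`/`'unsafe-eval'` or bare scheme sources on directives that control script and plugin loading, and wildcard hosts. The two sample headers are constructed for the example.

```python
"""Audit a Content-Security-Policy header value for permissive directives."""

# Directives whose values are source lists controlling what may be loaded.
FETCH_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "media-src",
    "object-src", "frame-src", "connect-src", "font-src", "child-src",
}
# Directives where a permissive source allows script execution or plugin loading.
EXEC_DIRECTIVES = {"default-src", "script-src", "object-src"}

# Constructed sample headers (not captured from any real site).
WEAK_CSP = "default-src * 'unsafe-inline'; img-src data:"
STRICT_CSP = ("default-src 'none'; script-src 'self' https://cdn.example.com; "
              "style-src 'self'; img-src 'self' data:; object-src 'none'")


def parse_csp(header):
    """Split a header value into {directive: [sources]}.

    The CSP spec ignores a directive that is repeated within one policy,
    so the first definition wins here as well.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, [t.lower() for t in tokens[1:]])
    return policy


def audit_csp(header):
    """Return a list of findings describing permissive settings in the policy."""
    policy = parse_csp(header)
    findings = []

    if "default-src" not in policy:
        findings.append("default-src missing: any fetch directive not set is unrestricted")

    for name, sources in policy.items():
        if name not in FETCH_DIRECTIVES:
            continue
        for src in sources:
            if src == "*":
                findings.append(f"{name}: '*' allows any origin")
            elif src in ("'unsafe-inline'", "'unsafe-eval'") and name in EXEC_DIRECTIVES:
                findings.append(f"{name}: {src} re-enables inline or eval'd script")
            elif src in ("data:", "blob:", "https:", "http:") and name in EXEC_DIRECTIVES:
                findings.append(f"{name}: scheme source {src} allows script from any {src} URL")
            elif src.startswith("*."):
                findings.append(f"{name}: wildcard host {src} trusts every subdomain")

    # A permissive default-src applies to script and plugin loading whenever
    # script-src / object-src are not set explicitly.
    default = policy.get("default-src", [])
    for exec_name in ("script-src", "object-src"):
        if exec_name not in policy and any(s in ("*", "'unsafe-inline'") for s in default):
            findings.append(f"{exec_name} not set: inherits permissive default-src")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: {audit_csp(header) or 'no findings'}")
```

Feed it the `Content-Security-Policy` value from a proxied response; a policy that audits clean here still needs a manual check that the allowed hosts do not serve attacker-controllable content such as open JSONP endpoints or user uploads.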

XSS for ASP.net developers
This post was originally published on GoSecure's blog. As a follow-up to the talk given at Confoo a few weeks ago, we are doing a focused article on the same topic. The presentation gave an overview of modern XSS attack vectors and filter bypasses. I...

Deserialization Vulnerability : Automating the hunt
At the end of 2015, many Java applications were found vulnerable to a common deserialization bug. It all started with a presentation at AppSecCali that demonstrated the danger of deserializing user input while having Apache Commons Collections in the classpath...

Automate dependencies checking
An application is like an iceberg. During a security code review, the focus is always on the code written by the development team. It is easy to forget that most of the code running in production is frameworks, libraries, the web server and the ope...

Security Code Review for Android applications
You are developing mobile applications and you have read the OWASP Mobile Top Ten Mobile Risks. You may be wondering what security tools can help you face the growing complexity of your Android applications. Well, there are plenty! In this article, I wil...

crossdomain.xml : Beware of Wildcards
This blog entry will describe a widespread Flash vulnerability that affected many big websites, including paypal.com. The description will picture the state of the websites paypal.com and ebay.com in 2013-2014. The vulnerabilities were completely fixed t...
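As an added example (not from the post, and not a capture of the PayPal or eBay policies it discusses), the Python audit below parses a crossdomain.xml policy and reports the wildcard grants the title warns about. The sample policy is constructed for the example; the point it illustrates is that a Flash movie served from any domain matched by `allow-access-from` can send requests to this host with the victim's cookies and read the responses, so `domain="*"` hands that capability to every site on the Internet.

```python
"""Audit a crossdomain.xml policy for wildcard and insecure grants."""
import xml.etree.ElementTree as ET

# Constructed sample resembling the permissive policies once found on large
# sites; it is not a capture from paypal.com or ebay.com.
SAMPLE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="*"/>
  <allow-access-from domain="*.example.com" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return one finding per wildcard or insecure grant in the policy.

    ElementTree does not fetch the external DTD referenced by the DOCTYPE,
    so parsing a policy fetched from a third party does not trigger network
    access or entity expansion here.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        # 'secure' defaults to true: a policy served over HTTPS is then not
        # honoured for SWFs that were themselves loaded over plain HTTP.
        secure = el.get("secure", "true").lower()
        if domain == "*":
            findings.append("allow-access-from domain='*': any origin can read "
                            "authenticated responses from this host")
        elif domain.startswith("*."):
            findings.append(f"allow-access-from domain='{domain}': every subdomain "
                            "is trusted, so one vulnerable subdomain exposes this host")
        if secure == "false":
            findings.append(f"allow-access-from domain='{domain}' secure='false': "
                            "the grant also applies to SWFs loaded over HTTP")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain='*': any origin "
                            "may send custom request headers to this host")
    return findings


def is_wildcard_open(xml_text):
    """True when the policy grants read access to every domain."""
    return any(el.get("domain") == "*"
               for el in ET.fromstring(xml_text).iter("allow-access-from"))


if __name__ == "__main__":
    for finding in audit_crossdomain(SAMPLE_POLICY):
        print(finding)
```

Run it against `/crossdomain.xml` of each host in scope; a `domain="*"` grant on a host that serves authenticated content is the condition the post describes, and a `*.` wildcard deserves the same scrutiny as a subdomain takeover would.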

Predicting Struts CSRF Token (CVE-2014-7809)
A week has passed since the official release of Struts 2.3.20. I would now like to explain how the CSRF token could be "easily" predicted by taking advantage of the vulnerability...

Remote Code Execution .. by design
In rare situations, web applications are designed to accept code as input. In most cases, this is done to provide flexibility to the administrator of a system. The idea is to replace a complex interface with a Domain Specific Language. For a developer, it is a...

Find Security Bugs: New version and project status
A new version of FindSecurityBugs was released last week. For those who don't know about it, FindSecurityBugs is a plugin for the Java static analysis tool FindBugs. This plugin consists of a set of rules that focus only on security weaknesses. FindSecurityBugs u...

Identifying Xml eXternal Entity vulnerability (XXE)
Here is a small writeup on how an XXE was discovered on the website RunKeeper.com. The website, as the name suggests, keeps track of your training (running, cycling, skiing, etc.). The vulnerabilities presented were fixed on June 10th 2014. The website accepts t...