Application Security This Week for November 29

Three tools this week.  Pretty cool.


Check your S3 bucket permissions:


Information disclosure research requires OSINT.  Take a look at IntelOwl:


I might have reported on this before - it isn't new.  It is a purposefully vulnerable Android app, for practice purposes:


Hope everyone had a good and safe Thanksgiving.


Application Security This Week for November 22

Troy Hunt has another one of his awesome data breach breakdowns.  Lots to be learned here.

Troy Hunt: Inside the Cit0Day Breach Collection


Awesome paper on unwanted app distribution on Android.

2010.10088.pdf


In the information disclosure department, we have a Go project that will look for URLs exposed by shortener services like

utkusen/urlhunter: a recon tool that allows searching on URLs that are exposed via shortener services


Have a great Thanksgiving!

Application Security This Week for November 15

PortSwigger has a really nice new release - update now! Community and Pro editions.


OWASP ZAP has a fantastic new plugin to help test SPAs and the like.


Everything old is new again.  DNS Cache Poisoning is back.


That's the news!

Application Security This Week for November 8

Compass Security built a really nice Burp plugin that helps with the reporting of findings by copying the request and response pair from various tools.


Container Security is all the rage.  Here is a good primer.


Random vulnerability names ... so hawt right now.


One of the Big 4 consulting/audit firms helpfully built a "test your Hacker IQ" quiz that exposes the DB username and password.


I have written in this humble publication many times about my disdain over cryptic TLS vulnerabilities (pun intended) and now Let's Encrypt is going to cut off 30% of Android devices.


That's the news, folks.

Application Security This Week for November 1

Not a lot going on this week.  Almost as if everyone has something else to think about.


Get your debugger on.  Good two-parter on getting your feet wet with a little close-to-the-metal code.


For the bounty hunters - Harvard published a guide to the legal risk involved in bug hunting.


Writing Go code? Here's a new fuzzer for your Go apps.


That's the news, folks. Have a great week!


Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.