Search results

There's increasing talk about static analysis for vulnerability detection as a necessary development step. However, many also discuss the challenges of static analysis. This was discussed extensively at the last Positive Hack Days , and following those discussions, we already wrote about how a...

Reverse engineering is a labor-intensive and challenging task, but not everyone is up to the task. Anyone can feed a program to a decompiler, but not everyone has the patience to decipher the intricacies of machine instructions. The process becomes more challenging if the research is being...

Typically, developers, and even testers, can't always predict in advance what kind of invalid input data will be received by their web application. Traditional testing methods—manual, integration, and even unit tests—are good at handling expected scenarios. However, testing unpredictable ones...

Typically, developers, and even testers, can't always predict in advance what kind of invalid input data will be received by their web application. Traditional testing methods—manual, integration, and even unit tests—are good at handling expected scenarios. However, testing unpredictable ones...

99% of what I do is exploiting avoidable mistakes. Today I'll talk about IDOR, one of the most common and easy-to-exploit web vulnerabilities. It can be used to view someone else's photos on social media, get a discount on an online store, or earn thousands of dollars in bug bounties. Using...

...

Lately, I've been seeing heated debates between .NET supporters and opponents on popular tech forums. These arguments typically begin with a misunderstanding and end in vicious trolling, arguments about life, and comparisons of the radii and specific densities of various spherical cones. Both...

Over the past few years, web application security has become a key issue in IT. For companies, system stability is crucial to their reputation and the avoidance of unnecessary costs. Annual statistics from large information security companies indicate an increase in the number and quality of...

Hi everyone, my name is Vadim Mezentsev, and I'm an Android developer on the Yandex Go team. Today, I'd like to share the story of how we searched for an approach to profiling our app, the challenges we encountered, and how we ultimately implemented a performance measurement library. Our team...

Today, web application security is crucial, so even developers need to master pentesting tools. We've already written about the powerful WPScan framework for WordPress pentesting, but websites also run on other platforms. That's why today we'll explore the more versatile OWASP ZAP (Zed Attack...

Hi, today I'll be writing a long and detailed article about low-level profiling and performance diagnostics. In the comments to my talks and articles, I've heard users repeatedly express a desire to see not just a list of "do's" and "don'ts" patterns, but a comprehensive history. So here's an...

When I was at PKC, my team led about thirty code audits. Many of them were for startups that had raised a Series A or B—this is the stage when founders typically have raised money, are distracted from their all-out focus on going to market, and realize they need to focus more on security. The...

Introduction Python's execution speed often leaves much to be desired. Some people abandon Python for this very reason, but there are several ways to optimize Python code, both in terms of time and memory usage. I'd like to share a few methods that help with real-world problems. I'm using...

I'm not talking about skills or knowledge, nor am I trying to sell the world on the idea of performance optimization. Our world already prioritizes speeding up everything. Optimizing code performance is hard work because it's a problem whose very nature dictates the use of brute force—an...

Alexander Alekseev ( Postgres Professional ) An excellent overview talk from the HighLoad++ 2016 conference on how to profile software code. It covers typical mistakes that occur during measurements. And, of course, about the tools: - gettimeofday - strace, ltrace, truss - gprof - gdb / lldb -...

Hi, I'm Tony Albrecht, an engineer at Riot. I love profiling and optimization. In this article, I'll cover the basics of profiling and analyze a sample of C++ code while profiling it on a Windows machine. We'll start with the basics and gradually delve into the CPU's guts. When we find...

Malware has long been a major threat to information security. Approaches to analyzing and protecting against these types of attacks vary. Generally, two approaches are distinguished: static and dynamic analysis. The goal of static analysis is to find patterns of malicious content in a file or...

I begin every article by mentioning that our team is developing a mobile app security analysis platform. Why? By posting information I find useful, along with various discoveries and tips, I want to share them with like-minded people, help those who are on the same path, and share interesting...

Penetration tests help identify and address weaknesses in a company's security before attackers can exploit them. But for such a test to be truly useful, it's important to understand why you're conducting it, the methodology you're using, and what you'll do with the results. In this article we...

In a conversation with Marshall Clow on the CppCast #300 ABI Stability podcast, we touched on the long-standing news of Visual Studio compiler support for AddressSanitizer (ASan). We've been implementing ASan in our testing system for some time now and want to share a couple of interesting bugs...