Search results

  1. META

    Getting Started with Debugging and Profiling Web Applications

    Introduction There are many articles on Habr describing the interesting and complex aspects of web development, but many readers, at the beginning of their web development careers, would like to see material that would help them take the first step from "PHP in 24 hours" to serious development...
  2. META

    Static security testing with open source tools

    You want to find vulnerabilities in your code as quickly as possible, which means you need to automate this process. How exactly can you automate vulnerability detection? There's dynamic security testing, and there's static testing—both have their advantages and disadvantages. Today, we'll take...
  3. META

    Web Application API Security

    This is the dynamic analysis engineering department at Swordfish Security. In previous articles, we described the OWASP ZAP plugin, explained how to scan applications using Burp Suite Pro, and set up automatic authorization in the DAST scanner. Today, we'll discuss what to look for when...
  4. META

    C++ Features of profiling C++ programs

    Sometimes you need to profile a program's performance or memory usage in a C++ program. Unfortunately, this is often not as easy as it might seem. This article will cover the specifics of program profiling using valgrind and Google perftools. This material is not very structured; it's more of...
  5. META

    Dynamic Analysis Practice: Implementation Features and Process Integration Considerations

    Hi! Yuri Shabalin, Chief Architect at Swordfish Security, is back on the air. We've been consulting on building secure development processes for our clients for quite some time now. In this process, we constantly encounter various nuances and challenges when implementing DevSecOps practices...
  6. META

    JavaScript Do It Yourself Java Profiling

    But I also suggest taking a look at the 70K text of the illustrated article-transcript below the cut, compiled by me from the video and slides. Today I'm giving a talk on "Do-It-Yourself Java Profiling." The slides will be in English, but I'll be delivering the talk in Russian. There are a lot...
  7. META

    Python Profiling: Why and Where Your Code Is Slowing Down

    Imagine this: you wrote a script to process some data on your laptop, went out for coffee, and when you return fifteen minutes later, barely 10% of the script has completed. Why is the script running so slowly? Which part is slowing it down? Is it reading the data, processing it, or saving it...
  8. META

    Burp Suite – JWT-Based Web Application Scanning

    Hello, Habr! It's back to those who report missing security headers in your application—dynamic analysis engineers. In our last article, we described a plugin for OWASP ZAP that simplifies JWT-based authentication. Now we'd like to...
  9. META

    JavaScript JavaScript Optimization: How to Speed Up Website Scripts

    All more or less complex websites and other web projects must include JavaScript. Correct scripting affects not only the functionality of specific page features but...
  10. META

    Wireshark - A Complete Getting Started Guide

    A Guide to Analyzing Network Traffic with Wireshark. 1. What is Wireshark? Wireshark is a widely used tool for capturing and analyzing network traffic, both for educational purposes and for troubleshooting computer and network problems. Wireshark supports virtually all...
  11. META

    Variables are a complete "illusion"

    What is a variable? Let's recall the concept of "variable." How do you usually construct a complex definition of this term? Here are examples of how the concept is presented to you on a silver platter: it is a storage of data, values; it is a named area in memory; it is a box that has a name in...
  12. META

    Pentesting 101: Where to Start

    Penetration testers are not "half-bad hackers," but information security specialists who simulate real cyberattacks to discover weaknesses in systems. They are also called "ethical hackers" or "security testers," but the essence of their work remains the same: they help companies protect...
  13. META

    Python How to Organize Code in a Python Project to Avoid Regrets

    Python differs from programming languages such as C# or Java, which force the programmer to name classes according to the names of the files in which the code for those classes resides. Python is the most flexible programming language I've ever encountered. And when you're dealing with...
  14. META

    John the Ripper and Hashcat: The Evolution of Brute Force

    Stealing password databases from compromised systems is a common problem. This was especially acute in the early years of Unix's development, when passwords were stored in cleartext. A leak of such a database meant a complete compromise of the system. The problem was solved by the world's first...
  15. META

    Secure malware analysis

    File analysis can be divided into two types: static, where a file is examined without being executed, and dynamic, where the file is run in a safe environment (a test machine or a virtual machine, such as a sandbox). Here, I will describe how to set up a working environment for safe static...
  16. META

    About code comments

    I used to think that I didn’t need comments if I wrote self-documenting code. However, I realized that I do write comments and find them genuinely useful. To see how many comments I write and what kinds they are, I created a script to analyze my Git commits over the past six years. In...
  17. META

    Web Security: Introduction to HTTP

    HTTP is a wonderful thing: a protocol that has existed for more than 20 years without major changes. This is the second part of a web security series: the first part was “How Browsers Work.” As we saw in the previous article, browsers interact with web applications over HTTP, which is the main...
  18. META

    Indentation in Python — Solution Approach

    In the vast majority of programming languages, if you remove all indentation from the entire source code and then apply auto-formatting, the program will remain fully functional and will also be formatted in a consistent style. At first glance, such an operation seems impossible in Python. At...
  19. META

    A worm that no computer can hack.

    When I ran my first worm simulation, the Santa Ana winds were already blowing hard. I’m not a hacker, but it was simple: you open a terminal shell, paste in commands from GitHub, and watch a cascade of symbols scroll across the screen—just like in the movies. As I scanned the code flying past my...
  20. META

    7 libraries for Android development in Kotlin

    Recently, I started learning Kotlin for Android development, and I really like it. Kotlin’s syntax is very similar to Swift, which makes it convenient. I’m still just a beginner in Android development, so there are probably many useful libraries I haven’t had the chance to explore yet, but...