Blog Index

All the posts have been edited and updated from their original versions. A few dusty ones remain in the archive.

If you’re interested in episodes from the Application Security Weekly podcast, check out the show index.

• AI & LLMs – An ASW Topic Recap
  Nov 14, 2024 • Recap of the Application Security Weekly podcast episodes on AI & LLMs
• The ASW October 2024 Recap
  Nov 1, 2024 • Recap of the Application Security Weekly podcast episodes from October 2024
• The ASW September 2024 Recap
  Oct 4, 2024 • Recap of the Application Security Weekly podcast episodes from September 2024
• The ASW August 2024 Recap
  Sep 6, 2024 • Recap of the Application Security Weekly podcast episodes from August 2024
• The ASW July 2024 Recap
  Aug 2, 2024 • Recap of the Application Security Weekly podcast episodes from July 2024
• The ASW June 2024 Recap
  Jul 5, 2024 • Recap of the Application Security Weekly podcast episodes from June 2024
• The ASW May 2024 Recap
  Jun 7, 2024 • Recap of the Application Security Weekly podcast episodes from May 2024
• The ASW April 2024 Recap
  May 3, 2024 • Recap of the Application Security Weekly podcast episodes from April 2024
• The ASW March 2024 Recap
  Apr 5, 2024 • Recap of the Application Security Weekly podcast episodes from March 2024
• The ASW February 2024 Recap
  Mar 1, 2024 • Recap of the Application Security Weekly podcast episodes from February 2024
• The ASW January 2024 Recap
  Feb 2, 2024 • Recap of the Application Security Weekly podcast episodes from January 2024
• The ASW December 2023 Recap
  Jan 5, 2024 • Recap of the Application Security Weekly podcast episodes from December 2023
• The ASW November 2023 Recap
  Dec 1, 2023 • Recap of the Application Security Weekly podcast episodes from November 2023
• The ASW October 2023 Recap
  Nov 3, 2023 • Recap of the Application Security Weekly podcast episodes from October 2023
• The ASW September 2023 Recap
  Oct 4, 2023 • Recap of the Application Security Weekly podcast episodes from September 2023
• The ASW August 2023 Recap
  Sep 1, 2023 • Recap of the Application Security Weekly podcast episodes from August 2023
• Moving on from the OWASP Top 10
  Mar 30, 2023 • Why the OWASP Top 10 list no longer drives effective appsec
• Celebrating Curl's 25th Anniversary
  Mar 20, 2023 • 25 years of curl -- one of the most impactful open source projects
• How I Conduct Podcast Prep Calls
  Feb 3, 2023 • Notes for conducting prep calls for the podcast
• Some Appsec Haikus
  Dec 15, 2022 • Appsec and DevOps concepts expressed as haikus
• The Fourth Year of the Fourth Edition
  Jan 14, 2018 • Celebrating the 4th edition of Anti-Hacker Tool Kit
• A Week of Security Should Last All Year
  Jul 24, 2017 • Cybersecurity tips to always follow for protecting your devices
• Builder, Breaker, Blather, Why
  Mar 20, 2017 • Software engineering that leads to effective security
• Why You Should Always Use HTTPS
  May 31, 2016 • A non-technical overview of why HTTPS is so important for the web
• I'll ne'er look you i' the plaintext again
  May 3, 2016 • Let's encrypt and the security benefits from DevOps
• You've Violated APE Law!
  Mar 18, 2016 • Secure code and the planet of the apes
• Laws of Magic, Technology, and Appsec
  Feb 12, 2016 • Appsec versions of the quote about technology being indistinguishable from magic
• Bad Code Entitles Good Exploits
  Sep 9, 2014 • XSS example
• A Monstrous Confluence
  May 10, 2014 • Heartbleed detection tool and demonstration in C++
• Soylent Grün ist Menschenfleisch
  Dec 27, 2013 • The web -- it's made of people!
• Selector the Almighty, Subjugator of Elements
  Dec 3, 2013 • XSS payloads to take advantage of the presence of jQuery
• A Default Base of XSS
  Oct 21, 2013 • An XSS vector via quirks of PHP integers
• On a Path to HTML Injection
  Sep 25, 2013 • HTML injection through URL paths
• DRY Fiend (Conjuration/Summoning)
  Aug 27, 2013 • Code reuse for XSS attacks
• Oh, the Secrets You'll Know
  Aug 20, 2013 • Finding secrets in GitHub repos
• Two Hearts That Beat As One
  Jun 24, 2013 • Crafting an XSS payload across two input parameters
• A True XSS That Needs To Be False
  Jun 18, 2013 • XSS that takes advantage of JavaScript syntax quirks
• A Hidden Benefit of HTML5
  Jun 14, 2013 • Finding XSS in hidden input fields
• JavaScript: A Syntax Oddity
  Jun 5, 2013 • Crafting XSS payloads with valid, but strange, JavaScript syntax
• The Wrong Location for a Locale
  Mar 28, 2013 • XSS through localization
• Insistently Marketing Persistent XSS
  Mar 21, 2013 • Example of persistent XSS
• Plugins Stand Out
  Mar 14, 2013 • Insecure browser plugins
• Condign Punishment
  Mar 5, 2013 • Historically harsh punishment for security lapses
• Implicit HTML, Explicit Injection
  Feb 5, 2013 • XSS payloads that take advantage of entity encoding
• Know Your JavaScript (Injections)
  Jan 23, 2013 • Cross-site scripting example inside a JavaScript variable
• User Agent. Secret Agent. Double Agent.
  Jan 21, 2013 • Explanation of CSRF flaws
• A Lesser XSS Attack Greater Than Your Regex Security
  Jan 14, 2013 • Bypass a regex that tried to block XSS
• TOCTOU Twins
  Dec 26, 2012 • Time of check, time of use vulns in web apps
• HIQR for the SPQR
  Dec 5, 2012 • HTML injection quick reference for creating XSS payloads
• Escape from Normality
  Oct 2, 2012 • Noramlizing data before validating it
• My Zombie Incursion into Amazon.com
  Sep 21, 2012 • Cross-site scripting (XSS) on amazon.com via a book's PDF preview
• LinkedIn, HashedOut
  Jun 7, 2012 • Random passwords from the 2012 LinkedIn breach
• Design vs. Implementation
  Jun 5, 2012 • Flaws that stem from design and implementation mistakes
• O[Utf-8]12
  Mar 6, 2012 • Unicode, UTF-8, and character encoding implications for appsec
• The Twelve Web Security Truths
  Nov 16, 2011 • An appsec list inspired by RFC 1925
• Will the Real APT Please Stand Up?
  Jun 16, 2011 • Advanced vs. sophisticated appsec threats
• Klingon, Quenya, or Sindarin?
  Jun 1, 2011 • A brief note on confusion and diffusion
• CSRF and Beyond
  Apr 26, 2011 • Explaining cross-site request forgery (CSRF) vulns
• Advanced Persistent Ignorance
  Apr 14, 2011 • The advanced persistent ignorance that leads to SQL injection flaws.
• Electric Skillet
  Dec 11, 2010 • Appsec ideas from sci-fi books
• Carborundum Saw
  Dec 11, 2010 • Cybercrime imagined in 1986 by Stanisław Lem
• Regex-based security filters drift without anchors
  Jun 15, 2010 • Avoiding subtle flaws in regex-based security filters
• Cross-Site Tracing (XST): The misunderstood vulnerability
  May 18, 2010 • Cross-site tracing (XST) takes advantage of a web server's reflection of the client's HTTP message in a respose to a TRACE request
• At about this time...
  May 8, 2010 • The day of the triffids
• Is a vuln without a useful exploit still a vuln?
  May 7, 2010 • Finding an XSS vuln vs. finding an exploit, and how such vulns should be prioritized
• Of the 2010 OWASP Top 10, Only 3 Not Common, Only 1 Hard To Detect
  Apr 22, 2010 • Observations on the 2010 OWASP Top 10
• Primordial cross-site scripting (XSS) exploits
  Feb 19, 2010 • One of the earliest examples of XSS
• An Alien Concept of Password Security
  Feb 17, 2010 • Password security lessons from the movie Aliens
• Earliest(-ish) hack against web-based email
  Jan 4, 2010 • One of the earliest examples of XSS against web-based email
• So...so you think you can tell
  Jul 30, 2008 • Finding flaws in web apps