Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318

Application Security Weekly (Audio)

Player FM - Internet Radio Done Right

80 subscribers

Security

اضافه شده در seven سال پیش

محتوای ارائه شده توسط Security Weekly Productions. تمام محتوای پادکست شامل قسمت‌ها، گرافیک‌ها و توضیحات پادکست مستقیماً توسط Security Weekly Productions یا شریک پلتفرم پادکست آن‌ها آپلود و ارائه می‌شوند. اگر فکر می‌کنید شخصی بدون اجازه شما از اثر دارای حق نسخه‌برداری شما استفاده می‌کند، می‌توانید روندی که در اینجا شرح داده شده است را دنبال کنید.https://fa.player.fm/legal

Profits Through Podcasting

1
100 Episodes WASTED! Fix These 4 Simple Podcast Blunders in Minutes 14:42

۸ weeks پیش14:42

پخش در آینده

لیست ها

پسندیدن

دوست داشته شد

14:42

Is your health and wellness podcast optimized for success, or are crucial oversights holding back your potential? I audited a doctor’s podcast recently and was shocked at what I found. This podcast had over 100 episodes—pretty impressive. However, the whole setup of the podcast had some brutal mistakes that I’m sure were holding this doctor back from seeing bigger results. How can optimizing your podcast's website links transform your show's reach? Are you missing out on SEO benefits that could elevate your visibility? Curious about the impact of professional collaboration on your podcast? Don't let simple mistakes hold you back. Tune in to find out how to turn your podcast into a lead-generating powerhouse! Today’s episode includes: How minor mistakes hinder podcast growth and engagement. Why directing podcast episode links on Apple, Spotify, etc to your own website is ideal. Why collaborating with professional teams can elevate your podcast impact and revenue. How maintaining high production standards enhances credibility, especially in the health and wellness space. How omitting crucial subscription links will limit your audience growth. Why owning a proper domain ensures long-term SEO benefits and authority with search engines. How missing social media links in your show notes makes it difficult for listeners to connect with you. Why understanding and avoiding common mistakes ensures maximum ROI from podcasting efforts. Are you pouring your heart into your podcast but still not seeing the growth you deserve? Download our free guide to unlock your podcast’s full potential and expand your impact: https://eastcoaststudio.com/5mistakes Our LinkedIn: https://www.linkedin.com/company/eastcoaststudio/ Our Instagram: https://www.instagram.com/ecpodcaststudio/…

حدود یک سال پیش 44:57

MP3•خانه قسمت

Segment Resources:

Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open
Project overview: https://portswigger.net/research/top-10-web-hacking-techniques

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-318

345 قسمت

#Tech News #Applicationsecurityweekly #Sdlc #Softwaredevelpmentlifecycle #News #Security #Tech #Software Development #Security Weekly Productions #DevOps #DevSecOps #AppSec #Decrypts

Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318

Application Security Weekly (Audio)

80 subscribers

published حدود یک سال پیش

اشتراک گذاری

MP3•خانه قسمت

Segment Resources:

Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024
Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open
Project overview: https://portswigger.net/research/top-10-web-hacking-techniques

Visit https://www.securityweekly.com/asw for all the latest episodes!

Show Notes: https://securityweekly.com/asw-318

345 قسمت

#Tech News #Applicationsecurityweekly #Sdlc #Softwaredevelpmentlifecycle #News #Security #Tech #Software Development #Security Weekly Productions #DevOps #DevSecOps #AppSec #Decrypts

همه قسمت ها

1
Appsec News & Interviews from RSAC on Identity and AI - Rami Saas, Charlotte Wylie - ASW #331 1:01:48

۴ روز پیش1:01:48

1:01:48

In the news, Coinbase deals with bribes and insider threat, the NCSC notes the cross-cutting problem of incentivizing secure design, we cover some research that notes the multitude of definitions for secure design, and discuss the new Cybersecurity Skills Framework from the OpenSSF and Linux Foundation. Then we share two more sponsored interviews from this year's RSAC Conference. With more types of identities, machines, and agents trying to access increasingly critical data and resources, across larger numbers of devices, organizations will be faced with managing this added complexity and identity sprawl. Now more than ever, organizations need to make sure security is not an afterthought, implementing comprehensive solutions for securing, managing, and governing both non-human and human identities across ecosystems at scale. This segment is sponsored by Okta. Visit https://securityweekly.com/oktarsac to learn more about them! At Mend.io, we believe that securing AI-powered applications requires more than just scanning for vulnerabilities in AI-generated code—it demands a comprehensive, enterprise-level strategy. While many AppSec vendors offer limited, point-in-time solutions focused solely on AI code, Mend.io takes a broader and more integrated approach. Our platform is designed to secure not just the code, but the full spectrum of AI components embedded within modern applications. By leveraging existing risk management strategies, processes, and tools, we uncover the unique risks that AI introduces—without forcing organizations to reinvent their workflows. Mend.io’s solution ensures that AI security is embedded into the software development lifecycle, enabling teams to assess and mitigate risks proactively and at scale. Unlike isolated AI security startups, Mend.io delivers a single, unified platform that secures an organization’s entire codebase—including its AI-driven elements. This approach maximizes efficiency, minimizes disruption, and empowers enterprises to embrace AI innovation with confidence and control. This segment is sponsored by Mend.io. Visit https://securityweekly.com/mendrsac to book a live demo! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-331…

1
Secure Code Reviews, LLM Coding Assistants, and Trusting Code - Rey Bango, Karim Toubba, Gal Elbaz - ASW #330 1:09:38

11 روز پیش1:09:38

1:09:38

Developers are relying on LLMs as coding assistants, so where are the LLM assistants for appsec? The principles behind secure code reviews don't really change based on who write the code, whether human or AI. But more code means more reasons for appsec to scale its practices and figure out how to establish trust in code, packages, and designs. Rey Bango shares his experience with secure code reviews and where developer education fits in among the adoption of LLMs. As businesses rapidly embrace SaaS and AI-powered applications at an unprecedented rate, many small-to-medium sized businesses (SMBs) struggle to keep up due to complex tech stacks and limited visibility into the skyrocketing app sprawl. These modern challenges demand a smarter, more streamlined approach to identity and access management. Learn how LastPass is reimagining access control through “Secure Access Experiences” - starting with the introduction of SaaS Monitoring capabilities designed to bring clarity to even the most chaotic environments. Secure Access Experiences - https://www.lastpass.com/solutions/secure-access This segment is sponsored by LastPass. Visit https://securityweekly.com/lastpassrsac to learn more about them! Cloud Application Detection and Response (CADR) has burst onto the scene as one of the hottest categories in security, with numerous vendors touting a variety of capabilities and making promises on how bringing detection and response to the application-level will be a game changer. In this segment, Gal Elbaz, co-founder and CTO of Oligo Security, will dive into what CADR is, who it helps, and what the future will look like for this game changing technology. Segment Resources - https://www.oligo.security/company/whyoligo To see Oligo in action, please visit https://securityweekly.com/oligorsac Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-330…

1
AI Era, New Risks: How Data-Centric Security Reduces Emerging AppSec Threats - Vishal Gupta, Idan Plotnik - ASW #329 1:03:03

18 روز پیش1:03:03

1:03:03

We catch up on news after a week of BSidesSF and RSAC Conference. Unsurprisingly, AI in all its flavors, from agentic to gen, was inescapable. But perhaps more surprising (and more unfortunate) is how much the adoption of LLMs has increased the attack surface within orgs. The news is heavy on security issues from MCPs and a novel alignment bypass against LLMs. Not everything is genAI as we cover some secure design topics from the Airborne attack against Apple's AirPlay to more calls for companies to show how they're embracing secure design principles and practices. Apiiro CEO & Co-Founder, Idan Plotnik discusses the AI problem in AppSec. This segment is sponsored by Apiiro. Visit https://securityweekly.com/apiirorsac to learn more about them! Gen AI is being adopted faster than company’s policy and data security can keep up, and as LLM’s become more integrated into company systems and uses leverage more AI enabled applications, they essentially become unintentional data exfiltration points. These tools do not differentiate between what data is sensitive and proprietary and what is not. This interview will examine how the rapid adoption of Gen AI is putting sensitive company data at risk, and the data security considerations and policies organizations should implement before, if, and when their employees may seek to adopt a Gen AI tools to leverage some of their undeniable workplace benefits. Customer case studies: https://www.seclore.com/resources/customer-case-studies/ Seclore Blog: https://www.seclore.com/blog/ This segment is sponsored by Seclore. Visit https://securityweekly.com/seclorersac to learn more about them! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-329…

1
Secure Designs, UX Dragons, Vuln Dungeons - Jack Cable - ASW #328 44:08

25 روز پیش44:08

44:08

In this live recording from BSidesSF we explore the factors that influence a secure design, talk about how to avoid the bite of UX dragons, and why designs should put classes of vulns into dungeons. But we can't threat model a secure design forever and we can't oversimplify guidance for a design to be "more secure". Kalyani Pawar and Jack Cable join the discussion to provide advice on evaluating secure designs through examples of strong and weak designs we've seen over the years. We highlight the importance of designing systems to serve users and consider what it means to have a secure design with a poor UX. As we talk about the strategy and tactics of secure design, we share why framing this as a challenge in preventing dangerous errors can help devs make practical engineering decisions that improve appsec for everyone. Resources https://owasp.org/Top10/A04 2021-Insecure Design/ https://dl.acm.org/doi/10.5555/1251421.1251435 https://www.threatmodelingmanifesto.org https://www.ietf.org/rfc/rfc9700.html https://www.cisa.gov/resources-tools/resources/secure-by-design Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-328…

1
Managing Secrets - Vlad Matsiiako - ASW #327 1:03:03

۵ weeks پیش1:03:03

1:03:03

Secrets end up everywhere, from dev systems to CI/CD pipelines to services, certificates, and cloud environments. Vlad Matsiiako shares some of the tactics that make managing secrets more secure as we discuss the distinctions between secure architectures, good policies, and developer friendly tools. We've thankfully moved on from forced 90-day user password rotations, but that doesn't mean there isn't a place for rotating secrets. It means that the tooling and processes for ephemeral secrets should be based on secure, efficient mechanisms rather than putting all the burden on users. And it also means that managing secrets shouldn't become an unmanaged risk with new attack surfaces or new points of failure. Segment Resources: https://infisical.com/blog/solving-secret-zero-problem https://infisical.com/blog/gitops-secrets-management Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-327…

1
More WAFs in Blocking Mode and More Security Headaches from LLMs - Sandy Carielli, Janet Worthington - ASW #326 1:14:45

۶ weeks پیش1:14:45

1:14:45

The breaches will continue until appsec improves. Janet Worthington and Sandy Carielli share their latest research on breaches from 2024, WAFs in 2025, and where secure by design fits into all this. WAFs are delivering value in a way that orgs are relying on them more for bot management and fraud detection. But adopting phishing-resistant authentication solutions like passkeys and deploying WAFs still seem peripheral to secure by design principles. We discuss what's necessary for establishing a secure environment and why so many orgs still look to tools. And with LLMs writing so much code, we continue to look for ways LLMs can help appsec in addition to all the ways LLMs keep recreating appsec problems. Resources https://www.forrester.com/blogs/breaches-and-lawsuits-and-fines-oh-my-what-we-learned-the-hard-way-from-2024/ https://www.forrester.com/blogs/wafs-are-now-the-center-of-application-protection-suites/ https://www.forrester.com/blogs/are-you-making-these-devsecops-mistakes-the-four-phases-you-need-to-know-before-your-code-becomes-your-vulnerability/ In the news, crates.io logging mistake shows the errors of missing redactions, LLMs give us slopsquatting as a variation on typosquatting, CaMeL kicks sand on prompt injection attacks, using NTLM flaws as lessons for authentication designs, tradeoffs between containers and WebAssembly, research gaps in the world of Programmable Logic Controllers, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-326…

1
In Search of Secure Design - ASW #325 1:07:36

۷ weeks پیش1:07:36

1:07:36

We have a top ten list entry for Insecure Design, pledges to CISA's Secure by Design principles, and tons of CVEs that fall into familiar categories of flaws. But what does it mean to have a secure design and how do we get there? There are plenty of secure practices that orgs should implement are supply chains, authentication, and the SDLC. Those practices address important areas of risk, but only indirectly influence a secure design. We look at tactics from coding styles to design councils as we search for guidance that makes software more secure. Segment resources https://owasp.org/Top10/A04 2021-Insecure Design/ https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/securebydesign https://kccnceu2025.sched.com/event/1xBJR/keynote-rust-in-the-linux-kernel-a-new-era-for-cloud-native-performance-and-security-greg-kroah-hartman-linux-kernel-maintainer-fellow-the-linux-foundation https://newsletter.pragmaticengineer.com/p/how-linux-is-built-with-greg-kroah https://daniel.haxx.se/blog/2025/04/07/writing-c-for-curl/ Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-325…

1
Avoiding Appsec's Worst Practices - ASW #324 1:11:19

۸ weeks پیش1:11:19

1:11:19

We take advantage of April Fools to look at some of appsec's myths, mistakes, and behaviors that lead to bad practices. It's easy to get trapped in a status quo of chasing CVEs or discussing which direction to shift security. But scrutinizing decimal points in CVSS scores or rearranging tools misses the opportunity for more strategic thinking. We satirize some worst practices in order to have a more serious discussion about a future where more software is based on secure designs. Segment resources: https://bsidessf2025.sched.com/event/1x8ST/secure-designs-ux-dragons-vuln-dungeons-application-security-weekly https://bsidessf2025.sched.com/event/1x8TU/preparing-for-dragons-dont-sharpen-swords-set-traps-gather-supplies https://www.rfc-editor.org/rfc/rfc3514.html https://www.rfc-editor.org/rfc/rfc1149.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-324…

1
Finding a Use for GenAI in AppSec - Keith Hoodlet - ASW #323 54:08

۹ weeks پیش54:08

54:08

LLMs are helping devs write code, but is it secure code? How are LLMs helping appsec teams? Keith Hoodlet returns to talk about where he's seen value from genAI, where it fits in with tools like source code analysis and fuzzers, and where its limitations mean we'll be relying on humans for a while. Those limitations don't mean appsec should dismiss LLMs as a tool. It means appsec should understand how things like context windows might limit a tool's security analysis to a few files, leaving a security architecture review to humans. Segment resources: https://securing.dev/posts/ai-security-reasoning-and-bias/ https://seclists.org/dailydave/2025/q1/0 https://arxiv.org/pdf/2409.16165 https://arxiv.org/pdf/2410.05229 https://nicholas.carlini.com/writing/2025/thoughts-on-future-ai.html Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-323…

1
Redlining the Smart Contract Top 10 - Shashank . - ASW #322 53:01

10 weeks پیش53:01

53:01

The crypto world is rife with smart contracts that have been outsmarted by attackers, with consequences in the millions of dollars (and more!). Shashank shares his research into scanning contracts for flaws, how the classes of contract flaws have changed in the last few years, and how optimistic we can be about the future of this space. Segment Resources: https://scs.owasp.org https://scs.owasp.org/sctop10/ https://solidityscan.com/web3hackhub https://www.web3isgoinggreat.com Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-322…

1
CISA's Secure by Design Principles, Pledge, and Progress - Jack Cable - ASW #321 1:13:50

11 weeks پیش1:13:50

1:13:50

Just three months into 2025 and we already have several hundred CVEs for XSS and SQL injection. Appsec has known about these vulns since the late 90s. Common defenses have been known since the early 2000s. Jack Cable talks about CISA's Secure by Design principles and how they're trying to refocus businesses on addressing vuln classes and prioritizing software quality -- with security one of those important dimensions of quality. Segment Resources: https://www.cisa.gov/securebydesign https://www.cisa.gov/securebydesign/pledge https://www.cisa.gov/resources-tools/resources/product-security-bad-practices https://www.lawfaremedia.org/projects-series/reviews-essays/security-by-design https://corridor.dev Skype hangs up for good, over a million cheap Android devices may be backdoored, parallels between jailbreak research and XSS, impersonating AirTags, network reconnaissance via a memory disclosure vuln in the GFW, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-321…

1
Keeping Curl Successful and Secure Over the Decades - Daniel Stenberg - ASW #320 1:09:02

12 weeks پیش1:09:02

1:09:02

Curl and libcurl are everywhere. Not only has the project maintained success for almost three decades now, but it's done that while being written in C. Daniel Stenberg talks about the challenges in dealing with appsec, the design philosophies that keep it secure, and fostering a community to create one of the most recognizable open source projects in the world. Segment Resources: https://daniel.haxx.se/blog/2025/01/23/cvss-is-dead-to-us/ https://daniel.haxx.se/blog/2024/01/02/the-i-in-llm-stands-for-intelligence/ https://thenewstack.io/curls-daniel-stenberg-on-securing-180000-lines-of-c-code/ Google replacing SMS with QR codes for authentication, MS pulls a VSCode extension due to red flags, threat modeling with TRAIL, threat modeling the Bybit hack, malicious models and malicious AMIs, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-320…

1
Developer Environments, Developer Experience, and Security - Dan Moore - ASW #319 1:10:21

13 weeks پیش1:10:21

1:10:21

Minimizing latency, increasing performance, and reducing compile times are just a part of what makes a development environment better. Throw in useful tests and some useful security tools and you have an even better environment. Dan Moore talks about what motivates some developers to prefer a "local first" approach as we walk through what all of this means for security. Applying forgivable vs. unforgivable criteria to reDoS vulns, what backdoors in LLMs mean for trust in building software, considering some secure AI architectures to minimize prompt injection impact, developer reactions to Rust, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-319…

1
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318 44:57

14 weeks پیش44:57

44:57

We're getting close to two full decades of celebrating web hacking techniques. James Kettle shares which was his favorite, why the list is important to the web hacking community, and what inspires the kind of research that makes it onto the list. We discuss why we keep seeing eternal flaws like XSS and SQL injection making these lists year after year and how clever research is still finding new attack surfaces in old technologies. But there's a lot of new web technology still to be examined, from HTTP/2 and HTTP/3 to WebAssembly. Segment Resources: Top 10, 2024: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024 Full nomination list: https://portswigger.net/research/top-10-web-hacking-techniques-of-2024-nominations-open Project overview: https://portswigger.net/research/top-10-web-hacking-techniques Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-318…

1
Code Scanning That Works With Your Code - Scott Norberg - ASW #317 1:12:52

15 weeks پیش1:12:52

1:12:52

Code scanning is one of the oldest appsec practices. In many cases, simple grep patterns and some fancy regular expressions are enough to find many of the obvious software mistakes. Scott Norberg shares his experience with encountering code scanners that didn't find the .NET vuln classes he needed to find and why that led him to creating a scanner from scratch. We talk about some challenges in testing tools, making smart investments in engineering time, and why working with .NET's compiler made his decisions easier. Segment Resources: - https://github.com/ScottNorberg-NCG/CodeSheriff.NET Identifying and eradicating unforgivable vulns, an unforgivable flaw (and a few others) in DeepSeek's iOS app, academics and industry looking to standardize principles and practices for memory safety, and more! Visit https://www.securityweekly.com/asw for all the latest episodes! Show Notes: https://securityweekly.com/asw-317…

به Player FM خوش آمدید!

Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.

به بیش از 500 موضوع گوش کنید

80 subscribers

مشابه Application Security Weekly (Audio)

TERRO Ant Killer Bait Stations T300B - Liquid Bait to Eliminate Ants - 12 Count Stations for Effective Indoor Ant Control

Bounty Quick Size Paper Towels, White, 8 Family Rolls = 20 Regular Rolls (Packaging May Vary)

Mini Mic Pro Wireless Microphone for iPhone, iPad, Android, Lavalier Microphone for Video Recording - 2 Pack iPhone Mic Crystal Clear Recording with USB-C for Podcast, ASMR

پادکست هایی که ارزش شنیدن دارند

Application Security Weekly (Audio) « » Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318

Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318

پادکست هایی که ارزش شنیدن دارند

به Player FM خوش آمدید!

Clean Skin Club Clean Towels XL™, 100% USDA Biobased Face Towel, Disposable Face Towelette, Eczema Association Accepted, Makeup Remover Dry Wipes, Ultra Soft, 50 Ct, 1 Pack

Amazon eGift Card - Bright Balloons (Animated)

Scott ComfortPlus Toilet Paper, 12 Double Rolls, 231 Sheets per Roll, Septic-Safe, 1-Ply Toilet Tissue

Neutrogena Makeup Remover Wipes, Daily Facial Cleanser Towelettes, Gently Cleanse and Remove Oil & Makeup, Alcohol-Free Makeup Wipes, 2 x 25 ct

مشابه Application Security Weekly (Audio)

راهنمای مرجع سریع

Application Security Weekly (Audio) « »
Top 10 Web Hacking Techniques of 2024 - James Kettle - ASW #318