PinnedA Deep Dive On The Most Critical API Vulnerability — BOLA (Broken Object Level Authorization)Intro In this article I dig into the details about Broken Object Level Authorization (BOLA) — the most common and most severe API vulnerability today according to the OWASP API Security Project. Insecure Direct Object Reference (IDOR) and BOLA are the same thing. …API16 min read
Dec 17, 2021Log4Shell — Simple Techincal Explanation of the ExploitLast week’s Log4Shell vulnerability is a dramatic example of how modern applications, interconnected services and pervasive APIs can create substantial security challenges. As a security researcher who has spent years looking at API vulnerabilities, this is an excellent example of how things can go wrong. …Log 4 J6 min read
Sep 23, 2021Hacking your mind — Mindfulness Journey from a hacker perspectiveIntro My job is to hack systems, so I usually write about cybersecurity and different hacking techniques. Today I decided to write about something a bit different — my mindfulness journey and how I find this process similar to hacking. Background Before I jump into the details, I would like to share…Mindfulness9 min read
Aug 23, 202131 Tips — Advanced Bug Bounty & PentestingTo welcome Blackhat & Defcon conferences, we published a daily tip on Bug Bounty & AppSec during the month of July 2021. We started this project because we wanted to help developers, security engineers, and pentesters learn about AppSec and API pentesting. We realize it’s not easy to find resources…Pentesting2 min read
Apr 19, 2021Behind the Scenes of SAST — The Challenges of Code ScanningI love the idea behind Static Application Security Testing (SAST) tools — they aim to create a utopian world clean from application vulnerabilities. If Dynamic Application Security Testing (DAST) tools look at your application to find doors and windows left open to intruders, SAST tools try to prevent them from…Application Security7 min read
Mar 16, 2021Behind the Scenes of DAST — How do Security Scanners Work?The idea behind Dynamic Applications Security Testing (DAST) is pretty clever — a tool that simulates a human penetration tester. With the URL of an app to test, the tool gets its hands dirty and provides a vulnerabilities report. DAST tools are not just contextless fuzzers; they have intelligence and…Appsec7 min read
Aug 26, 2020Modern Application Security — Good and Bad NewsThis is the second article in a 2-part blog series. In the previous article, we talked about the major changes in application development in the last several years. In this article, we will discuss how these changes impact application security as we used to know it, and redefined the boundaries. Extended Boundaries: Application Security is a Widespread Concern …Application Security4 min read
Aug 26, 2020Modern Application Security — What are Modern Applications?Introduction This is the first article in a 2-part blog series outlining how application security has changed (or needs to change). Before I get into the article, let me give you a little background on myself. I am currently the Head of Security Research at Traceable but my personal journey with…API6 min read
Published in InfoSec Write-ups·Feb 4, 202031 Tips — API Security & PentestingTo welcome the new year, we published a daily tip on API Security during the month of January 2020. We started this project because we wanted to help developers, security engineers and pentesters learn about API security and API pentesting. We realize it’s not easy to find resources in these…Pentesting2 min read
Published in Salt Security·Dec 6, 2018What Moving To the Bay Area Taught Me About Loving My Pentesting Tools (Burp Suite vs Fiddler)Let’s talk for a moment about love, relationships and commitment… Most application security engineers I’ve met have already settled down and found their special one. They stick with that one, stay committed and never have a second thought about another. I’m talking about Burp and Fiddler To be honest, I…Application Security7 min read
