It’s been an exciting past couple of weeks. First we launched the new CLI, then we integrated with Code Climate, and now we are going to ship a couple more integrations and a new, much asked for enterprise feature: exceptions.

Grunt & Gulp

We know not everyone uses the same tools for their dev/CI process, so the CLI might not be enough for you. To help make requireSafe accessible to everyone we’ve released grunt-requiresafe and gulp-requiresafe.

Additionally, with the release of these integrations, we are now at feature parity with the Node Security Project tooling. If you are ...


We are proud to announce an exciting partnership with Code Climate. Starting today requireSafe will be available as one of the many static analysis tools available on Code Climate’s platform.

requireSafe (available in beta) audits your Node.js modules using a seasoned auditing team and alerts you to vulnerabilities when Node Security Project advisories are created or updated. Of interest specifically is the use of the CLI tool to help identify known vulnerabilities in your own projects.

To make this available to as many developers as possible, we’re releasing requireSafe as an open source “Engine” for the Code ...


Today we are extremely excited to announce the release of a brand new version of the requireSafe Command Line Interface (CLI).

On the surface it works like the old version; however, you will notice that a lot of extraneous functionality, like logging in or registering, has been removed, leaving only the core requiresafe check command in place.

Why did you remove all the goodies?

To be blunt we got a little ahead of ourselves with some features in the beta and decided to burn it down and go back to the basics to make it a better experience for our core ...


All good things eventually come to an end. All poorly maintained but fun projects tend to as well. After 4 years I’m going to shut down xss.io. Its last day will be September 30th.

xss.io was built to serve my needs for extended penetration tests and as a proof of concept for a talk I gave at DEFCON 20 demonstrating the usefulness of such a technique. It met this goal.

I open sourced it a while back; you can find the code here.

Here are some stats from xss.io’s run: - 338 people logged in and ...


We all know that security is hard. But it’s often hard in an advanced-math kind of way: cryptography, encryption, hashing algorithms, cipher suites, elliptic curves, and all the rest are challenging subjects that are not easy to understand.

By contrast, our topic for today - internationalization - is hard in a messy-reality kind of way. Internationalization (often called “i18n” for short because who wants to keep typing those 18 letters between the “i” and the “n”?) involves some exceedingly complicated matters, including:

  • thousands of human languages
  • dozens of scripts (Latin, Cyrillic, Arabic, Kanji, Runic, etc.) used to write those languages
  • 1 ...

As of right now there really isn't a great source for all things node security news, and we want to change that.

Starting May 20, we're going to start sending out a security newsletter — a Node Security Newsletter that will get dispatched every two weeks.

But we want to collaborate on curating that news with you. We need your suggestions, hacks, most helpful advisories, etc. – all of the things that you feel would be the best gathering of valuable info for us to share across the Node community.

Sign up to get on the Node Security Newsletter mailing ...


A Brief Review

For many, this section will be a review, so feel free to skip ahead. However, since we are dealing with some features of the JavaScript language that most of us don't use every day, I'm going to go ahead and give a brief refresher so the rest of this makes sense.

Object oriented programming in JavaScript can be a little bit unconventional. Typically, private methods and variables are expressed as locally declared variables, while public methods and variables are expressed as properties attached to the this object, which is an object that refers to current ...


A little under a year ago, I began using an application called MailPilot. MailPilot is an email client built around the concept of inbox zero and is available for both iOS and OSX.

Being someone in the security field, I frequently send and receive emails that contain exploit vectors.

A few months into using MailPilot, I had sent an email that had a Cross-Site Scripting vector in it which caused my inbox to render strangely. Of course I had to tinker with it, and ended up getting code execution through simple content injection within the context of the application's NSWebView ...


Over the years I've been frequently asked how I find the things I do when testing a web application. I've also had to teach a number of people the art and have found it difficult to explain it sometimes. The various stages can overlap and sometimes merge together making it entirely unclear how to proceed.

I've done my best here to distill the points I tend to reiterate over and over down to a list of steps for those I teach; I believe they will help you find vulnerabilities in your apps as well.

What Does the App ...


Team ^lift is kicking off a busy spring season with a quick trip through Cali and over to Portugal.

Last week Adam Baldwin, &yet CSO and ^lift security team lead, stopped by PayPal to share some security insights.

This week, he and security specialist David Dias head to SINFO in beautiful Lisbon, Portugal. On Wednesday, Adam will be speaking on his personal experiences from his lifelong career in security. Find him or David there to chat ...
