Hey Everyone, As promised last week, we have made changes to the content of our HBN BootCamp course. We have updated the course content to include the following attack vectors, vulnerabilities and...
Ever since Ron Gula’s RiskyBusiness talk #142 about their Nessus philosophy, I decided to come out of the closet and share with our readers the work we do in the vulnerability management field....
The intertubes have been humming lately around a certain NTP feature to gather lists of NTP servers’ clients and it naturally grabbed our attention. The humming was started by HD Moore recently...
Following on from Evert’s posting about the new BroadView v4, I’d like to showcase a specific aspect of BV that we’ve found useful, namely Attributes. These are small pieces of data collected and...
As the need for online anonymity / privacy grew, the proxy industry flourished with many proxy owners generating passive incomes from their proxy networks. Although ‘proxy’ is normally thought to...
In my previous role working as a security manager for a large retailer, I developed some password tools for various purposes, primarily to help non-security people with some of the basics. I...
The ITWeb security summit is coming up next week from the 11th to 13th of May. This is a conference we’re quite excited about, and have been involved in for the last few years, but most recently,...
I’m pleased to announce the release of J-Baah – the port of CrowBar (our generic HTTP Fuzzing tool) to Java. If you’ve used CrowBar before, using J-Baah should be a breeze. If you haven’t, it...
A brief update from South Africa on some recent talks as well as the upcoming BH USA: our talk proposal has been accepted for BH USA 2010 which makes it the ninth year running that SensePost is...
Most of our clients that make use of our vulnerability management service, HackRack, manage a large and usually interactive web application environment, that makes use of SSL. HackRack would then...
After hearing our talk was accepted at BlackHat, we’re happy to announce that our training will be back for its 9th straight run. Speaking of a run, we’re going to be hosting the usual marathon...
Sigh. We’ve never been much good at marketing or advertising, and I guess we still aren’t. But we have tried to give our old website a bit of a face-lift, and it’s starting to feel like we’re...
Since joining SensePost I’ve had a chance to get down and dirty with the threat modeling tool. The original principle behind the tool, first released in 2007 at CSI NetSec, was to throw out...
A very common finding in our day to day vulnerability management endeavours is the HTTP Methods Per Directory. In its most basic form, HackRack will determine which HTTP methods are allowed on...
Today at BlackHat USA 2010 we released a tool for manipulating memcached instances; we still need to write it up properly but here’s a link to the tool for the moment. tl;dr: if you find a...
[Update: Disclosure and other points discussed in a little more detail here.] Why memcached? At BlackHat USA last year we spoke about attacking cloud systems, while the thinking was broadly...
Wow. At some point our talk hit HackerNews and then SlashDot after swirling around the Twitters for a few days. The attention is quite astounding given the relative lack of technical sexiness to...
Last week we presented an invited talk at the ISSA conference on the topic of online privacy (embedded below, click through to SlideShare for the original PDF.) The talk is an introductory...
From the team that won the world’s first Soccer Hack Cup, we bring you the latest and the greatest in computer hacking training – SensePost Hacking By Numbers Extended Edition – a local course...
At the invitation of the South African Department of Trade and Industry SensePost will form part of a South African delegation represented at GITEX 2010 from 17-21 October 2010: Dubai...
Our next scheduled training sessions have been planned for November. If you’re interested in attending, the dates and locations are: 1) HBN Bootcamp Edition 7-9th November, BlackHat Abu Dhabi...
Introduction From time to time I like to delve into malware analysis as a pastime and post interesting examples, and recently we received a malware sample that had a low-detection rate. Anti-Virus...
The bad news is that our course at Black Hat Abu Dhabi is completely full. The good news is … they’ve given us a bigger room! So if you’ve been told the course is full, or if you haven’t...
In our recent memcached investigations (a blog post is still in the wings) we came across numerous caches storing serialized data. The caches were not homogeneous and so the data was quite varied:...
[This is the second in a series of posts on Pickle. Link to part one.] In the previous post I introduced Python’s Pickle mechanism for serializing and deserializing data and provided a bit of...
[This is the third in a series of posts on Pickle. Link to part one and two.] Thanks for stopping by. This is the third posting on the bowels of Python Pickle, and it’s going to get a little more...
As the year winds down, it’s time to mention a few internal victories that are fun to share: Daniel Cuthbert and Rogan Dawes (both staunch OWASP proponents) have joined our assessment team, which...
To all our customers, staff (past and present), business partners, friends and associates I’d like to wish a joyous and peaceful festive season. What started out as a depression is slowly becoming...
If you use the Gregorian Calendar, then Happy New Year! Down here in South Africa, we’ve also ushered in a new year and in celebration SensePost is releasing source code for our in-house web...
Hey. Charl here. Lots of stuff is happening on the training front right now (ed: right now!), and I wanted to make sure everyone is aware of it. 1. New schedule published At the start of the year...