The Web Application Hacker’s Handbook is a good general introduction to web security and to the steps you should take when looking for security flaws; the final chapter summarises that methodology quite well in this image:
This is a fascinating podcast episode with Troy Hunt of Have I Been Pwned, which covers topics such as the Nissan Stack Overflow code reuse, the Ashley Madison data breach, the We-Vibe spying vibrator, Cloudflare and 1Password.
- Don’t chase attackers.
- The principle of least privilege is a distraction.
- Security is more important than speed.
- Reduce the bug rate.
- Eliminate code.
- Think about the Trusted Code Base.
This is a reasonably short post about how the (not fully standardised) Range header and no-CORS requests interacted to cause problems, followed by a longer rant on Microsoft’s handling of the issue.