AppSec Serialized by Invicti

Cross-site scripting (XSS) is one of the oldest web vulnerability types and still a very real threat.
In this episode, Frank Catucci and Dan Murphy talk about the origins of cross-site scripting, some high-profile attacks, and best practices to test for and also prevent XSS in applications. In the fiction segment, Mallory the hacker uses XSS to inject script into an old and vulnerable leaderboard server—but she has to work hard to get around the WAF first.

Knowing what sites, apps, and APIs you’re exposing to the Internet is crucial for determining your realistic risk level and making accurate security decisions.
In this episode, Frank Catucci and Dan Murphy are joined by special guest Bogdan Calin, Principal Security Researcher at Invicti, to talk about ways of determining an organization’s web attack surface and the resulting risk level. In particular, they discuss the pro and cons of various AI and ML approaches to this problem and go deeper into the workings of the pioneering Predictive Risk Scoring feature that Bogdan helped design and build.
In the fiction segment, it’s Bob the CISO’s first day at a new company and from the first cursory check, he’s worried that the org is exposing a lot more that it should be. A call with Alice the head developer does nothing to put his mind at ease—quite the opposite...

APIs are the secret door through which so many application attacks are executed in recent years. Compared to graphical user interfaces, they are far easier to build and deploy but far harder to test and secure, making API security a top concern.
In this episode, Frank Catucci and Dan Murphy dive into the world of API security, discussing high-profile breaches and looking at ways to discover and test the API part of your web applications. In the fiction segment, Mallory the hacker finds a shadow API being exposed by MegaHelix Corp.