Software Integrity Blog

Archive for the 'DAST' Category

 

An important update regarding Tinfoil Azure marketplace plans

Hi everyone! Over the last few months, we have been in contact with the Azure App Services team about discontinuing our site extension offering in the Azure Marketplace. The scanning service will continue to be available on our standalone site, and existing users of the Azure extension will have the opportunity to migrate their account. The Azure team has made a full announcement on their blog, which you can read here:


Posted in DAST

 

Wormwood – An Explicit Way to Test Absinthe GraphQL APIs

We love GraphQL at Tinfoil! We use it extensively in our Elixir and Phoenix powered API scanner. We try to test our code using ExUnit whenever possible to help ensure a stable and smooth development cycle. Testing an Absinthe GraphQL API usually follows the pattern of setting up a ConnCase, making the request, and then validating that the data returned from the request was valid. It looks a lot like the following:


Posted in DAST

 

Announcing GraphQL Security Scanning

For the second time this year: API security scanning changes today. We’ve been working hard on adding support to scan GraphQL APIs for security vulnerabilities, best practices, and correctness. Earlier this year, the Tinfoil Security API Scanner initially launched with support for the Swagger documentation format, and we’re excited to expand coverage to now include GraphQL APIs. To be clear, we’re not deprecating support for OpenAPI scanning – in fact, OpenAPI specification v3 support is coming soon! We’ve enjoyed building our own GraphQL APIs to power our user interfaces and we felt the need to ensure their correctness as we built them. To that end we’ve added first-class GraphQL support to our API Scanner. We’re thrilled today to announce the beta of our GraphQL scanning capabilities at the GraphQL Summit conference in San Francisco.


Posted in DAST

 

You’ve Got the Swagger, We’ve Got the SaaS

API security scanning changes today. Tinfoil Security is launching our new patent-pending API Scanner! After astounding feedback from developers leveraging our scanner and rigorous testing, we are proud to offer our scanner to the public. We are giving developers and companies the ability to scan and secure APIs with two different methods of deployment: on-premise and SaaS. We are very excited to invite you to see the API Scanner in action.


Posted in DAST

 

Server-side GraphQL Querying with Elixir Absinthe

GraphQL is a few years old, and its promises are well known and pretty compelling. Get only the data your front end needs to display, introspection and type constraints, relate all your data in a graph of relationships, etc.! All great things, but if you’re like us and you start to retrofit a GraphQL API onto a REST-based site, you start to notice a divide.


Posted in DAST

 

Should I include CSRF protection on a login form?

Since I found Angel’s “Plain English” series of blog posts so helpful when I was first learning about different kinds of vulnerabilities on the web, I wanted to continue that series. I hope to expand into some of the nuances of more commonly known vulnerabilities, and touch on some of the less well known ones. Let’s get started with one special case that I often find questions about: CSRF on a login form.


Posted in DAST

 

Today I Learned: Using SCSS in your Vue Components

If you haven’t yet looked into Vue.js, it might be time to. The front-end framework is a powerful, progressive alternative to its main rivals, Facebook’s React and Google-backed Angular, and has been continuously gaining traction among the open source community.


Posted in DAST

 

Dockerfiles for Phoenix

While a lot of our older software was written in Ruby and Ruby on Rails, we’ve been expanding the past couple of years into Elixir and Phoenix (Elixir’s batteries-included web framework). Docker remains our preferred mechanism to deliver our software in a well-tested and repeatable format. I’d like to share with you a simple Dockerfile for Phoenix, specifically supporting Phoenix >= 1.4, which uses webpack instead of brunch.


Posted in DAST

 

Protect Yourself from Magecart Using Subresource Integrity

Magecart has become a big issue in web application security the past few days. They have skimmed credit card information from British Airways and more recently have been injecting into JavaScript assets served by Feedify. Modern websites use many resources to provide the rich experiences customers have come to expect. However, if you don’t directly host or control those resources you are vulnerable to a provider getting attacked and having malicious code injected into the assets you were previously consuming.


Posted in DAST

 

A Quick Guide to the Complex: Ecto.Multi

Ecto.Multi, a data structure added in Ecto 2.0, is an extremely useful tool for creating and executing complex, atomic transactions. This very brief guide will cover a few of the most useful methods associated with Ecto.Multi and when to use them.

Common Uses

insert(multi, name, changeset_or_struct, opts \\ [])

The most straightforward way to use Ecto.Multi is to chain individual changesets together. insert, update, and delete functions are available and all behave as you might expect them to, with all operations executed in the order in which they are added. You can imagine a transaction dealing with a user signing up via an invitation email might look something like this:


Posted in DAST