I’ve learned some rather intriguing things about what our mobile apps are doing while we’re not looking in the six days since I launched the challenge to find crazy stuff in mobile app communications [https://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html]. For example, there’s the social app that allows you to accept friend requests on behalf of someone else [https://www.troyhunt.com/2014/10/find-crazy-stuff-in-mobile-app.html#comment-1627770487] if you call the API in the right...

In the spirit of “here’s something I couldn’t find an easy answer for so I’m writing it myself”, let me very briefly run you through how to have Raygun ignore specific exception types raised by Web API. Firstly, Web API support came a couple of months ago [https://raygun.io/blog/2014/08/webapi-exception-tracking/] which is rather important given how much stuff is transitioning to APIs these days. I use Web API fairly extensively in Have I been pwned? [https://haveibeenpwned.com/] (HIBP), partl...

Here’s a pop quiz for you: how much data do you reckon this iPad app downloads when it first runs? I don’t mean how big it is to download from the App Store (it’s 25MB), I mean after you download it then simply tap the icon to fire it up, how much data does it pull down if you don’t touch it again? Take a close look and consider the answer before reading on: Now you’ve probably done what I would have done – looked what you can see on the screen, speculated about how you’d build it in a way to...

I imagine this is what it’s like when one of your kids gets old enough to finally beat you at something you’ve poured your heart into teaching them. Yes, I’m proud and it’s awesome that it has turned out so well, but I was still a little disappointed to get this the other day: This came totally out of the blue for me which, of course, is exactly how it’s meant to work. If all this is unfamiliar to you, this is the paste monitoring feature of “Have I been pwned?” (HIBP) which I launched last m...

Remember Shellshock? How could anyone forget! This thing has totally dominated the news – not just the tech news either – and like Heartbleed before it (inevitably the yardstick we compare it to), the hype has been, well, somewhat overinflated. I get it – it is a big thing – but the press has a way of sensationalising things in a pretty unique way. Case in point: I wrote Everything you need to know about the Shellshock Bash bug [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about...

Here’s a scary stat for you: last year was the most hacked year ever. According to Risk Based Security [https://www.riskbasedsecurity.com/reports/2013-DataBreachQuickView.pdf], we saw 823M records exposed via data breaches: Nasty stuff right? Yeah, but it gets worse. As of mid 2014, we’re already looking at 502 million records exposed [http://datalossdb.org/incident_highlights/66-hacking-exposed-78-of-all-records-compromised-in-first-half-of-2014] . Bugger. These breaches keep on coming and w...

It’s six days since I wrote about Shellshock [https://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html] and the response has been massive. There’s clearly a lot of interest in this bug and indeed there have been some pretty dire warnings about the impending “Bashpocalypse” which ultimately, hasn’t really happened. I’m sure it’s made life tricky for some sysadmins and I’m also sure there have been many servers that have suffered from what by all objective measures, remains a pretty...

Did I mention that we have some terrible security flaws with our APIs behind rich client apps? Pretty sure I did’; oh and I did just write a Pluralsight course that shot to the top of the charts [http://pluralsight.com/training/Courses/TableOfContents/hack-your-api-first] so yeah, there’s that! There are a few reasons why vulnerabilities in APIs are the new black: 1. They’re that much less obvious than vulnerabilities in browser-based apps; you don’t see the URL, you don’t get browser war...

This content is now available in the Pluralsight course "Understanding the Shellshock Bash Bug" [http://www.pluralsight.com/courses/shellshock-bash-bug]Remember Heartbleed [https://www.troyhunt.com/2014/04/everything-you-need-to-know-about.html]? If you believe the hype today, Shellshock is in that league and with an equally awesome name albeit bereft of a cool logo (someone in the marketing department of these vulns needs to get on that). But in all seriousness, it does have the potential to be...

These real world experiences with Azure are now available in the Pluralsight course "Modernizing Your Websites with Azure Platform as a Service" [http://www.pluralsight.com/courses/modernizing-websites-microsoft-azure]This is not what you want to see on your Azure website: Ok, so what are we looking at here? CPU goes up and up and up and then… dramatically down. There are even some additional coloured lines in the middle of that graph indicating that there were more instances put on just to d...