GET EXPRESSVPN DEAL — Get 3 extra months FREE on your 12-month plan (LIMITED TIME OFFER)

Additional menu

The VPN Experts

Home to Best VPN Reviews, Comparisons, and Analysis

You are here: Home / Orenh Application Security, Web Application Security and Penetration Testing

Orenh Application Security, Web Application Security and Penetration Testing

For me, information security is not just a profession – it is a way of thinking, a mindset, which can be used to improve the lives of billions of users.

I am a  security enthusiast. I performed over 400 security audits and penetration tests (application and network), managed a team of a dozen security consultants and reported critical security vulnerabilities in products of large security software vendors, such as Google, IBM, Oracle, Adobe, Microsoft, Facebook, SAP, BEA, and more.

The purpose of this blog is to share my personal opinions and discoveries.

Publications

  • A new web vulnerability that is applicable for Google, Microsoft, Facebook, Yahoo, Mozila and more  (2013 – to be published).
  • IIS Shortname Scanning Tool (2013 – to be published).
  • 3 Paypal XSS –  (2013 – to be published).
  • Google XSS enabled by CSRF and Flow-Bypass  (2013 – to be published).
  • Google Accounts/Email Information Disclosure vulnerability  (2013 – to be published).
  • SAP critical vulnerability (2013 – to be published) – http://scn.sap.com/docs/DOC-8218
  • Google Plus “wormable” Click-Jacking vulnerability (2013 – to be published).
  • Oracle BEA Plumtree DOM cross-site scripting, CVE-2013-1529 (2013) – http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml
  • Oracle SSO (OBLIX) open redirect vulnerability, CVE-2013-1497 (2013) – http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
  • Critical persistent cross-site scripting in “Google Sites” (2012): http://www.google.com/about/appsecurity/hall-of-fame/reward/.
  • Adobe ColdFusion remote administrator interface access (2012 – to be published).
  • Hackvertor.co.uk XSS challenge top 7 (2012) – http://challenge.hackvertor.co.uk/?challenge=4 .
  • Ajax Hammer (2012) – http://hasc-research.googlecode.com/files/AJAX%20Hammer%20-%20Harnessing%20AJAX%20for%20(Direct)%20Dynamic%20CSRF.pdf
  • Adobe ColdFusion two cross-site scripting vulnerabilities (2011) – http://www.adobe.com/il_en/support/security/bulletins/apsb11-29.html .
  • Session Puzzling attack (2011) – http://sectooladdict.blogspot.co.il/2011_09_01_archive.html .
  • PHP-IDS Multiple bypasses (2011) – http://sla.ckers.org/forum/read.php?12,30425,36198,page=30.
  • Multiple IBM products login page cross-site scripting vulnerabilities (2010) – http://www.securityfocus.com/bid/38412/info .
  • Facebook login page cross-site scripting (2009 – reported, but not published).
  • Oracle E-Business Suite multiple remote vulnerabilities (2009) – http://www.securityfocus.com/bid/37305/info .
gototop