Orenh Application Security, Web Application Security and Penetration Testing

For me, information security is not just a profession – it is a way of thinking, a mindset, which can be used to improve the lives of billions of users.

I am a  security enthusiast. I performed over 400 security audits and penetration tests (application and network), managed a team of a dozen security consultants and reported critical security vulnerabilities in products of large security software vendors, such as Google, IBM, Oracle, Adobe, Microsoft, Facebook, SAP, BEA, and more.

The purpose of this blog is to share my personal opinions and discoveries.


  • A new web vulnerability that is applicable for Google, Microsoft, Facebook, Yahoo, Mozila and more  (2013 – to be published).
  • IIS Shortname Scanning Tool (2013 – to be published).
  • 3 Paypal XSS –  (2013 – to be published).
  • Google XSS enabled by CSRF and Flow-Bypass  (2013 – to be published).
  • Google Accounts/Email Information Disclosure vulnerability  (2013 – to be published).
  • SAP critical vulnerability (2013 – to be published) – http://scn.sap.com/docs/DOC-8218
  • Google Plus “wormable” Click-Jacking vulnerability (2013 – to be published).
  • Oracle BEA Plumtree DOM cross-site scripting, CVE-2013-1529 (2013) – http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1841214.xml
  • Oracle SSO (OBLIX) open redirect vulnerability, CVE-2013-1497 (2013) – http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
  • Critical persistent cross-site scripting in “Google Sites” (2012): http://www.google.com/about/appsecurity/hall-of-fame/reward/.
  • Adobe ColdFusion remote administrator interface access (2012 – to be published).
  • Hackvertor.co.uk XSS challenge top 7 (2012) – http://challenge.hackvertor.co.uk/?challenge=4 .
  • Ajax Hammer (2012) – http://hasc-research.googlecode.com/files/AJAX%20Hammer%20-%20Harnessing%20AJAX%20for%20(Direct)%20Dynamic%20CSRF.pdf
  • Adobe ColdFusion two cross-site scripting vulnerabilities (2011) – http://www.adobe.com/il_en/support/security/bulletins/apsb11-29.html .
  • Session Puzzling attack (2011) – http://sectooladdict.blogspot.co.il/2011_09_01_archive.html .
  • PHP-IDS Multiple bypasses (2011) – http://sla.ckers.org/forum/read.php?12,30425,36198,page=30.
  • Multiple IBM products login page cross-site scripting vulnerabilities (2010) – http://www.securityfocus.com/bid/38412/info .
  • Facebook login page cross-site scripting (2009 – reported, but not published).
  • Oracle E-Business Suite multiple remote vulnerabilities (2009) – http://www.securityfocus.com/bid/37305/info .
About Sebastian Riley

Sebastian Riley is a cyberlibertarian activist and an internet freedom fighter who strongly believes in an unsegregated and uncensored internet. With a cybersecurity degree, Sebastian is a professional bug hunter and a freelance opensource penetration tester.