Include Security


Simply stated: Give us any kind of app and we'll hack it better than the rest.

Our clients include awesome tech companies in Silicon Valley, NYC, and beyond.

Main Site: https://www.includesecurity.com
Blog: https://blog.includesecurity.com

Do you use or exploit WebSockets? Check out our new blog post to see how modern browsers may (or may not) be protecting you from Cross-Site WebSocket Hijacking!

https://blog.includesecurity.com/2025/04/cross-site-websocket-hijacking-exploitation-in-2025/

Cross-Site WebSocket Hijacking Exploitation in 2025 - Include Security Research Blog

Include Security's latest blog post covers Cross-Site WebSocket Hijacking and how modern browser security features do (or don't) protect users. We discuss Total Cookie Protection in Firefox, Private Network Access in Chrome, and review the SameSite attribute's role in CSWH attacks. The post includes a few brief case studies based on situations encountered during real world testing, in addition to a simple test site that can be hosted by readers to explore each of the vulnerability conditions.

Include Security Research Blog
New research🤩 on old tech👴! Our team's latest blog post demonstrates many ways memory vulnerabilities can occur in your legacy Delphi code despite being described as a "memory safe" language by the NSA.
https://blog.includesecurity.com/2025/03/memory-corruption-in-delphi/
Memory Corruption in Delphi - Include Security Research Blog

In our team's latest blog post, we build a few examples that showcase ways in which memory corruption vulnerabilities could manifest in Delphi code despite being included in a list of "memory safe" languages within a paper published by the NSA. We cover how compiler flags and dangerous system library routines could affect memory safety while demonstrating Delphi stack/heap-based overflow examples and conclude with a few tips for developers to avoid introducing memory vulnerabilities in their Delphi code.

New blog! Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. Well-documented behavior is not always what it appears!
https://blog.includesecurity.com/2024/11/spelunking-in-comments-and-documentation-for-security-footguns/
Spelunking in Comments and Documentation for Security Footguns - Include Security Research Blog

Join us as we explore seemingly safe but deceptively tricky ground in Elixir, Python, and the Golang standard library. We cover officially documented, or at least previously discussed, code functionality that could unexpectedly introduce vulnerabilities. Well-documented behavior is not always what it appears!


Who hacks the hackers? We do!

Our new research on vulns in C2 frameworks used by netpen and red teams.
https://blog.includesecurity.com/

Include Security Research Blog

Team Research blog


Fresh blog post for ya!

We introduce coverage-guided fuzzing as a concept to hunt down bugs faster via modification of the Fuzzilli fuzzer from Google Project Zero.

https://blog.includesecurity.com/2024/04/coverage-guided-fuzzing-extending-instrumentation/

Coverage Guided Fuzzing - Extending Instrumentation to Hunt Down Bugs Faster! - Include Security Research Blog

In our latest blog post, we introduce coverage-guided fuzzing with a brief description of fundamentals and a demonstration of how modifying program instrumentation can be used to more easily track down the source of vulnerabilities and identify interesting fuzzing paths.

We're glad everybody enjoyed our April Fools' joke for 2024. See, you can be serious about security but also have fun!

We released our new semgrep rules today. Given the recent news about executive orders from the White House, we thought it would be important to flag all of the code that doesn't meet federal standards.

Memory Safety is serious stuff today:
https://github.com/IncludeSecurity/Memory-Safety-Detector-Rulepack

#semgrep #security #memorysafety #rust #c #cpp #illegalcode

GitHub - IncludeSecurity/Memory-Safety-Detector-Rulepack: Use these SAST rules to prevent federally illegal code in your applications!


The new @OpenSecurityTraining2 website went up today.

We're happy to support great open/free security training to get more folks into our industry. If you want to learn low-level RE/hacks/OS check out OST2! https://ost2.fyi/Home.html

We're still seeing a lot of Ruby code out there in the tech world. If we see it we hack it! Latest blog post on advanced deserialization gadget chains for exploitation of Ruby applications is up.

https://blog.includesecurity.com/2024/03/discovering-deserialization-gadget-chains-in-rubyland/

Discovering Deserialization Gadget Chains in Rubyland - Include Security Research Blog

If you have ever looked at the source code of a Ruby deserialization gadget chain, I bet you've thought "what sorcery is this"?


Oh Hi Mastodon world. We're IncludeSec.
https://www.IncludeSecurity.com

We like to talk about hacking stuff.

Home - Include Security

Include Security is an Application Security Consulting Company based in New York City
