Cross Site Scripting (XSS) is an injection vulnerability in which an attacker runs their own code in a victim's browser. In practice this means arbitrary JavaScript, which can be used for keylogging, defacing the website (say, with hate speech) or stealing credentials.

Why should I care?

It’s a severe vulnerability: the attacker’s code runs with the privileges of the domain it has a foothold in.

Types:

Stored: particularly dangerous, because it’s a deploy-once, everyone-is-affected variety. The payload lives on the web server, which returns the malicious content to every visitor. For example, a forum post.

Reflected: still as impactful as Stored XSS, with more work involved…


Well hey there Devs and security practitioners. This post is about application security via the OWASP top 10 lens, filtered again…through mine.

If you’re reading this and would like to be a Security Engineer or brush up on your secure development skills, please reference Owasp.org. They have chapters all over the world for networking with other professionals, study groups and helpful documentation covering vulnerabilities and remediation. Their best-known product is the OWASP Top 10 document, released every two years to follow current patterns.

However, it’s not always straightforward. I’m going to break it down how I…


Look — I get it. It’s kinda crazy to build your own everything when there are people who’ve already done it. SaaS products, open source and plugins are great at solving problems immediately with their flashy features. It could be something for your business like a chatbot, an instant grammar-checking tool, or a marketing tracking pixel.

For the purposes of this blog, this post is about evaluating purchases in a corporate environment, but the same questions apply to our daily personal choices and to the software we build ourselves.

Show me the data

First questions I ask when evaluating a product is — what…


This post comes directly from the Considering 3rd party purchases and tools post, so see that post for a deeper dive into Threat Modeling product assessments. This explanation is beefy enough to warrant its own post, so enjoy!

First — what are the risks with 3rd party products?

  • Breaking changes: not only code injection. Another scenario is that your tooling depends on a CDN and the CDN changes, which might break your site or cause an outage. Not all problems are malicious in intent.
  • Loss of control of your client product. Code injection like Cross Site Scripting…

Why do you need to care? Untrusted Code running wild on your domain doing nefarious things — that’s why!

In this post we talk about untrusted HTML and JavaScript. You may run user-supplied HTML, raw HTML from a backend service, or HTML templates. In each case, you should take precautions.

Perhaps you’re using an externally sourced chatbot in your application, or you’d like to allow a customer to create their own advertisement by writing their own HTML to run on your site. While these can be useful, they can also be dangerous.

We have a saying in Security: “it’s not…


This is a prerequisite to the onsite training I give at conferences. We will download and verify the signature of the Burp Suite package. Then we install Burp’s CA certificate so it can inspect HTTPS traffic.

Download and verify

Navigate to https://portswigger.net/burp/communitydownload and download the Community Edition.

View the shasum by clicking the text “show shasums”.

In your terminal, navigate to the directory the package was downloaded to and run the shasum command, then compare its output against the value shown on the download page. Here’s an example for Mac:

$ shasum -a 256 /Users/{your name}/Downloads/{burp suite package name here}

Follow the default install directions. Once the application opens it will ask if you want…


I kept a solid record in a spreadsheet, for the most part.

I wish it was as simple as knowing the moment that you actually know the skill inside and out. Fact is, I’m still learning. That number was the count of time spent from just trying to learn, to attending code school, and a burst of study after — when I secured my first job and was cramming on the ins-and-outs of the framework! Please don’t be discouraged if you’re just starting out, because this tally was a thought experiment to start with.

When I was first starting out, I was having a hard time staying motivated and on task. It’s…


Occasionally friends will contact me about learning to code, especially since I come from a non-STEM background. This post is a reflection on my experiences in learning to code, selecting a program, how I prepared for attendance, participating in the program, and how I felt after I left. I speak about negative experiences here.

While attending Makersquare, the program publicly transitioned to Hack Reactor. It was purchased in 2015, becoming a subsidiary. Same program, and same head of curriculum — Kyle Simpson from the You Don’t Know JS series. Now six months prior to the publication of this blog…


This post was written on May 20, 2016. I found it in drafts and decided it belongs out on the web.

---

I know I should be out partying. Really, it’s time for revelry and nostalgia. However, all I wanted was it to be over this entire time. I didn’t enjoy my time at Hack Reactor. Instead of relief, I fear for the job hunt.

Yesterday, I moved apartments in a thunderstorm. On a tiny scooter. Which was part stupid, part hilarious, but mostly beautiful as the sky lit up with purple flashes of lightning. Sloping streets flooded, and…


A tree is the first hierarchical structure we look at. Each tree has exactly one root node, and trees vary from there. They can be ordered or not. Nodes…

christina mitchell

Application Security
