Flickr has a developer application section called The App Garden. Developers are able to create apps that make API calls to Flickr as an authenticated user via OAuth. I discovered a Cross-Site Request Forgery (CSRF) attack vector that allowed you to attack any user on Flickr.
admin.google.com Reflected Cross-Site Scripting (XSS)
After learning about Google's bug bounty program, I decided to look for vulnerabilities on their most sensitive services. Finding a vulnerability on admin.google.com was challenging; I managed to find a simple, but interesting form of Cross-Site Scripting.
Yahoo – Root Access SQL Injection – tw.yahoo.com
I'll keep this one simple and sweet because anyone reading this blog probably knows what SQL Injection is. I discovered a root access SQL injection on tw.yahoo.com.
Detecting Burp Suite – Part 2 of 3: Callback Exposure
This is part two of a three-part series on detecting traffic generated by the security tool Burp Suite. These methods are by no means exhaustive, but are simple tricks that can be used for detecting some of the malicious traffic on your web server.
DEFCON 22 Badge Challenge
Authors: Brett Buerhaus, Jason Thor Hall
Original Post: http://potatohatsecurity.tumblr.com/post/94565729529/defcon-22-badge-challenge-walkthrough
Brett, Jon, and I recently went to DEFCON and completed the Badge Challenge put together by 1o57. Here is the entire adventure as we experienced it with all of the puzzles, their solutions, and the steps to solve them. Understand that this document contains MASSIVE spoilers, so if you do not want to ruin it for yourself, please stop reading now.
Detecting Burp Suite – Part 1 of 3: Info Leak
I recently started to review the automated vulnerability scanner Burp Suite because of its widespread usage. The tool is used by many security bounty hunters, security professionals, and blackhat hackers for automated scanning and vulnerability detection. While I was using Burp, I was wondering to myself how easy it is for a server to detect that I am using this tool.
Facebook – Stored Cross-Site Scripting (XSS) – Badges
The Facebook badges page was vulnerable to stored Cross-Site Scripting (XSS). This was initially reported back in August 2013, but due to communication problems over e-mail it wasn't fixed until early January. Neither party is to blame, but this shows some of the difficulties that companies can face communicating with security researchers.
Facebook – Send Notifications to any User Exploit
I discovered a vulnerability on Facebook that allowed you to send notifications to any user on Facebook. This could have been used to spam any content you wanted to all users on Facebook.