HTTP Request Smuggling Explained: A Beginner’s Guide on identification and mitigation.
HTTP Request Smuggling is a web application vulnerability that lets attackers sneak harmful requests into a system without detection. By confusing servers about the data they process, it can also lead to serious cybersecurity risks, including data leaks and unauthorized access. In this blog, we’ll break down what HTTP Request Smuggling is, how […]
Performing Android Static Analysis 101-A Complete Guide for Beginners
Android Static Analysis is a foundational approach to identifying vulnerabilities in applications without executing them. This blog provides insight into the tools and techniques required for effective analysis. What is Android Static Analysis? Android static analysis analyzes an application’s code, resources, and configuration files without executing the application, which is done with the help of […]
Research Case Study: Supply Chain Security at Scale – Insights into NPM Account Takeovers
Software supply chains are complex ecosystems where even a single vulnerability can lead to widespread security issues. This blog focuses on supply chain account takeovers, particularly in NPM packages, and explains how attackers exploit expired email domains and leaked credentials to gain access. Through real-world research and examples, we reveal the scale of the […]
Penetration Testing Steps: Beginner’s Guide
Introduction: Penetration testing, also known to many as “pen testing,” is a simulated cyberattack conducted against a computer system, network, or web application to assess whether its vulnerabilities can be exploited. The purpose of penetration testing is to check for vulnerability exploitation in the system so that appropriate steps to prevent such attacks are taken […]
Exploiting pfSense Remote Code Execution – CVE-2022-31814
Greetings everyone. In this write-up, we will be exploring the interesting exploitation that has been done against pfSense CVE-2022-31814. What is pfSense? pfSense software is a FreeBSD-based operating system designed to install and configure a firewall that can be easily configured via the web interface and installed on any PC. With all of the […]
Understanding JWT: Basics and Security Risks
Introduction to JWT (JSON Web Token): JWT, or JSON Web Token, is a fundamental standard outlined in RFC 7519, designed to securely transmit data among parties using JSON objects. Praised for its compactness, readability, and cryptographic signing facilitated by private or public key pairs provided by the Identity Provider (IdP), JWT has emerged as a […]
The Art of Intrusion: File Upload Bypass & WAF XSS Evasion in AWS S3 Demystified
Summary: Greetings, today we will be sharing an XSS WAF bypass vulnerability that was identified by one of our Application Penetration Testers while working on a client’s audit. Due to privacy concerns, let’s call the target redacted.com. What is a File Upload Vulnerability? A file upload vulnerability is a type of security vulnerability that […]
Guardians of the Digital Realm: Unveiling the Importance of a Credible Cyber Security Team
Welcome to the dynamic landscape of the digital era, where the importance of robust cybersecurity has reached unprecedented heights. As businesses increasingly embrace digital platforms and technology, the threat landscape continues to expand. It is paramount to have a strong cybersecurity team safeguarding the digital realm. In this blog, we take pride in presenting the […]
Unmasking an RFI to LFI Escalation
Introduction: Greetings, we are going to share a recent security assessment that was performed for a client, where a seemingly innocent Remote File Inclusion (RFI) unfolded into a more intricate and fascinating Local File Inclusion (LFI) discovery. The RFI Unveiling: During the audit, we stumbled upon a unique endpoint that fetched CSV file data, incorporating […]
Sneaky Attacks: Critical Account Deletion Vulnerability
Introduction: In the dynamic landscape of cybersecurity, unearthing vulnerabilities is crucial to fortifying digital platforms. Today, we unravel a significant flaw that allows an attacker to delete anyone’s account by exploiting the nuances of email address registration. The Discovery: In our assessment, we stumbled upon a vulnerability that hinges on the subtleties of email addresses […]