Research Case Study: Supply Chain Security at Scale – Insights into NPM Account Takeovers
Software supply chains are complex ecosystems where even a single vulnerability can lead to widely spread security issues. This blog focuses on supply chain account takeovers, particularly in NPM packages, and explains how attackers exploit expired email domains and leaked credentials to gain access. Through real-world research and examples, we reveal the scale of the […]
Penetration Testing Steps: Beginner’s Guide
Introduction: Penetration testing, also known to many as “pen testing,” is when a simulated cyberattack is conducted against a computer system, network, or web application to assess the exploitation of vulnerabilities. The purpose of penetration testing is to check for vulnerability exploitation in the system so that appropriate steps to prevent such attacks are taken […]
Exploiting pfsense Remote Code Execution – CVE-2022-31814
Greetings everyone, In this write-up, we will be exploring the interesting exploitation that has been done against the pfsense CVE-2022-31814. What is pfsense? pfSense software is a FreeBSD-based operating system designed to install and configure a firewall that can be easily configured via the web interface and installed on any PC. With all of the […]
Understanding JWT: Basics and Security Risks
Introduction to JWT (JSON Web Token): JWT, or JSON Web Token, is a fundamental standard outlined in RFC 7519, designed to securely transmit data among parties using JSON objects. Praised for its compactness, readability, and cryptographic signing facilitated by private or public key pairs provided by the Identity Provider (IdP), JWT has emerged as a […]
The Art of Intrusion: File Upload Bypass & WAF XSS Evasion in AWS S3 Demystified
Summary: Greetings, today we will be sharing an XSS WAF bypass vulnerability that was identified by one of your Application Penetration Testers while working for a client’s audit. Due to the privacy concerns let’s call the target redacted.com. What is the file Upload Vulnerability? A file upload vulnerability is a type of security vulnerability that […]
Guardians of the Digital Realm: Unveiling the Importance of a Credible Cyber Security Team
Welcome to the dynamic landscape of the digital era, where the importance of robust cybersecurity has reached unprecedented heights. As businesses increasingly embrace digital platforms and technology, the threat landscape continues to expand. It is paramount to have a strong cybersecurity team safeguarding the digital realm. In this blog, we take pride in presenting the […]
Unmasking an RFI to LFI Escalation
Introduction: Greetings, we are going to share a recent security assessment that was performed for the client, where a seemingly innocent Remote File Inclusion (RFI) unfolded into a more intricate and fascinating Local File Inclusion (LFI) discovery. The RFI Unveiling: During the Audit we stumbled upon a unique endpoint that fetched CSV file data, incorporating […]
Sneaky Attacks: Critical Account Deletion Vulnerability
Introduction: In the dynamic landscape of cybersecurity, unearthing vulnerabilities is crucial to fortifying digital platforms. Today, we unravel a significant flaw that allows an attacker to delete anyone’s account by exploiting the nuances of email address registration. The Discovery: In our assessment, we stumbled upon a vulnerability that hinges on the subtleties of email addresses […]
Unveiling Improper Access Control: A Journey into Admin Dashboards
In the ever-evolving landscape of cybersecurity, uncovering vulnerabilities is crucial to maintaining the integrity and security of digital platforms. In this write-up, we explore a recently discovered flaw in the access control system, shedding light on the potential risks and impacts it poses. The Discovery: Our journey begins with the identification of an improper access […]