Triaxiom Security
Partner with us to meet your Information Security needs.
2 Jul 2020

What is the OSSTMM?

The Open Source Security Testing Methodology Manual, or OSSTMM, was created to: …provide a scientific methodology for the accurate characterization of operational security (OpSec) through examination and correlation of test results in a consistent and reliable way. This manual is adaptable to almost any audit type, including penetration tests, ethical hacking, security assessments, vulnerability assessments, […]

30 Jun 2020

File Upload Validation Techniques

File upload filtering is an extremely important part of web application security that is also notoriously hard to get right. And unfortunately the stakes are high, as vulnerabilities associated with your file upload functionality can quickly turn into critical, exploitable issues with impacts that include remote code execution on the underlying web server. So let’s […]

25 Jun 2020

IoT Devices in the Home

Today’s blog is just a quick update on home security. As a security professional, one of the most common questions I get from friends and family revolves around concerns they have from smart devices, or Internet of Things (IoT) devices, in their home. Should they be worried about their smart lock on their front door […]

23 Jun 2020

Security Tips When Working From Home

Currently and going forward, many employees may find themselves working from home temporarily or permanently. Security is still extremely important to you and your employer, and today we will explore tips and tricks that will help you maintain your security posture while working remotely. Working From Home Security Tips & Tricks Leverage a VPN – […]

11 Jun 2020

Most Common Methods of API Authentication

Today, we’re going to dig into the most common methods of API authentication out there and discuss some of the security implications associated with each of them, from the perspective of a penetration tester. As Application Programming Interfaces (APIs) continue to become a more prevalent tool used in website architecture, the security associated with them […]

9 Jun 2020

An Introduction to Kerberoasting

In today’s blog, we will be taking a high-level look at a popular attack called Kerberoasting. Kerberoasting is used by attackers to escalate privileges once they gain initial access to an internal network. As penetration testers, we regularly use this attack vector during engagements and are generally successful in doing so. Let’s take a look […]

4 Jun 2020

Top Reasons to Become a Penetration Tester

We are oftentimes asked “why did you become a penetration tester?” or “why should I get into penetration testing?” There are many different reasons to get into penetration testing and everyone is motivated by different things. We took a poll in our office of why our team members got into penetration testing and today […]

2 Jun 2020

Introduction to Buffer Overflow Attacks

In today’s blog, we will be taking a very high-level look at buffer overflow attacks. Attackers exploit buffer overflow vulnerabilities by overwriting the memory of an application. By doing so, an attacker can change the execution flow of the program, thereby instructing the program to execute code stored in an area of memory the attacker controls. Consider […]

29 May 2020

COVID-19 Attack Surface Implications

The COVID-19 pandemic has reshaped our organizations as we know them. Many have shifted from an on-site location to primarily working from home. What was first thought to be a few weeks has now turned into a few months, and likely the impacts of this pandemic on your organization’s IT operations and procedures […]

27 May 2020

Common Web Application Vulnerabilities – JWTs

We’ve been running across a lot of modern web applications lately that have implemented JSON Web Tokens (also known as JWTs) for session tracking. JWTs are an open, industry standard designed to securely transmit information between two parties as a cryptographically-signed, JSON object. While the JWT specification is designed generically to account for a variety […]

© 2025 Triaxiom Security, a division of Strata Information Group, Inc. All rights reserved.